
shibboleth-dev - RE: SSL problem......

Subject: Shibboleth Developers

  • From: Scott Cantor <>
  • To: 'Elliot Metsger' <>,
  • Cc:
  • Subject: RE: SSL problem......
  • Date: Tue, 13 Jul 2004 15:27:12 -0400
  • Organization: The Ohio State University

> > [13/Jul/2004 11:01:18 06387] [error] OpenSSL: error:140890C7:SSL
> > routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> > [Hint: No CAs known to server for verification?]
> >
> > suggestions?
>
> Try using 'openssl sclient' on the service provider to connect to the
> identity provider. It's possible that openssl on the SP doesn't trust
> the signer of your origin's cert, in which case you need to put it in
> /usr/local/ssl/certs and run /usr/local/ssl/bin/c_rehash on the certs in
> that directory (substituting /usr/local/ssl for your openssl
> installation).

I recommend debugging with curl, not sclient. One of them shares code with
the code you're testing, the other is quite different.

In any case, this is one of the few error messages that's actually fairly
clear. The server isn't getting a valid certificate, so it's not the client
that's complaining.

You can simulate it from the command line with curl if you tell it to use
the key/certificate. If that works, something more subtle in the SP
configuration is probably broken.

-- Scott
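
The curl test suggested in the reply above, as an added example that is not part of the original message or of Shibboleth itself. The function names, file names and URL are placeholders; `IDP_CLIENT_CA_FILE` is assumed to be a copy of the CA bundle the identity provider's web server trusts for client certificates, and `IDP_SERVER_CA_FILE` the CA that signed the identity provider's own server certificate.

```shell
#!/bin/sh
# Added example: pre-flight checks on the SP's client credential, then the
# curl request that presents it to the IdP. All paths/URLs are placeholders.

# Return 0 if the private key belongs to the certificate (public keys match).
key_matches_cert() {  # usage: key_matches_cert CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if CERT chains to a CA in IDP_CLIENT_CA_FILE and is acceptable as
# a TLS client certificate. Matching on "OK" avoids relying on the exit code,
# which older openssl releases did not set on verification failure.
cert_trusted_as_client() {  # usage: cert_trusted_as_client CERT IDP_CLIENT_CA_FILE
    openssl verify -purpose sslclient -CAfile "$2" "$1" 2>/dev/null \
        | grep -q ': OK$'
}

# Present the SP's certificate and key to the IdP with curl. The verbose
# output shows whether the server requested a client certificate and how the
# handshake ended.
try_idp_with_client_cert() {  # usage: ... URL CERT KEY IDP_SERVER_CA_FILE
    key_matches_cert "$2" "$3" || {
        echo "private key does not match certificate" >&2
        return 1
    }
    curl --silent --show-error --verbose --output /dev/null \
         --cert "$2" --key "$3" --cacert "$4" "$1"
}

# Example call (placeholder values):
#   cert_trusted_as_client sp.crt idp-client-ca.pem
#   try_idp_with_client_cert https://idp.example.org/ sp.crt sp.key idp-server-ca.pem
```

If both checks pass and curl completes the handshake, the credential itself is sound and the problem lies in how the SP is configured to use it.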