
Troubleshooting

Problems


Solutions

I get errors from SSOClient's OAuthService with "certificate_expired"

This usually happens when the application is running in SSO Old mode and its keystore certificate has expired. You can check by running:

keytool -keystore search.warwick.ac.uk.keystore -alias search.warwick.ac.uk -list -v

Replace search.warwick.ac.uk with your own domain. The keystore password is in your sso-config file.

Scroll up to the top of the output and look for the section that looks like this:

Certificate chain length: 3
Certificate[1]:
Owner: CN=search.warwick.ac.uk, OU=Information Technology Services, O=The University of Warwick, L=Coventry, ST=West Midlands, C=GB
Issuer: CN=Cybertrust Educational CA, OU=Educational CA, O=Cybertrust, C=BE
Serial number: 10000000001175a8035b1
Valid from: Tue Jan 08 17:43:47 GMT 2008 until: Sat Jan 08 17:43:47 GMT 2011

If the "until" date on the "Valid from" line is in the past, the certificate has expired. You'll need to generate a new keystore (and possibly a new certificate) - talk to Mat or Nick.


I get signature_invalid errors

This is usually because your SSO config is passing the requested URL as a query parameter (usually requestedUrl=...). You need to pass it in a header instead; otherwise it will try to sign this parameter in your OAuth message.

There is more information about this in JIRA: SSO-770. An example Apache vhost configuration, to go above your rewrite rules, is:

## SBTWO-3262: Populate request header X-Requested-URI with requested URI (including query string)
# If query string is empty, don't add a question mark
RewriteCond %{QUERY_STRING} ^$
RewriteRule .? - [E=REQ_URI:%{ENV:SCRIPT_URI}]
RewriteCond %{QUERY_STRING} !^$
RewriteRule .? - [E=REQ_URI:%{ENV:SCRIPT_URI}?%{QUERY_STRING}]
RequestHeader set X-Requested-URI "%{REQ_URI}e" env=!no-requested-uri
####

You then need to remove the ?requestedUrl=ENV:SCRIPT_URI part from your rewrites.
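
To see why an extra query parameter produces signature_invalid, the following added example (not SSOClient's own code) rebuilds an OAuth 1.0 signature base string as described in RFC 5849 and verifies the same signed request against the URL with and without an appended requestedUrl. It assumes HMAC-SHA1 signing; the URLs, consumer key, token and secrets are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(s):
    # RFC 5849 section 3.6: everything except unreserved characters is encoded
    return quote(s, safe="-._~")

def base_string(method, url, oauth_params):
    # Signature base string: METHOD & base URI & sorted, encoded parameters.
    # Every query parameter on the URL is included, not only the oauth_* ones.
    parts = urlsplit(url)
    base_uri = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])

def sign(method, url, oauth_params, consumer_secret, token_secret):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    msg = base_string(method, url, oauth_params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()

def verify(method, url_seen, oauth_params, consumer_secret, token_secret):
    # Recompute the signature over the URL the application actually receives
    expected = sign(method, url_seen, oauth_params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, oauth_params["oauth_signature"])

# Constructed sample values (not real credentials or hosts)
SECRETS = ("consumer-secret-placeholder", "token-secret-placeholder")
SIGNED_URL = "https://app.example.invalid/api/items?page=2"
OAUTH = {"oauth_consumer_key": "example-consumer", "oauth_token": "example-token",
         "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1300000000",
         "oauth_nonce": "constructed-nonce", "oauth_version": "1.0"}
OAUTH["oauth_signature"] = sign("GET", SIGNED_URL, OAUTH, *SECRETS)

# What the application sees when a rewrite appends requestedUrl to the query string
REWRITTEN_URL = SIGNED_URL + "&requestedUrl=https://app.example.invalid/api/items"
# With the X-Requested-URI header approach the query string is left untouched
HEADER_URL = SIGNED_URL

if __name__ == "__main__":
    print("query-parameter rewrite verifies:", verify("GET", REWRITTEN_URL, OAUTH, *SECRETS))
    print("X-Requested-URI header verifies: ", verify("GET", HEADER_URL, OAUTH, *SECRETS))
```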


I get "no user found" errors

The user needs to be logged in for authorising, so your authorisation servlet needs to be behind both SSOClientFilter and ForceLoginFilter.

