Troubleshooting
Problems
- I get errors from SSOClient's OAuthService with "certificate_expired"
- I get signature_invalid errors
- I get errors from SSOClient's OAuth Authorisation Servlet with "Couldn't find user in request"
Solutions
I get errors from SSOClient's OAuthService with "certificate_expired"
This usually happens when the application is running in SSO Old mode and its keystore certificate has expired. You can check by running:
keytool -keystore search.warwick.ac.uk.keystore -alias search.warwick.ac.uk -list -v
Replace search.warwick.ac.uk with whatever your domain is. The keystore password is in your sso-config file.
Scroll up to the top of the output and look for the section that looks like this:
Certificate chain length: 3
Certificate[1]:
Owner: CN=search.warwick.ac.uk, OU=Information Technology Services, O=The University of Warwick, L=Coventry, ST=West Midlands, C=GB
Issuer: CN=Cybertrust Educational CA, OU=Educational CA, O=Cybertrust, C=BE
Serial number: 10000000001175a8035b1
Valid from: Tue Jan 08 17:43:47 GMT 2008 until: Sat Jan 08 17:43:47 GMT 2011
If the "until" date on the "Valid from" line is in the past, the certificate has expired. You'll need to generate a new keystore (and possibly a new certificate) - talk to Mat or Nick.
I get signature_invalid errors
This is usually because your SSO config is passing the requested URL as a query parameter (usually requestedUrl=...). You need to pass it in a request header instead; otherwise it will try to sign this parameter as part of your OAuth message.
There is more information about this in JIRA issue SSO-770. An example Apache vhost configuration, placed above your rewrite rules, is:
## SBTWO-3262: Populate request header X-Requested-URI with requested URI (including query string)
# If query string is empty, don't add a question mark
RewriteCond %{QUERY_STRING} ^$
RewriteRule .? - [E=REQ_URI:%{ENV:SCRIPT_URI}]
RewriteCond %{QUERY_STRING} !^$
RewriteRule .? - [E=REQ_URI:%{ENV:SCRIPT_URI}?%{QUERY_STRING}]
RequestHeader set X-Requested-URI "%{REQ_URI}e" env=!no-requested-uri
####
You then need to remove the ?requestedUrl=ENV:SCRIPT_URI part from your rewrites.
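Why the extra query parameter breaks verification, as an added example (not SSOClient's own code): it builds the OAuth 1.0 signature base string from RFC 5849 and shows that a requestedUrl parameter appended by a rewrite changes what gets signed, while a header does not. HMAC-SHA1, the URLs, consumer key and secret are assumptions chosen to keep the example self-contained; the page does not state which signature method SSOClient uses.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(s):
    # RFC 5849 section 3.6: only unreserved characters stay unencoded
    return quote(s, safe="-._~")

def base_string(method, url, oauth_params):
    """RFC 5849 section 3.4.1 signature base string for the URL as given.
    Simplified: assumes a lowercase scheme/host and no default port in the URL."""
    parts = urlsplit(url)
    # Query parameters are signed together with the oauth_* parameters
    params = parse_qsl(parts.query, keep_blank_values=True) + list(oauth_params.items())
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def sign(method, url, oauth_params, consumer_secret, token_secret=""):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    msg = base_string(method, url, oauth_params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()

def verify(method, url_seen_by_app, oauth_params, signature, consumer_secret):
    # The receiving side recomputes the signature over the URL it actually sees
    expected = sign(method, url_seen_by_app, oauth_params, consumer_secret)
    return hmac.compare_digest(expected, signature)

# Constructed sample values (assumptions, not taken from a real deployment)
OAUTH = {"oauth_consumer_key": "example-consumer", "oauth_nonce": "abc123",
         "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1300000000",
         "oauth_version": "1.0"}
SECRET = "example-secret"
CLIENT_URL = "https://app.example.test/oauth/requestToken?scope=read"
# What the application sees when a rewrite rule appends requestedUrl=...
REWRITTEN_URL = CLIENT_URL + "&requestedUrl=" + pct("https://app.example.test/oauth/requestToken")

def demo():
    sig = sign("POST", CLIENT_URL, OAUTH, SECRET)  # computed by the OAuth client
    return {
        # requestedUrl lands in the signed parameter set: mismatch
        "query_param": verify("POST", REWRITTEN_URL, OAUTH, sig, SECRET),
        # URL untouched, requested URI carried in X-Requested-URI: headers are not signed
        "header": verify("POST", CLIENT_URL, OAUTH, sig, SECRET),
    }

if __name__ == "__main__":
    print(demo())
```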
I get "no user found" errors
The user needs to be logged in to authorise, so your authorisation servlet needs to be behind both SSOClientFilter and ForceLoginFilter.