[SOLVED] Mapuche integration with Arai

Hi Sergio, we're not getting the certificate configuration right across huarpe, idp, arai-usuarios and mapuche.
We have huarpe, which would be the client of the API hosted on Mapuche, configured in the parameters.yml file located in /var/www/html/huarpe-core/app/config/ as follows:

parameters:
    portal_url_base: 'https://huarpe.uncaus.edu.ar'
    portal_url_port: 443
    locale: es
    secret: 42n1Ac2gJfmBQwTxYxuUT8eoG70PVw
    api_client_cert: /etc/ssl/certs/saml/certificado.crt
    api_client_cert_key: /etc/ssl/certs/saml/certificado.pem
    trusted_proxies: null
    session_name: huarpe
    session_expire: 3600
    session_handler: session.handler.native_file
    session_memcached_host: null
    session_memcached_port: null
    log_handler: file
    log_level: DEBUG
    logo_file: logouncaus.png
    nombre_institucion: UNCAUS
    idp.uid_attribute: uniqueIdentifier
    idp.entity_id: 'https://idp.arai-usuarios.uncaus.edu.ar/idp/saml2/idp/metadata.php'
    idp.url_sso: 'https://idp.arai-usuarios.uncaus.edu.ar/idp/saml2/idp/SSOService.php'
    idp.url_sls: 'https://idp.arai-usuarios.uncaus.edu.ar/idp/saml2/idp/SingleLogoutService.php'
    idp.cert_data: "-----BEGIN CERTIFICATE-----\nMIIEUTCCAzmgAwIBAgIJANY9I6k1e2F9MA0GCSqGSIb3DQEBCwUAMIG+MQswCQYD\nVQQGEwJBUjEOMAwGA1UECAwFQ2hhY28xJjAkBgNVBAcMHVByZXNpZGVuY2lhIFJv\ncXVlIFNhZW56IFBl$
    sp.entity_id: 'https://huarpe.uncaus.edu.ar/saml/metadata'
    sp.url_acs: 'https://huarpe.uncaus.edu.ar/saml/acs'
    sp.url_sls: 'https://huarpe.uncaus.edu.ar/saml/logout'
    siu.arai_usuarios.api.client.defaults: { cert: /etc/ssl/certs/saml/certificado.crt, ssl_key: /etc/ssl/certs/saml/certificado.pem, base_uri: 'https://arai-usuarios.uncaus.edu.ar/gestion/rest/' }
    mapuche.api.client.defaults: { cert: /etc/ssl/certs/saml/certificado.crt, ssl_key: /etc/ssl/certs/saml/certificado.pem, base_uri: 'https://170.210.156.60/siu/mapuche/rest/' }

Should the certificates listed under api_client_cert: /etc/ssl/certs/saml/certificado.crt and api_client_cert_key: /etc/ssl/certs/saml/certificado.pem be SSL client certificates? And if so, when generating the CA, should I copy it to /usr/share/ca-certificates/mozilla, always on the machine where huarpe is installed? Is this configuration used by the simplesaml service that connects to Mapuche's api/rest service?
I'm pasting the apache log messages for huarpe from the moment I select the Recibos de Sueldo (payslips) option; right after that it throws error 500.

[Wed Feb 21 11:18:16.374933 2018] [:error] [pid 30366] [client 170.210.156.100:46226] [2018-02-21 11:18:16] security.DEBUG: Read existing security token from the session. {"key":"_security_app"} [], referer: https://huarpe.uncaus.edu.ar/
[Wed Feb 21 11:18:16.375132 2018] [:error] [pid 30366] [client 170.210.156.100:46226] [2018-02-21 11:18:16] security.DEBUG: User was reloaded from a user provider. {"username":"facagro","provider":"CoreBundle\\\\Security\\\\User\\\\SimpleSamlUserProvider"} [], referer: https://huarpe.uncaus.edu.ar/
[Wed Feb 21 11:18:16.403985 2018] [:error] [pid 30366] [client 170.210.156.100:46226] [2018-02-21 11:18:16] security.DEBUG: Stored the security token in the session. {"key":"_security_app"} [], referer: https://huarpe.uncaus.edu.ar/
[Wed Feb 21 11:18:18.536285 2018] [:error] [pid 30366] [client 170.210.156.100:46226] [2018-02-21 11:18:18] request.INFO: Matched route "homepage". {"route":"homepage","route_parameters":{"_controller":"CoreBundle\\\\Controller\\\\CoreController::indexAction","_route":"homepage"},"request_uri":"https://huarpe.uncaus.edu.ar/?_pjax=%23pjax-container","method":"GET"} [], referer: https://huarpe.uncaus.edu.ar/
[Wed Feb 21 11:18:18.539776 2018] [:error] [pid 30366] [client 170.210.156.100:46226] [2018-02-21 11:18:18] security.DEBUG: Read existing security token from the session. {"key":"_security_app"} [], referer: https://huarpe.uncaus.edu.ar/
[Wed Feb 21 11:18:18.539974 2018] [:error] [pid 30366] [client 170.210.156.100:46226] [2018-02-21 11:18:18] security.DEBUG: User was reloaded from a user provider. {"username":"facagro","provider":"CoreBundle\\\\Security\\\\User\\\\SimpleSamlUserProvider"} [], referer: https://huarpe.uncaus.edu.ar/
[Wed Feb 21 11:18:18.581620 2018] [:error] [pid 30366] [client 170.210.156.100:46226] [2018-02-21 11:18:18] security.DEBUG: Stored the security token in the session. {"key":"_security_app"} [], referer: https://huarpe.uncaus.edu.ar/
[Wed Feb 21 11:18:18.603052 2018] [:error] [pid 30366] [client 170.210.156.100:46226] [2018-02-21 11:18:18] request.INFO: Matched route "bloque_render". {"route":"bloque_render","route_parameters":{"_controller":"CoreBundle\\\\Controller\\\\BloqueController::renderBloqueAction","zona":"principal","bloqueId":"siu.pantalla_inicial.bloque","_route":"bloque_render"},"request_uri":"https://huarpe.uncaus.edu.ar/bloque/principal/siu.pantalla_inicial.bloque","method":"GET"} [], referer: https://huarpe.uncaus.edu.ar/
[Wed Feb 21 11:18:18.606440 2018] [:error] [pid 30366] [client 170.210.156.100:46226] [2018-02-21 11:18:18] security.DEBUG: Read existing security token from the session. {"key":"_security_app"} [], referer: https://huarpe.uncaus.edu.ar/
[Wed Feb 21 11:18:18.606637 2018] [:error] [pid 30366] [client 170.210.156.100:46226] [2018-02-21 11:18:18] security.DEBUG: User was reloaded from a user provider. {"username":"facagro","provider":"CoreBundle\\\\Security\\\\User\\\\SimpleSamlUserProvider"} [], referer: https://huarpe.uncaus.edu.ar/
[Wed Feb 21 11:18:18.634562 2018] [:error] [pid 30366] [client 170.210.156.100:46226] [2018-02-21 11:18:18] security.DEBUG: Stored the security token in the session. {"key":"_security_app"} [], referer: https://huarpe.uncaus.edu.ar/
[Wed Feb 21 11:18:21.275140 2018] [:error] [pid 30366] [client 170.210.156.100:46226] [2018-02-21 11:18:21] request.INFO: Matched route "mapuche_agente_familiares". {"route":"mapuche_agente_familiares","route_parameters":{"_controller":"SIU\\\\MapucheBundle\\\\Controller\\\\MapucheController::agenteFamiliaresAction","_route":"mapuche_agente_familiares"},"request_uri":"https://huarpe.uncaus.edu.ar/mapuche/agente/familiares","method":"GET"} [], referer: https://huarpe.uncaus.edu.ar/
[Wed Feb 21 11:18:21.286442 2018] [:error] [pid 30366] [client 170.210.156.100:46226] [2018-02-21 11:18:21] security.DEBUG: Read existing security token from the session. {"key":"_security_app"} [], referer: https://huarpe.uncaus.edu.ar/
[Wed Feb 21 11:18:21.286643 2018] [:error] [pid 30366] [client 170.210.156.100:46226] [2018-02-21 11:18:21] security.DEBUG: User was reloaded from a user provider. {"username":"facagro","provider":"CoreBundle\\\\Security\\\\User\\\\SimpleSamlUserProvider"} [], referer: https://huarpe.uncaus.edu.ar/
[Wed Feb 21 11:18:21.316780 2018] [:error] [pid 30366] [client 170.210.156.100:46226] [2018-02-21 11:18:21] request.CRITICAL: Uncaught PHP Exception InvalidArgumentException: "SSL certificate not found: /etc/letsencrypt/live/huarpe.uncaus.edu.ar/fullchain.pem" at /var/www/html/huarpe-core/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php line 428 {"exception":"[object] (InvalidArgumentException(code: 0): SSL certificate not found: /etc/letsencrypt/live/huarpe.uncaus.edu.ar/fullchain.pem at /var/www/html/huarpe-core/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php:428)"} [], referer: https://huarpe.uncaus.edu.ar/
[Wed Feb 21 11:18:21.321599 2018] [:error] [pid 30366] [client 170.210.156.100:46226] [2018-02-21 11:18:21] security.DEBUG: Stored the security token in the session. {"key":"_security_app"} [], referer: https://huarpe.uncaus.edu.ar/

I'm also pasting the result of a curl request to the mapuche server.

arai:~# curl  https://mapuche.uncaus.edu.ar/siu/mapuche/ -vvv
*   Trying 170.210.156.60...
* TCP_NODELAY set
* Connected to mapuche.uncaus.edu.ar (170.210.156.60) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=AR; ST=CHACO; L=PRESIDENCIA ROQUE SAENZ PEÑA; O=UNCAUS; OU=UNCAUS; CN=mapuche.uncaus.edu.ar; emailAddress=stellagerzel@uncaus.edu.ar
*  start date: Feb 19 17:26:49 2018 GMT
*  expire date: Feb 17 17:26:49 2028 GMT
*  common name: mapuche.uncaus.edu.ar (matched)
*  issuer: C=AR; ST=CHACO; L=PRESIDENCIA ROQUE SAENZ PEÑA; O=UNCAUS; OU=UNCAUS; CN=mapuche.uncaus.edu.ar; emailAddress=stellagerzerl@uncaus.edu.ar
*  SSL certificate verify ok.
> GET /siu/mapuche/ HTTP/1.1
> Host: mapuche.uncaus.edu.ar
> User-Agent: curl/7.52.1
> Accept: */*
> 
< HTTP/1.1 302 Found
< Date: Wed, 21 Feb 2018 14:34:24 GMT
< Server: Apache/2.4.27 (Ubuntu)
< Set-Cookie: TOBA_SESSID=ot0dqj6f9jbouu3287mvk54b1a; path=/; HttpOnly
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-cache, must-revalidate
< Pragma: no-cache
< Location: https://idp.arai-usuarios.uncaus.edu.ar/idp/saml2/idp/SSOService.php?SAMLRequest=jVNNr9owELzzK1DuSUgIfWBBKgr9QKKASNpDL5XjbIqlxHa9dh%2Fv39dJoNCnCtUXR7s745ndzRxpUyuytOYkjvDTAprB0J1zUwskXXLhWS2IpMiRCNoAEsNItvy8JXEwIkpLI5msvVewxyiKCNpwKXrYZr3w9rv32%2F3Hze77NJlA8VRMpgmdzKqoYmw6nhVvZmURA42eRtNxzJIKJj30K2h0PAvP0XqDng3RwkagocK4%2BCia%2BqPYj6M8Ssg4IXHyrYeunVkuqOngJ2MUkjDkpQqopty3aKnmEgMrGLUYQGldos2Hrb%2B4%2B8qyfQb6F2cQqJPqaQ%2BXjrzjouTix%2BNGFH0Rkk95fvAP%2ByzvSZbXBq2kQNuAvjzz5bi9aW2osuwErxQit9fMW8rQSzvCeSuadK3R6X8ThCVU1NbGRzUP7xlunIrsnKvN%2BiBrzl66eHs%2BSN1Q137LS%2B9PcFnX8nmlgRpYeEZb8IbhX1SXFYSyW0jn3cDZDFeyUW4W2M4JzpSZi6ebr%2FvyVe226whV%2BnABGWFtnQsf3PUsddnODZh7O9dUoJLaXCz%2Fk7xXHT6QnQ6u6fu%2FK%2F0N&RelayState=https%3A%2F%2Fmapuche.uncaus.edu.ar%2Fsiu%2Fmapuche%2F
< Content-Length: 0
< Content-Type: text/html; charset=iso-8859-1
< 
* Curl_http_done: called premature == 0
* Connection #0 to host mapuche.uncaus.edu.ar left intact
arai:~# 

I understand the request completed correctly, accepting mapuche's certificate, after having previously registered the CAs on huarpe. I say CAs because the CA generated on mapuche was registered as the API server, and on huarpe as the client; then we used huarpe's CA in the mapuche configuration via the SSLCACertificateFile directive.
I'm pasting the contents of the apache configuration on mapuche.

    SSLCertificateFile      /home/administrador/certs_mapuche/servidor/certificado-servidor.pem
    SSLCertificateKeyFile   /home/administrador/certs_mapuche/servidor/claveprivada.pem

    #   Server Certificate Chain:
    #   Point SSLCertificateChainFile at a file containing the
    #   concatenation of PEM encoded CA certificates which form the
    #   certificate chain for the server certificate. Alternatively
    #   the referenced file can be the same as SSLCertificateFile
    #   when the CA certificates are directly appended to the server
    #   certificate for convenience.
    #SSLCertificateChainFile /home/administrador/certs_ca_huarpe/cahuarpecert.ca

    #   Certificate Authority (CA):
    #   Set the CA certificate verification path where to find CA
    #   certificates for client authentication or alternatively one
    #   huge file containing all of them (file must be PEM encoded)
    #   Note: Inside SSLCACertificatePath you need hash symlinks
    #         to point to the certificate files. Use the provided
    #         Makefile to update the hash symlinks after changes.
    #SSLCACertificatePath /etc/ssl/certs/
    #SSLCACertificateFile /etc/apache2/ssl/CAXplotacert.pem
    SSLCACertificateFile /home/administrador/certs_huarpe_cliente/CAXplotacert.pem

    #   issuer chain before deciding the certificate is not valid.
    SSLVerifyClient  optional_no_ca
    SSLProtocol all -SSLv2  -SSLv3 -TLSv1
    SSLOptions      +StdEnvVars +ExportCertData
    SSLVerifyDepth  2

In the SSLVerifyClient directive, when I change the value to require, then from huarpe, when I select the registered application (which is mapuche), it throws an SSL client authentication failed error.

170.210.156.60 no aceptó tu certificado de acceso o es posible que no se haya proporcionado.
Intenta comunicarte con el administrador del sistema.
ERR_BAD_SSL_CLIENT_AUTH_CERT

I hope this information helps.

Regards.
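A diagnostic added here as an example (it is not from the post's author nor from the SIU Huarpe/Mapuche code): before wiring a client certificate into parameters.yml (api_client_cert / api_client_cert_key) and the CA bundle into Apache's SSLCACertificateFile, it checks that the key really belongs to the certificate, that the certificate chains to that CA file and that it has not expired, which are the three things SSLVerifyClient require rejects and that the post's setup reports as ERR_BAD_SSL_CLIENT_AUTH_CERT. It assumes the openssl command line tool is installed; the paths in the usage comment are the ones from the post.

```shell
#!/bin/sh
# Added example, not part of SIU Huarpe or Mapuche: sanity-checks a client
# certificate/key pair against the CA bundle the Mapuche Apache trusts.
# Requires the openssl CLI. Paths are passed as arguments.

# 0 if the private key belongs to the certificate (compares the public keys).
cert_key_match() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
  key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate chains to the CA bundle (the SSLCACertificateFile file).
cert_trusted_by() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if the certificate has not expired (notAfter is still in the future).
cert_not_expired() {
  openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1
}

# Runs every check, prints one line per check, returns the number of failures
# (0 means the pair should be accepted by SSLVerifyClient require).
check_client_cert() {
  cert=$1 key=$2 ca=$3 failures=0
  for f in "$cert" "$key" "$ca"; do
    [ -r "$f" ] || { echo "MISSING/UNREADABLE: $f"; failures=$((failures+1)); }
  done
  [ "$failures" -eq 0 ] || return "$failures"
  cert_key_match "$cert" "$key" && echo "ok: key matches certificate" \
    || { echo "FAIL: key does not match certificate"; failures=$((failures+1)); }
  cert_trusted_by "$cert" "$ca" && echo "ok: certificate chains to CA file" \
    || { echo "FAIL: certificate not issued by a CA in $ca"; failures=$((failures+1)); }
  cert_not_expired "$cert" && echo "ok: certificate not expired" \
    || { echo "FAIL: certificate expired"; failures=$((failures+1)); }
  return "$failures"
}

# Usage on the huarpe host, with the CA file copied over from Mapuche:
#   check_client_cert /etc/ssl/certs/saml/certificado.crt \
#       /etc/ssl/certs/saml/certificado.pem /path/to/CAXplotacert.pem
```

Run the same three checks on the Mapuche side with the server certificate, key and CA bundle to rule out the mirror-image misconfiguration.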