[keycloak] the root certificate that is not trusted.
jbsky opened this issue · 15 comments
Keycloak has an endpoint, e.g. https://keycloak.jbsky.dmz:8443/auth/realms/master/protocol/saml/descriptor, which generates the metadata on a single line.
Unfortunately, with the function, it fails when loading the certificate (which is also on a single line).
I had to rework the certificate
echo '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' | sed 's/.\{64\}/&\n/g'
and finally pass it as a heredoc; then the object loads correctly.
It would be nicer if this were handled in your code.
Thank you for taking into consideration this bug.
Sincerely
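The rework described in this report (splitting the single-line base64 body into 64-column PEM lines) done generically, as an added example that is not part of the issue or of Net::SAML2: a POSIX shell function that reads SAML metadata on stdin, whether Keycloak's one-line form or a pretty-printed one, pulls out the first X509Certificate element and emits a PEM file. The sample metadata embedded below is constructed with a placeholder base64 body, and the idp.example entityID is likewise made up; only the Keycloak URL in the usage comment comes from the thread.

```shell
# Added example; not code from the issue or from Net::SAML2.
# Requires only POSIX sh with tr, grep, cut, fold and sed.

# Read SAML metadata on stdin and print the first X509Certificate as PEM.
# Keycloak emits the whole document on one line, so the body is located by
# element name rather than by line; all whitespace inside the element is
# dropped first so pretty-printed metadata gives the same result.
saml_metadata_cert_to_pem() {
    body=$(tr -d '\r\n' \
        | tr '<' '\n' \
        | grep -E '^([A-Za-z0-9_.-]+:)?X509Certificate>' \
        | head -n 1 \
        | cut -d '>' -f 2- \
        | tr -d ' \t')
    if [ -z "$body" ]; then
        echo "saml_metadata_cert_to_pem: no X509Certificate element in input" >&2
        return 1
    fi
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    printf '%s\n' "$body" | fold -w 64      # PEM lines are at most 64 characters
    printf '%s\n' '-----END CERTIFICATE-----'
}

# Optional sanity check once a real certificate is in hand: it must parse,
# and subject/issuer show whether this is the IdP signing cert rather than a CA.
pem_describe() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not available" >&2; return 0; }
    openssl x509 -noout -subject -issuer -dates -in "$1"
}

# Constructed sample: Keycloak-style one-line metadata with a placeholder
# 130-character base64 body (not a real certificate).
SAMPLE_METADATA='<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><md:EntityDescriptor entityID="https://idp.example/realms/master"><md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDDEEEEEEEEEEFFFFFFFFFFGGGGGGGGGGHHHHHHHHHHIIIIIIIIIIJJJJJJJJJJKKKKKKKKKKLLLLLLLLLLMMMMMMMMMM</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor></md:EntitiesDescriptor>'

# Usage against a live IdP (not run here):
#   curl --fail --silent https://keycloak.jbsky.dmz:8443/auth/realms/master/protocol/saml/descriptor \
#       | saml_metadata_cert_to_pem > idp-signing.pem && pem_describe idp-signing.pem
```

The function takes the first X509Certificate only; if a realm publishes separate signing and encryption keys, filter on the KeyDescriptor use attribute before piping the element through.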
Hi
Can you provide a little more detail as to where exactly you ran into the issue? I assume you are using something like:
my $idp = Net::SAML2::IdP->new_from_url(
url => $metadata, # URL where the xml is located
cacert => $cacert # Filename of the Identity Providers CACert
);
And $metadata is the URL: https://keycloak.jbsky.dmz:8443/auth/realms/master/protocol/saml/descriptor
I have tested against keycloak but had not seen the issue. Can you send me a copy of the metadata?
Tim
copy of the metadata:
<md:EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:keycloak"><md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://keycloak.jbsky.dmz:8443/auth/realms/master"><md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>grjD9oyP9ZkRdWqZ-e0s42Qk2xQJuJVpJ4iFjl19Uxc</ds:KeyName><ds:X509Data><ds:X509Certificate>MIIE7jCCA9agAwIBAgIJAI5ZAV4k7WIvMA0GCSqGSIb3DQEBCwUAMHUxCzAJBgNVBAYTAkZSMQwwCgYDVQQKDANzc28xKzApBgNVBAsMIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxKzApBgNVBAMMInNzbyAtIENlcnRpZmljYXRpb24gQXV0aG9yaXR5IFJvb3QwHhcNMjEwNTExMTM1NDM0WhcNMjIwNTExMTM1NDM0WjBeMQswCQYDVQQGEwJGUjEMMAoGA1UECgwDc3NvMSswKQYDVQQLDCJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMRQwEgYDVQQDDAsqLmpic2t5LmRtejCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALiN7ni2dF62Poxt1NYC4lro5Zu0igltL9JPeUTb0NHxp91ScmK+joATE7FGq3qmtXmxW4BzxF16A7lIEqUbz2EQA78d27xZP5VmmqCbsdLpIVuF+JvrxKFG6CYY8UBg75td9rLC0B9ZikXEUE6kwA0DwiZu5WztAliUFqZ914DNjHcpYJQTvrRafWOpyQcJPup2w46/Aeo3bcFi9Zo2mtIkU64hQ2oJYDA7GR/aRHhvcBVTKH142hEOChiL/wFqtv3VVDehipqf37Zh7DjeeM8tnRtCSF90YeoCgCn781cHi+93uFduXGh2/amPwcvImje7nUMwZFJHeDuRXI6vQH0CAwEAAaOCAZYwggGSMB0GA1UdDgQWBBSJSXLs+Ass8htaV1egA8RLt+sdtzCBsgYDVR0jBIGqMIGngBQ6AhTVvnK/LtCm+tsWpxWX9Mi4Z6F5pHcwdTELMAkGA1UEBhMCRlIxDDAKBgNVBAoMA3NzbzErMCkGA1UECwwiU2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzErMCkGA1UEAwwic3NvIC0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgUm9vdIIUaLXeUxb2kY8vyEChjlkBXiTtYi4wDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCBeAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMAkGA1UdEgQCMAAwEQYJYIZIAYb4QgEBBAQDAgZ
AMEAGA1UdEQQ5MDeCCyouamJza3kuZG16ggsqLmpic2t5LmludIILKi5qYnNreS5sYW6CDiouZG9tLmpic2t5LmZyMA0GCSqGSIb3DQEBCwUAA4IBAQDIWbYB1yDP2hCIGNCaJ+0e/htrQ3USzqboxb1i2wurqDAvj41D9GGVMhr50DNuOpluhDTATf30dfXnab06TNVjntyWu1D4BN1WsypQg7KGboxjKk9JWHHS9R9lj4x/0CPcTN4vDQ5FYITpigdiwqh+kpQCbrWxflwHisMXUSAPgMlBcRG5WTnH1pZYWOiXIctR6seR7886jFan8IXJUAAF63IOc1DWv1lm5A0kMJT4J36nMBuHGDGK2Thyig9HxlsxfU4GKfxbR3oEtKCSJyMA0S9aOja/AWurdu1yT0k/KYBeAFCz3en+Tb53xBTWRoNPf7rdFh+zPEVpTDBM+Ial</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keycloak.jbsky.dmz:8443/auth/realms/master/protocol/saml/resolve" index="0"/><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak.jbsky.dmz:8443/auth/realms/master/protocol/saml"/><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.jbsky.dmz:8443/auth/realms/master/protocol/saml"/><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://keycloak.jbsky.dmz:8443/auth/realms/master/protocol/saml"/><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak.jbsky.dmz:8443/auth/realms/master/protocol/saml"/><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.jbsky.dmz:8443/auth/realms/master/protocol/saml"/><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" 
Location="https://keycloak.jbsky.dmz:8443/auth/realms/master/protocol/saml"/><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://keycloak.jbsky.dmz:8443/auth/realms/master/protocol/saml"/></md:IDPSSODescriptor></md:EntityDescriptor></md:EntitiesDescriptor>
Yes, it blocks on the code you wrote, but it fails with the URL.
I have a little more success with the following piece of code.
use strict;
use warnings;
use Net::SAML2::IdP;

# Single-quoted heredoc: nothing in the pasted metadata is interpolated
my $xml = <<'XML';
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<md:EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:keycloak">
<md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://keycloak.jbsky.dmz:8443/auth/realms/master">
<md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:KeyName>grjD9oyP9ZkRdWqZ-e0s42Qk2xQJuJVpJ4iFjl19Uxc</ds:KeyName>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keycloak.jbsky.dmz:8443/auth/realms/master/protocol/saml/resolve" index="0"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak.jbsky.dmz:8443/auth/realms/master/protocol/saml"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.jbsky.dmz:8443/auth/realms/master/protocol/saml"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://keycloak.jbsky.dmz:8443/auth/realms/master/protocol/saml"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak.jbsky.dmz:8443/auth/realms/master/protocol/saml"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.jbsky.dmz:8443/auth/realms/master/protocol/saml"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keycloak.jbsky.dmz:8443/auth/realms/master/protocol/saml"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://keycloak.jbsky.dmz:8443/auth/realms/master/protocol/saml"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
</md:EntitiesDescriptor>
XML
# CA certificate used to verify the signing certificate carried in the metadata
my $cacert = '/etc/ssl/certs/cacert.pem';
my $idp = Net::SAML2::IdP->new_from_xml(
    xml    => $xml,
    cacert => $cacert
);
Keycloak doesn't seem to pretty-print, so I need a little more work,
including the addition of
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
at the beginning of the document.
Error in client:
Status Code: 500 no metadata at /usr/local/share/perl/5.28.1/Net/SAML2/IdP.pm line 31.
Hi
Can I also get a copy of the cacert? Should be easy to fix just need to reproduce.
Tim
-----BEGIN CERTIFICATE-----
MIID6zCCAtOgAwIBAgIUaLXeUxb2kY8vyEChjlkBXiTtYi4wDQYJKoZIhvcNAQEN
BQAwdTELMAkGA1UEBhMCRlIxDDAKBgNVBAoMA3NzbzErMCkGA1UECwwiU2VjdXJl
IERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzErMCkGA1UEAwwic3NvIC0gQ2Vy
dGlmaWNhdGlvbiBBdXRob3JpdHkgUm9vdDAeFw0yMTA1MTExMzU0MzJaFw0zMTA1
MDkxMzU0MzJaMHUxCzAJBgNVBAYTAkZSMQwwCgYDVQQKDANzc28xKzApBgNVBAsM
IlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxKzApBgNVBAMMInNz
byAtIENlcnRpZmljYXRpb24gQXV0aG9yaXR5IFJvb3QwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDMXob9gbTpeI6P/5IAtaAV5634pxrjMS838FERYRK4
v/sUkBthkeYOud8wDiIAy1MhmamrJI6xASlQjb7YFXEs14GDf07ESRAYzsjcfu3p
Ezfqw64PyQgpc/iNXhHku0Ox/8QkX4eapzX6Olw0msfoC+6ldm+tAzVXaDEa69JM
wXIbGzuNBElJICDFd6F2CWykeY2UHMUVyrMRjmWohmj6IsoXXppDQULaVBtqjLwx
8NnbFK4Ixq8vfgSJbGuu5RucqsOui7xfYZq8Xbs3zH3IHMZr1b1ZrN41OGacgFK4
upbjq6EMFYT01scNvLfOR6wTOZzsBpozZN3vL7F3MKc1AgMBAAGjczBxMB0GA1Ud
DgQWBBQ6AhTVvnK/LtCm+tsWpxWX9Mi4ZzAfBgNVHSMEGDAWgBQ6AhTVvnK/LtCm
+tsWpxWX9Mi4ZzAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjARBglghkgB
hvhCAQEEBAMCAQYwDQYJKoZIhvcNAQENBQADggEBAGWf2ajyotBU9nN/DiJ/rWLe
b5rQBhJxM6rrSDBJ5jmTmDksKRSI6Br6qhs6J3+rQWzUp4ubhNS+9KyhOK9ULG0u
LlFiwcW2cSl3ZWjTsRHgnmuOu2cb5pWyYrBrf5HnLxf+uyjmspuJxwOagClSnrKb
HNnHDV2eZBuMg4RiFYE9dy2r9UDASSArU0HOI/LmxOFXJORZ3bNFTuyrBc75SvEb
HMmis3ZFNri/PPJNP2sLQI71AssVl3srWh+aHdI/OIMP6O1fQDFw0UGfpIgf5CO3
tmGw7zQDPSWUD+1Yxid3LQDUAxTBtfCq0BDvrj9OTvuFMqmAyxtGo6oLiS7pYLU=
-----END CERTIFICATE-----
Hi
I missed this:
at the beginning of the document
Error in client:
Status Code: 500 no metadata at /usr/local/share/perl/5.28.1/Net/SAML2/IdP.pm line 31.
That means that it cannot get the metadata from the url - meaning that https://keycloak.jbsky.dmz:8443/auth/realms/master/protocol/saml/descriptor
does not contain the metadata OR more likely that the certificate for https://keycloak.jbsky.dmz:8443 is not signed by a CA certificate that is trusted by the server.
Currently there is not an option to tell LWP::UserAgent to ignore untrusted certificates. I can look into it but I am limiting screen time for the next few days - while I can reply to a few email I may not be able to dig into it too deeply.
Tim
The cacert in that place is used to verify the certificate that is returned in the metadata, not the certificate that is used by the HTTPS server. It is expected that the appropriate trusted certificate is in place for the HTTPS server (i.e. that the server is using a trusted certificate, either from a third party or one whose CA cert has been explicitly trusted on the server calling new_from_url()).
I will mark it as a bug because there should be a configurable method to do what you did in your code OR a documentation update to specify how it should be done.
Tim
Can you try:
diff --git a/lib/Net/SAML2/IdP.pm b/lib/Net/SAML2/IdP.pm
index 655da74..88a864e 100644
--- a/lib/Net/SAML2/IdP.pm
+++ b/lib/Net/SAML2/IdP.pm
@@ -57,6 +57,8 @@ sub new_from_url {
my $req = GET $args{url};
my $ua = LWP::UserAgent->new;
+ $ua->ssl_opts( SSL_ca_file => '/etc/ssl/certs');
+
my $res = $ua->request($req);
die "no metadata" unless $res->is_success;
my $xml = no_comments($res->content);
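Review bot: `SSL_ca_file => '/etc/ssl/certs'` points at a directory, but `SSL_ca_file` names a single PEM bundle file; the directory form of the option is `SSL_ca_path`. The reporter's follow-up confirms that the file form `/etc/ssl/certs/cacert.pem` works. The path is also hard-coded inside the library, so every caller inherits one host's layout; take it from `%args` instead, e.g. `$ua->ssl_opts(SSL_ca_file => $args{ca_file}) if $args{ca_file};`, and leave the default trust store untouched when nothing is passed.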
If that works I can likely make it configurable
I tried your modification by putting a file name instead of a directory, and it works fine.
- $ua->ssl_opts( SSL_ca_file => '/etc/ssl/certs/cacert.pem');
If I stick to the doc here https://metacpan.org/pod/LWP::UserAgent, SSL_ca_file will search in HTTPS_CA_DIR if this variable is not filled in.
The two following solutions work:
However, SSL_ca_path does not work.
Hello,
A question: have you considered packaging your work as a Debian .deb package?
Why?
I did some work for Proxmox and unfortunately the Proxmox devs won't take it into their project because your code is not in a Debian package.
Waiting for your feedback.
Sincerely,
@jbsky I finally got a chance to get back to this.
This is my proposed patch for the issue. It allows you to override all the supported ssl options as in this example:
my $idp = Net::SAML2::IdP->new_from_url(
    url      => $this->{Saml}{metadata},
    cacert   => $this->{Saml}{cacert},
    ssl_opts => {
        ca_file         => '/var/www/foswiki/saml/keycloak-www.pem',
        verify_hostname => 0    # turns off hostname checking of the metadata server
    }
);
diff --git a/lib/Net/SAML2/IdP.pm b/lib/Net/SAML2/IdP.pm
index 1c27e06..0d7e6cb 100644
--- a/lib/Net/SAML2/IdP.pm
+++ b/lib/Net/SAML2/IdP.pm
@@ -57,8 +57,17 @@ sub new_from_url {
my $req = GET $args{url};
my $ua = LWP::UserAgent->new;
+ if ( defined $args{ssl_opts} ) {
+ require LWP::Protocol::https;
+ $ua->ssl_opts( %{$args{ssl_opts}} );
+ }
+
my $res = $ua->request($req);
- die "no metadata" unless $res->is_success;
+ if (! $res->is_success ) {
+ my $msg = "no metadata: " . $res->code . ": " . $res->message . "\n";
+ die $msg;
+ }
+
my $xml = $res->content;
return $class->new_from_xml(xml => $xml, cacert => $args{cacert});
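Review bot: the hunk forwards `%{$args{ssl_opts}}` to `LWP::UserAgent->ssl_opts` unfiltered, so a caller can pass `verify_hostname => 0` (as the usage example above does) or `SSL_verify_mode => 0` and switch off TLS verification of the very endpoint the IdP signing certificate is downloaded from; the `cacert` argument on the last line only checks the certificate inside the metadata, not that download. Please add POD for the new `ssl_opts` argument to `new_from_url` that recommends `ca_file`/`SSL_ca_file` pointing at the private CA for this situation and states plainly that disabling verification lets anyone on the network path substitute the metadata. The `require LWP::Protocol::https` is only reached when `ssl_opts` is given, while every https URL needs that module; LWP loads it on demand, so either drop the `require` or move it out of the `if`. The replaced `die` is a clear improvement: `$res->code` and `$res->message` surface the underlying LWP error (such as a certificate verification failure) that the bare `no metadata` hid.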
It also improves the error messaging if it cannot access the metadata url for some reason. I figured I would let you know as I will be putting it in the next version.
BTW, I now have access to create debian packages but I have not actually done one yet.
Hi timlegge,
I found out why my certificates are not trusted.
You have to keep them in PEM format and rename the file to .crt. Then you have to copy the .crt into /usr/local/share/ca-certificates and run the command:
update-ca-certificates
By doing this, openssl is able to verify my certificates successfully, so logically it should work with your library as well.
However, the option you added is great and will help someone else.
Thanks for your work and for the option to force trust of a certificate.
Another point: unfortunately, I have never created a Debian package for the Debian community.
Sincerely
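What the thread ends on, trusting the private CA properly rather than switching verification off, as an added example that is neither the reporter's nor the library's code: a POSIX shell script that validates the CA file before it is installed, installs it into a Debian-style trust store (/usr/local/share/ca-certificates plus update-ca-certificates, as in the last comment), confirms the Keycloak endpoint's chain verifies with openssl s_client, and only then fetches the metadata over a verified connection. This also covers the distinction timlegge draws earlier, that cacert checks the certificate inside the metadata while the HTTPS trust decision belongs to the caller's trust store. The store directory is a parameter so the install step can be exercised against a scratch directory; the file names (sso-root.pem, metadata.xml) are placeholders, and openssl and curl are assumed to be on PATH.

```shell
# Added example; not code from the issue thread or from Net::SAML2.
# Assumes a Debian-style trust store and openssl/curl on PATH.

# The trust store takes exactly one certificate per .crt file, so refuse
# bundles, empty files and anything that also carries a private key.
pem_looks_like_single_cert() {
    f=$1
    [ -r "$f" ] || return 1
    [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f")" -eq 1 ] || return 1
    [ "$(grep -c -- '-----END CERTIFICATE-----' "$f")" -eq 1 ] || return 1
    ! grep -q -- 'PRIVATE KEY-----' "$f"
}

# A trust anchor should be a CA certificate (basicConstraints CA:TRUE), not
# the IdP's leaf certificate; check with openssl when it is available.
pem_is_ca_cert() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl missing, CA check skipped" >&2; return 0; }
    openssl x509 -noout -text -in "$1" 2>/dev/null | grep -q 'CA:TRUE'
}

# Install one CA certificate under a .crt name and rebuild the store.
# update-ca-certificates only runs for the real store, so the function can
# be exercised against a scratch directory passed as $3.
install_private_ca() {
    src=$1; name=$2; store=${3:-/usr/local/share/ca-certificates}
    pem_looks_like_single_cert "$src" || {
        echo "install_private_ca: $src is not a single PEM certificate" >&2; return 1; }
    mkdir -p "$store"
    cp "$src" "$store/$name.crt" || return 1
    chmod 0644 "$store/$name.crt"
    if [ "$store" = /usr/local/share/ca-certificates ] \
        && command -v update-ca-certificates >/dev/null 2>&1; then
        update-ca-certificates >/dev/null
    fi
    printf '%s\n' "$store/$name.crt"
}

# Does the endpoint's certificate chain verify against the system store?
# -verify_return_error turns a verification failure into a handshake failure
# so the exit status is trustworthy; -servername matters for SNI virtual hosts.
tls_chain_verifies() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# Fetch the metadata over a verified connection. No --insecure/-k here and no
# verify_hostname => 0 on the Perl side: the metadata is where the IdP signing
# certificate comes from, so an unverified fetch lets anyone on the path hand
# you their own IdP.
fetch_metadata_verified() {
    url=$1; out=$2
    curl --fail --silent --show-error --output "$out" "$url"
}

# Usage on the SP host (network steps not run here):
#   pem_is_ca_cert sso-root.pem && install_private_ca sso-root.pem sso-root
#   tls_chain_verifies keycloak.jbsky.dmz 8443 || { echo 'chain still untrusted' >&2; exit 1; }
#   fetch_metadata_verified \
#       https://keycloak.jbsky.dmz:8443/auth/realms/master/protocol/saml/descriptor metadata.xml
```

Once tls_chain_verifies succeeds, Net::SAML2::IdP->new_from_url needs no ssl_opts at all, because LWP::UserAgent verifies against the same system store; cacert keeps its separate job of checking the signing certificate carried inside the metadata.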