Bug#532584: libshibsp1: Backchannel fails to contact AA
Russ Allbery
rra at debian.org
Wed Jun 10 16:58:17 UTC 2009
Francesco Malvezzi <francesco.malvezzi at unimore.it> writes:
> 2009-06-10 11:57:55 ERROR Shibboleth.AttributeResolver [7]: exception
> during SAML query to
> https://omissis.unimore.it:8443/idp/profile/SAML1/SOAP/AttributeQuery:
> CURLSOAPTransport failed while contacting SOAP responder:
> error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert
> already in hash table
> 2009-06-10 11:57:55 ERROR Shibboleth.AttributeResolver [7]: unable to
> obtain a SAML response from attribute authority
http://marc.info/?t=96963077100003&r=1&w=2 seems to point at this error
being either a bug in how the OpenSSL routines are called or a bug in
the certificate configuration. Since it works for you manually with
curl, I suspect there's something different between how XMLTooling is
calling curl versus what the command-line program does (including
perhaps loading different certs).
The error message does appear to mean what it says it means, namely that
something is trying to load the same certificate twice. Do you, by any
chance, have multiple copies of the same certificate referenced anywhere
in your configuration, such as used for a certificate and for a trust
chain, or for multiple IdPs? That might help narrow down what's going
on.
> More details: the SP is a brand new Debian/etch upgraded to lenny
> (hosted on XEN). The box is 1 day old, no patching, noting.
>
> This configuration used to work since an year, at least till a week
> ago.
Did it work on a lenny system, or was it only working on etch?
--
Russ Allbery (rra at debian.org) <http://www.eyrie.org/~eagle/>
More information about the Pkg-shibboleth-devel
mailing list