Hi Satosa Users List,
Firstly, I think my registration for this email list is still pending (or emails are being swallowed by a spam filter somewhere…); is anyone able to approve? Otherwise, maybe there’s simply no traffic :)
I’m hitting an issue when coming back from my discovery service (PyFF) to Satosa. At the point where Satosa looks up the IdP/SP in PyFF it fails with a bad SSL handshake. Satosa is running with Docker, as is PyFF.
Specific error:
requests.exceptions.SSLError: HTTPSConnectionPool(host='pyff.cern.ch', port=443): Max retries exceeded with url: /entities/%7Bsha1%7Dbf0f1310cb092e88484def3c53613f8a10ebde3d (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
I imagine this is because my PyFF instance is running with a certificate that is not publicly trusted. I’ve manually added the certificate to the SSL store in the Satosa docker container (and am able to connect with docker exec satosa_container openssl s_client -connect pyff.cern.ch:443), but am still hitting an exception in the Satosa code.
Has anyone come across this? Is there a way to specify additional trusted CAs, or request that the MDQ lookup be more lenient (for testing purposes)?
Cheers,
Hannah
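Added example (not part of Hannah's message nor SATOSA's or PyFF's code): the traceback comes from the Python requests library, which verifies against certifi's CA bundle (or the file named in REQUESTS_CA_BUNDLE), not the OS trust store that `openssl s_client` consults, so a CA added to the container store is never seen. The script below builds a bundle that adds the private CA on top of the default one and performs the MDQ lookup with verification kept on; EXTRA_CA_PEM is a constructed placeholder and pyff.example an assumed host.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from urllib.parse import quote

# Constructed placeholder for the private CA that signed the PyFF server cert
# (not a real certificate; substitute the actual PEM).
EXTRA_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "PLACEHOLDER-PRIVATE-CA-BODY\n"
    "-----END CERTIFICATE-----\n"
)


def default_bundle_path():
    """Bundle requests will trust: REQUESTS_CA_BUNDLE if set, else certifi's file.
    Neither is the OS store that `openssl s_client` uses."""
    explicit = os.environ.get("REQUESTS_CA_BUNDLE")
    if explicit:
        return explicit
    import certifi  # installed alongside requests
    return certifi.where()


def build_ca_bundle(extra_pem, base_bundle=None, out_dir=None):
    """Write base bundle + extra CA into one PEM file and return its path.
    Pass base_bundle=default_bundle_path() to keep public trust; None = private CA only."""
    base = Path(base_bundle).read_text() if base_bundle else ""
    out = Path(out_dir or tempfile.mkdtemp()) / "satosa-ca-bundle.pem"
    out.write_text((base.rstrip("\n") + "\n" if base else "") + extra_pem)
    return str(out)


def mdq_url(base_url, entity_id):
    """MDQ transformed identifier: '{sha1}' + hex SHA-1 of the entityID, URL-encoded,
    which yields the /entities/%7Bsha1%7D... path seen in the traceback."""
    digest = hashlib.sha1(entity_id.encode("utf-8")).hexdigest()
    return f"{base_url.rstrip('/')}/entities/{quote('{sha1}' + digest)}"


def mdq_lookup(base_url, entity_id, ca_bundle):
    """Fetch entity metadata with certificate verification kept on, trusting ca_bundle."""
    import requests  # the library SATOSA's traceback came from
    resp = requests.get(mdq_url(base_url, entity_id), verify=ca_bundle, timeout=10)
    resp.raise_for_status()
    return resp.content


if __name__ == "__main__":
    bundle = build_ca_bundle(EXTRA_CA_PEM, default_bundle_path())
    print("export REQUESTS_CA_BUNDLE=" + bundle)  # set this in the SATOSA container
```

Setting REQUESTS_CA_BUNDLE in the SATOSA container environment makes every requests call, including the MDQ lookup, trust the combined bundle without touching SATOSA's code.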