Hi Satosa Users List,
Firstly, I think my registration for this email list is still pending (or emails are being
swallowed by a spam filter somewhere…) is anyone able to approve? Otherwise, maybe there’s
simply no traffic :)
I’m hitting an issue when coming back from my discovery service (PyFF) to Satosa. At the
point where Satosa looks up the IdP/SP in PyFF it fails with a bad SSL handshake. Satosa
is running with Docker, as is PyFF.
Specific error:
requests.exceptions.SSLError:
HTTPSConnectionPool(host='pyff.cern.ch', port=443): Max
retries exceeded with url: /entities/%7Bsha1%7Dbf0f1310cb092e88484def3c53613f8a10ebde3d
(Caused by SSLError(SSLError("bad handshake: Error([('SSL routines',
'tls_process_server_certificate', 'certificate verify
failed')],)",),))
I imagine this is because my PyFF instance is running with a certificate that is not
publicly trusted. I’ve manually added the certificate to the SSL store in the Satosa
docker container (and am able to connect with docker exec satosa_container openssl
s_client -connect pyff.cern.ch:443), but am still hitting
an exception in the Satosa code.
Has anyone come across this? Is there a way to specify additional trusted CAs, or request
that the MDQ lookup be more lenient (for testing purposes)?
Cheers,
Hannah
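An added example (not from the original post, and not part of SATOSA or PyFF) illustrating one common cause of the symptom above: `openssl s_client` consults the OpenSSL system trust directory, whereas the Python `requests` library verifies against its own bundled CA file (from `certifi`) unless told otherwise, so a CA added to `/etc/ssl/certs` is not seen by `requests`. The helper below reports both locations, builds a bundle that is the default one plus an extra CA in PEM form, and returns the `verify=` setting (or `REQUESTS_CA_BUNDLE` value) that points `requests` at it. The PEM block, the file names and the `pyff.cern.ch` host reuse are constructed/assumed for illustration; the CA certificate must be the real one for the PyFF server.

```python
import os
import ssl
import tempfile

# Constructed placeholder for the PyFF server's CA certificate; replace with the real PEM.
PYFF_CA_PEM = """-----BEGIN CERTIFICATE-----
PLACEHOLDER_PYFF_CA_CERTIFICATE_BASE64
-----END CERTIFICATE-----
"""


def trust_store_locations():
    """Report where OpenSSL (used by `openssl s_client`) and `requests` look for CAs.

    The two differ, which is why adding a CA to the OS store can leave `requests`
    still failing with 'certificate verify failed'.
    """
    paths = ssl.get_default_verify_paths()
    info = {
        "openssl_cafile": paths.openssl_cafile,
        "openssl_capath": paths.openssl_capath,
        "requests_bundle": None,
    }
    try:
        import certifi  # bundled with requests; its bundle is what requests verifies against
        info["requests_bundle"] = certifi.where()
    except ImportError:
        # Without certifi, requests would fall back to OpenSSL's default cafile.
        info["requests_bundle"] = paths.openssl_cafile
    return info


def build_extra_bundle(extra_pem, base_bundle_path=None, out_path=None):
    """Write a CA bundle consisting of the base bundle (if readable) plus `extra_pem`.

    Returns the path of the new bundle. Pass it as `verify=` to requests, or export it
    as REQUESTS_CA_BUNDLE so code you do not control (e.g. an MDQ lookup) picks it up.
    """
    if base_bundle_path is None:
        base_bundle_path = trust_store_locations()["requests_bundle"]
    base_content = ""
    if base_bundle_path and os.path.isfile(base_bundle_path):
        with open(base_bundle_path, "r", encoding="utf-8") as fh:
            base_content = fh.read()
    if base_content and not base_content.endswith("\n"):
        base_content += "\n"
    if out_path is None:
        fd, out_path = tempfile.mkstemp(prefix="ca-bundle-", suffix=".pem")
        os.close(fd)
    with open(out_path, "w", encoding="utf-8") as fh:
        fh.write(base_content)
        fh.write(extra_pem)
    return out_path


def requests_verify_setting(bundle_path):
    """Keyword arguments to pass to requests.get/requests.Session so the merged bundle is used.

    Keeping verification on (a file path rather than verify=False) preserves the
    server-identity check instead of disabling it for testing.
    """
    return {"verify": bundle_path}


def environment_setting(bundle_path):
    """Environment variable that makes every requests call in the process use the bundle."""
    return {"REQUESTS_CA_BUNDLE": bundle_path}


if __name__ == "__main__":
    print(trust_store_locations())
    bundle = build_extra_bundle(PYFF_CA_PEM)
    print("merged bundle:", bundle)
    print("requests kwargs:", requests_verify_setting(bundle))
    print("env for the container:", environment_setting(bundle))
```

Setting `REQUESTS_CA_BUNDLE` in the SATOSA container's environment is the least invasive way to apply this to a lookup made inside library code, and it keeps certificate verification enabled rather than relaxing it.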