OpenAthens LA support ended on 31 March 2020


You may come across a situation where you are unable to connect to a service provider or add federation metadata and can see errors referring to peer certificates when you start Apache - e.g:

[15/Apr/2014 11:31:55.879 +0100] [16930] ERROR curl  : Couldn't fetch data from URI <SOME HTTPS METADATA URL>: Peer certificate cannot be authenticated with given CA certificates: SSL certificate problem, verify that the CA cert is OK.

If the runtime is attempting to download a page from a secure location over HTTPS and it can't trust the SSL certificate used to encrypt the connection it will throw this kind of error (more commonly with a local resource than the federation metadata). This usually means that the system either is missing the root certificate and/or one of the intermediate certificates in its trust store.  To resolve this you need to place the missing certificate(s) in the trust store used by this part of the system: /usr/share/atacama-platform/trust/.

It is possible to ascertain which certificate is missing through trial and error but it is often simpler to just add any certificate that exists in the chain above the actual HTTPS one into a single file and add it into the trust directory. In many cases, only the root certificate needs to be added.

The quickest way to handle this is using OpenSSL on the runtime. You can use the following command to get the entire certificate chain and write it to a file in the /tmp directory.

openssl s_client -connect <MetadataURL>:443 -prexit -showcerts > /tmp/certificates.txt

(You can also obtain the certificates in Windows via your browser, export them as base 64 encoded X.509 certificate(s), combine them using a text editor and transfer them to the trust store on the runtime... but the command above will almost certainly be quicker and easier)

Next you need to combine the contents of the files into a single (bundle) file in the trust store. E.g:

cat /tmp/certificates.txt > /usr/share/atacama-platform/trust/relevantName.bundle.pem

Finally restart Apache and then test access.

sudo service httpd restart


Anything to watch out for?

In rare cases, the certificate chain might not be served in which case you would need to contact your certificate issuer to obtain it.

  • No labels