Strange. There are a few things we can try:
* You are hitting this catch block in the codebase:
https://github.com/uhm-coe/authorizer/blob/master/src/authorizer/class-authentication.php#L447-L460
Can you try enabling phpCAS debug mode to get more details? Right before that forceAuthentication() call, add:
\phpCAS::setDebug( dirname( __FILE__ ) . '/../../debug.log' );
Then try authenticating again. That will drop a file called debug.log into the plugin directory. Review it to see if anything jumps out at you (and you can share it with me directly at prar@hawaii.edu, just be aware that it may contain privileged SAML attributes on a successful login attempt).
* I don’t see other mentions of ADFS problems on their GitHub. Could you try using one of their examples to test authentication using vanilla phpCAS?
https://github.com/apereo/phpCAS/tree/master/docs/examples
* Authorizer bundles phpCAS 1.3.6 as of this writing, but I see 1.3.8 currently available. I can get that updated in Authorizer and release a new version.
https://github.com/apereo/phpCAS/releases
Nice. That was a super helpful tip… Looks like some kind of SSL issue. The problem is that all servers in play have legitimate, non-expired certs. sts.wichita.edu is a Starfield cert and cas-dev.wichita.edu is a Let's Encrypt cert.
Hmmm…
5A16 .START (2020-07-10 18:29:34) phpCAS-1.3.6 ****************** [CAS.php:468]
5A16 .=> phpCAS::forceAuthentication() [class-authentication.php:450]
5A16 .| => CAS_Client::forceAuthentication() [CAS.php:1098]
5A16 .| | => CAS_Client::isAuthenticated() [Client.php:1280]
5A16 .| | | => CAS_Client::_wasPreviouslyAuthenticated() [Client.php:1393]
5A16 .| | | | no user found [Client.php:1635]
5A16 .| | | <= false
5A16 .| | | CAS 2.0 ticket `ST-10-eaMwMXaMRNv6AqyWO8GZ3DqYRSA-cas-dev.wichita.edu' is present [Client.php:1446]
5A16 .| | | => CAS_Client::validateCAS20('', NULL, NULL, false) [Client.php:1449]
5A16 .| | | | [Client.php:3169]
5A16 .| | | | => CAS_Client::getServerServiceValidateURL() [Client.php:3176]
5A16 .| | | | | => CAS_Client::getURL() [Client.php:453]
5A16 .| | | | | <= 'https://comm306-test.wichita.edu/wp-login.php?external=cas'
5A16 .| | | | <= 'https://cas-dev.wichita.edu/cas/serviceValidate?service=https%3A%2F%2Fcomm306-test.wichita.edu%2Fwp-login.php%3Fexternal%3Dcas'
5A16 .| | | | => CAS_Client::_readURL('https://cas-dev.wichita.edu/cas/serviceValidate?service=https%3A%2F%2Fcomm306-test.wichita.edu%2Fwp-login.php%3Fexternal%3Dcas&ticket=ST-10-eaMwMXaMRNv6AqyWO8GZ3DqYRSA-cas-dev.wichita.edu', NULL, NULL, NULL) [Client.php:3191]
5A16 .| | | | | => CAS_Request_CurlRequest::sendRequest() [AbstractRequest.php:242]
5A16 .| | | | | | CURL: Set CURLOPT_CAINFO /data/wp/content/html/comm306/wp-includes/certificates/ca-bundle.crt [CurlRequest.php:129]
5A16 .| | | | | | curl_exec() failed [CurlRequest.php:77]
5A16 .| | | | | <= false
5A16 .| | | | <= false
5A16 .| | | | could not open URL 'https://cas-dev.wichita.edu/cas/serviceValidate?service=https%3A%2F%2Fcomm306-test.wichita.edu%2Fwp-login.php%3Fexternal%3Dcas&ticket=ST-10-eaMwMXaMRNv6AqyWO8GZ3DqYRSA-cas-dev.wichita.edu' to validate (CURL error #60: SSL certificate problem: unable to get local issuer certificate) [Client.php:3193]
5A16 .| | | | => CAS_AuthenticationException::__construct(CAS_Client, 'Ticket not validated', 'https://cas-dev.wichita.edu/cas/serviceValidate?service=https%3A%2F%2Fcomm306-test.wichita.edu%2Fwp-login.php%3Fexternal%3Dcas&ticket=ST-10-eaMwMXaMRNv6AqyWO8GZ3DqYRSA-cas-dev.wichita.edu', true) [Client.php:3197]
5A16 .| | | | | => CAS_Client::getURL() [AuthenticationException.php:77]
5A16 .| | | | | <= 'https://comm306-test.wichita.edu/wp-login.php?external=cas'
5A16 .| | | | | CAS URL: https://cas-dev.wichita.edu/cas/serviceValidate?service=https%3A%2F%2Fcomm306-test.wichita.edu%2Fwp-login.php%3Fexternal%3Dcas&ticket=ST-10-eaMwMXaMRNv6AqyWO8GZ3DqYRSA-cas-dev.wichita.edu [AuthenticationException.php:80]
5A16 .| | | | | Authentication failure: Ticket not validated [AuthenticationException.php:81]
5A16 .| | | | | Reason: no response from the CAS server [AuthenticationException.php:83]
5A16 .| | | | | exit()
5A16 .| | | | | -
5A16 .| | | | -
5A16 .| | | -
5A16 .| | -
5A16 .| -
—
Also… Just noticed the same behavior with “normal CAS”. This only seems to be affecting our cas-dev environment so… 🙂 Lemme check on all that…
Authorizer relies on the CA bundle included with WordPress; can you verify that it is available here: /data/wp/content/html/comm306/wp-includes/certificates/ca-bundle.crt
and that it matches:
https://github.com/WordPress/WordPress/blob/master/wp-includes/certificates/ca-bundle.crt
Another possibility, I noticed cas-dev.wichita.edu isn’t publicly reachable, how are you doing the letsencrypt renewals? Maybe that cert has expired?
Or it’s possible that the recent AddTrust root CA expiration could be causing this, see this for more details:
https://wordpress.org/support/topic/cannot-complete-login-process/#post-12934033
(Offtopic, but we’re trying to fully migrate to letsencrypt over here, but so far I don’t have a solution for our private servers because the letsencrypt DNS-01 challenge seems like too much of a hassle. If you have any tips, let us know!)
It’s available and the LE root cert matches. The cert renewal process works and the cert does not expire until late August. I was able to curl cas-dev.wichita.edu from the webserver where the WordPress install is. I wonder if the intermediate cert is wrong… SSL is terminated on the NetScaler; we have a cronjob that renews the certs, uploads and refreshes them.
Strange.
Oh! yes we use the DNS-01 ACME TXT record configuration. It’s more involved to set up but worth it once you get there. I was not the person that set it up here. Our architect and our network team did much of that work. Hit me with questions I’ll pass them along and get back to you.
From the web server, can you try a curl using the WordPress CA bundle:
curl -v --cacert /data/wp/content/html/comm306/wp-includes/certificates/ca-bundle.crt https://cas-dev.wichita.edu/
Found it. I had to open up the acls and test the cert to see the problem. The intermediate cert was not associated with the certificate. I fixed that and now it works. Sorry for wasting your time and thanks for trying to help me!
Have a good weekend.
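The failure diagnosed above (the NetScaler served the Let's Encrypt leaf without its intermediate, so curl inside phpCAS could not build a path to a root in the WordPress bundle) can be reproduced offline. The script below is an added example, not code from the thread, from Authorizer or from phpCAS: it builds a throwaway root/intermediate/leaf PKI with the openssl CLI, shows that the leaf alone fails against the root bundle with exactly the OpenSSL reason behind CURL error #60, and then shows the same leaf verifying against the same bundle once the intermediate is supplied alongside it, which is what associating the intermediate with the certificate on the load balancer fixed. The CA names and the host name cas-dev.example.test are made up, and the openssl binary is assumed to be on the path.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce OpenSSL error 20,
# "unable to get local issuer certificate", with a throwaway PKI, then show
# that supplying the intermediate makes the same leaf verify against the same
# root bundle. Names below are made up; requires the openssl CLI.
set -eu

WORK=$(mktemp -d "${TMPDIR:-/tmp}/chain-demo.XXXXXX")
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Generate root -> intermediate -> leaf. Extensions are explicit so the
# intermediate is accepted as a CA by the chain builder.
make_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:cas-dev.example.test\n' > leaf.ext

  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj '/CN=Demo Root CA' >/dev/null 2>&1
  openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 2 \
    -extfile ca.ext >/dev/null 2>&1

  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj '/CN=Demo Intermediate CA' >/dev/null 2>&1
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -out int.crt -days 2 -extfile ca.ext >/dev/null 2>&1

  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj '/CN=cas-dev.example.test' >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -out leaf.crt -days 2 -extfile leaf.ext >/dev/null 2>&1
}

# verify_leaf BUNDLE LEAF [CHAIN]: exit 0 if LEAF chains to a root in BUNDLE.
# CHAIN plays the role of the extra certificates a TLS server sends with its
# leaf; a client trusts roots from its bundle but needs the server to supply
# intermediates (it is also what curl --cacert BUNDLE checks).
verify_leaf() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# verify_error BUNDLE LEAF [CHAIN]: the OpenSSL reason string, empty on success.
verify_error() {
  if [ $# -ge 3 ]; then
    out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1 || true)
  else
    out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)
  fi
  printf '%s\n' "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
}

make_pki

# Case 1: the server (or the load balancer terminating TLS) sends only the
# leaf. The root is in the bundle, but no path can be built without the
# intermediate: this is the reason text behind CURL error #60.
echo "leaf only:         $(verify_error root.crt leaf.crt)"

# Case 2: the server sends leaf + intermediate. Same leaf, same bundle, valid.
cat leaf.crt int.crt > served-chain.pem
if verify_leaf root.crt leaf.crt served-chain.pem; then
  echo "leaf+intermediate: OK"
fi
```

Against a live host the equivalent check is the curl from the post above, or `openssl s_client -connect host:443 -servername host -CAfile bundle -showcerts`: a chain that verifies only when you add the intermediate yourself with -untrusted is one the server is not sending.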
Not a problem, glad you figured it out. Cheers!