SP private key file & certificate file is missing or not accessible

Created on 8 January 2024, 6 months ago
Updated 11 January 2024, 6 months ago

Problem/Motivation

I added SAML Auth to my website and I am trying to configure it, but I am stuck on the Key & Cert files. I put these files in a saml_auth directory that is in my project root (not web root), but I am getting the below warning message:

Warning message
SP private key file is missing or not accessible.
SP certificate file is missing or not accessible.

Steps to reproduce

I am not sure if I can reproduce these steps for others as this is happening for my site, but not for my colleague's site with a similar setup.

1) Installed the SAML Auth module and configured the service and identity providers.
2) I created a key & cert file by following the instructions in the README and placed both files into the saml_auth directory.
3) I added these to the service provider config, and when I saved the configuration I saw those warnings pop up.

Troubleshooting

1. Check Permissions

I checked the permissions for my saml_auth folder and the key and cert files within:

drwxr-xr-x. 2 (my user) (my group) 6144 Jan 3 15:38 saml_cert

-rw-r--r--. 1 (my user) (my group) 1566 Jan 3 15:38 sp.crt
-rw-r--r--. 1 (my user) 1704 Jan 3 15:38 sp.key

2. Check for typos

I cd'd into the directory and used pwd. This gave me the path /var/www/websites/cabstg/saml_cert. I used this to create the absolute path in the config settings.

3. I created a PHP script that used file_exists() and file_get_contents() to see if the files and their contents are accessible. I ran this script using the PHP CLI and it output "true" that the file exists, along with the content of the files. I opened the site page and ran the script again, and this time it output false and could not output the content of the files. So for some reason, I can see the files and read their contents, but my site can't. I am not sure what could be causing this anymore.

Goal

My goal with this support request is to either resolve the issue, or to get advice about what else I can try before I rule out my own setup and approach my server team to check if there's an issue with the server.

💬 Support request
Status

Closed: works as designed

Version

3.9

Component

User interface

Created by

🇨🇦 Canada ciesinsg


Comments & Activities

  • Issue created by @ciesinsg
  • 🇳🇱 Netherlands roderik Amsterdam,NL / Budapest,HU

    That looks like something in your webserver config.

    In the script that you execute by opening it in your webbrowser, you can print ini_get('open_basedir'). If that is something that is more specific than /var/www/websites/cabstg, that's your issue.

    And if the value is equal to your webroot (whatever it is... e.g. /var/www/websites/cabstg/public)... that would be bad. Because it means you would be forced to put your private key in your webroot. And I hope your web server team is able/willing to change that setting.

  • 🇨🇦 Canada ciesinsg

    @roderik Thanks for the suggestion. I modified the script to include

    echo "open_basedir: " . ini_get('open_basedir') . "\n";

    But when I run this from PHP cli this just outputs "open_basedir: " and nothing afterwards as if there is no basedir set. I am not sure exactly what this means as this seems to be a different outcome than you mentioned. Does this mean that there's no basedir set, or is this variable hidden to me?

  • 🇳🇱 Netherlands roderik Amsterdam,NL / Budapest,HU

    There's no basedir set.

    Then I have no clue about the difference between CLI PHP and your webserver PHP (with only the latter not being able to find the files, as you mentioned in the initial report).

  • 🇳🇱 Netherlands roderik Amsterdam,NL / Budapest,HU

    I'm too quick answering, sorry. This should not be run from PHP cli, that is expected to contain nothing.

    When run through the webserver (i.e. viewed as a webpage, i.e. put somewhere in the webroot) it is expected to contain a value. (Make sure to not output your private key, in that script)
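    The check roderik describes in the two comments above (print open_basedir from a script served by the web server, without ever echoing the key itself), written out as an added diagnostic script. This is not code from the SAML Auth module or from anyone in this thread; the two file paths are assumptions taken from the issue description and should be replaced with the absolute paths entered in the SP configuration. Drop the script into the webroot only temporarily, open it in a browser, compare the output with a CLI run, then delete it.

```php
<?php
// Added diagnostic script (not part of the SAML Auth module or this issue).
// Assumed paths: replace with the absolute paths from your SP configuration.
declare(strict_types=1);

header('Content-Type: text/plain');

$files = [
    'sp.crt' => '/var/www/websites/cabstg/saml_cert/sp.crt',
    'sp.key' => '/var/www/websites/cabstg/saml_cert/sp.key',
];

// Which SAPI is answering and which OS user it runs as. A CLI run and a
// web-server run usually differ in exactly these values, and in the
// open_basedir restriction that only php-fpm/mod_php tends to carry.
$user = (function_exists('posix_geteuid') && function_exists('posix_getpwuid'))
    ? (posix_getpwuid(posix_geteuid())['name'] ?? '?')
    : get_current_user();

echo "sapi:           " . PHP_SAPI . "\n";
echo "effective user: " . $user . "\n";
echo "open_basedir:   " . (ini_get('open_basedir') ?: '(not set)') . "\n";
echo "document root:  " . ($_SERVER['DOCUMENT_ROOT'] ?? '(n/a)') . "\n";
echo "script dir:     " . __DIR__ . "\n\n";

foreach ($files as $label => $path) {
    echo "[$label] $path\n";

    // Walk up the path until something exists. If the project directory name
    // on the server differs from the one you typed (cab vs cabstg in this
    // thread), the first existing ancestor stops one level above it.
    $probe = $path;
    while ($probe !== '/' && !@file_exists($probe)) {
        $probe = dirname($probe);
    }
    if ($probe !== $path) {
        echo "  first existing ancestor: $probe\n";
    }

    // Both calls return false under an open_basedir restriction as well as
    // for a genuinely missing or unreadable file, so read them together with
    // the open_basedir line printed above.
    $exists   = @file_exists($path);
    $readable = $exists && @is_readable($path);
    echo "  exists:   " . var_export($exists, true) . "\n";
    echo "  readable: " . var_export($readable, true) . "\n";

    if ($readable) {
        // Prove the web server can read the file without disclosing it:
        // report size and whether the first bytes look like a PEM header.
        $head = (string) @file_get_contents($path, false, null, 0, 64);
        $pem  = strncmp($head, '-----BEGIN ', 11) === 0 ? 'yes' : 'no';
        echo "  size:     " . filesize($path) . " bytes, PEM header: $pem\n";
    }
    echo "\n";
}
```

    Run it once with `php diag.php` on the command line and once through the browser. If the CLI run reports the files as readable and the web run does not, the lines that differ (open_basedir, effective user, or the first existing ancestor) point at the cause: a PHP restriction, filesystem permissions for the web server's user, or simply a path that does not exist on the host serving the site.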

  • 🇨🇦 Canada ciesinsg

    Hi Roderik, thanks for all your help with this. We were able to discover the issue so I wanted to include this here in case it helps anyone.

    The issue was that the transfer instance was set up with the wrong directory name. Even though the directory I was working in was cabstg, the actual server was set to cab, so the URLs I made simply didn't exist on the server. After the transfer instance and server were made to match, and I corrected the absolute paths, it is working as intended.

  • Status changed to Closed: works as designed 6 months ago