<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body>
<div>This looks like it's failing while trying to download the Okta SAML IdP metadata. If you do an</div>
<div><br>
</div>
<div>openssl s_client -connect &lt;Okta metadata URL host part&gt;:443</div>
<div><br>
</div>
<div>from the host you'll get copious amounts of debugging output that should get you started.</div>
<div><br>
</div>
<div>HTH,</div>
<div>p</div>
<br>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> archivesspace_users_group-bounces@lyralists.lyrasis.org &lt;archivesspace_users_group-bounces@lyralists.lyrasis.org&gt; on behalf of Tom Hanstra
&lt;hanstra@nd.edu&gt;<br>
<b>Sent:</b> 02 June 2022 14:37<br>
<b>To:</b> Archivesspace Users Group &lt;archivesspace_users_group@lyralists.lyrasis.org&gt;<br>
<b>Subject:</b> Re: [Archivesspace_Users_Group] Problems with oauth plugin</font>
<div> </div>
</div>
<div>
<div dir="ltr">Thanks, Blake. Unfortunately, that did not do it. The install script works but we still get this complaint about the certificate verification:<br>
<br>
I'm attaching the entire error as a separate file. Perhaps someone with more Ruby understanding will see something in there that I have not. If I could figure out what certificate/file it is looking at, perhaps I could track this down. Or maybe it is a red
herring and there is something else going on in there.
<div><br>
</div>
<div>Tom</div>
</div>
<br>
<div class="x_gmail_quote">
<div dir="ltr" class="x_gmail_attr">On Wed, Jun 1, 2022 at 5:10 PM Blake Carver &lt;<a href="mailto:blake.carver@lyrasis.org">blake.carver@lyrasis.org</a>&gt; wrote:<br>
</div>
<blockquote class="x_gmail_quote" style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
You might try this branch, there was a weird issue with that for a while, I think maybe this fixed that?</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<a href="https://github.com/lyrasis/aspace-oauth/tree/unlock-address" target="_blank">https://github.com/lyrasis/aspace-oauth/tree/unlock-address</a><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
This was the only change</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<a href="https://github.com/lyrasis/aspace-oauth/pull/23/files" target="_blank">https://github.com/lyrasis/aspace-oauth/pull/23/files</a><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
That was a while back, so things may have changed since on some of those gems.</div>
<div id="x_gmail-m_3605731776303841302appendonsend"></div>
<hr style="display:inline-block; width:98%">
<div id="x_gmail-m_3605731776303841302divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b>
<a href="mailto:archivesspace_users_group-bounces@lyralists.lyrasis.org" target="_blank">
archivesspace_users_group-bounces@lyralists.lyrasis.org</a> &lt;<a href="mailto:archivesspace_users_group-bounces@lyralists.lyrasis.org" target="_blank">archivesspace_users_group-bounces@lyralists.lyrasis.org</a>&gt; on behalf of Tom Hanstra &lt;<a href="mailto:hanstra@nd.edu" target="_blank">hanstra@nd.edu</a>&gt;<br>
<b>Sent:</b> Wednesday, June 1, 2022 2:22 PM<br>
<b>To:</b> Archivesspace Users Group &lt;<a href="mailto:archivesspace_users_group@lyralists.lyrasis.org" target="_blank">archivesspace_users_group@lyralists.lyrasis.org</a>&gt;<br>
<b>Subject:</b> [Archivesspace_Users_Group] Problems with oauth plugin</font>
<div> </div>
</div>
<div>
<div dir="ltr">I'm having some problems with our Authentication with OKTA which I'm trying to understand.
<div><br>
</div>
<div>Because of the problems, I've tried reinstalling the oauth plugin completely. The first problem I ran into was that the current download of:<br>
<br>
<a href="https://github.com/lyrasis/aspace-oauth.git" target="_blank">https://github.com/lyrasis/aspace-oauth.git</a><br>
<br>
Had a Gemfile containing the line:<br>
<br>
gem 'addressable', '2.8.0'<br>
</div>
<div>
<div><br>
</div>
<div>This caused some gem issues with our 2.81. version of ArchivesSpace because 2.8.0 was evidently newer than the 2.7.0 version that is in the gems directory. I'm not savvy enough with Ruby to know how to deal with that so I simply updated the aspace-oauth
Gemfile to read:<br>
<br>
gem 'addressable', '2.7.0'<br>
<br>
Not sure if that is legit or not. But it allowed the initialize-plugin script to work.<br>
<br>
But I'm still running into what was actually the original error we are getting. In the archivesspace.out file, we see this error:<br>
<br>
--------<br>
INFO: An exception happened during JRuby-Rack startup<br>
certificate verify failed<br>
--- System<br>
jruby 9.2.12.0 (2.5.7) 2020-07-01 db01a49ba6 OpenJDK 64-Bit Server VM 25.312-b07 on 1.8.0_312-b07 +jit [linux-x86_64]<br>
Time: 2022-06-01 13:57:45 -0400<br>
Server: jetty/8.1.5.v20120716<br>
jruby.home: uri:classloader://META-INF/jruby.home<br>
<br>
--- Context Init Parameters:<br>
jruby.max.runtimes = 1<br>
jruby.min.runtimes = 1<br>
public.root = /<br>
rails.env = production<br>
<br>
--- Backtrace<br>
OpenSSL::SSL::SSLError: certificate verify failed<br>
connect at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/net/http.rb:1002<br>
do_start at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/net/http.rb:924<br>
start at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/net/http.rb:913<br>
request at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/net/http.rb:1465<br>
<br>
[and a lot more ruby stuff]<br>
----------</div>
<div><br>
</div>
<div>There seems to be some certificate that the plugin is not happy about. But I cannot determine what certificate it does not like. Both the local certificates and the OKTA certificates are valid. So what is the issue?<br>
<br>
Anyone seen this before and have ideas?</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Tom</div>
<div><br>
</div>
<div><br>
</div>
<div>--<br>
</div>
<div dir="ltr">
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div><b style="font-family:arial,helvetica,sans-serif; font-size:12.7273px; color:rgb(136,136,136)">Tom Hanstra</b><br>
</div>
<div style="color:rgb(136,136,136); font-size:12.8px">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div style="font-size:12.7273px">
<div>
<div><i style="font-size:12.7273px; font-family:arial,helvetica,sans-serif">Sr. Systems Administrator</i></div>
<div><a href="mailto:hanstra@nd.edu" target="_blank" style="color:rgb(17,85,204); font-size:12.7273px; font-family:arial,helvetica,sans-serif">hanstra@nd.edu</a><br>
</div>
</div>
<div><span style="font-family:arial,helvetica,sans-serif"><br>
</span></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
_______________________________________________<br>
Archivesspace_Users_Group mailing list<br>
<a href="mailto:Archivesspace_Users_Group@lyralists.lyrasis.org" target="_blank">Archivesspace_Users_Group@lyralists.lyrasis.org</a><br>
<a href="http://lyralists.lyrasis.org/mailman/listinfo/archivesspace_users_group" rel="noreferrer" target="_blank">http://lyralists.lyrasis.org/mailman/listinfo/archivesspace_users_group</a><br>
</blockquote>
</div>
<br clear="all">
<div><br>
</div>
-- <br>
<div dir="ltr" class="x_gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div><b style="font-family:arial,helvetica,sans-serif; font-size:12.7273px; color:rgb(136,136,136)">Tom Hanstra</b><br>
</div>
<div style="color:rgb(136,136,136); font-size:12.8px">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div style="font-size:12.7273px">
<div>
<div><i style="font-size:12.7273px; font-family:arial,helvetica,sans-serif">Sr. Systems Administrator</i></div>
<div><a href="mailto:hanstra@nd.edu" target="_blank" style="color:rgb(17,85,204); font-size:12.7273px; font-family:arial,helvetica,sans-serif">hanstra@nd.edu</a><br>
</div>
</div>
<div><span style="font-family:arial,helvetica,sans-serif"><br>
</span></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
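<hr style="display:inline-block;width:98%">
<div>Added example, not part of the original thread and not code from ArchivesSpace or the aspace-oauth plugin: a Ruby sketch of why "certificate verify failed" can appear even when every certificate is individually valid, and how to see which certificate the verifier stopped at. The root, intermediate and leaf certificates, the name idp.example.test and the helper names are constructed for illustration.</div>

```ruby
require "openssl"

# Build one certificate for a constructed test PKI (not real Okta certificates).
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ext = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ext.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Root, intermediate and leaf, all generated in memory.
def build_pki
  rk, ik, lk = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root = make_cert("Constructed Root CA", rk, ca: true, serial: 1)
  inter = make_cert("Constructed Intermediate CA", ik, issuer: root, issuer_key: rk, ca: true, serial: 2)
  leaf = make_cert("idp.example.test", lk, issuer: inter, issuer_key: ik, serial: 3)
  { root: root, inter: inter, leaf: leaf }
end

# Verify `leaf` the way a TLS client does: `trusted` is the client's trust
# store, `untrusted` is whatever extra chain certificates the server sent.
# On failure, report the OpenSSL reason and the certificate it stopped at.
def diagnose(leaf, trusted:, untrusted: [])
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, untrusted)
  ok = ctx.verify
  { ok: ok, reason: ctx.error_string, cert: ok ? nil : ctx.current_cert.subject.to_s }
end

if __FILE__ == $PROGRAM_NAME
  pki = build_pki
  cases = {
    "root trusted, intermediate sent" => { trusted: [pki[:root]], untrusted: [pki[:inter]] },
    "root trusted, intermediate not sent" => { trusted: [pki[:root]] },
    "root missing from client trust store" => { trusted: [], untrusted: [pki[:inter]] }
  }
  cases.each { |name, args| puts "#{name}: #{diagnose(pki[:leaf], **args)}" }
end
```

<div>The certificate named in a failing result is the last one the verifier could place in the chain, so its issuer is the one missing from what the server sent or from the client's trust store.</div>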
</body>
</html>