
"Secure Connection Failed" instead of redirect to IdP on fresh install #147

xldcx commented Oct 14, 2024

Mellon 19.1 built from source for httpd on RHEL8, using ./configure --enable-diagnostics, make and make install. No problems there.

SP metadata, generated using the provided generate-metadata-script, is installed on the IdP as well:

<EntityDescriptor entityID="https://HOSTNAME/mellon" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true">
    <KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>cert-content truncated for readability</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>cert-content truncated for readability</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://HOSTNAME/mellon/logout"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://HOSTNAME/mellon/postResponse" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>

vhost https config, protecting /private:

Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLCryptoDevice builtin
MellonCacheSize 100
MellonLockFile "/var/run/mod_auth_mellon.lock"
MellonPostTTL 900
MellonPostCount 100
MellonDiagnosticsEnable On
MellonDiagnosticsFile logs/mellon_diagnostics

<VirtualHost _default_:443>

    ServerName HOSTNAME

    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    #LogLevel warn
    LogLevel auth_mellon:debug
    SSLEngine on
    SSLHonorCipherOrder on
    SSLCipherSuite PROFILE=SYSTEM
    SSLProxyCipherSuite PROFILE=SYSTEM
    SSLCertificateFile .../HOSTNAME.crt
    SSLCertificateKeyFile .../HOSTNAME.key
    SSLCertificateChainFile .../chain.crt
    #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
    #SSLVerifyClient require
    #SSLVerifyDepth  10
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    <Location />

        MellonEnable off
        MellonSPMetadataFile "/etc/httpd/mellon/https_HOSTNAME_mellon.xml"
        MellonSPPrivateKeyFile "/etc/httpd/mellon/https_HOSTNAME_mellon.key"
        MellonSPCertFile "/etc/httpd/mellon/https_HOSTNAME_mellon.cert"
        MellonIdPMetadataFile /etc/httpd/mellon/idp-metadata.xml
        MellonSecureCookie on
        MellonCookieSameSite none
        MellonSamlResponseDump on
        MellonSessionDump on
        MellonEndpointPath /mellon
        MellonSetEnvNoPrefix REMOTE_USER NAME_ID

        Require all granted
    </Location>
    <Location /private>

        Require valid-user
        MellonEnable auth

        # Note: with httpd's default RequireAny, this grants authorization on its own,
        # making "Require valid-user" above redundant; "MellonEnable auth" is what still forces the SAML login.
        Require all granted
    </Location>
</VirtualHost>

On connecting to the /private endpoint, I get logs like this over and over.

[Mon Oct 14 10:01:11.583435 2024] [auth_mellon:debug] [pid 3957279:tid 140572685571840] auth_mellon_handler.c(266): [client MY-IP:40128] loaded IdP "https://IDP/idp/shibboleth" from "/etc/httpd/mellon/idp-metadata.xml".
[Mon Oct 14 10:01:12.415690 2024] [auth_mellon:debug] [pid 3957364:tid 140572685571840] auth_mellon_util.c(54): [client MY-IP:40134] reconstruct_url: url=="https://HOSTNAME/mellon/login?ReturnTo=https%3A%2F%2FHOSTNAME%2Fprivate&IdP=https%3A%2F%2FIDP%2Fidp%2Fshibboleth", unparsed_uri=="/mellon/login?ReturnTo=https%3A%2F%2HOSTNAME%2Fprivate&IdP=https%3A%2F%2FIDP%2Fidp%2Fshibboleth"
[Mon Oct 14 10:01:12.415761 2024] [auth_mellon:debug] [pid 3957364:tid 140572685571840] auth_mellon_cookie.c(77): MELLON_DISABLE_SAMESITE : (null)
[Mon Oct 14 10:01:12.415776 2024] [auth_mellon:debug] [pid 3957364:tid 140572685571840] auth_mellon_cookie.c(224): cookie_set: mellon-cookie=cookietest; Version=1; Path=/; Domain=HOSTNAME; HttpOnly; secure; SameSite=None
[Mon Oct 14 10:01:12.509277 2024] [auth_mellon:debug] [pid 3957364:tid 140572685571840] auth_mellon_handler.c(266): [client MY-IP:40134] loaded IdP "https://IDP/idp/shibboleth" from "/etc/httpd/mellon/idp-metadata.xml".

I then end up with a "Secure Connection Failed" in my browser, even though I have a valid signed certificate for the host/application. There's no connection occurring to the IdP; it fails before that.

OS: RHEL 8.9

  • gcc-8.5.0-22.el8_10.x86_64
  • make-4.2.1-11.el8.x86_64
  • httpd-devel-2.4.37-65.module+el8.10.0+22196+d82931da.2.x86_64
  • libtool-ltdl-2.4.6-25.el8.x86_64
  • libtool-ltdl-devel-2.4.6-25.el8.x86_64
  • lasso-2.6.0-13.el8.x86_64
  • lasso-devel-2.6.0-13.el8.x86_64
  • pkgconf-1.4.2-1.el8.x86_64
  • pkgconf-pkg-config-1.4.2-1.el8.x86_64
  • xmlsec1-openssl-devel-1.2.25-8.el8_10.x86_64
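A consistency check worth running on a fresh install like the one above, added here as an example and not taken from the issue or from the mod_auth_mellon project: it parses the SP metadata and the Mellon directives of the vhost and reports where they disagree (entityID host vs ServerName, endpoint Locations vs MellonEndpointPath, and a signing key when AuthnRequestsSigned is true). The inputs are constructed from the redacted values in the issue, with HOSTNAME kept as a placeholder.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed from the issue's redacted metadata and vhost; certificates omitted.
SP_METADATA = """<EntityDescriptor entityID="https://HOSTNAME/mellon"
 xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 <SPSSODescriptor AuthnRequestsSigned="true"
  protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://HOSTNAME/mellon/logout"/>
  <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://HOSTNAME/mellon/postResponse" index="0"/>
 </SPSSODescriptor>
</EntityDescriptor>"""
VHOST = """ServerName HOSTNAME
MellonEndpointPath /mellon
MellonSPPrivateKeyFile "/etc/httpd/mellon/https_HOSTNAME_mellon.key"
"""

def directives(conf):
    """Map directive name -> value (last wins); skip comments and <containers>."""
    out = {}
    for line in conf.splitlines():
        m = re.match(r"\s*(\w+)\s+(.*?)\s*$", line)
        if m and not line.lstrip().startswith(("#", "<")):
            out[m.group(1)] = m.group(2).strip('"')
    return out

def check(metadata_xml, vhost_conf):
    """Return mismatch descriptions; an empty list means metadata and vhost agree."""
    root = ET.fromstring(metadata_xml)
    conf = directives(vhost_conf)
    # DNS names are case-insensitive and ServerName may carry a :port suffix.
    server = conf.get("ServerName", "").split(":")[0].lower()
    path = conf.get("MellonEndpointPath", "/mellon")
    problems = []
    if urlparse(root.get("entityID")).hostname != server:
        problems.append(f"entityID host does not match ServerName {server!r}")
    for tag, suffix in (("AssertionConsumerService", "/postResponse"), ("SingleLogoutService", "/logout")):
        for ep in root.iter(MD + tag):
            loc = urlparse(ep.get("Location"))
            if (loc.scheme, loc.hostname, loc.path) != ("https", server, path + suffix):
                problems.append(f"{tag} Location {ep.get('Location')!r} != https://{server}{path}{suffix}")
    if root.find(MD + "SPSSODescriptor").get("AuthnRequestsSigned") == "true" and "MellonSPPrivateKeyFile" not in conf:
        problems.append("AuthnRequestsSigned=true but no MellonSPPrivateKeyFile is set")
    return problems
```

Feed it the real metadata file and the vhost's `<Location />` block to confirm the SP's advertised endpoints are the ones httpd actually serves before looking further down the chain.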
thijskh commented Oct 14, 2024

If you get "Secure Connection Failed", your browser tells you it will not connect to the site. Your browser (either the message screen itself and/or the debug toolbar) will be able to supply the exact detail of why the connection fails. It's unlikely that mellon is the direct cause of this.
