Yubico Forum

We would appreciate if you can provide us the following information:

1) Operating system details like Linux or Windows, version number etc.
2) Web Server details like Apache or IIS, version number etc.
3) PHP details like version number
5) Database details like version number of MySQL

I've installed the server on both Ubuntu Server 9.10 64-bit using Apache 2.2.14 and Windows Server 2008 R2 using IIS 7.5, both are using PHP version 5.2.12. The Linux machine is running MySQL Community Server version 5.1.42, the Windows machine is currently using the Filesystem (will be changing to the same version of MySQL at a later point in time).

I'm having the same issue on both machines.

We successfully installed Yubico OpenID server in our environment on Ubuntu server 9.10. Depending on our observation, the error you are getting seems be due to certificate error. It seems that you are using self signed certificates. If you use self signed certificate, OpenID enabled application seems to reject the OpenID server.

We would appreciate if you can confirm the followings:

1) Are you using self signed certificates?
2) Are you able to successfully use your hosted Yubico openid server in case you use identifier in http?
3) Are you facing this problem only when you use https in identifier?

We would also appreciate if you can use Yubico hosted OpenID server available at https://openid.yubico.com and try again.

You were correct about the Self Signed Certificates, we're now using certificates signed by CACert.org, the Linux server works flawlessly with both HTTP and HTTPS identifiers.

We're still having issues with the Windows Server, however. I've tried using the Yubico hosted OpenID Server, the consumer on the Windows machine still doesn't like the HTTPS identifier (the Linux machine will accept it from your hosted server as well, however). HTTP identifiers do work on the Windows machine.

For the record we've also changed the Windows server to use MySQL Community Server version 5.1.42 rather than the Filesystem.

From the information provided by you, it seems that the CACert certificate authority is not added to the trusted root certificate authorities in web browsers running on your Windows box. CACert is not present in the default list of trusted root certificate authorities in IE 8 and FireFox 3.5.7.

As the identifier is correctly working with http, it seems that this is not an issue with the Yubico OpenID server. As identifier is not working only with https, it seems to be some sort of certificate issue.

If it's a certificate issue on my end then should an HTTPS identifer provided by your own server @ https://openid.yubico.com still work since it would be dealing with your certificate?

Even while using self-signed certificates the Linux machine still had no issues with HTTPS identifiers from other OpenID providers.

It would be helpful if you can provide us following information:

1) The application for which you are trying to configure Yubico OpenID based authentication
2) Are you able to login to your application when you use other OpenID providers using both http and https identifiers?
3) Are you able to login to your application when you use online Yubico OpenID server (openid.yubico.com) from a Linux machine using both http and https identifiers?
4) Are you able to login to your application when you use your locally hosted Yubico OpenID server from a Linux machine using both http and https identifiers?
5) Are you able to login to your application when you use online Yubico OpenID server (openid.yubico.com) from a Windows machine using both http and https identifiers?
6) Are you able to login to your application when you use your locally hosted Yubico OpenID server from a Windows machine using both http and https identifiers?

Along with the above information, please send us the exact error messages you are getting while using the Yubico OpenID server (online and locally hosted).

Along with the above information, please send us the exact error messages you are getting while using the Yubico OpenID server (online and locally hosted).[/quote]

1) Currently we are testing it using the example consumer page which was packaged with the server. Eventually the server will be used to authenticate to a secure web server.
2) On the Windows server HTTP identifiers from other providers work, HTTPS identifiers do not. On the Linux server both HTTP and HTTPS identifiers work from other providers.
3) Yes, using the Linux machine, the HTTP and HTTPS identifiers from the Yubico OpenID server (openid.yubico.com) both work.
4) Yes, using the Linux machine, the HTTP and HTTPS identifiers from our locally hosted Yubico OpenID server both work.
5) No, using the Windows machine, the HTTP identifier provided by the Yubico OpenID server (openid.yubico.com) works, the HTTPS identifier does not.
6) No, using the Windows machine, the HTTP identifier provided by our locally hosted Yubico OpenID server works, the HTTPS identifier does not.

We get the same error message regardless of provider (your own (openid.yubico.com), someone elses, or locally hosted). It is as follows:

Yubico development team has recently updated it's OpenID server. The latest source code of the updated OpenID server can be downloaded from the following link:

http://code.google.com/p/yubico-openid-server/

Please use the updated OpenID server and try again.