Problem:
After a letsencrypt update the SSO login was no longer possible. The IdP metadata could not be downloaded via https, but the same download via http still worked.
Investigation:
Fetching the IdP metadata over https fails:
curl https://ucs-sso.schein.me/simplesamlphp/saml2/idp/metadata.php
The same request over http (same URL with http instead of https) succeeds.
Environment:
- Letsencrypt update to version 1.2.2-6 comes with a new configuration concept: https://forge.univention.org/bugzilla/show_bug.cgi?id=48204
- Modified templates for /etc/apache2/sites-enabled/default-ssl.conf
- Configured redirect for the portal URL to use SAML. The portal is configured on a slave server.
Solution:
The redirect must be configured in a location that the letsencrypt vhost configuration includes, so that it is picked up by the regenerated vhost:
cat /etc/apache2/ucs-sites.conf.d/saml-redirect.conf
ProxyPass /simplesamlphp/ https://master.schein.me/simplesamlphp/ retry=0
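Added example, not part of the original post: a small POSIX shell check that confirms the ProxyPass for /simplesamlphp/ sits in a directory the SSL vhost actually includes, which is the condition the fix above establishes. The Include directive in the vhost, the hostname master.example.test and the temporary directory layout are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that the SAML
# ProxyPass is placed where the SSL vhost includes it. The Include directive,
# the master hostname and the directory layout below are assumptions.

# check_saml_proxy VHOST CONFDIR
# 0: VHOST includes "CONFDIR/*.conf" and one of those files proxies
#    /simplesamlphp/ over https; 1: the Include is missing from VHOST;
#    2: no included file carries the ProxyPass.
check_saml_proxy() {
    vhost="$1"
    confdir="$2"
    grep -Eq "^[[:space:]]*Include[[:space:]]+${confdir}/\*\.conf" "$vhost" || return 1
    # -s hides "no such file" when the directory holds no *.conf yet.
    grep -Eqs '^[[:space:]]*ProxyPass[[:space:]]+/simplesamlphp/[[:space:]]+https://' \
        "$confdir"/*.conf || return 2
    return 0
}

# Constructed demonstration: the ProxyPass first lives next to the vhost
# file (not included, as before the fix), then inside ucs-sites.conf.d.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/ucs-sites.conf.d"
    printf '<VirtualHost *:443>\n    Include %s/ucs-sites.conf.d/*.conf\n</VirtualHost>\n' \
        "$root" > "$root/default-ssl.conf"
    echo 'ProxyPass /simplesamlphp/ https://master.example.test/simplesamlphp/ retry=0' \
        > "$root/saml-redirect.conf"
    before=0
    check_saml_proxy "$root/default-ssl.conf" "$root/ucs-sites.conf.d" || before=$?
    mv "$root/saml-redirect.conf" "$root/ucs-sites.conf.d/saml-redirect.conf"
    after=0
    check_saml_proxy "$root/default-ssl.conf" "$root/ucs-sites.conf.d" || after=$?
    rm -rf "$root"
    echo "before=$before after=$after"   # before=2 after=0
}

demo
```

On a real server, pass /etc/apache2/sites-enabled/default-ssl.conf and /etc/apache2/ucs-sites.conf.d as the two arguments.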