Updated by Michael Pietsch almost 4 years ago
### **Environment**:
Your OpenProject Version: 11.1.1 on Debian 10
### **Logs**
```text
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: OpenSSL::X509::CertificateError (nested asn1 error):
Jan 08 18:37:42 openproject openproject-web-1.service[35267]:
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: ruby-saml (1.11.0) lib/onelogin/ruby-saml/settings.rb:192:in `initialize'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: ruby-saml (1.11.0) lib/onelogin/ruby-saml/settings.rb:192:in `new'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: ruby-saml (1.11.0) lib/onelogin/ruby-saml/settings.rb:192:in `get_sp_cert'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: ruby-saml (1.11.0) lib/onelogin/ruby-saml/metadata.rb:37:in `generate'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: omniauth-saml (1.10.3) lib/omniauth/strategies/saml.rb:250:in `block in other_phase_for_metadata'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: omniauth-saml (1.10.3) lib/omniauth/strategies/saml.rb:218:in `with_settings'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: omniauth-saml (1.10.3) lib/omniauth/strategies/saml.rb:244:in `other_phase_for_metadata'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: omniauth-saml (1.10.3) lib/omniauth/strategies/saml.rb:77:in `other_phase'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: omniauth (fe862f986b2e) lib/omniauth/strategy.rb:190:in `call!'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: omniauth (fe862f986b2e) lib/omniauth/strategy.rb:169:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: omniauth (fe862f986b2e) lib/omniauth/builder.rb:64:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: rack-attack (6.3.1) lib/rack/attack.rb:97:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: rack (2.2.3) lib/rack/tempfile_reaper.rb:15:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: rack-attack (6.3.1) lib/rack/attack.rb:111:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: rack (2.2.3) lib/rack/tempfile_reaper.rb:15:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: rack (2.2.3) lib/rack/etag.rb:27:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: rack (2.2.3) lib/rack/deflater.rb:44:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: rack (2.2.3) lib/rack/conditional_get.rb:27:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: rack (2.2.3) lib/rack/head.rb:12:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: actionpack (6.0.3.4) lib/action_dispatch/http/content_security_policy.rb:18:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: rack (2.2.3) lib/rack/session/abstract/id.rb:266:in `context'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: rack (2.2.3) lib/rack/session/abstract/id.rb:260:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: actionpack (6.0.3.4) lib/action_dispatch/middleware/cookies.rb:648:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: actionpack (6.0.3.4) lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: activesupport (6.0.3.4) lib/active_support/callbacks.rb:101:in `run_callbacks'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: actionpack (6.0.3.4) lib/action_dispatch/middleware/callbacks.rb:26:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: actionpack (6.0.3.4) lib/action_dispatch/middleware/actionable_exceptions.rb:18:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: actionpack (6.0.3.4) lib/action_dispatch/middleware/debug_exceptions.rb:32:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: actionpack (6.0.3.4) lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: rack-cors (1.1.1) lib/rack/cors.rb:100:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: lograge (0.11.2) lib/lograge/rails_ext/rack/logger.rb:15:in `call_app'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: railties (6.0.3.4) lib/rails/rack/logger.rb:26:in `block in call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: activesupport (6.0.3.4) lib/active_support/tagged_logging.rb:80:in `block in tagged'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: activesupport (6.0.3.4) lib/active_support/tagged_logging.rb:28:in `tagged'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: activesupport (6.0.3.4) lib/active_support/tagged_logging.rb:80:in `tagged'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: railties (6.0.3.4) lib/rails/rack/logger.rb:26:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: sprockets-rails (3.2.2) lib/sprockets/rails/quiet_assets.rb:13:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: actionpack (6.0.3.4) lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: request_store (1.5.0) lib/request_store/middleware.rb:19:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: actionpack (6.0.3.4) lib/action_dispatch/middleware/request_id.rb:27:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: rack (2.2.3) lib/rack/method_override.rb:24:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: rack (2.2.3) lib/rack/runtime.rb:22:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: activesupport (6.0.3.4) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: actionpack (6.0.3.4) lib/action_dispatch/middleware/executor.rb:14:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: actionpack (6.0.3.4) lib/action_dispatch/middleware/static.rb:126:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: rack (2.2.3) lib/rack/sendfile.rb:110:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: actionpack (6.0.3.4) lib/action_dispatch/middleware/ssl.rb:74:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: actionpack (6.0.3.4) lib/action_dispatch/middleware/host_authorization.rb:76:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: secure_headers (6.3.1) lib/secure_headers/middleware.rb:11:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: railties (6.0.3.4) lib/rails/engine.rb:527:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: railties (6.0.3.4) lib/rails/railtie.rb:190:in `public_send'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: railties (6.0.3.4) lib/rails/railtie.rb:190:in `method_missing'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: rack-protection (2.1.0) lib/rack/protection/frame_options.rb:31:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: rack-protection (2.1.0) lib/rack/protection/json_csrf.rb:26:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: rack (2.2.3) lib/rack/urlmap.rb:74:in `block in call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: rack (2.2.3) lib/rack/urlmap.rb:58:in `each'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: rack (2.2.3) lib/rack/urlmap.rb:58:in `call'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: unicorn (5.7.0) lib/unicorn/http_server.rb:632:in `process_client'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: unicorn-worker-killer (0.4.4) lib/unicorn/worker_killer.rb:92:in `process_client'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: unicorn-worker-killer (0.4.4) lib/unicorn/worker_killer.rb:52:in `process_client'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: unicorn (5.7.0) lib/unicorn/http_server.rb:728:in `worker_loop'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: unicorn (5.7.0) lib/unicorn/http_server.rb:548:in `spawn_missing_workers'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: unicorn (5.7.0) lib/unicorn/http_server.rb:144:in `start'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: unicorn (5.7.0) bin/unicorn:128:in `<top (required)>'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: vendor/bundle/ruby/2.7.0/bin/unicorn:23:in `load'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: vendor/bundle/ruby/2.7.0/bin/unicorn:23:in `<top (required)>'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: vendor/ruby-2.7.1/lib/ruby/2.7.0/bundler/cli/exec.rb:63:in `load'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: vendor/ruby-2.7.1/lib/ruby/2.7.0/bundler/cli/exec.rb:63:in `kernel_load'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: vendor/ruby-2.7.1/lib/ruby/2.7.0/bundler/cli/exec.rb:28:in `run'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: vendor/ruby-2.7.1/lib/ruby/2.7.0/bundler/cli.rb:476:in `exec'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: vendor/ruby-2.7.1/lib/ruby/2.7.0/bundler/vendor/thor/lib/thor/command.rb:27:in `run'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: vendor/ruby-2.7.1/lib/ruby/2.7.0/bundler/vendor/thor/lib/thor/invocation.rb:127:in `invoke_command'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: vendor/ruby-2.7.1/lib/ruby/2.7.0/bundler/vendor/thor/lib/thor.rb:399:in `dispatch'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: vendor/ruby-2.7.1/lib/ruby/2.7.0/bundler/cli.rb:30:in `dispatch'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: vendor/ruby-2.7.1/lib/ruby/2.7.0/bundler/vendor/thor/lib/thor/base.rb:476:in `start'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: vendor/ruby-2.7.1/lib/ruby/2.7.0/bundler/cli.rb:24:in `start'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: bundler (2.1.4) libexec/bundle:46:in `block in <top (required)>'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: vendor/ruby-2.7.1/lib/ruby/2.7.0/bundler/friendly_errors.rb:123:in `with_friendly_errors'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: bundler (2.1.4) libexec/bundle:34:in `<top (required)>'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: bin/bundle:104:in `load'
Jan 08 18:37:42 openproject openproject-web-1.service[35267]: bin/bundle:104:in `<main>'
```
### **Steps to reproduce:**
1. Configure SAML with `certificate` and `private_key` and have line breaks in the PEM format represented by `\n` as shown at [https://docs.openproject.org/system-admin-guide/authentication/saml/](https://docs.openproject.org/system-admin-guide/authentication/saml/)
```text
security: {
  authn_requests_signed: true,
  logout_responses_signed: true,
  logout_requests_signed: true,
  want_assertions_signed: true,
  want_assertions_encrypted: true,
  signature_method: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
  digest_method: 'http://www.w3.org/2001/04/xmlenc#sha256',
}
```
2. Try to access SAML metadata at `https://<your openproject host>/auth/saml/metadata`

It works if you leave out the `\n` and completely ignore line breaks when defining the `certificate` and `private_key`, e.g. instead of
```text
certificate: "-----BEGIN CERTIFICATE-----\nMIIFVzCCBD+gAwIBAgISA9kbVrNYJfQHRCHhKUBUSnSJMA0GCSqGSIb3DQEBCwUA\nMEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD\n....WOxpWYuBsBXbfxXmm/4Ppqhlm8pnScvd0vKo\n-----END CERTIFICATE-----"
```
You have to enter the certificate without line breaks
```text
certificate : "-----BEGIN CERTIFICATE-----MIIFVzCCBD+gAwIBAgISA9kbVrNYJfQHRCHhKUBUSnSJMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD....WOxpWYuBsBXbfxXmm/4Ppqhlm8pnScvd0vKo-----END CERTIFICATE-----"
```
So either the docs have to be adjusted or the parsing needs to be fixed
### **Actual Behavior**
500 error and above errors are logged
### **Expected Behavior**
It should parse the certificate correctly
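
The failure in this report, reproduced outside OpenProject as an added example (not code from the report, OpenProject or ruby-saml). It assumes the configured value reached OpenSSL containing the two characters backslash and `n` instead of real line feeds, which the report does not confirm; `normalize_pem`, `raw_parse_ok?`, `variants` and the throwaway self-signed certificate are constructed for illustration.

```ruby
require 'openssl'

# Matches one PEM block of any label (CERTIFICATE, RSA PRIVATE KEY, ...).
PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----/m
BASE64_BODY = %r{\A[A-Za-z0-9+/]+={0,2}\z}

# Hypothetical helper: rebuild a canonical PEM block (64-column body, real
# line feeds) from a value that may carry literal "\n" escapes, real
# newlines, or no line breaks at all. Rejects anything that is not base64.
def normalize_pem(value)
  # Single-quoted '\n' is backslash + n, i.e. the unexpanded escape.
  text = value.to_s.gsub('\r', '').gsub('\n', "\n")
  match = PEM_BLOCK.match(text)
  raise ArgumentError, 'no PEM block found' unless match

  label = match[1]
  body = match[2].gsub(/\s+/, '')
  raise ArgumentError, 'PEM body is not base64' unless BASE64_BODY.match?(body)

  "-----BEGIN #{label}-----\n#{body.scan(/.{1,64}/).join("\n")}\n-----END #{label}-----\n"
end

# True when OpenSSL accepts the string exactly as given.
def raw_parse_ok?(pem)
  OpenSSL::X509::Certificate.new(pem)
  true
rescue OpenSSL::X509::CertificateError
  false
end

# Constructed sample input: a short-lived self-signed certificate.
def constructed_cert_pem
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=sp.example.test')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# The three spellings discussed in the report, derived from one certificate.
def variants(pem)
  {
    real_newlines: pem,
    literal_backslash_n: pem.strip.gsub("\n") { '\n' },
    no_line_breaks: pem.delete("\n")
  }
end

if __FILE__ == $PROGRAM_NAME
  variants(constructed_cert_pem).each do |name, text|
    fixed = OpenSSL::X509::Certificate.new(normalize_pem(text))
    puts format('%-20s raw parse ok: %-5s normalized subject: %s',
                name, raw_parse_ok?(text), fixed.subject)
  end
end
```

Normalizing and validating the value at configuration load time turns a 500 on `/auth/saml/metadata` into an error at startup that names the bad setting.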