Cannot complete login process
After entering my user name and password into the CAS login form, CAS redirects me to my site with the following error, and I cannot complete login:
Warning: Cannot modify header information – headers already sent by (output started at /home/domain/wp-content/plugins/authorizer/vendor/phpCAS-1.3.6/source/CAS/Client.php:80) in /home/domain/wp-content/plugins/authorizer/vendor/phpCAS-1.3.6/source/CAS/Client.php on line 1695
Sounds like you either have WP_DEBUG_DISPLAY turned on, and it’s echoing something to the client before the CAS response has completed, or you have theme or plugin code that unintentionally echoes whitespace. See this for details:
https://premium.wpmudev.org/blog/fixing-cannot-modify-header-error/

Yes, I turned on WP_DEBUG_DISPLAY so that I could see any errors. I have about ten different sites that are using Authorizer, and as of this morning, I cannot log into any of those sites with Authorizer. They all use different themes and have a mix of plugins, and they all return the same error (in the text below, [domain] replaces the name of the actual folder):
———–START————–
CAS Authentication failed! You were not authenticated.
You may submit your request again by clicking here.
If the problem persists, you may contact the administrator of this site.
Warning: Cannot modify header information – headers already sent by (output started at /home/[domain]/references/wp-content/plugins/authorizer/vendor/phpCAS-1.3.6/source/CAS/Client.php:80) in /home/[domain]/references/wp-content/plugins/authorizer/vendor/phpCAS-1.3.6/source/CAS/Client.php on line 1695
CAS logout wanted!
You should already have been redirected to the CAS server. Click here to continue.
———-END—————–
The site I am using to test and find a fix is https://testsite.ufordh.am/references. It has only one plugin (Authorizer) and uses a default WordPress theme (Twenty Twenty), PHP 7.3, Apache 2.2.
I can successfully authenticate and log into my non-WordPress apps using phpCAS, which are on the same server as my WordPress apps where I am using Authorizer.
Don’t use WP_DEBUG_DISPLAY; look at the server logs instead. Echoing the errors to the client causes the problem you are seeing. If anything has been echoed before PHP writes HTTP headers with header(), then you see that message.
https://www.php.net/manual/en/function.header.php

Paul,
WP_DEBUG_DISPLAY is set to false
The WordPress Dashboard for Authorizer shows:
Authorizer Settings
Can’t reach CAS server. Please provide accurate CAS settings if you intend to use it.

None of the CAS settings for any of my WordPress sites have changed in the last few years, and I can successfully authenticate and log in with the same settings with my non-WordPress sites on the same server.
The error log shows:
[Wed Jun 03 00:05:51 2020] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Jun 03 00:07:07 2020] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

Additional error info:
[Wed Jun 03 06:55:32 2020] [warn] [client 173.56.121.24] mod_fcgid: stderr: CAS server returned an Authentication Exception. Details:, referer: https://loginp.fordham.edu/cas/login?service=https%3A%2F%2Ftestsite.ufordh.am%2Freferences%2Fwp-login.php%3Fexternal%3Dcas%26redirect_to%3Dhttps%253A%252F%252Ftestsite.ufordh.am%252Freferences%252Fwp-admin%252F
[Wed Jun 03 06:55:32 2020] [warn] [client 173.56.121.24] mod_fcgid: stderr: CAS URL: https://loginp.fordham.edu/cas/samlValidate?TARGET=https%3A%2F%2Ftestsite.ufordh.am%2Freferences%2Fwp-login.php%3Fexternal%3Dcas%26redirect_to%3Dhttps%253A%252F%252Ftestsite.ufordh.am%252Freferences%252Fwp-admin%252F, referer: https://loginp.fordham.edu/cas/login?service=https%3A%2F%2Ftestsite.ufordh.am%2Freferences%2Fwp-login.php%3Fexternal%3Dcas%26redirect_to%3Dhttps%253A%252F%252Ftestsite.ufordh.am%252Freferences%252Fwp-admin%252F
[Wed Jun 03 06:55:32 2020] [warn] [client 173.56.121.24] mod_fcgid: stderr: Authentication failure: SA not validated, referer: https://loginp.fordham.edu/cas/login?service=https%3A%2F%2Ftestsite.ufordh.am%2Freferences%2Fwp-login.php%3Fexternal%3Dcas%26redirect_to%3Dhttps%253A%252F%252Ftestsite.ufordh.am%252Freferences%252Fwp-admin%252F
[Wed Jun 03 06:55:32 2020] [warn] [client 173.56.121.24] mod_fcgid: stderr: Reason: no response from the CAS server, referer: https://loginp.fordham.edu/cas/login?service=https%3A%2F%2Ftestsite.ufordh.am%2Freferences%2Fwp-login.php%3Fexternal%3Dcas%26redirect_to%3Dhttps%253A%252F%252Ftestsite.ufordh.am%252Freferences%252Fwp-admin%252F
[Wed Jun 03 06:55:32 2020] [warn] [client 173.56.121.24] mod_fcgid: stderr: PHP Warning: Cannot modify header information – headers already sent by (output started at ../wp-content/plugins/authorizer/vendor/phpCAS-1.3.6/source/CAS/Client.php:80) in ../wp-content/plugins/authorizer/vendor/phpCAS-1.3.6/source/CAS/Client.php on line 1695, referer: https://loginp.fordham.edu/cas/login?service=https%3A%2F%2Ftestsite.ufordh.am%2Freferences%2Fwp-login.php%3Fexternal%3Dcas%26redirect_to%3Dhttps%253A%252F%252Ftestsite.ufordh.am%252Freferences%252Fwp-admin%252F

Might be possible that OpenSSL on one of your servers is outdated, and falling victim to this:
https://www.cmu.edu/iso/service/cert-auth/addtrust.html

I know our university replaced SSL certs on our CAS server to remove the AddTrust root CA from the chain.
Paul,
With your help we were able to see what it is that is likely causing the problem, which is our OpenSSL version 1.0.1
Our hosting provider suggests an OS upgrade (Ubuntu v14 to v18), but in the meantime, I removed the AddTrust cert from the ca-bundle.crt in “/wp-includes/certificates/ca-bundle.crt”. This revision lets Authorizer connect to the CAS server and successfully authenticate.
We know this will get overwritten by future WP upgrades, but we needed a solution immediately until our ISP can permanently resolve.
Thank you so much.
Follow up question:
Please forgive my ignorance, but when you stated that your “university replaced SSL certs on our CAS server to remove the AddTrust root CA from the chain”, were you implying that if our CAS server has an AddTrust root CA in its cert chain and we remove it, then OpenSSL versions which are failing because of the expired root CA will succeed? Or is it more complicated than this?
Glad you isolated the problem! Updating the OS is probably the best long term strategy; Ubuntu 14.04 LTS is no longer supported so there are other security risks there too. Ubuntu 20.04 LTS is out now too, so that or 18.04 are both in active support.
Here’s our university’s language on their actions:
https://www.hawaii.edu/bwiki/pages/viewpage.action?pageId=721619543
Specifically: “ITS will be updating the intermediate InCommon certificates bundle”
I don’t think they replaced the SSL certs themselves, only the intermediates. In Apache, this is usually specified in SSLCertificateChainFile:
https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatechainfile

That said, I think your short-term fix (modifying WordPress’s ca-bundle.crt) should be fine. Historically, WordPress has only updated the bundle infrequently, so it’s unlikely to get overwritten in the near future.
https://github.com/WordPress/WordPress/commits/master/wp-includes/certificates/ca-bundle.crt
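Added example (not part of the thread, not the Authorizer plugin's code, and not what the poster ran): a small Go program that does mechanically what the poster did by hand in wp-includes/certificates/ca-bundle.crt. It walks a PEM trust bundle, drops every CERTIFICATE block whose notAfter date has passed, refuses to rewrite the bundle if any certificate fails to parse, and reports what it removed. It uses only the Go standard library. The two roots it operates on are constructed inline as stand-ins for the expired AddTrust External CA Root and the still-valid USERTrust RSA root; the stand-in names, their validity windows, the 2020-06-03 "now", and the function names are assumptions made for this example, not taken from the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// PruneExpired walks a PEM trust bundle and drops every CERTIFICATE block whose
// NotAfter is earlier than now. Non-certificate PEM blocks are passed through
// unchanged. A certificate that cannot be parsed aborts the run rather than being
// silently kept or dropped: a trust store should never be rewritten blind.
// It returns the pruned bundle and the Common Names of the removed certificates.
func PruneExpired(bundle []byte, now time.Time) ([]byte, []string, error) {
	var out []byte
	var dropped []string
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break // no more PEM blocks in the bundle
		}
		if block.Type == "CERTIFICATE" {
			cert, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				return nil, nil, fmt.Errorf("unparsable certificate in bundle: %w", err)
			}
			if now.After(cert.NotAfter) {
				dropped = append(dropped, cert.Subject.CommonName)
				continue // expired: leave it out of the new bundle
			}
		}
		out = append(out, pem.EncodeToMemory(block)...)
	}
	return out, dropped, nil
}

// selfSignedCA builds a self-signed CA certificate with the given validity window.
// It exists only to construct sample input for this example; a real bundle comes
// from the OS (ca-certificates) or from wp-includes/certificates/ca-bundle.crt.
func selfSignedCA(serial int64, cn string, notBefore, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// Names of the two constructed stand-in roots (assumed for this example).
const (
	ExpiredRootCN = "Constructed stand-in for AddTrust External CA Root"
	ValidRootCN   = "Constructed stand-in for USERTrust RSA Certification Authority"
)

// SampleBundle mirrors the situation in the thread: a root that expired on
// 2020-05-30 sits next to one that stays valid for years. Constructed sample data.
func SampleBundle() []byte {
	expired := selfSignedCA(1, ExpiredRootCN,
		time.Date(2000, 5, 30, 10, 48, 38, 0, time.UTC),
		time.Date(2020, 5, 30, 10, 48, 38, 0, time.UTC))
	valid := selfSignedCA(2, ValidRootCN,
		time.Date(2010, 2, 1, 0, 0, 0, 0, time.UTC),
		time.Date(2038, 1, 18, 23, 59, 59, 0, time.UTC))
	return append(expired, valid...)
}

func main() {
	// The thread's date: a few days after the AddTrust root expired (assumed).
	now := time.Date(2020, 6, 3, 0, 0, 0, 0, time.UTC)
	bundle := SampleBundle()
	pruned, dropped, err := PruneExpired(bundle, now)
	if err != nil {
		panic(err)
	}
	fmt.Printf("bundle: %d bytes in, %d bytes out\n", len(bundle), len(pruned))
	for _, cn := range dropped {
		fmt.Printf("dropped expired root: %s\n", cn)
	}
}
```

To use it on a real bundle, read the file into PruneExpired and write the result to a new file, keeping the original alongside it. Two caveats that follow from the thread: removing the expired root only helps if a non-expired anchor for the CAS server's chain (in the AddTrust case, the USERTrust RSA root) is still present in the bundle, and a WordPress release that ships a new ca-bundle.crt will replace the edited file, so the pruning has to be repeated or the OS upgraded as Paul suggests.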