The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.

CertificateVerifyFailed

This indicates that the peer (IdP) rejected the certificate the SP presented, but did so using a layer of code inside the Apache mod_ssl module. This should never happen unless the IdP is wrongly configured by allowing mod_ssl to validate the certificate. You need to make sure the SSLVerifyClient option is set to "optional_no_ca".

If you think it is set, you're either wrong, or the certificate violated a built-in requirement that mod_ssl refuses to disable, and you should upgrade to a newer Apache version.

You may also consider running the IdP without Apache, which is now supported and documented.