Re: [gt-user] simpleCA - question.

Fri, 10 Aug 2007 14:00:41 -0700

Following are the quotes of the error when I am testing it using curl commad:
lucky0:/homes/sulakhe/apache/conf> curl -v --cert $HOME/.globus/ usercert.pem --key $HOME/.globus/userkey.pem --capath $GLOBUS_LOCATION/share/certificates https://lucky0.mcs.anl.gov 

* About to connect() to lucky0.mcs.anl.gov port 443
* Connected to lucky0.mcs.anl.gov (140.221.36.30) port 443
Enter PEM pass phrase:
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/curl/curl-ca-bundle.crt
  CApath: /homes/sulakhe/globus/share/certificates
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:

*        subject: /O=Grid/OU=GlobusTest/OU=simpleCA- 
lucky0.mcs.anl.gov/CN=host/lucky0.mcs.anl.gov

*        start date: 2007-07-30 18:14:31 GMT
*        expire date: 2008-07-29 18:14:31 GMT

* SSL: certificate subject name 'host/lucky0.mcs.anl.gov' does not  
match target host name 'lucky0.mcs.anl.gov'

* Closing connection #0

curl: (51) SSL: certificate subject name 'host/lucky0.mcs.anl.gov'  
does not match target host name 'lucky0.mcs.anl.gov'






On Aug 10, 2007, at 3:38 PM, Charles Bacon wrote:


Actual quotes of the error message are typically useful in this  
situation.


-c

On Aug 10, 2007, at 3:34 PM, Dinanath Sulakhe wrote:


I am using this hostcert with an apache instance for  
authentication and it was failing. I was getting an error message  
saying the hostname doesn't match.


-Dina

On Aug 10, 2007, at 2:13 PM, Joseph Bester wrote:


On Aug 10, 2007, at 2:21 PM, Dinanath Sulakhe wrote:


Hi,


I am doing some testing on lucky cluster and I ran into a  
problem while using simple CA. When I generated a host  
certificate for lucky0:


grid-cert-request -host lucky0.mcs.anl.gov

the Subject line in the generated cert looks something like this:


Subject: O=Grid, OU=GlobusTest, OU=simpleCA-lucky0.mcs.anl.gov,  
OU=mcs.anl.gov, CN=host/lucky0.mcs.anl.gov



It adds "host" before the hostname for the CN, and I had  
authentication problems because of this. Is this default  
behavior intentional or do you guys think it should only have  
hostname without "host/" ?  I could change this behavior by  
explicitly adding the CN flag while generating the host cert:





That is normal, and should be handled fine by clients which are  
using host-based authorization. Did you have an app that wasn't  
working because of this name?


joe





























					Reply via email to