On Wednesday, 12.09.2007, at 10:09 -0500, Charles Bacon wrote:
> On Sep 12, 2007, at 9:53 AM, Fabian Lueghausen wrote:
>
> > The grid-proxy-init on client side is okay:
>
> Okay. Can you "ls /home/fabian/globus-4.0.5/etc/grid-security/certificates" for me?
[EMAIL PROTECTED] ~]$ ls -1 /home/fabian/globus-4.0.5/etc/grid-security/certificates/
1254a8e9.0
1254a8e9.signing_policy
fdd18892.0
fdd18892.signing_policy
globus-host-ssl.conf.fdd18892
globus-user-ssl.conf.fdd18892
grid-security.conf.1254a8e9
grid-security.conf.fdd18892
While 1254a8e9 is the hash of
'O=Grid,OU=GlobusTest,OU=simpleCA-ingrid.scai.fraunhofer.de,CN=host/ingrid.scai.fraunhofer.de'
and fdd18892 the hash of
'/O=Grid/OU=GlobusTest/OU=simpleCA-mertens.scai.fraunhofer.de/CN=Globus Simple CA'.
>
> > The CA I'm using on client side is the same CA installed on server
> > side.
>
> Can you run grid-proxy-init -verify -debug on the server, and ls the
> Trusted CA directory on that machine?
>
[EMAIL PROTECTED] SafetyHelloWorld]# grid-proxy-init -verify -debug
User Cert File: /root/.globus/usercert.pem
User Key File: /root/.globus/userkey.pem
Trusted CA Cert Dir: /etc/grid-security/certificates
Output File: /tmp/x509up_u0
Your identity: /O=Grid/OU=GlobusTest/OU=simpleCA-mertens.scai.fraunhofer.de/OU=scai.fraunhofer.de/CN=root
Enter GRID pass phrase for this identity:
Creating proxy .......++++++++++++
........++++++++++++
Done
Proxy Verify OK
Your proxy is valid until: Thu Sep 13 05:27:19 2007
> It sounds like your server is using one CA, and your client another.
> The client trusts itself, so the -verify -debug works. It doesn't
> trust the one in use by the server, so it fails. When you run it on
> the server itself, you're getting the server's trusted CA set, so it
> works again.
>
> You can fix this by checking all of your certs (usercert, hostcert,
> containercert) with openssl x509 -issuer and replacing whichever ones
> are using the CA from (*) in your counter-client example. Or you can
> just add the server's CA to your client's certificates directory so
> your client will trust it.
>
I already installed the "ingrid ca" at mertens:
[EMAIL PROTECTED] ~]$ grid-default-ca
The available CA configurations installed on this host are:
Directory: /home/fabian/globus-4.0.5/etc/grid-security/certificates
1) 1254a8e9 - /O=Grid/OU=GlobusTest/OU=simpleCA-ingrid.scai.fraunhofer.de/CN=Globus Simple CA
2) fdd18892 - /O=Grid/OU=GlobusTest/OU=simpleCA-mertens.scai.fraunhofer.de/CN=Globus Simple CA
Directory: /home/fabian/globus-4.0.5/share/certificates
3) fdd18892 - /O=Grid/OU=GlobusTest/OU=simpleCA-mertens.scai.fraunhofer.de/CN=Globus Simple CA
The default CA is: /O=Grid/OU=GlobusTest/OU=simpleCA-ingrid.scai.fraunhofer.de/CN=Globus Simple CA
Location: /home/fabian/globus-4.0.5/etc/grid-security/certificates/1254a8e9.0
So the server should trust me I think. But he doesn't and I don't know
why...
Fabian
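
The check suggested in the quoted reply (read each certificate's issuer with openssl and compare it with the trusted CA directory), written out as an added example that is not part of the original thread. The function names and the script name are hypothetical; it assumes the layout shown in the listings above, where each trusted CA has a `<hash>.0` file with a `<hash>.signing_policy` beside it, and CA_DIR would be a directory such as /etc/grid-security/certificates on the machine being checked.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# Print the issuer hash of a PEM certificate in both OpenSSL styles.
# Globus 4.0.x-era CA directories use the pre-1.0.0 hash, which
# OpenSSL >= 1.0.0 prints with -issuer_hash_old.
issuer_hashes() {
    openssl x509 -in "$1" -noout -issuer_hash_old 2>/dev/null || true
    openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null || true
}

# ca_status HASH DIR
#   0: CA certificate and signing policy present
#   1: CA certificate present, signing policy missing
#   2: CA not in this directory
ca_status() {
    [ -f "$2/$1.0" ] || return 2
    [ -f "$2/$1.signing_policy" ] || return 1
    return 0
}

# check_cert CERT DIR: print a verdict and exit with the best ca_status code.
# The body is a subshell, so its variables stay local.
check_cert() (
    best=2; best_hash=none
    for h in $(issuer_hashes "$1"); do
        rc=0; ca_status "$h" "$2" || rc=$?
        if [ "$rc" -lt "$best" ]; then best=$rc; best_hash=$h; fi
    done
    case $best in
        0) echo "TRUSTED   $1 issuer_hash=$best_hash" ;;
        1) echo "NO_POLICY $1 issuer_hash=$best_hash" ;;
        *) echo "UNTRUSTED $1 (no issuer CA file in $2)" ;;
    esac
    exit "$best"
)

# Usage: sh check_issuers.sh CA_DIR CERT...
if [ "$#" -ge 2 ]; then
    dir=$1; shift; status=0
    for cert in "$@"; do
        openssl x509 -in "$cert" -noout -issuer || true
        check_cert "$cert" "$dir" || status=1
    done
    exit "$status"
fi
```

Run it on both the client and the server against each side's own trusted CA directory; a certificate reported UNTRUSTED on one side only points to the CA that side is missing.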