[EMAIL PROTECTED] ~]# ls -1 /etc/grid-security/certificates/

        1254a8e9.0
        1254a8e9.signing_policy
        fdd18892.0
        fdd18892.signing_policy
        globus-host-ssl.conf.1254a8e9
        globus-host-ssl.conf.fdd18892
        globus-user-ssl.conf.1254a8e9
        globus-user-ssl.conf.fdd18892
        grid-security.conf.1254a8e9
        grid-security.conf.fdd18892


[EMAIL PROTECTED] ~]# openssl x509 -in /etc/grid-security/containercert.pem -noout -issuer_hash

        1254a8e9


[EMAIL PROTECTED] ~]$ openssl x509 -in $GLOBUS_LOCATION/etc/grid-security/containercert.pem -noout -issuer_hash
        
        fdd18892


Another thought: what role does the grid-mapfile play here?
Is it necessary to have an entry like
        "/O=Grid/OU=GlobusTest/OU=simpleCA-mertens.scai.fraunhofer.de/OU=scai.fraunhofer.de/CN=root" root
in my local grid-mapfile?




On Wednesday, 12.09.2007, 10:48 -0500, Charles Bacon wrote:
> You say it's the server that doesn't trust you, but that's not what I  
> think is happening.  I think the client isn't trusting the server.   
> What's in /etc/grid-security/certificates on the server?  What does
> "openssl x509 -issuer_hash /etc/grid-security/containercert.pem -noout"
> say?
> 
> -c
> 
> On Sep 12, 2007, at 10:31 AM, Fabian Lueghausen wrote:
> 
> > On Wednesday, 12.09.2007, 10:09 -0500, Charles Bacon wrote:
> >> On Sep 12, 2007, at 9:53 AM, Fabian Lueghausen wrote:
> >>
> >>> The grid-proxy-init on client side is okay:
> >>
> >> Okay.  Can you
> >> "ls /home/fabian/globus-4.0.5/etc/grid-security/certificates" for me?
> >
> >         [EMAIL PROTECTED] ~]$ ls -1 /home/fabian/globus-4.0.5/etc/grid-security/certificates/
> >
> >          1254a8e9.0
> >          1254a8e9.signing_policy
> >          fdd18892.0
> >          fdd18892.signing_policy
> >          globus-host-ssl.conf.fdd18892
> >          globus-user-ssl.conf.fdd18892
> >          grid-security.conf.1254a8e9
> >          grid-security.conf.fdd18892
> >
> > While 1254a8e9 is the hash of
> > 'O=Grid,OU=GlobusTest,OU=simpleCA-ingrid.scai.fraunhofer.de,CN=host/ingrid.scai.fraunhofer.de'
> >
> > and fdd18892 the hash of
> > '/O=Grid/OU=GlobusTest/OU=simpleCA-mertens.scai.fraunhofer.de/CN=Globus Simple CA'.
> >
> >
> >>
> >>> The CA I'm using on client side is the same CA installed on server
> >>> side.
> >>
> >> Can you run grid-proxy-init -verify -debug on the server, and ls the
> >> Trusted CA directory on that machine?
> >>
> >
> >         [EMAIL PROTECTED] SafetyHelloWorld]# grid-proxy-init -verify -debug
> >
> >         User Cert File: /root/.globus/usercert.pem
> >         User Key File: /root/.globus/userkey.pem
> >
> >         Trusted CA Cert Dir: /etc/grid-security/certificates
> >
> >         Output File: /tmp/x509up_u0
> >         Your identity: /O=Grid/OU=GlobusTest/OU=simpleCA-mertens.scai.fraunhofer.de/OU=scai.fraunhofer.de/CN=root
> >         Enter GRID pass phrase for this identity:
> >         Creating proxy .......++++++++++++
> >         ........++++++++++++
> >          Done
> >         Proxy Verify OK
> >         Your proxy is valid until: Thu Sep 13 05:27:19 2007
> >
> >> It sounds like your server is using one CA, and your client another.
> >> The client trusts itself, so the -verify -debug works.  It doesn't
> >> trust the one in use by the server, so it fails.  When you run it on
> >> the server itself, you're getting the server's trusted CA set, so it
> >> works again.
> >>
> >> You can fix this by checking all of your certs (usercert, hostcert,
> >> containercert) with openssl x509 -issuer and replacing whichever ones
> >> are using the CA from (*) in your counter-client example.  Or you can
> >> just add the server's CA to your client's certificates directory so
> >> your client will trust it.
> >>
> >
> > I already installed the "ingrid ca" at mertens:
> >
> >         [EMAIL PROTECTED] ~]$ grid-default-ca
> >         The available CA configurations installed on this host are:
> >
> >         Directory: /home/fabian/globus-4.0.5/etc/grid-security/certificates
> >
> >         1) 1254a8e9 -  /O=Grid/OU=GlobusTest/OU=simpleCA-ingrid.scai.fraunhofer.de/CN=Globus Simple CA
> >         2) fdd18892 -  /O=Grid/OU=GlobusTest/OU=simpleCA-mertens.scai.fraunhofer.de/CN=Globus Simple CA
> >
> >         Directory: /home/fabian/globus-4.0.5/share/certificates
> >
> >         3) fdd18892 -  /O=Grid/OU=GlobusTest/OU=simpleCA-mertens.scai.fraunhofer.de/CN=Globus Simple CA
> >
> >
> >         The default CA is: /O=Grid/OU=GlobusTest/OU=simpleCA-ingrid.scai.fraunhofer.de/CN=Globus Simple CA
> >                  Location: /home/fabian/globus-4.0.5/etc/grid-security/certificates/1254a8e9.0
> >
> > So the server should trust me, I think. But it doesn't and I don't know
> > why...
> >
> >
> > Fabian
> >
> >
> >
> 
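
The check discussed in this thread (take each certificate's issuer hash and look for it in the trusted CA directory), as an added example that is not part of the original messages. The function names are hypothetical, and it assumes a CA counts as installed only when both the `<hash>.0` and `<hash>.signing_policy` files seen in the listings are present.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Usage: sh check-issuers.sh TRUSTED_CA_DIR CERT [CERT...]
# Run it on the client and on the server for usercert, hostcert and
# containercert, each against that machine's own trusted CA directory.

# ca_status DIR HASH: report whether the CA with this hash is installed.
# Assumption: both files from the listings must exist for the CA to be usable.
ca_status() {
    local dir="$1" ihash="$2"
    if [ ! -f "$dir/$ihash.0" ]; then
        echo "missing-ca-cert"
    elif [ ! -f "$dir/$ihash.signing_policy" ]; then
        echo "missing-signing-policy"
    else
        echo "trusted"
    fi
}

# issuer_hash CERT: the same openssl call used in the thread.
issuer_hash() {
    openssl x509 -in "$1" -noout -issuer_hash
}

# check_certs DIR CERT...: one line per certificate with issuer hash and status.
check_certs() {
    local dir="$1" cert ihash
    shift
    for cert in "$@"; do
        if ihash=$(issuer_hash "$cert" 2>/dev/null); then
            printf '%s: issuer %s -> %s\n' "$cert" "$ihash" "$(ca_status "$dir" "$ihash")"
        else
            printf '%s: could not read certificate\n' "$cert"
        fi
    done
}

# Only run when called with a directory and at least one certificate.
if [ "$#" -ge 2 ]; then
    check_certs "$@"
fi
```

A certificate whose line does not end in `trusted` on the peer's machine is one that peer cannot verify.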
