Can you md5sum the 1254a8e9.0 and fdd18892.0 on the two machines and
verify that they are the same?
Charles
On Sep 12, 2007, at 11:04 AM, Fabian Lueghausen wrote:
[EMAIL PROTECTED] ~]# ls -1 /etc/grid-security/certificates/
1254a8e9.0
1254a8e9.signing_policy
fdd18892.0
fdd18892.signing_policy
globus-host-ssl.conf.1254a8e9
globus-host-ssl.conf.fdd18892
globus-user-ssl.conf.1254a8e9
globus-user-ssl.conf.fdd18892
grid-security.conf.1254a8e9
grid-security.conf.fdd18892
[EMAIL PROTECTED] ~]# openssl x509 -in /etc/grid-security/containercert.pem -noout -issuer_hash
1254a8e9
[EMAIL PROTECTED] ~]$ openssl x509 -in $GLOBUS_LOCATION/etc/grid-security/containercert.pem -noout -issuer_hash
fdd18892
Another thought is: what role does the grid-mapfile play here?
Is it necessary to have an entry like
"/O=Grid/OU=GlobusTest/OU=simpleCA-mertens.scai.fraunhofer.de/OU=scai.fraunhofer.de/CN=root" root
in my local grid-mapfile?
On Wednesday, 12.09.2007, 10:48 -0500, Charles Bacon wrote:
You say it's the server that doesn't trust you, but that's not what I
think is happening. I think the client isn't trusting the server.
What's in /etc/grid-security/certificates on the server? What does
"openssl x509 -in /etc/grid-security/containercert.pem -noout -issuer_hash" say?
-c
On Sep 12, 2007, at 10:31 AM, Fabian Lueghausen wrote:
On Wednesday, 12.09.2007, 10:09 -0500, Charles Bacon wrote:
On Sep 12, 2007, at 9:53 AM, Fabian Lueghausen wrote:
The grid-proxy-init on client side is okay:
Okay. Can you "ls /home/fabian/globus-4.0.5/etc/grid-security/certificates" for me?
[EMAIL PROTECTED] ~]$ ls -1 /home/fabian/globus-4.0.5/etc/grid-security/certificates/
1254a8e9.0
1254a8e9.signing_policy
fdd18892.0
fdd18892.signing_policy
globus-host-ssl.conf.fdd18892
globus-user-ssl.conf.fdd18892
grid-security.conf.1254a8e9
grid-security.conf.fdd18892
While 1254a8e9 is the hash of
'O=Grid,OU=GlobusTest,OU=simpleCA-ingrid.scai.fraunhofer.de,CN=host/ingrid.scai.fraunhofer.de'
and fdd18892 the hash of
'/O=Grid/OU=GlobusTest/OU=simpleCA-mertens.scai.fraunhofer.de/CN=Globus Simple CA'.
The CA I'm using on the client side is the same CA installed on the server side.
Can you run grid-proxy-init -verify -debug on the server, and ls the
Trusted CA directory on that machine?
[EMAIL PROTECTED] SafetyHelloWorld]# grid-proxy-init -verify -debug
User Cert File: /root/.globus/usercert.pem
User Key File: /root/.globus/userkey.pem
Trusted CA Cert Dir: /etc/grid-security/certificates
Output File: /tmp/x509up_u0
Your identity: /O=Grid/OU=GlobusTest/OU=simpleCA-mertens.scai.fraunhofer.de/OU=scai.fraunhofer.de/CN=root
Enter GRID pass phrase for this identity:
Creating proxy .......++++++++++++
........++++++++++++
Done
Proxy Verify OK
Your proxy is valid until: Thu Sep 13 05:27:19 2007
It sounds like your server is using one CA, and your client another.
The client trusts itself, so the -verify -debug works. It doesn't
trust the one in use by the server, so it fails. When you run it on
the server itself, you're getting the server's trusted CA set, so it
works again.

You can fix this by checking all of your certs (usercert, hostcert,
containercert) with openssl x509 -issuer and replacing whichever ones
are using the CA from (*) in your counter-client example. Or you can
just add the server's CA to your client's certificates directory so
your client will trust it.
I already installed the "ingrid ca" at mertens:
[EMAIL PROTECTED] ~]$ grid-default-ca
The available CA configurations installed on this host are:
Directory: /home/fabian/globus-4.0.5/etc/grid-security/certificates
1) 1254a8e9 - /O=Grid/OU=GlobusTest/OU=simpleCA-ingrid.scai.fraunhofer.de/CN=Globus Simple CA
2) fdd18892 - /O=Grid/OU=GlobusTest/OU=simpleCA-mertens.scai.fraunhofer.de/CN=Globus Simple CA
Directory: /home/fabian/globus-4.0.5/share/certificates
3) fdd18892 - /O=Grid/OU=GlobusTest/OU=simpleCA-mertens.scai.fraunhofer.de/CN=Globus Simple CA
The default CA is: /O=Grid/OU=GlobusTest/OU=simpleCA-ingrid.scai.fraunhofer.de/CN=Globus Simple CA
Location: /home/fabian/globus-4.0.5/etc/grid-security/certificates/1254a8e9.0
So the server should trust me, I think. But it doesn't, and I don't know
why...
Fabian
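The diagnostic the thread walks through by hand (compute the issuer hash of the container certificate, look for the matching <hash>.0 file in the trusted-CA directory, then md5sum the CA files on both machines to confirm they are the same CA) is scripted below as an added example. It is not code from the thread or from the Globus Toolkit. It builds two throwaway "simple CAs" with the DNs quoted in the thread, issues a container certificate from one of them, and populates a server trust directory that holds both CAs and a client trust directory that holds only the other one, which reproduces the mismatch Charles describes. The file names, directory layout and the use of `openssl dgst -md5` in place of `md5sum` are assumptions of the example. One caveat a practitioner should keep in mind: OpenSSL 1.0.0 changed how `-subject_hash`/`-issuer_hash` are computed, so a certificates directory populated by an OpenSSL 0.9.x-era toolkit (as in this 2007 thread) must be checked with `-subject_hash_old`/`-issuer_hash_old` on a modern OpenSSL, otherwise the hash in the file name will not match even though the CA is correct.

```shell
#!/bin/sh
# Added example (not from the thread or Globus): reproduce the trusted-CA
# check with a throwaway CA setup. Requires the openssl command-line tool.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed "Globus Simple CA" stand-in. $1 = output prefix, $2 = subject DN.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -keyout "$1.key" -out "$1.pem" -subj "$2" 2>/dev/null
}

# Certificate signed by a CA. $1 = CA prefix, $2 = output prefix, $3 = subject DN.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
    -subj "$3" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.pem" 2>/dev/null
}

# Install a CA cert into a Globus-style trust dir as <subject_hash>.0
# (the .signing_policy file Globus also expects is out of scope here).
install_ca() { # $1 = CA pem, $2 = trust dir
  mkdir -p "$2"
  h=$(openssl x509 -in "$1" -noout -subject_hash)
  cp "$1" "$2/$h.0"
}

# The check from the thread: is <issuer_hash>.0 present in the trust dir,
# and does that file's subject hash really match (guards against a stale or
# misnamed file)? Prints the issuer hash; exit 0 = trusted, 1 = not trusted.
cert_trusted_by() { # $1 = cert pem, $2 = trust dir
  ih=$(openssl x509 -in "$1" -noout -issuer_hash)
  echo "$ih"
  ca="$2/$ih.0"
  [ -f "$ca" ] || return 1
  sh=$(openssl x509 -in "$ca" -noout -subject_hash)
  [ "$sh" = "$ih" ]
}

# Charles's md5sum request: do two trust dirs hold byte-identical *.0 files?
# Exit 0 only if every .0 file on either side exists on both and matches.
same_ca_set() { # $1 = dir A, $2 = dir B
  for f in "$1"/*.0 "$2"/*.0; do
    n=$(basename "$f")
    [ -f "$1/$n" ] && [ -f "$2/$n" ] || return 1
    a=$(openssl dgst -md5 < "$1/$n")
    b=$(openssl dgst -md5 < "$2/$n")
    [ "$a" = "$b" ] || return 1
  done
}

report() { # $1 = label, $2 = cert pem, $3 = trust dir
  if h=$(cert_trusted_by "$2" "$3"); then
    echo "$1: issuer $h found in $3"
  else
    echo "$1: issuer $h NOT trusted by $3"
  fi
}

# Constructed setup with the DNs quoted in the thread. Note the escaped slash
# in "host\/ingrid...": openssl -subj treats an unescaped "/" as a separator.
make_ca "$WORK/ca_ingrid" \
  "/O=Grid/OU=GlobusTest/OU=simpleCA-ingrid.scai.fraunhofer.de/CN=Globus Simple CA"
make_ca "$WORK/ca_mertens" \
  "/O=Grid/OU=GlobusTest/OU=simpleCA-mertens.scai.fraunhofer.de/CN=Globus Simple CA"
issue_cert "$WORK/ca_ingrid" "$WORK/container" \
  "/O=Grid/OU=GlobusTest/OU=simpleCA-ingrid.scai.fraunhofer.de/CN=host\/ingrid.scai.fraunhofer.de"

install_ca "$WORK/ca_ingrid.pem"  "$WORK/server_trust"
install_ca "$WORK/ca_mertens.pem" "$WORK/server_trust"
install_ca "$WORK/ca_mertens.pem" "$WORK/client_trust"   # client lacks the ingrid CA

report server "$WORK/container.pem" "$WORK/server_trust"
report client "$WORK/container.pem" "$WORK/client_trust"
same_ca_set "$WORK/server_trust" "$WORK/client_trust" \
  || echo "trust dirs differ: compare the *.0 files (md5sum) on both machines"
```

Running it prints that the server trusts the container certificate while the client does not, then that the two trust directories differ; copying `ca_ingrid.pem` into the client directory under its hash (the fix Charles suggests) makes both checks pass.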