On my local machine:
[EMAIL PROTECTED] certificates]$ md5sum 1254a8e9.0
108bb1b7f71ee390fe9e151caae9f223 1254a8e9.0
[EMAIL PROTECTED] certificates]$ md5sum fdd18892.0
b8c625f616f56366c393fbc887d0ce00 fdd18892.0
And on the server:
[EMAIL PROTECTED] certificates]# md5sum 1254a8e9.0
7f8c20b75ef736d411fe313c7f420d14 1254a8e9.0
[EMAIL PROTECTED] certificates]# md5sum fdd18892.0
b8c625f616f56366c393fbc887d0ce00 fdd18892.0
This is not what I expected. That is obviously the fault.
Because after copying the 1254a8e9.0 from the server onto my local machine
scp [EMAIL PROTECTED]:/etc/grid-security/certificates/1254a8e9.0 $GLOBUS_LOCATION/etc/grid-security/certificates/
[EMAIL PROTECTED]'s password:
1254a8e9.0 100% 952 0.9KB/s 00:00
.. it works!
[EMAIL PROTECTED] certificates]$ md5sum 1254a8e9.0
7f8c20b75ef736d411fe313c7f420d14 1254a8e9.0
[EMAIL PROTECTED] ~]$ counter-client -s https://ingrid:9000/wsrf/services/CounterService
Got notification with value: 3
Counter has value: 3
Got notification with value: 13
Very special thanks !!
You don't know how much time I spent with this problem... it was already
very depressing..
Thank you !
Fabian
On Wednesday, 12.09.2007, at 11:16 -0500, Charles Bacon wrote:
> Can you md5sum the 1254a8e9.0 and fdd18892.0 on the two machines and
> verify that they are the same?
>
>
> Charles
>
> On Sep 12, 2007, at 11:04 AM, Fabian Lueghausen wrote:
>
> > [EMAIL PROTECTED] ~]# ls -1 /etc/grid-security/certificates/
> >
> > 1254a8e9.0
> > 1254a8e9.signing_policy
> > fdd18892.0
> > fdd18892.signing_policy
> > globus-host-ssl.conf.1254a8e9
> > globus-host-ssl.conf.fdd18892
> > globus-user-ssl.conf.1254a8e9
> > globus-user-ssl.conf.fdd18892
> > grid-security.conf.1254a8e9
> > grid-security.conf.fdd18892
> >
> >
> > [EMAIL PROTECTED] ~]# openssl x509 -in /etc/grid-security/containercert.pem -noout -issuer_hash
> >
> > 1254a8e9
> >
> >
> > [EMAIL PROTECTED] ~]$ openssl x509 -in $GLOBUS_LOCATION/etc/grid-security/containercert.pem -noout -issuer_hash
> >
> > fdd18892
> >
> >
> > Another thought is.. what role does the grid-mapfile play here?
> > Is it necessary to have an entry like
> > "/O=Grid/OU=GlobusTest/OU=simpleCA-mertens.scai.fraunhofer.de/OU=scai.fraunhofer.de/CN=root" root
> > in my local grid-mapfile?
> >
> >
> >
> >
> > On Wednesday, 12.09.2007, at 10:48 -0500, Charles Bacon wrote:
> >> You say it's the server that doesn't trust you, but that's not what I
> >> think is happening. I think the client isn't trusting the server.
> >> What's in /etc/grid-security/certificates on the server? What does
> >> "openssl x509 -issuer_hash -in /etc/grid-security/containercert.pem -noout" say?
> >>
> >> -c
> >>
> >> On Sep 12, 2007, at 10:31 AM, Fabian Lueghausen wrote:
> >>
> >>> On Wednesday, 12.09.2007, at 10:09 -0500, Charles Bacon wrote:
> >>>> On Sep 12, 2007, at 9:53 AM, Fabian Lueghausen wrote:
> >>>>
> >>>>> The grid-proxy-init on client side is okay:
> >>>>
> >>>> Okay. Can you "ls /home/fabian/globus-4.0.5/etc/grid-security/certificates" for me?
> >>>
> >>> [EMAIL PROTECTED] ~]$ ls -1 /home/fabian/globus-4.0.5/etc/grid-security/certificates/
> >>>
> >>> 1254a8e9.0
> >>> 1254a8e9.signing_policy
> >>> fdd18892.0
> >>> fdd18892.signing_policy
> >>> globus-host-ssl.conf.fdd18892
> >>> globus-user-ssl.conf.fdd18892
> >>> grid-security.conf.1254a8e9
> >>> grid-security.conf.fdd18892
> >>>
> >>> While 1254a8e9 is the hash of
> >>> 'O=Grid,OU=GlobusTest,OU=simpleCA-ingrid.scai.fraunhofer.de,CN=host/ingrid.scai.fraunhofer.de'
> >>>
> >>> and fdd18892 the hash of
> >>> '/O=Grid/OU=GlobusTest/OU=simpleCA-mertens.scai.fraunhofer.de/CN=Globus Simple CA'.
> >>>
> >>>
> >>>>
> >>>>> The CA I'm using on client side is the same CA installed on server
> >>>>> side.
> >>>>
> >>>> Can you run grid-proxy-init -verify -debug on the server, and ls the
> >>>> Trusted CA directory on that machine?
> >>>>
> >>>
> >>> [EMAIL PROTECTED] SafetyHelloWorld]# grid-proxy-init -verify -debug
> >>>
> >>> User Cert File: /root/.globus/usercert.pem
> >>> User Key File: /root/.globus/userkey.pem
> >>>
> >>> Trusted CA Cert Dir: /etc/grid-security/certificates
> >>>
> >>> Output File: /tmp/x509up_u0
> >>> Your identity: /O=Grid/OU=GlobusTest/OU=simpleCA-mertens.scai.fraunhofer.de/OU=scai.fraunhofer.de/CN=root
> >>> Enter GRID pass phrase for this identity:
> >>> Creating proxy .......++++++++++++
> >>> ........++++++++++++
> >>> Done
> >>> Proxy Verify OK
> >>> Your proxy is valid until: Thu Sep 13 05:27:19 2007
> >>>
> >>>> It sounds like your server is using one CA, and your client another.
> >>>> The client trusts itself, so the -verify -debug works. It doesn't
> >>>> trust the one in use by the server, so it fails. When you run it on
> >>>> the server itself, you're getting the server's trusted CA set, so it
> >>>> works again.
> >>>>
> >>>> You can fix this by checking all of your certs (usercert, hostcert,
> >>>> containercert) with openssl x509 -issuer and replacing whichever ones
> >>>> are using the CA from (*) in your counter-client example. Or you can
> >>>> just add the server's CA to your client's certificates directory so
> >>>> your client will trust it.
> >>>>
> >>>
> >>> I already installed the "ingrid ca" at mertens:
> >>>
> >>> [EMAIL PROTECTED] ~]$ grid-default-ca
> >>> The available CA configurations installed on this host are:
> >>>
> >>> Directory: /home/fabian/globus-4.0.5/etc/grid-security/certificates
> >>>
> >>> 1) 1254a8e9 - /O=Grid/OU=GlobusTest/OU=simpleCA-ingrid.scai.fraunhofer.de/CN=Globus Simple CA
> >>> 2) fdd18892 - /O=Grid/OU=GlobusTest/OU=simpleCA-mertens.scai.fraunhofer.de/CN=Globus Simple CA
> >>>
> >>> Directory: /home/fabian/globus-4.0.5/share/certificates
> >>>
> >>> 3) fdd18892 - /O=Grid/OU=GlobusTest/OU=simpleCA-mertens.scai.fraunhofer.de/CN=Globus Simple CA
> >>>
> >>>
> >>> The default CA is: /O=Grid/OU=GlobusTest/OU=simpleCA-ingrid.scai.fraunhofer.de/CN=Globus Simple CA
> >>> Location: /home/fabian/globus-4.0.5/etc/grid-security/certificates/1254a8e9.0
> >>>
> >>> So the server should trust me I think. But he doesn't and I don't
> >>> know why...
> >>>
> >>>
> >>> Fabian
> >>>
> >>>
> >>>
> >>
> >
>
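
An added example, not part of the original thread: the md5sum comparison that resolved this problem, generalized to every hash-named file in a trusted CA directory, so a file such as 1254a8e9.0 that exists on both machines with different contents is flagged. The function names `ca_manifest` and `ca_compare` are hypothetical, and `sha256sum` is used here in place of `md5sum`.

```shell
#!/bin/sh
# ca_manifest DIR
# Print "<file> <sha256>" for each hash-named trust file in DIR
# (<hash>.N CA certificates and <hash>.signing_policy), sorted by name.
# Run it on each machine and save the output to a file.
ca_manifest() {
    ( cd "$1" || exit 1
      for f in *.[0-9] *.signing_policy; do
          [ -f "$f" ] || continue          # skip unmatched glob patterns
          printf '%s %s\n' "$f" "$(sha256sum < "$f" | cut -d' ' -f1)"
      done | LC_ALL=C sort -k1,1 )
}

# ca_compare LOCAL_MANIFEST REMOTE_MANIFEST
# Print one line per file that is not identical in both manifests:
#   DIFFERS <file>      same name, different contents (the case in this thread)
#   ONLY_LOCAL <file>   present only in the first manifest
#   ONLY_REMOTE <file>  present only in the second manifest
# Prints nothing when the two directories agree.
ca_compare() {
    LC_ALL=C join -a1 -a2 -e MISSING -o 0,1.2,2.2 "$1" "$2" |
    while read -r name local_sum remote_sum; do
        if [ "$local_sum" = MISSING ]; then
            echo "ONLY_REMOTE $name"
        elif [ "$remote_sum" = MISSING ]; then
            echo "ONLY_LOCAL $name"
        elif [ "$local_sum" != "$remote_sum" ]; then
            echo "DIFFERS $name"
        fi
    done
}

# Usage (paths as they appear in the thread):
#   client: ca_manifest "$GLOBUS_LOCATION/etc/grid-security/certificates" > client.txt
#   server: ca_manifest /etc/grid-security/certificates > server.txt
#   then:   ca_compare client.txt server.txt
```

A `DIFFERS` line for a `<hash>.0` file means the two machines hold different CA certificates under the same hash name, which is the condition the md5sum output above revealed.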