On Jul 19, 2008, at 2:16 PM, Omer Jilani wrote:
Hi all,
I'm trying globus-url-copy and it gives me the following error:
@> globus-url-copy file:/tmp/test gsiftp://ce.glite.ecdf.ed.ac.uk:2811/tmp/s0782592-test
535 535-FTPD GSSAPI error: GSS Major Status: Authentication Failed
535-FTPD GSSAPI error: GSS Minor Status Error Chain:
535-FTPD GSSAPI error: 535-FTPD GSSAPI error: accept_sec_context.c:170: gss_accept_sec_context: SSLv3 handshake problems
535-FTPD GSSAPI error: globus_i_gsi_gss_utils.c:881: globus_i_gsi_gss_handshake: Unable to verify remote side's credentials
535-FTPD GSSAPI error: globus_i_gsi_gss_utils.c:854: globus_i_gsi_gss_handshake: SSLv3 handshake problems: Couldn't do ssl handshake
535-FTPD GSSAPI error: OpenSSL Error: s3_srvr.c:1816: in library: SSL routines, function SSL3_GET_CLIENT_CERTIFICATE: no certificate returned
535-FTPD GSSAPI error: globus_gsi_callback.c:351: globus_i_gsi_callback_handshake_callback: Could not verify credential
535-FTPD GSSAPI error: globus_gsi_callback.c:429: globus_i_gsi_callback_cred_verify: Can't get the local trusted CA certificate: Cannot find issuer certificate for local credential with subject: /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=omer jilani/CN=1642317439
535 FTPD GSSAPI error: accepting context

This error is coming from the gridftp server. Do you have the CA
certificate and signing policy set up on ce.glite.ecdf.ed.ac.uk in the
server's environment?

Additional information
@> grid-proxy-init -debug -verify
Done
Proxy Verify OK
@> grid-proxy-info
subject : /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=omer jilani/CN=1642317439
issuer : /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=omer jilani
identity : /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=omer jilani
type : RFC 3820 compliant impersonation proxy
strength : 512 bits
path : /tmp/x509up_u500
timeleft : 11:54:47
@> ls -lh /etc/grid-security/certificates
-rw-r--r-- 1 root root 1.3K Jul 19 14:22 367b75c3.0
-rw-r--r-- 1 root root 33K Jul 19 15:45 367b75c3.r0
-rw-r--r-- 1 root root 606 Jul 19 15:05 367b75c3.signing_policy
-rw-r--r-- 1 root root 1.3K Jul 19 14:28 98ef0ee5.0
-rw-r--r-- 1 root root 609 Jul 19 15:46 98ef0ee5.r0
-rw-r--r-- 1 root root 618 Jul 19 15:09 98ef0ee5.signing_policy
@> ls -lh ~/.globus/
-rw-r--r-- 1 omer omer 2.2K Jul 10 21:31 usercert.pem
-r-------- 1 omer omer 1.9K Jul 10 21:32 userkey.pem
@> openssl verify -CApath /etc/grid-security/certificates -purpose sslclient ~/.globus/usercert.pem
/home/omer/.globus/usercert.pem: OK
@> cat 367b75c3.signing_policy
# @(#)$Id: 367b75c3.signing_policy,v 1.1 2007/11/15 21:04:34 pmacvsdg Exp $
access_id_CA X509 '/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA'
pos_rights globus CA:sign
cond_subjects globus '"/C=UK/O=eScience/*"'
@> cat 98ef0ee5.signing_policy
# @(#)$Id: 98ef0ee5.signing_policy,v 1.1 2007/11/15 21:04:34 pmacvsdg Exp $
access_id_CA X509 '/C=UK/O=eScienceRoot/OU=Authority/CN=UK e-Science Root'
pos_rights globus CA:sign
cond_subjects globus '"/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA"'
There is another thing that is strange, when I do
@> openssl x509 -hash -noout -in /home/omer/.globus/usercert.pem
9bcc3dd0
Shouldn't I get the hash 367b75c3? Is it because the OU in my
usercert is OU=Edinburgh
and in the CA it's OU=Authority?

No, this is the hash of the user certificate, which is based on the
subject identity of that, which is distinct from that of the CA
certificate. Some versions of OpenSSL have the -issuer_hash option
that will display the hash of the CA which signed the given certificate.

I've looked into the globus documentation and email archives and
seem to be doing all the things, but still can't get it right.
Any help is highly appreciated.
thanks
omer

Another tool you can use in GT 4.2 is grid-cert-diagnostics which
checks the CA directory and optionally the user cert for coherence.

Joe
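
Added example, not part of the original thread and not Globus code: a Python reading of the two signing_policy files quoted above, checking which subject DNs each CA is permitted to sign. The function names are hypothetical, and it assumes that the user certificate was issued by the UK e-Science CA and that `*` in cond_subjects matches shell-style.

```python
import fnmatch
import re

# Policy text as quoted in the thread, with the mail-wrapped lines rejoined.
CA_POLICY = """\
access_id_CA X509 '/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA'
pos_rights globus CA:sign
cond_subjects globus '"/C=UK/O=eScience/*"'
"""
ROOT_POLICY = """\
access_id_CA X509 '/C=UK/O=eScienceRoot/OU=Authority/CN=UK e-Science Root'
pos_rights globus CA:sign
cond_subjects globus '"/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA"'
"""
CA_DN = "/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA"
ROOT_DN = "/C=UK/O=eScienceRoot/OU=Authority/CN=UK e-Science Root"
USER_DN = "/C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=omer jilani"


def parse_signing_policy(text):
    """Map each CA DN to the subject patterns it may sign (CA:sign only)."""
    policies, ca, can_sign = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"(\S+)\s+\S+\s+(.+)$", line)
        if not m or line.startswith("#"):
            continue
        key, value = m.group(1), m.group(2).strip().strip("'")
        if key == "access_id_CA":
            ca, can_sign = value, False
            policies.setdefault(ca, [])
        elif key == "pos_rights":
            can_sign = value == "CA:sign"
        elif key == "cond_subjects" and ca is not None and can_sign:
            # Patterns are double-quoted inside the single-quoted value.
            policies[ca] += re.findall(r'"([^"]*)"', value) or [value]
    return policies


def may_sign(policies, issuer_dn, subject_dn):
    """True if issuer_dn's policy has a pattern matching subject_dn."""
    patterns = policies.get(issuer_dn, [])
    return any(fnmatch.fnmatchcase(subject_dn, p) for p in patterns)


if __name__ == "__main__":
    policies = {**parse_signing_policy(CA_POLICY), **parse_signing_policy(ROOT_POLICY)}
    for issuer, subject in [(CA_DN, USER_DN), (ROOT_DN, CA_DN), (ROOT_DN, USER_DN)]:
        print(may_sign(policies, issuer, subject), issuer, "->", subject)
```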