Andrea Turli wrote:
I don't know if this will answer your questions but I've tried these
three commands:
$ openssl verify -CApath /etc/grid-security/certificates -purpose sslclient /etc/grid-security/containercert.pem
/etc/grid-security/containercert.pem: OK
$ openssl verify -purpose sslclient /etc/grid-security/containercert.pem
/etc/grid-security/containercert.pem:
/C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
error 20 at 0 depth lookup:unable to get local issuer certificate
The difference here is the missing -CApath in the second command, which
confirms the fact that you did not put them in /certs instead.
In this situation, all your openssl subcommands should specify the
-CApath option if that option is available. For example, verify,
s_client and s_server should, x509 should not.
Which means, retry this command:
openssl s_client -CApath /etc/grid-security/certificates -connect localhost:443
instead of just:
openssl s_client -connect localhost:443
Ciao,
Vincenzo
What could be the solution?
Andrea
On Thu, Feb 26, 2009 at 11:35 AM, Vincenzo Ciaschini
<[email protected]> wrote:
Vincenzo Ciaschini wrote:
Tom Scavo wrote:
On Wed, Feb 25, 2009 at 10:23 AM, Andrea Turli <[email protected]>
wrote:
This command also
openssl s_client -connect localhost:443
doesn't work
This is the stacktrace I can see:
CONNECTED(00000003)
depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
verify error:num=21:unable to verify the first certificate
verify return:1
20978:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
certificate:s3_pkt.c:1046:SSL alert number 42
20978:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:226:
This error trace seems to hint at the fact that OpenSSL could not find the
CA certificate of the grids16.eng.it host cert in the CA store. What is the
default value of -CApath when one does not specify it?
It is '/certs'. I assume you do not have it, right?
Are you sure you have the CA certificate installed?
Ciao,
Vincenzo
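Added example, not part of the original thread: a self-contained reproduction of the behaviour discussed above, showing `openssl verify` returning error 20 when the issuing CA is not in the directory OpenSSL searches and OK once `-CApath` points at a hashed CA directory. The CA, the host name `host.example.org` and the helper names (`build_demo`, `needed_ca_file`, `check_cert`) are constructed for this illustration.

```shell
#!/bin/sh
# Added illustration; the CA, host name and helper names are constructed.

# build_demo DIR: throwaway CA, a host cert signed by it, and a hashed CA directory.
build_demo() {
    d=$1
    mkdir -p "$d/cadir" "$d/empty"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=Example Demo/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=Example Demo/CN=host.example.org" \
        -keyout "$d/host.key" -out "$d/host.csr" 2>/dev/null
    openssl x509 -req -in "$d/host.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/host.pem" 2>/dev/null
    # -CApath finds an issuer by file name <subject-hash>.0, not by content.
    cp "$d/ca.pem" "$d/cadir/$(openssl x509 -noout -hash -in "$d/ca.pem").0"
}

# needed_ca_file CERT: the file name -CApath must contain to verify CERT.
needed_ca_file() {
    echo "$(openssl x509 -noout -issuer_hash -in "$1").0"
}

# check_cert CERT [CADIR]: print "OK" or "error N" as reported by openssl verify.
check_cert() {
    if [ -n "${2:-}" ]; then
        out=$(openssl verify -CApath "$2" -purpose sslclient "$1" 2>&1) || true
    else
        out=$(openssl verify -purpose sslclient "$1" 2>&1) || true
    fi
    case $out in
        *"error "[0-9]*" at "*)
            printf '%s\n' "$out" | sed -n 's/^\(error [0-9]*\) at .*/\1/p' | head -n 1 ;;
        *": OK"*) echo OK ;;
        *) echo UNKNOWN ;;
    esac
}

tmp=$(mktemp -d)
build_demo "$tmp"
echo "CA file name needed: $(needed_ca_file "$tmp/host.pem")"
echo "without -CApath:     $(check_cert "$tmp/host.pem")"
echo "with -CApath:        $(check_cert "$tmp/host.pem" "$tmp/cadir")"
rm -rf "$tmp"
```

Running `needed_ca_file` on a real host certificate gives the file name to look for in the CA directory passed to `-CApath`; if that file is absent, the directory does not hold the issuing CA in the form OpenSSL searches for.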