Hi Luis, My idea is to investigate how it's possible that the hash of required CA is aacc0995. To find it out I would consider two approaches:
1. When you submit a job and get the error about the CA certificate with the hash aacc0995, please execute $ grid-proxy-info to determine a location of your proxy credential. Your proxy credential is a file consisting three sections: certificate, RSA private key, certificate. Please copy the last section (with the starting mark "-----BEGIN CERTIFICATE-----" and the ending mark "-----END CERTIFICATE-----") to another file, for example /tmp/uc.pem. Then execute $ openssl x509 -noout -issuer_hash -in /tmp/uc.pem What do you get? 2. Increase logging level by changing values of appropriate log4j properties from INFO or WARN to DEBUG. (As far as I remember it's in $GLOBUS_LOCATION/container-log4j.properties). Regards, Lukasz On May 5, 2010, at 2:22 AM, Luis wrote: > Hi, > > No, the hash of these CA's is: > > - openssl x509 -hash -noout < /etc/grid-security/certificates/6c72648e.0 > 6c72648e > > - openssl x509 -hash -noout < /etc/grid-security/certificates/fa9133d3.0 > fa9133d3 > > > And the openssl version is: > > OpenSSL 0.9.7d 17 Mar 2004 > > Regads, > Luis > > El mar, 04-05-2010 a las 10:40 -0500, Lukasz Lacinski escribió: >> Hi, >> >> Did one of these CAs (6c72648e, fa9133d3) issued the user certificate that >> you use to submit a job? Definitely, you use somewhere a certificate issued >> by a CA with hash aacc0995. >> >> Regards, >> Lukasz >> >> >> On May 4, 2010, at 7:38 AM, Luis wrote: >> >>> Hello, >>> >>> That is what I firstly though. However, in >>> the /etc/grid-security/certificates directory I have the next files: >>> >>> -rw-r--r-- 1 root root 1,4K may 3 13:39 grid-security.conf.6c72648e >>> -rw-r--r-- 1 root root 2,8K may 3 13:39 globus-user-ssl.conf.6c72648e >>> -rw-r--r-- 1 root root 2,7K may 3 13:39 globus-host-ssl.conf.6c72648e >>> -rw-r--r-- 1 root root 1,4K may 3 13:39 6c72648e.signing_policy >>> -rw-r--r-- 1 root root 924 may 3 13:39 6c72648e.0 >>> -rw-r--r-- 1 root root 1,4K may 3 14:02 fa9133d3.signing_policy >>> -rw-r--r-- 1 root root 944 may 3 14:02 fa9133d3.0 >>> >>> Which are the certificates for the local CA (6c72648e*) and the ones for >>> the other CA (fa9133d3*). >>> >>> >>> It is possible that the certificates are searched in other directory? >>> >>> El mar, 04-05-2010 a las 05:16 -0500, Lukasz Lacinski escribió: >>>> The command globusrun-ws verifies the authenticity of GRAM4 service you >>>> submit a job to. To do that the command globusrun-ws search in >>>> $HOME/.globus/certificates or in /etc/grid-security/certificates for the >>>> certificate of the Certificate Authority that signed the GRAM4 service >>>> certificate. The error message you got suggests that you do not have the >>>> file aacc0995.0 with the certificate of that Certificate Authority. >>>> At the same time you are able to submit a job to resourceB, because you >>>> have the certificate of another Certificate Authority that issued the >>>> service certificate for the resourceB. >>>> >>>> Regards, >>>> Lukasz >>>> >>>> >>>> On May 4, 2010, at 4:37 AM, Luis wrote: >>>> >>>>> Hello, >>>>> >>>>> I have some problems to execute a basic globusrun-ws command. When I >>>>> execute: >>>>> >>>>> globusrun-ws -submit -c /bin/hostname >>>>> >>>>> The output is: >>>>> >>>>> Submitting job...Failed. >>>>> globusrun-ws: Error submitting job >>>>> OpenSSL Error: s3_clnt.c:842: in library: SSL routines, function >>>>> SSL3_GET_SERVER_CERTIFICATE: certificate verify failed >>>>> globus_gsi_callback_module: Could not verify credential >>>>> globus_gsi_callback_module: Can't get the local trusted CA certificate: >>>>> Untrusted self-signed certificate in chain with hash aacc0995 >>>>> >>>>> >>>>> Do you know what the problem is? >>>>> >>>>> I have a valid certificate and I can make transfers (globus-url-copy) to >>>>> and from this resource. Moreover, I can execute this command but setting >>>>> another resource to execute the job, for example: >>>>> >>>>> globusrun-ws -submit -F resourceB -c /bin/hostname >>>>> >>>>> >>>>> Thank you! >>>>> >>>>> Best regards! >>>>> >>>>> >>>>> >>>> >>> >> >
