Dear list,

We're in the process of setting up a simple GridFTP infrastructure for use with GlobusOnline. For this we've got a gridftp and myproxy host set up. However we're struggling to get the proper CA setup with Globus running. For testing purposes we've been trying to copy files via gsiftp from the gridftp to the myproxy machine (as both have host certificates signed by the same CA).
We're not able to roll our own CA and have to use TERENA SSL provided by our NREN for signing hosts. The ``/etc/grid-security/certificates/'' directory looks like:

    9df51c42.0
    9df51c42.signing_policy
    TERENA_SSL_CA.pem

where the hash was generated by running ``$GLOBUS_LOCATION/bin/openssl x509 -hash -noout < TERENA_SSL_CA.pem''

Of course both hosts have a proper ``hostkey.pem'' and ``hostcert.pem'' in ``/etc/grid-security/'' signed by TERENA SSL CA.

I'm getting an error from ``globus-url-copy'' which complains about a not found CA certificate with another hash (``ff783690'' as opposed to ``9df51c42'') as seen here:

    error: globus_ftp_control: gss_init_sec_context failed
    OpenSSL Error: s3_clnt.c:983: in library: SSL routines, function SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
    globus_gsi_callback_module: Could not verify credential
    globus_gsi_callback_module: Can't get the local trusted CA certificate: Cannot find trusted CA certificate with hash ff783690 in /etc/grid-security/certificates

When I check the host certs they were signed by the same CA and the CN strings etc. match. Can anyone explain what I'm missing here?

I know that I'm not even at the step where user certificates come into play but I wanted to see if the host communication/setup was working before I proceed to molest my NREN to give me per user certificates.

TIA!
P

Petar Forai — GMI IT/HPC Engineer
mailto: [email protected]
GPG/PGP-Fingerprint: F4D15 F20B 6BB0 F68D 9580 2828 D17D BB4E 4DFF B82B
