On 9/12/11 6:28 AM, Amitav Mohanty wrote:
On Mon, Sep 12, 2011 at 4:35 PM, Lukasz Lacinski <[email protected]> wrote:
On 9/12/11 3:22 AM, Amitav Mohanty wrote:
On 09/12/2011 03:44 AM, Lukasz Lacinski wrote:
Hi Amitav,
What does the command $GLOBUS_LOCATION/bin/globus-hostname
return? Is it a hostname or a fully qualified domain name (FQDN)?
My guess is that you need to correct /etc/hosts. Please look at
the manual for the format of the file.
Please use the mailing list 'gt-user' instead of 'gt-dev',
which is for Globus Toolkit developers.
Regards,
Lukasz
On 9/11/11 3:48 PM, Amitav Mohanty wrote:
Hello
While using perl gt-server-ca.pl -y as
root I am unable to generate the certificates. In the log, I
found the following line:
The hostname shelby-500 does not appear to be fully qualified.
Please advise on what is causing this error and how I can
resolve it.
Regards
Amitav
Hello
You were right. I was working on an Ubuntu system. I did not know
they did not provide FQDN by default. Also, they define multiple
localhost IPs as follows:
127.0.0.1 localhost
127.0.1.1 Shelby-500
I am running xinetd successfully and getting gsiftp and myproxy
services. However, I am unable to log in using myproxy-logon -s.
chini@Shelby-500:~$ ls /etc/grid-security/certificates/
583da668.0 globus-user-ssl.conf.583da668
583da668.signing_policy grid-security.conf.583da668
globus-host-ssl.conf.583da668
chini@Shelby-500:~$ myproxy-logon -s Shelby-500
Error authenticating: GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
globus_gss_assist: Error during context initialization
OpenSSL Error: s3_clnt.c:985: in library: SSL routines, function SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: Can't get the local trusted CA certificate: Cannot find trusted CA certificate with hash 85856cce in /etc/grid-security/certificates
It looks like the host certificate (/etc/grid-security/hostcert.pem)
used by the MyProxy server on Shelby-500 is signed by a different
CA (the hash 85856cce) than the one with the root certificate
/etc/grid-security/certificates/583da668.0.
What do the following commands say:
$ openssl verify -CApath /etc/grid-security/certificates /etc/grid-security/hostcert.pem
/etc/grid-security/hostcert.pem: /O=Grid/OU=GlobusTest/OU=simpleCA-shelby-500/CN=host/shelby-500.chini
error 20 at 0 depth lookup:unable to get local issuer certificate
$ openssl x509 -noout -issuer -in /etc/grid-security/hostcert.pem
issuer= /O=Grid/OU=GlobusTest/OU=simpleCA-shelby-500.chini/CN=Globus Simple CA
$ openssl x509 -noout -subject -in /etc/grid-security/certificates/583da668.0
subject= /O=Grid/OU=GlobusTest/OU=simpleCA-shelby-500/CN=Globus Simple CA
I am not sure how this happened. How can I fix this?
You need to generate a new host certificate using this new CA (the hash
583da668).
# grid-cert-request -host `globus-hostname`
# grid-ca-sign -in /etc/grid-security/hostcert_request.pem -out /etc/grid-security/hostcert.pem
-Lukasz
Amitav
The error messages in /var/log/syslog are as follows:
Sep 12 13:47:42 Shelby-500 myproxy-server[6126]: myproxy-server v5.4 22 Apr 2011 OCSP starting at Mon Sep 12 13:47:42 2011
Sep 12 13:47:42 Shelby-500 myproxy-server[6126]: reading configuration file /etc/myproxy-server.config
Sep 12 13:47:42 Shelby-500 myproxy-server[6126]: Processing usage_stats_target (usage-stats.cilogon.org:4810)
Sep 12 13:47:43 Shelby-500 myproxy-server[6126]: USAGE-STATS: Initialized (usage-stats.cilogon.org:4810) (VvtrlLB)
Sep 12 13:47:43 Shelby-500 myproxy-server[6126]: using storage directory /var/myproxy
Sep 12 13:47:43 Shelby-500 myproxy-server[6126]: Connection from 127.0.0.1
Sep 12 13:47:43 Shelby-500 myproxy-server[6126]: Error authenticating client: Connection closed.
Sep 12 13:47:43 Shelby-500 myproxy-server[6126]: Failure: error in myproxy_send()
I have an edited hosts file which looks like the following:
127.0.1.1 Shelby-500.chini Shelby-500
Regards
Amitav
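
The comparison made by hand in the thread (the host certificate's issuer against the `<hash>.0` files in the trusted certificates directory), scripted as an added example that is not part of the original messages. The function names `dn`, `check_issuer` and `make_demo` are introduced here, and the demo PKI is constructed for illustration.

```shell
#!/bin/sh
# Added example. check_issuer CERT CADIR returns 0 when CADIR holds a
# <issuer_hash>.0 file for CERT's issuer, 1 when it does not, 2 when the file
# exists but names a different subject. The hash algorithm changed in OpenSSL
# 1.0.0, so use the same openssl the grid software is linked against.
dn() { openssl x509 -noout "-$1" -in "$2" | sed 's/^[a-z]*= *//'; }

check_issuer() {
    cert=$1; cadir=$2
    hash=$(openssl x509 -noout -issuer_hash -in "$cert") || return 3
    issuer=$(dn issuer "$cert")
    echo "issuer: $issuer (hash $hash)"
    if [ ! -f "$cadir/$hash.0" ]; then
        echo "missing: $cadir/$hash.0; CA files present:"
        for ca in "$cadir"/*.0; do
            [ -f "$ca" ] && echo "  ${ca##*/}: $(dn subject "$ca")"
        done
        return 1
    fi
    [ "$(dn subject "$cadir/$hash.0")" = "$issuer" ] || return 2
    echo "found: $cadir/$hash.0"
}

# Constructed demo PKI (not from the thread): two CAs whose OU differs by the
# ".chini" suffix, a host certificate signed by the second CA, and a trust
# directory holding only the first.
make_demo() {
    d=$1; mkdir -p "$d/certificates"
    for n in shelby-500 shelby-500.chini; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/O=Grid/OU=GlobusTest/OU=simpleCA-$n/CN=Globus Simple CA" \
            -keyout "$d/$n.key" -out "$d/$n.pem" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Grid/CN=demo-host" \
        -keyout "$d/hostkey.pem" -out "$d/req.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/req.pem" -CA "$d/shelby-500.chini.pem" \
        -CAkey "$d/shelby-500.chini.key" -set_serial 1 -days 2 \
        -out "$d/hostcert.pem" 2>/dev/null || return 1
    h=$(openssl x509 -noout -subject_hash -in "$d/shelby-500.pem")
    cp "$d/shelby-500.pem" "$d/certificates/$h.0"
}
```

On a real host the call would be `check_issuer /etc/grid-security/hostcert.pem /etc/grid-security/certificates`; a return of 1 means either the issuing CA has to be installed in that directory or the host certificate has to be reissued by a CA that is already there.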