Hi guys,
We've run into a similar issue on an Ubuntu system.
All proxy certificate verification was failing with a very similar error
message - certificates appeared to be issued by a CA with a different
hash value. With a closer look, the hash value was that of the
end-entity certificate (user or host certificate) the proxy certificate
was derived from.
And it all appeared to be due to:
http://bugzilla.globus.org/globus/show_bug.cgi?id=6984
Debian v6 uses OpenSSL 0.9.8o, which requires an additional
initialization call, which Globus wasn't making. Has been fixed in
Globus, but we are installing Globus through VDT, which has not been
updated with this fix yet.
We solved this by downgrading OpenSSL to OpenSSL 0.9.8l (installing this
into a separate directory and altering LD_LIBRARY_PATH)
Hope this helps.
Cheers,
Vlad
On -9/01/37 07:59, Amitav Mohanty wrote:
On 09/12/2011 03:44 AM, Lukasz Lacinski wrote:
> Hi Amitav,
>
> What does the command $GLOBUS_LOCATION/bin/globus-hostname return? Is it a
> hostname or a fully qualified domain name (FQDN)?
> My guess is that you need to correct /etc/hosts. Please, look at the manual
> about a format of the file.
>
> Please, use the mailing list 'gt-user' instead of the 'gt-dev' that is for
> Globus Toolkit developers.
>
> Regards,
> Lukasz
>
>
> On 9/11/11 3:48 PM, Amitav Mohanty wrote:
>> Hello
>>
>> While using perl gt-server-ca.pl -y as root I am
>> unable to generate the certificates. In the log, I found the following line:
>>
>> The hostname shelby-500 does not appear to be fully qualified.
>>
>> Please advise on what is causing this error and how I can resolve it.
>>
>> Regards
>> Amitav
>>
>
Hello
You were right. I was working on an Ubuntu system. I did not know they
did not provide FQDN by default. Also, they define multiple localhost
IPs as follows:
127.0.0.1 localhost
127.0.1.1 Shelby-500
I am running xinetd successfully and getting gsiftp and myproxy
services. However, I am unable to login using myproxy-logon -s.
chini@Shelby-500:~$ ls /etc/grid-security/certificates/
583da668.0 globus-user-ssl.conf.583da668
583da668.signing_policy grid-security.conf.583da668
globus-host-ssl.conf.583da668
chini@Shelby-500:~$ myproxy-logon -s Shelby-500
Error authenticating: GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
globus_gss_assist: Error during context initialization
OpenSSL Error: s3_clnt.c:985: in library: SSL routines, function
SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: Can't get the local trusted CA certificate:
Cannot find trusted CA certificate with hash 85856cce in
/etc/grid-security/certificates
The error messages in /var/log/syslog are as follows:
Sep 12 13:47:42 Shelby-500 myproxy-server[6126]: myproxy-server v5.4 22
Apr 2011 OCSP starting at Mon Sep 12 13:47:42 2011
Sep 12 13:47:42 Shelby-500 myproxy-server[6126]: reading configuration
file /etc/myproxy-server.config
Sep 12 13:47:42 Shelby-500 myproxy-server[6126]: Processing
usage_stats_target (usage-stats.cilogon.org:4810)
Sep 12 13:47:43 Shelby-500 myproxy-server[6126]: USAGE-STATS:
Initialized (usage-stats.cilogon.org:4810) (VvtrlLB)
Sep 12 13:47:43 Shelby-500 myproxy-server[6126]: using storage directory
/var/myproxy
Sep 12 13:47:43 Shelby-500 myproxy-server[6126]: Connection from 127.0.0.1
Sep 12 13:47:43 Shelby-500 myproxy-server[6126]: Error authenticating
client: Connection closed.
Sep 12 13:47:43 Shelby-500 myproxy-server[6126]: Failure: error in
myproxy_send()
I have an edited hosts file which looks like the following:
127.0.1.1 Shelby-500.chini Shelby-500
Regards
Amitav
--
Vladimir Mencl, Ph.D.
E-Research Services and Systems Consultant
BlueFern Computing Services
University of Canterbury
Private Bag 4800
Christchurch 8140
New Zealand
http://www.bluefern.canterbury.ac.nz
mailto:[email protected]
Phone: +64 3 364 3012
Mobile: +64 21 997 352
Fax: +64 3 364 3002
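
The check described at the top of this message (is the hash in the error a CA's, or the subject hash of the end-entity certificate?) written out as an added example; it is not part of the original thread or of Globus. Function names and result labels are hypothetical, and the optional end-entity comparison assumes `openssl` is on PATH.

```bash
#!/usr/bin/env bash
# Added example; function names and result labels are hypothetical.

# Read Globus error text on stdin, print the 8-hex-digit hash it asks for.
missing_hash() {
    tr '\n' ' ' |
        sed -n 's/.*trusted CA certificate with hash \([0-9a-f]\{8\}\).*/\1/p'
}

# classify HASH CERT_DIR [END_ENTITY_CERT] prints one of:
#   ca-present   CERT_DIR has HASH.<n>, so the trust store holds that CA
#   eec-subject  HASH is the subject hash of the end-entity certificate,
#                i.e. that certificate is being looked up as if it were a CA
#   ca-missing   neither of the above
classify() {
    local hash="$1" dir="$2" eec="${3:-}" f subj
    for f in "$dir/$hash".[0-9]*; do
        if [ -e "$f" ]; then echo ca-present; return 0; fi
    done
    if [ -n "$eec" ] && command -v openssl >/dev/null 2>&1; then
        # -subject_hash prints the value used to name <hash>.<n> files
        subj=$(openssl x509 -noout -subject_hash -in "$eec" 2>/dev/null) || subj=
        if [ "$subj" = "$hash" ]; then echo eec-subject; return 0; fi
    fi
    echo ca-missing
}

# Demo on the values quoted in the thread: the listing holds 583da668.0 and
# the error asks for 85856cce. The temporary directory is constructed here
# and stands in for /etc/grid-security/certificates.
demo() {
    local d h
    d=$(mktemp -d) || return 1
    : > "$d/583da668.0"
    : > "$d/583da668.signing_policy"
    h=$(printf '%s\n' 'Cannot find trusted CA certificate with hash 85856cce in' \
        '/etc/grid-security/certificates' | missing_hash)
    echo "$h $(classify "$h" "$d") $(classify 583da668 "$d")"
    rm -rf "$d"
}
demo
```

The hash algorithm behind `-subject_hash` changed in OpenSSL 1.0.0; when checking against a 0.9.8-linked install from a newer `openssl`, use `-subject_hash_old` instead.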