Re: [gt-user] Problem with MyProxy and certificate_issuer_subca_certfile

[Lukasz Lacinski]

It is:

root@auth1:/var/log# less /var/lib/myproxy/.globus/simpleCA/cacert.pem
-----BEGIN CERTIFICATE-----
MIIClTCCAf6gAwIBAgIJAI/w6x7BOKQMMA0GCSqGSIb3DQEBBQUAMGkxDTALBgNV
BAoTBEdyaWQxEzARBgNVBAsTCkdsb2J1c1Rlc3QxKDAmBgNVBAsTH3NpbXBsZUNB
LWF1dGgxLmNoaWNhZ28ua2Jhc2UudXMxGTAXBgNVBAMTEEdsb2J1cyBTaW1wbGUg
Q0EwHhcNMTIwMjIzMjIxNzU0WhcNMTcwMjIxMjIxNzU0WjBpMQ0wCwYDVQQKEwRH
cmlkMRMwEQYDVQQLEwpHbG9idXNUZXN0MSgwJgYDVQQLEx9zaW1wbGVDQS1hdXRo
MS5jaGljYWdvLmtiYXNlLnVzMRkwFwYDVQQDExBHbG9idXMgU2ltcGxlIENBMIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHRrgenqHgbgEaFteMJkDXCfpsCeMP
MiL6+HChLjwr0XNP2eX2sTWTmHGhPudLFTRss/J0rYQS/Dw6ffQaxaMYhFxFykOb
bQe7ogQtYwDo5jtRiWyu5qDNlJ1HWm3pielN0I5QwoSy4758qcwcgetPF7guBx0T
IhVxf5nVXLhNPQIDAQABo0UwQzAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQL
pZw2+KlwJBmYXOlEbIHa10z5+TARBglghkgBhvhCAQEEBAMCAAcwDQYJKoZIhvcN
AQEFBQADgYEATJGsvsIybFcABgMwqqtnVFCIINKr0JT3U2BbHaOHvZnjnmuoQk8k
TfYf/J9Vy4T9IV6hL+m59ls5Beggua0DU4eHLtOwv/GaScJwV0zeGJXjgjkyGJ8p
4rXMSXThiAmEhO4MIElWIBFqOFEYKdDJiBvKifNd+D/eUY425rI03lg=
-----END CERTIFICATE-----


Thanks,
Lukasz

On 6/11/12 3:40 PM, Jim Basney wrote:

What are the contents of /var/lib/myproxy/.globus/simpleCA/cacert.pem?

On 6/11/12 3:38 PM, Lukasz Lacinski wrote:

We use MyProxy server with Simple CA to issue user credentials. And
wanted to use the certificate_issuer_subca_certfile option to add a
certificate of the Simple CA to a certificate chain sent by MyProxy
server. Unfortunately, the option causes the following error:

Jun 11 13:36:34 auth1 myproxy-server[17900]: Error parsing certificate chain 
error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large 
error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large 
error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large 
error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large 
error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large 
error:0906D06C:PEM routines:PEM_read_bio:no start line Failed to load sub-CA 
certs from file (/var/lib/myproxy/.globus/simpleCA/cacert.pem)! CA failed to 
generate certificate


We are using Ubuntu Oneiric.
root@ca:~# openssl version
OpenSSL 0.9.8k 25 Mar 2009
root@ca:~#

The version we are running is:
root@auth1:/var/log# myproxy-server --version
myproxy-server version MYPROXYv2 (v5.5 5 Sep 2011 PAM OCSP)
root@ca:~# ldd /usr/local/globus-5.0.3/sbin/myproxy-server
         linux-vdso.so.1 =>   (0x00007fff02dff000)
         libmyproxy_gcc64dbg.so.0 =>  
/usr/local/globus-5.0.3/lib/libmyproxy_gcc64dbg.so.0 (0x00007f7aa91d0000)
         libpam.so.0 =>  /lib/libpam.so.0 (0x00007f7aa8fb1000)
         libglobus_gss_assist_gcc64dbg.so.0 =>  
/usr/local/globus-5.0.3/lib/libglobus_gss_assist_gcc64dbg.so.0 (0x00007f7aa8da1000)
         libglobus_gssapi_gsi_gcc64dbg.so.0 =>  
/usr/local/globus-5.0.3/lib/libglobus_gssapi_gsi_gcc64dbg.so.0 (0x00007f7aa8b7a000)
         libglobus_gsi_proxy_core_gcc64dbg.so.0 =>  
/usr/local/globus-5.0.3/lib/libglobus_gsi_proxy_core_gcc64dbg.so.0 
(0x00007f7aa8966000)
         libglobus_gsi_credential_gcc64dbg.so.0 =>  
/usr/local/globus-5.0.3/lib/libglobus_gsi_credential_gcc64dbg.so.0 
(0x00007f7aa8752000)
         libglobus_gsi_callback_gcc64dbg.so.0 =>  
/usr/local/globus-5.0.3/lib/libglobus_gsi_callback_gcc64dbg.so.0 
(0x00007f7aa8546000)
         libglobus_oldgaa_gcc64dbg.so.0 =>  
/usr/local/globus-5.0.3/lib/libglobus_oldgaa_gcc64dbg.so.0 (0x00007f7aa833b000)
         libglobus_gsi_sysconfig_gcc64dbg.so.0 =>  
/usr/local/globus-5.0.3/lib/libglobus_gsi_sysconfig_gcc64dbg.so.0 
(0x00007f7aa812c000)
         libglobus_gsi_cert_utils_gcc64dbg.so.0 =>  
/usr/local/globus-5.0.3/lib/libglobus_gsi_cert_utils_gcc64dbg.so.0 
(0x00007f7aa7f25000)
         libglobus_usage_gcc64dbg.so.0 =>  
/usr/local/globus-5.0.3/lib/libglobus_usage_gcc64dbg.so.0 (0x00007f7aa7d20000)
         libglobus_openssl_gcc64dbg.so.0 =>  
/usr/local/globus-5.0.3/lib/libglobus_openssl_gcc64dbg.so.0 (0x00007f7aa7b1c000)
         libglobus_xio_gcc64dbg.so.0 =>  
/usr/local/globus-5.0.3/lib/libglobus_xio_gcc64dbg.so.0 (0x00007f7aa78a0000)
         libglobus_openssl_error_gcc64dbg.so.0 =>  
/usr/local/globus-5.0.3/lib/libglobus_openssl_error_gcc64dbg.so.0 
(0x00007f7aa769a000)
         libglobus_callout_gcc64dbg.so.0 =>  
/usr/local/globus-5.0.3/lib/libglobus_callout_gcc64dbg.so.0 (0x00007f7aa7494000)
         libglobus_proxy_ssl_gcc64dbg.so.0 =>  
/usr/local/globus-5.0.3/lib/libglobus_proxy_ssl_gcc64dbg.so.0 (0x00007f7aa728e000)
         libglobus_common_gcc64dbg.so.0 =>  
/usr/local/globus-5.0.3/lib/libglobus_common_gcc64dbg.so.0 (0x00007f7aa7044000)
         libltdl_gcc64dbg.so.3 =>  
/usr/local/globus-5.0.3/lib/libltdl_gcc64dbg.so.3 (0x00007f7aa6e39000)
         libm.so.6 =>  /lib/libm.so.6 (0x00007f7aa6bb6000)
         libdl.so.2 =>  /lib/libdl.so.2 (0x00007f7aa69b2000)
         libssl.so.0.9.8 =>  /lib/libssl.so.0.9.8 (0x00007f7aa675f000)
         libcrypto.so.0.9.8 =>  /lib/libcrypto.so.0.9.8 (0x00007f7aa63cf000)
         libc.so.6 =>  /lib/libc.so.6 (0x00007f7aa604c000)
         libcrypt.so.1 =>  /lib/libcrypt.so.1 (0x00007f7aa5e12000)
         /lib64/ld-linux-x86-64.so.2 (0x00007f7aa9411000)
         libz.so.1 =>  /lib/libz.so.1 (0x00007f7aa5bfa000)
root@auth1:/var/log#


There is no problem with reading the CA certificate by openssl.

Did anybody experienced such a problem with the 
certificate_issuer_subca_certfile?

Thanks,
Lukasz