That CA certificate works fine for me with certificate_issuer_subca_certfile using:
# myproxy-server --version myproxy-server version MYPROXYv2 (v5.7 May 2012 PAM OCSP) # openssl version OpenSSL 0.9.8r 8 Feb 2011 and also using: # myproxy-server --version myproxy-server version MYPROXYv2 (v5.5 5 Sep 2011 PAM OCSP) # openssl version OpenSSL 1.0.1 14 Mar 2012 I'm stumped. The "PEM_read_bio:no start line" error means OpenSSL didn't find "-----BEGIN CERTIFICATE-----" in the file but it's clearly there. My only guess is that maybe an OS OpenSSL patch introduced an incompatibility that might be cleared up by a fresh GT/MyProxy install. I see you're at GT 5.0.3. Upgrading to GT 5.2.1 may be worth a try. My current installs use gcc32dbg and I see yours uses gcc64dbg, so I'll try to reproduce the problem with a fresh gcc64dbg build. On 6/11/12 3:45 PM, Lukasz Lacinski wrote: > It is: > > root@auth1:/var/log# less /var/lib/myproxy/.globus/simpleCA/cacert.pem > -----BEGIN CERTIFICATE----- > MIIClTCCAf6gAwIBAgIJAI/w6x7BOKQMMA0GCSqGSIb3DQEBBQUAMGkxDTALBgNV > BAoTBEdyaWQxEzARBgNVBAsTCkdsb2J1c1Rlc3QxKDAmBgNVBAsTH3NpbXBsZUNB > LWF1dGgxLmNoaWNhZ28ua2Jhc2UudXMxGTAXBgNVBAMTEEdsb2J1cyBTaW1wbGUg > Q0EwHhcNMTIwMjIzMjIxNzU0WhcNMTcwMjIxMjIxNzU0WjBpMQ0wCwYDVQQKEwRH > cmlkMRMwEQYDVQQLEwpHbG9idXNUZXN0MSgwJgYDVQQLEx9zaW1wbGVDQS1hdXRo > MS5jaGljYWdvLmtiYXNlLnVzMRkwFwYDVQQDExBHbG9idXMgU2ltcGxlIENBMIGf > MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHRrgenqHgbgEaFteMJkDXCfpsCeMP > MiL6+HChLjwr0XNP2eX2sTWTmHGhPudLFTRss/J0rYQS/Dw6ffQaxaMYhFxFykOb > bQe7ogQtYwDo5jtRiWyu5qDNlJ1HWm3pielN0I5QwoSy4758qcwcgetPF7guBx0T > IhVxf5nVXLhNPQIDAQABo0UwQzAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQL > pZw2+KlwJBmYXOlEbIHa10z5+TARBglghkgBhvhCAQEEBAMCAAcwDQYJKoZIhvcN > AQEFBQADgYEATJGsvsIybFcABgMwqqtnVFCIINKr0JT3U2BbHaOHvZnjnmuoQk8k > TfYf/J9Vy4T9IV6hL+m59ls5Beggua0DU4eHLtOwv/GaScJwV0zeGJXjgjkyGJ8p > 4rXMSXThiAmEhO4MIElWIBFqOFEYKdDJiBvKifNd+D/eUY425rI03lg= > -----END CERTIFICATE----- > > > Thanks, > Lukasz > > On 6/11/12 3:40 PM, Jim Basney wrote: >> What are the contents of /var/lib/myproxy/.globus/simpleCA/cacert.pem? >> >> On 6/11/12 3:38 PM, Lukasz Lacinski wrote: >>> We use MyProxy server with Simple CA to issue user credentials. And >>> wanted to use the certificate_issuer_subca_certfile option to add a >>> certificate of the Simple CA to a certificate chain sent by MyProxy >>> server. Unfortunately, the option causes the following error: >>> >>> Jun 11 13:36:34 auth1 myproxy-server[17900]: Error parsing certificate >>> chain error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too >>> large error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too >>> large error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too >>> large error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too >>> large error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too >>> large error:0906D06C:PEM routines:PEM_read_bio:no start line Failed to load >>> sub-CA certs from file (/var/lib/myproxy/.globus/simpleCA/cacert.pem)! CA >>> failed to generate certificate >>> >>> >>> We are using Ubuntu Oneiric. >>> root@ca:~# openssl version >>> OpenSSL 0.9.8k 25 Mar 2009 >>> root@ca:~# >>> >>> The version we are running is: >>> root@auth1:/var/log# myproxy-server --version >>> myproxy-server version MYPROXYv2 (v5.5 5 Sep 2011 PAM OCSP) >>> root@ca:~# ldd /usr/local/globus-5.0.3/sbin/myproxy-server >>> linux-vdso.so.1 => (0x00007fff02dff000) >>> libmyproxy_gcc64dbg.so.0 => >>> /usr/local/globus-5.0.3/lib/libmyproxy_gcc64dbg.so.0 (0x00007f7aa91d0000) >>> libpam.so.0 => /lib/libpam.so.0 (0x00007f7aa8fb1000) >>> libglobus_gss_assist_gcc64dbg.so.0 => >>> /usr/local/globus-5.0.3/lib/libglobus_gss_assist_gcc64dbg.so.0 >>> (0x00007f7aa8da1000) >>> libglobus_gssapi_gsi_gcc64dbg.so.0 => >>> /usr/local/globus-5.0.3/lib/libglobus_gssapi_gsi_gcc64dbg.so.0 >>> (0x00007f7aa8b7a000) >>> libglobus_gsi_proxy_core_gcc64dbg.so.0 => >>> /usr/local/globus-5.0.3/lib/libglobus_gsi_proxy_core_gcc64dbg.so.0 >>> (0x00007f7aa8966000) >>> libglobus_gsi_credential_gcc64dbg.so.0 => >>> /usr/local/globus-5.0.3/lib/libglobus_gsi_credential_gcc64dbg.so.0 >>> (0x00007f7aa8752000) >>> libglobus_gsi_callback_gcc64dbg.so.0 => >>> /usr/local/globus-5.0.3/lib/libglobus_gsi_callback_gcc64dbg.so.0 >>> (0x00007f7aa8546000) >>> libglobus_oldgaa_gcc64dbg.so.0 => >>> /usr/local/globus-5.0.3/lib/libglobus_oldgaa_gcc64dbg.so.0 >>> (0x00007f7aa833b000) >>> libglobus_gsi_sysconfig_gcc64dbg.so.0 => >>> /usr/local/globus-5.0.3/lib/libglobus_gsi_sysconfig_gcc64dbg.so.0 >>> (0x00007f7aa812c000) >>> libglobus_gsi_cert_utils_gcc64dbg.so.0 => >>> /usr/local/globus-5.0.3/lib/libglobus_gsi_cert_utils_gcc64dbg.so.0 >>> (0x00007f7aa7f25000) >>> libglobus_usage_gcc64dbg.so.0 => >>> /usr/local/globus-5.0.3/lib/libglobus_usage_gcc64dbg.so.0 >>> (0x00007f7aa7d20000) >>> libglobus_openssl_gcc64dbg.so.0 => >>> /usr/local/globus-5.0.3/lib/libglobus_openssl_gcc64dbg.so.0 >>> (0x00007f7aa7b1c000) >>> libglobus_xio_gcc64dbg.so.0 => >>> /usr/local/globus-5.0.3/lib/libglobus_xio_gcc64dbg.so.0 (0x00007f7aa78a0000) >>> libglobus_openssl_error_gcc64dbg.so.0 => >>> /usr/local/globus-5.0.3/lib/libglobus_openssl_error_gcc64dbg.so.0 >>> (0x00007f7aa769a000) >>> libglobus_callout_gcc64dbg.so.0 => >>> /usr/local/globus-5.0.3/lib/libglobus_callout_gcc64dbg.so.0 >>> (0x00007f7aa7494000) >>> libglobus_proxy_ssl_gcc64dbg.so.0 => >>> /usr/local/globus-5.0.3/lib/libglobus_proxy_ssl_gcc64dbg.so.0 >>> (0x00007f7aa728e000) >>> libglobus_common_gcc64dbg.so.0 => >>> /usr/local/globus-5.0.3/lib/libglobus_common_gcc64dbg.so.0 >>> (0x00007f7aa7044000) >>> libltdl_gcc64dbg.so.3 => >>> /usr/local/globus-5.0.3/lib/libltdl_gcc64dbg.so.3 (0x00007f7aa6e39000) >>> libm.so.6 => /lib/libm.so.6 (0x00007f7aa6bb6000) >>> libdl.so.2 => /lib/libdl.so.2 (0x00007f7aa69b2000) >>> libssl.so.0.9.8 => /lib/libssl.so.0.9.8 (0x00007f7aa675f000) >>> libcrypto.so.0.9.8 => /lib/libcrypto.so.0.9.8 (0x00007f7aa63cf000) >>> libc.so.6 => /lib/libc.so.6 (0x00007f7aa604c000) >>> libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007f7aa5e12000) >>> /lib64/ld-linux-x86-64.so.2 (0x00007f7aa9411000) >>> libz.so.1 => /lib/libz.so.1 (0x00007f7aa5bfa000) >>> root@auth1:/var/log# >>> >>> >>> There is no problem with reading the CA certificate by openssl. >>> >>> Did anybody experienced such a problem with the >>> certificate_issuer_subca_certfile? >>> >>> Thanks, >>> Lukasz
