The error message is definitely misleading. It turned out that the subjects in
the mappings were incorrect. Every attribute name should be capitalized. For
example, the following mapping will end up with the error:
"/c=us/o=Globus Testers/cn=John Doe" joed
Interestingly, the error appears when the
'certificate_issuer_subca_certfile' option is used. If the option is not used,
then the MyProxy server issues user certificates without any problems.
Thanks,
Lukasz
On 6/11/12 6:15 PM, Jim Basney wrote:
I can't reproduce the problem with gcc64dbg GT 5.2.1 OpenSSL 0.9.8r.
On 6/11/12 4:51 PM, Jim Basney wrote:
That CA certificate works fine for me with
certificate_issuer_subca_certfile using:
# myproxy-server --version
myproxy-server version MYPROXYv2 (v5.7 May 2012 PAM OCSP)
# openssl version
OpenSSL 0.9.8r 8 Feb 2011
and also using:
# myproxy-server --version
myproxy-server version MYPROXYv2 (v5.5 5 Sep 2011 PAM OCSP)
# openssl version
OpenSSL 1.0.1 14 Mar 2012
I'm stumped. The "PEM_read_bio:no start line" error means OpenSSL didn't
find "-----BEGIN CERTIFICATE-----" in the file but it's clearly there.
My only guess is that maybe an OS OpenSSL patch introduced an
incompatibility that might be cleared up by a fresh GT/MyProxy install.
I see you're at GT 5.0.3. Upgrading to GT 5.2.1 may be worth a try.
My current installs use gcc32dbg and I see yours uses gcc64dbg, so I'll
try to reproduce the problem with a fresh gcc64dbg build.
On 6/11/12 3:45 PM, Lukasz Lacinski wrote:
It is:
root@auth1:/var/log# less /var/lib/myproxy/.globus/simpleCA/cacert.pem
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
Thanks,
Lukasz
On 6/11/12 3:40 PM, Jim Basney wrote:
What are the contents of /var/lib/myproxy/.globus/simpleCA/cacert.pem?
On 6/11/12 3:38 PM, Lukasz Lacinski wrote:
We use the MyProxy server with Simple CA to issue user credentials, and
wanted to use the certificate_issuer_subca_certfile option to add the
certificate of the Simple CA to the certificate chain sent by the MyProxy
server. Unfortunately, the option causes the following error:
Jun 11 13:36:34 auth1 myproxy-server[17900]: Error parsing certificate chain
error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large
error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large
error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large
error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large
error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large
error:0906D06C:PEM routines:PEM_read_bio:no start line Failed to load sub-CA
certs from file (/var/lib/myproxy/.globus/simpleCA/cacert.pem)! CA failed to
generate certificate
We are using Ubuntu Oneiric.
root@ca:~# openssl version
OpenSSL 0.9.8k 25 Mar 2009
root@ca:~#
The version we are running is:
root@auth1:/var/log# myproxy-server --version
myproxy-server version MYPROXYv2 (v5.5 5 Sep 2011 PAM OCSP)
root@ca:~# ldd /usr/local/globus-5.0.3/sbin/myproxy-server
linux-vdso.so.1 => (0x00007fff02dff000)
libmyproxy_gcc64dbg.so.0 => /usr/local/globus-5.0.3/lib/libmyproxy_gcc64dbg.so.0 (0x00007f7aa91d0000)
libpam.so.0 => /lib/libpam.so.0 (0x00007f7aa8fb1000)
libglobus_gss_assist_gcc64dbg.so.0 => /usr/local/globus-5.0.3/lib/libglobus_gss_assist_gcc64dbg.so.0 (0x00007f7aa8da1000)
libglobus_gssapi_gsi_gcc64dbg.so.0 => /usr/local/globus-5.0.3/lib/libglobus_gssapi_gsi_gcc64dbg.so.0 (0x00007f7aa8b7a000)
libglobus_gsi_proxy_core_gcc64dbg.so.0 => /usr/local/globus-5.0.3/lib/libglobus_gsi_proxy_core_gcc64dbg.so.0 (0x00007f7aa8966000)
libglobus_gsi_credential_gcc64dbg.so.0 => /usr/local/globus-5.0.3/lib/libglobus_gsi_credential_gcc64dbg.so.0 (0x00007f7aa8752000)
libglobus_gsi_callback_gcc64dbg.so.0 => /usr/local/globus-5.0.3/lib/libglobus_gsi_callback_gcc64dbg.so.0 (0x00007f7aa8546000)
libglobus_oldgaa_gcc64dbg.so.0 => /usr/local/globus-5.0.3/lib/libglobus_oldgaa_gcc64dbg.so.0 (0x00007f7aa833b000)
libglobus_gsi_sysconfig_gcc64dbg.so.0 => /usr/local/globus-5.0.3/lib/libglobus_gsi_sysconfig_gcc64dbg.so.0 (0x00007f7aa812c000)
libglobus_gsi_cert_utils_gcc64dbg.so.0 => /usr/local/globus-5.0.3/lib/libglobus_gsi_cert_utils_gcc64dbg.so.0 (0x00007f7aa7f25000)
libglobus_usage_gcc64dbg.so.0 => /usr/local/globus-5.0.3/lib/libglobus_usage_gcc64dbg.so.0 (0x00007f7aa7d20000)
libglobus_openssl_gcc64dbg.so.0 => /usr/local/globus-5.0.3/lib/libglobus_openssl_gcc64dbg.so.0 (0x00007f7aa7b1c000)
libglobus_xio_gcc64dbg.so.0 => /usr/local/globus-5.0.3/lib/libglobus_xio_gcc64dbg.so.0 (0x00007f7aa78a0000)
libglobus_openssl_error_gcc64dbg.so.0 => /usr/local/globus-5.0.3/lib/libglobus_openssl_error_gcc64dbg.so.0 (0x00007f7aa769a000)
libglobus_callout_gcc64dbg.so.0 => /usr/local/globus-5.0.3/lib/libglobus_callout_gcc64dbg.so.0 (0x00007f7aa7494000)
libglobus_proxy_ssl_gcc64dbg.so.0 => /usr/local/globus-5.0.3/lib/libglobus_proxy_ssl_gcc64dbg.so.0 (0x00007f7aa728e000)
libglobus_common_gcc64dbg.so.0 => /usr/local/globus-5.0.3/lib/libglobus_common_gcc64dbg.so.0 (0x00007f7aa7044000)
libltdl_gcc64dbg.so.3 => /usr/local/globus-5.0.3/lib/libltdl_gcc64dbg.so.3 (0x00007f7aa6e39000)
libm.so.6 => /lib/libm.so.6 (0x00007f7aa6bb6000)
libdl.so.2 => /lib/libdl.so.2 (0x00007f7aa69b2000)
libssl.so.0.9.8 => /lib/libssl.so.0.9.8 (0x00007f7aa675f000)
libcrypto.so.0.9.8 => /lib/libcrypto.so.0.9.8 (0x00007f7aa63cf000)
libc.so.6 => /lib/libc.so.6 (0x00007f7aa604c000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007f7aa5e12000)
/lib64/ld-linux-x86-64.so.2 (0x00007f7aa9411000)
libz.so.1 => /lib/libz.so.1 (0x00007f7aa5bfa000)
root@auth1:/var/log#
There is no problem reading the CA certificate with openssl.
Has anybody experienced such a problem with
certificate_issuer_subca_certfile?
Thanks,
Lukasz
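
A pre-deployment check for the cause reported at the top of this thread (lowercase attribute names in mapping subjects), as an added example that is not part of the original messages or of MyProxy. It assumes the mapping format shown in the thread (a quoted /-separated subject followed by a user name) and compares attribute names against a short list of OpenSSL short names, which are case-sensitive; the function names and the sample file are constructed for illustration.

```python
import shlex

# OpenSSL short names for common DN attributes (OpenSSL matches these case-sensitively).
# Assumption: extend this list to whatever attributes your CA actually issues.
KNOWN = ["C", "ST", "L", "O", "OU", "CN", "DC", "UID", "emailAddress", "serialNumber"]
BY_FOLDED = {name.lower(): name for name in KNOWN}


def check_subject(dn):
    """Return (attribute_name, suggested_name_or_None) for each suspect attribute in a DN."""
    problems = []
    for part in dn.split("/")[1:]:          # the DN starts with "/", so skip the empty first field
        name, sep, _value = part.partition("=")
        if not sep:
            continue                        # a "/" inside a value (e.g. CN=host/fqdn), not an attribute
        canonical = BY_FOLDED.get(name.lower())
        if canonical is None:
            problems.append((name, None))   # not in KNOWN: review by hand
        elif name != canonical:
            problems.append((name, canonical))
    return problems


def lint_mapfile(text):
    """Return (line_number, dn, problems) for every mapping whose subject has problems."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = shlex.split(line, comments=True)   # handles the quoted DN and '#' comments
        if not fields:
            continue
        problems = check_subject(fields[0])
        if problems:
            findings.append((lineno, fields[0], problems))
    return findings


# Constructed sample: line 2 is the failing mapping quoted in the thread.
SAMPLE = '''\
# subject DN                                   local user
"/c=us/o=Globus Testers/cn=John Doe" joed
"/C=US/O=Globus Testers/CN=Jane Roe" janer
"/DC=org/DC=example/OU=People/CN=host/node1.example.org" svc
'''

if __name__ == "__main__":
    for lineno, dn, problems in lint_mapfile(SAMPLE):
        for name, fix in problems:
            hint = f"use '{fix}'" if fix else "unknown attribute name"
            print(f"line {lineno}: '{name}' in {dn}: {hint}")
```

Running it over the mapping file before restarting the server reports the offending line and attribute directly, instead of the unrelated-looking "no start line" message in the server log.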