Thanks for reporting the cause. The bug fix will appear in MyProxy v5.8. https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7259
On 6/14/12 2:28 PM, Lukasz Lacinski wrote:
> The error message is definitely misleading. It came out that subjects in
> mappings were incorrect. Every attribute name should be capitalized. For
> example, the following mappings will end up with the error:
>
> "/c=us/o=Globus Testers/cn=John Doe" joed
>
> What is interesting, the error appears when the
> 'certificate_issuer_subca_certfile' option is used. If the option is not
> used, then MyProxy server issues user certificates without any problems.
>
> Thanks,
> Lukasz
>
>
> On 6/11/12 6:15 PM, Jim Basney wrote:
>> I can't reproduce the problem with gcc64dbg GT 5.2.1 OpenSSL 0.9.8r.
>>
>> On 6/11/12 4:51 PM, Jim Basney wrote:
>>> That CA certificate works fine for me with
>>> certificate_issuer_subca_certfile using:
>>>
>>> # myproxy-server --version
>>> myproxy-server version MYPROXYv2 (v5.7 May 2012 PAM OCSP)
>>> # openssl version
>>> OpenSSL 0.9.8r 8 Feb 2011
>>>
>>> and also using:
>>>
>>> # myproxy-server --version
>>> myproxy-server version MYPROXYv2 (v5.5 5 Sep 2011 PAM OCSP)
>>> # openssl version
>>> OpenSSL 1.0.1 14 Mar 2012
>>>
>>> I'm stumped. The "PEM_read_bio:no start line" error means OpenSSL didn't
>>> find "-----BEGIN CERTIFICATE-----" in the file but it's clearly there.
>>> My only guess is that maybe an OS OpenSSL patch introduced an
>>> incompatibility that might be cleared up by a fresh GT/MyProxy install.
>>> I see you're at GT 5.0.3. Upgrading to GT 5.2.1 may be worth a try.
>>>
>>> My current installs use gcc32dbg and I see yours uses gcc64dbg, so I'll
>>> try to reproduce the problem with a fresh gcc64dbg build.
>>>
>>> On 6/11/12 3:45 PM, Lukasz Lacinski wrote:
>>>> It is:
>>>>
>>>> root@auth1:/var/log# less /var/lib/myproxy/.globus/simpleCA/cacert.pem
>>>> -----BEGIN CERTIFICATE-----
>>>> -----END CERTIFICATE-----
>>>>
>>>>
>>>> Thanks,
>>>> Lukasz
>>>>
>>>> On 6/11/12 3:40 PM, Jim Basney wrote:
>>>>> What are the contents of /var/lib/myproxy/.globus/simpleCA/cacert.pem?
>>>>>
>>>>> On 6/11/12 3:38 PM, Lukasz Lacinski wrote:
>>>>>> We use MyProxy server with Simple CA to issue user credentials. And
>>>>>> wanted to use the certificate_issuer_subca_certfile option to add a
>>>>>> certificate of the Simple CA to a certificate chain sent by MyProxy
>>>>>> server. Unfortunately, the option causes the following error:
>>>>>>
>>>>>> Jun 11 13:36:34 auth1 myproxy-server[17900]: Error parsing
>>>>>> certificate chain error:0D06407A:asn1 encoding
>>>>>> routines:a2d_ASN1_OBJECT:first num too large error:0D06407A:asn1
>>>>>> encoding routines:a2d_ASN1_OBJECT:first num too large
>>>>>> error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num
>>>>>> too large error:0D06407A:asn1 encoding
>>>>>> routines:a2d_ASN1_OBJECT:first num too large error:0D06407A:asn1
>>>>>> encoding routines:a2d_ASN1_OBJECT:first num too large
>>>>>> error:0906D06C:PEM routines:PEM_read_bio:no start line Failed to
>>>>>> load sub-CA certs from file
>>>>>> (/var/lib/myproxy/.globus/simpleCA/cacert.pem)! CA failed to
>>>>>> generate certificate
>>>>>>
>>>>>>
>>>>>> We are using Ubuntu Oneiric.
>>>>>> root@ca:~# openssl version
>>>>>> OpenSSL 0.9.8k 25 Mar 2009
>>>>>> root@ca:~#
>>>>>>
>>>>>> The version we are running is:
>>>>>> root@auth1:/var/log# myproxy-server --version
>>>>>> myproxy-server version MYPROXYv2 (v5.5 5 Sep 2011 PAM OCSP)
>>>>>> root@ca:~# ldd /usr/local/globus-5.0.3/sbin/myproxy-server
>>>>>> linux-vdso.so.1 => (0x00007fff02dff000)
>>>>>> libmyproxy_gcc64dbg.so.0 =>
>>>>>> /usr/local/globus-5.0.3/lib/libmyproxy_gcc64dbg.so.0
>>>>>> (0x00007f7aa91d0000)
>>>>>> libpam.so.0 => /lib/libpam.so.0 (0x00007f7aa8fb1000)
>>>>>> libglobus_gss_assist_gcc64dbg.so.0 =>
>>>>>> /usr/local/globus-5.0.3/lib/libglobus_gss_assist_gcc64dbg.so.0
>>>>>> (0x00007f7aa8da1000)
>>>>>> libglobus_gssapi_gsi_gcc64dbg.so.0 =>
>>>>>> /usr/local/globus-5.0.3/lib/libglobus_gssapi_gsi_gcc64dbg.so.0
>>>>>> (0x00007f7aa8b7a000)
>>>>>> libglobus_gsi_proxy_core_gcc64dbg.so.0 =>
>>>>>> /usr/local/globus-5.0.3/lib/libglobus_gsi_proxy_core_gcc64dbg.so.0
>>>>>> (0x00007f7aa8966000)
>>>>>> libglobus_gsi_credential_gcc64dbg.so.0 =>
>>>>>> /usr/local/globus-5.0.3/lib/libglobus_gsi_credential_gcc64dbg.so.0
>>>>>> (0x00007f7aa8752000)
>>>>>> libglobus_gsi_callback_gcc64dbg.so.0 =>
>>>>>> /usr/local/globus-5.0.3/lib/libglobus_gsi_callback_gcc64dbg.so.0
>>>>>> (0x00007f7aa8546000)
>>>>>> libglobus_oldgaa_gcc64dbg.so.0 =>
>>>>>> /usr/local/globus-5.0.3/lib/libglobus_oldgaa_gcc64dbg.so.0
>>>>>> (0x00007f7aa833b000)
>>>>>> libglobus_gsi_sysconfig_gcc64dbg.so.0 =>
>>>>>> /usr/local/globus-5.0.3/lib/libglobus_gsi_sysconfig_gcc64dbg.so.0
>>>>>> (0x00007f7aa812c000)
>>>>>> libglobus_gsi_cert_utils_gcc64dbg.so.0 =>
>>>>>> /usr/local/globus-5.0.3/lib/libglobus_gsi_cert_utils_gcc64dbg.so.0
>>>>>> (0x00007f7aa7f25000)
>>>>>> libglobus_usage_gcc64dbg.so.0 =>
>>>>>> /usr/local/globus-5.0.3/lib/libglobus_usage_gcc64dbg.so.0
>>>>>> (0x00007f7aa7d20000)
>>>>>> libglobus_openssl_gcc64dbg.so.0 =>
>>>>>> /usr/local/globus-5.0.3/lib/libglobus_openssl_gcc64dbg.so.0
>>>>>> (0x00007f7aa7b1c000)
>>>>>> libglobus_xio_gcc64dbg.so.0 =>
>>>>>> /usr/local/globus-5.0.3/lib/libglobus_xio_gcc64dbg.so.0
>>>>>> (0x00007f7aa78a0000)
>>>>>> libglobus_openssl_error_gcc64dbg.so.0 =>
>>>>>> /usr/local/globus-5.0.3/lib/libglobus_openssl_error_gcc64dbg.so.0
>>>>>> (0x00007f7aa769a000)
>>>>>> libglobus_callout_gcc64dbg.so.0 =>
>>>>>> /usr/local/globus-5.0.3/lib/libglobus_callout_gcc64dbg.so.0
>>>>>> (0x00007f7aa7494000)
>>>>>> libglobus_proxy_ssl_gcc64dbg.so.0 =>
>>>>>> /usr/local/globus-5.0.3/lib/libglobus_proxy_ssl_gcc64dbg.so.0
>>>>>> (0x00007f7aa728e000)
>>>>>> libglobus_common_gcc64dbg.so.0 =>
>>>>>> /usr/local/globus-5.0.3/lib/libglobus_common_gcc64dbg.so.0
>>>>>> (0x00007f7aa7044000)
>>>>>> libltdl_gcc64dbg.so.3 =>
>>>>>> /usr/local/globus-5.0.3/lib/libltdl_gcc64dbg.so.3
>>>>>> (0x00007f7aa6e39000)
>>>>>> libm.so.6 => /lib/libm.so.6 (0x00007f7aa6bb6000)
>>>>>> libdl.so.2 => /lib/libdl.so.2 (0x00007f7aa69b2000)
>>>>>> libssl.so.0.9.8 => /lib/libssl.so.0.9.8
>>>>>> (0x00007f7aa675f000)
>>>>>> libcrypto.so.0.9.8 => /lib/libcrypto.so.0.9.8
>>>>>> (0x00007f7aa63cf000)
>>>>>> libc.so.6 => /lib/libc.so.6 (0x00007f7aa604c000)
>>>>>> libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007f7aa5e12000)
>>>>>> /lib64/ld-linux-x86-64.so.2 (0x00007f7aa9411000)
>>>>>> libz.so.1 => /lib/libz.so.1 (0x00007f7aa5bfa000)
>>>>>> root@auth1:/var/log#
>>>>>>
>>>>>>
>>>>>> There is no problem with reading the CA certificate by openssl.
>>>>>>
>>>>>> Did anybody experience such a problem with the
>>>>>> certificate_issuer_subca_certfile?
>>>>>>
>>>>>> Thanks,
>>>>>> Lukasz
>
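
A pre-deployment check for the root cause reported in this thread, as an added example that is not part of the original messages and is not MyProxy code: it scans a mapfile for subjects whose attribute names are not capitalized, such as "/c=us/o=Globus Testers/cn=John Doe". The line format (quoted subject, then username), the "#" comment handling, the function names and the sample file are assumptions made for this illustration.

```python
import re

# Constructed sample mapfile. The first mapping is the failing example quoted
# in the thread; the other two are made up for illustration.
SAMPLE_MAPFILE = '''\
# subject DN -> local account
"/c=us/o=Globus Testers/cn=John Doe" joed
"/C=US/O=Globus Testers/CN=Jane Roe" janer
"/C=US/o=Globus Testers/CN=Sam Poe" samp
'''

# Assumed line format (as in the thread): a double-quoted subject, then a username.
MAPPING_RE = re.compile(r'^\s*"([^"]+)"\s+(\S+)\s*$')
# An attribute name is whatever sits between a "/" and the next "=".
ATTR_RE = re.compile(r'/([^/=]+)=')


def bad_attribute_names(subject):
    """Return the attribute names in a slash-separated DN that are not upper case.

    Dotted numeric OIDs contain no letters, so they pass unchanged.
    """
    return [name for name in ATTR_RE.findall(subject) if name != name.upper()]


def lint_mapfile(text):
    """Return (line number, username, bad names) for every line needing attention.

    Lines that do not match the assumed format are reported with username None.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        match = MAPPING_RE.match(line)
        if match is None:
            findings.append((lineno, None, []))
            continue
        bad = bad_attribute_names(match.group(1))
        if bad:
            findings.append((lineno, match.group(2), bad))
    return findings


if __name__ == '__main__':
    for lineno, user, bad in lint_mapfile(SAMPLE_MAPFILE):
        print(lineno, user or 'unparsable line', ', '.join(bad))
```

Running it before restarting the server with certificate_issuer_subca_certfile set points at the offending mapping directly, rather than at the misleading "no start line" message for cacert.pem.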
