It turns out what was causing this error for me is I had run grid-ca-create multiple times, so the Simple CA instance I previously used to sign my hostcert.pem was overwritten with a new Simple CA instance, making the old hostcert.pem signature no longer valid. Running grid-ca-sign to re-sign hostcert.pem using my current Simple CA installation (re-using my old hostcert_request.pem) fixed it for me.
$ openssl verify -CApath $X509_CERT_DIR hostcert.pem
hostcert.pem: /O=Grid/OU=GlobusTest/OU=simpleCA-mpt.ncsa.illinois.edu/CN=host/mpt.ncsa.illinois.edu
error 7 at 0 depth lookup:certificate signature failure
8794:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
8794:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:fips_rsa_eay.c:748:
8794:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:168:
$ mv hostcert.pem hostcert.pem.old
$ grid-ca-sign -in hostcert_request.pem -out hostcert.pem
To sign the request please enter the password for the CA key:
The new signed certificate is at: /home/jbasney/.globus/simpleCA/newcerts/01.pem
$ openssl verify -CApath $X509_CERT_DIR hostcert.pem
hostcert.pem: OK

On 2/21/13 9:13 AM, Jim Basney wrote:
> Hi,
>
> I installed globus-simple-ca-3.2-1.el5 on CentOS 5.9 which has
> OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
> and signed a host certificate, and now I'm getting:
>
> # openssl verify -CApath /etc/grid-security/certificates
> /etc/grid-security/hostcert.pem
> /etc/grid-security/hostcert.pem:
> /O=Grid/OU=GlobusTest/OU=simpleCA-mpt.ncsa.illinois.edu/CN=host/mpt.ncsa.illinois.edu
> error 7 at 0 depth lookup:certificate signature failure
> 27641:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block
> type is not 01:rsa_pk1.c:100:
> 27641:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check
> failed:fips_rsa_eay.c:748:
> 27641:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP
> lib:a_verify.c:168:
>
> Does anyone know what causes this?
>
> Thanks,
> Jim
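The situation described in this thread can be reproduced in a scratch directory. This is an added example, not part of the original messages: it uses plain openssl commands in place of grid-ca-create and grid-ca-sign, and every subject and file name in it is constructed. It shows that a certificate signed by an overwritten CA still names the current CA as its issuer but no longer verifies, and that re-signing the old request fixes it.

```shell
#!/bin/sh
# Constructed reproduction: subjects and file names are made up for the demo.
CA_SUBJ="/O=Grid/OU=Example/CN=Example Simple CA"

make_ca() {             # $1 = file prefix for the CA key and certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$CA_SUBJ" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

sign_csr() {            # $1 = CA prefix, $2 = request, $3 = certificate to write
    openssl x509 -req -in "$2" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$3" 2>/dev/null
}

verifies() {            # $1 = CA certificate, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

issuer_name_matches() { # $1 = CA certificate, $2 = certificate to check
    # Same name hash means a CApath lookup would select this CA as issuer.
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$2" -noout -issuer_hash)" ]
}

WORK=$(mktemp -d)
make_ca "$WORK/ca_old"                        # first CA creation
openssl req -new -newkey rsa:2048 -nodes -subj "/O=Grid/CN=host.example.test" \
    -keyout "$WORK/host.key" -out "$WORK/host_request.pem" 2>/dev/null
sign_csr "$WORK/ca_old" "$WORK/host_request.pem" "$WORK/host_old.pem"
make_ca "$WORK/ca_new"                        # CA re-created: same name, new key
sign_csr "$WORK/ca_new" "$WORK/host_request.pem" "$WORK/host_new.pem"

# Check both host certificates against the CA that is installed now.
for cert in host_old.pem host_new.pem; do
    if issuer_name_matches "$WORK/ca_new.pem" "$WORK/$cert"; then name=yes; else name=no; fi
    if verifies "$WORK/ca_new.pem" "$WORK/$cert"; then sig=OK; else sig=FAILED; fi
    echo "$cert: issuer name matches current CA=$name, verify=$sig"
done
```

The exact error text for the stale certificate depends on the OpenSSL version and on whether the certificates carry key identifier extensions, so the script checks only whether verification succeeds.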
