Thanks very very very much for your help!
That straightened out the issue with openssl and the hostcert*.

[root@go grid-security]# grid-ca-sign -in hostcert_request.pem -out hostcert.pem

To sign the request
please enter the password for the CA key: 

The new signed certificate is at: /var/lib/globus/simple_ca/newcerts/01.pem

[root@go grid-security]# openssl verify -CApath $X509_CERT_DIR hostcert.pem
hostcert.pem: OK
[root@go grid-security]#


The myproxy-get-trustroots is still being difficult though.

[root@go grid-security]# myproxy-get-trustroots -s go.hpcs.lbl.gov
Error authenticating: GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
globus_gss_assist: Error during context initialization
OpenSSL Error: a_verify.c:184: in library: asn1 encoding routines, function 
ASN1_item_verify: EVP lib
OpenSSL Error: rsa_eay.c:773: in library: rsa routines, function 
RSA_EAY_PUBLIC_DECRYPT: padding check failed
OpenSSL Error: rsa_pk1.c:100: in library: rsa routines, function 
RSA_padding_check_PKCS1_type_1: block type is not 01

[root@go grid-security]

thanks!
-k
--


On Sat, Feb 23, 2013 at 10:37:33AM -0600, Jim Basney wrote:
> It turns out what was causing this error for me is I had run
> grid-ca-create multiple times, so the Simple CA instance I previously
> used to sign my hostcert.pem was overwritten with a new Simple CA
> instance, making the old hostcert.pem signature no longer valid. Running
> grid-ca-sign to re-sign hostcert.pem using my current Simple CA
> installation (re-using my old hostcert_request.pem) fixed it for me.
> 
> $ openssl verify -CApath $X509_CERT_DIR hostcert.pem
> hostcert.pem:
> /O=Grid/OU=GlobusTest/OU=simpleCA-mpt.ncsa.illinois.edu/CN=host/mpt.ncsa.illinois.edu
> error 7 at 0 depth lookup:certificate signature failure
> 8794:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block
> type is not 01:rsa_pk1.c:100:
> 8794:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check
> failed:fips_rsa_eay.c:748:
> 8794:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP
> lib:a_verify.c:168:
> $ mv hostcert.pem hostcert.pem.old
> $ grid-ca-sign -in hostcert_request.pem -out hostcert.pem
> To sign the request
> please enter the password for the CA key:
> The new signed certificate is at:
> /home/jbasney/.globus/simpleCA/newcerts/01.pem
> $ openssl verify -CApath $X509_CERT_DIR hostcert.pem
> hostcert.pem: OK
> 
> On 2/21/13 9:13 AM, Jim Basney wrote:
> > Hi,
> > 
> > I installed globus-simple-ca-3.2-1.el5 on CentOS 5.9 which has
> > OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
> > and signed a host certificate, and now I'm getting:
> > 
> > # openssl verify -CApath /etc/grid-security/certificates
> > /etc/grid-security/hostcert.pem
> > /etc/grid-security/hostcert.pem:
> > /O=Grid/OU=GlobusTest/OU=simpleCA-mpt.ncsa.illinois.edu/CN=host/mpt.ncsa.illinois.edu
> > error 7 at 0 depth lookup:certificate signature failure
> > 27641:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block
> > type is not 01:rsa_pk1.c:100:
> > 27641:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check
> > failed:fips_rsa_eay.c:748:
> > 27641:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP
> > lib:a_verify.c:168:
> > 
> > Does anyone know what causes this?
> > 
> > Thanks,
> > Jim

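The failure described in the quoted reply above (a CA re-created under the same name, so an older host certificate no longer verifies until it is re-signed from the same request) can be reproduced offline with plain openssl. This is an added example, not part of the original thread: it uses `openssl req` and `openssl x509` in place of grid-ca-create and grid-ca-sign, and the DNs, file names and function names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: the DNs, paths and function names are made up for this example.
CA_DN="/O=Grid/OU=GlobusTest/CN=Example Simple CA"
HOST_DN="/O=Grid/OU=GlobusTest/CN=host.demo.example.org"

new_ca() {      # $1 = CA directory; every call generates a fresh key pair
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$CA_DN" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

sign_host() {   # $1 = CA directory, $2 = request, $3 = certificate to write
    openssl x509 -req -in "$2" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -set_serial 1 -days 30 -out "$3" 2>/dev/null
}

verifies() {    # $1 = CA certificate, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    req="$d/hostcert_request.pem"; crt="$d/hostcert.pem"; ca="$d/ca"
    openssl req -newkey rsa:2048 -nodes -subj "$HOST_DN" \
        -keyout "$d/hostkey.pem" -out "$req" 2>/dev/null || return 1

    # 1. First CA instance signs the host request: verification succeeds.
    new_ca "$ca" && sign_host "$ca" "$req" "$crt" || return 1
    verifies "$ca/ca.pem" "$crt" && first=OK || first=FAIL
    old_hash=$(openssl x509 -noout -subject_hash -in "$ca/ca.pem")

    # 2. CA is re-created: same subject DN, different key pair.
    new_ca "$ca" || return 1
    new_hash=$(openssl x509 -noout -subject_hash -in "$ca/ca.pem")
    # The subject hash depends only on the DN, so a hash-named trust
    # directory entry looks unchanged even though the key is new.
    [ "$old_hash" = "$new_hash" ] && same=same-hash || same=diff-hash
    verifies "$ca/ca.pem" "$crt" && stale=OK || stale=FAIL

    # 3. Re-sign the same request with the current CA: verification succeeds.
    sign_host "$ca" "$req" "$crt" || return 1
    verifies "$ca/ca.pem" "$crt" && resigned=OK || resigned=FAIL

    rm -rf "$d"
    echo "$first $same $stale $resigned"
}

demo
```

The exact error text for the stale certificate depends on the OpenSSL version and on whether the certificates carry key identifier extensions, so the demo checks only whether verification passes or fails.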