Hi Karen,

By any chance are you running myproxy-get-trustroots on the same machine
where your myproxy-server is running? The myproxy-get-trustroots command
[1] is for downloading the trusted CA certificates from a remote
myproxy-server machine to the local machine, but it's not needed when
your myproxy-server is running on the local machine, where
/etc/grid-security/certificates is already configured.

In any case, it seems that myproxy-get-trustroots is trying to use a
certificate with a signature problem. If you add -v to the
myproxy-get-trustroots command-line, it should output something like:

  Using Proxy file (/tmp/x509up_u501)

or

  Using Host cert file (hostcert.pem), key file (hostkey.pem)

to tell you what certificate and key are the source of the trouble.
Maybe you have an old proxy in /tmp/x509up_u0 that you created from the
old hostcert.pem, which grid-proxy-destroy could clean up for you. If
you post the full output of 'myproxy-get-trustroots -v -s
go.hpcs.lbl.gov' I'll be happy to help interpret it.

Depending on your myproxy-server configuration, you might also have a
copy of hostcert.pem in /etc/grid-security/myproxy which may need to be
updated to match your current Simple CA installation.

In general, if a MyProxy client command is giving trouble, try adding -v
for verbose output, and if the myproxy-server is giving trouble, look in
the syslog messages (typically /var/log/messages) according to [2].

-Jim

[1] http://grid.ncsa.illinois.edu/myproxy/man/myproxy-get-trustroots.1.html

[2] http://grid.ncsa.illinois.edu/myproxy/troubleshooting.html

On 2/25/13 6:49 PM, Karen M. Fernsler wrote:
> Thanks very very very much for your help!
> That straightened out the issue with openssl and the hostcert*.
> 
> [root@go grid-security]# grid-ca-sign -in hostcert_request.pem -out 
> hostcert.pem
> 
> To sign the request
> please enter the password for the CA key: 
> 
> The new signed certificate is at: /var/lib/globus/simple_ca/newcerts/01.pem
> 
> [root@go grid-security]# openssl verify -CApath $X509_CERT_DIR hostcert.pem
> hostcert.pem: OK
> [root@go grid-security]#
> 
> 
> The myproxy-get-trustroots is still being difficult though.
> 
> [root@go grid-security]# myproxy-get-trustroots -s go.hpcs.lbl.gov
> Error authenticating: GSS Major Status: Authentication Failed
> GSS Minor Status Error Chain:
> globus_gss_assist: Error during context initialization
> OpenSSL Error: a_verify.c:184: in library: asn1 encoding routines, function 
> ASN1_item_verify: EVP lib
> OpenSSL Error: rsa_eay.c:773: in library: rsa routines, function 
> RSA_EAY_PUBLIC_DECRYPT: padding check failed
> OpenSSL Error: rsa_pk1.c:100: in library: rsa routines, function 
> RSA_padding_check_PKCS1_type_1: block type is not 01
> 
> [root@go grid-security]
> 
> thanks!
> -k
> --
> 
> 
> On Sat, Feb 23, 2013 at 10:37:33AM -0600, Jim Basney wrote:
>> It turns out what was causing this error for me is I had run
>> grid-ca-create multiple times, so the Simple CA instance I previously
>> used to sign my hostcert.pem was overwritten with a new Simple CA
>> instance, making the old hostcert.pem signature no longer valid. Running
>> grid-ca-sign to re-sign hostcert.pem using my current Simple CA
>> installation (re-using my old hostcert_request.pem) fixed it for me.
>>
>> $ openssl verify -CApath $X509_CERT_DIR hostcert.pem
>> hostcert.pem:
>> /O=Grid/OU=GlobusTest/OU=simpleCA-mpt.ncsa.illinois.edu/CN=host/mpt.ncsa.illinois.edu
>> error 7 at 0 depth lookup:certificate signature failure
>> 8794:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block
>> type is not 01:rsa_pk1.c:100:
>> 8794:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check
>> failed:fips_rsa_eay.c:748:
>> 8794:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP
>> lib:a_verify.c:168:
>> $ mv hostcert.pem hostcert.pem.old
>> $ grid-ca-sign -in hostcert_request.pem -out hostcert.pem
>> To sign the request
>> please enter the password for the CA key:
>> The new signed certificate is at:
>> /home/jbasney/.globus/simpleCA/newcerts/01.pem
>> $ openssl verify -CApath $X509_CERT_DIR hostcert.pem
>> hostcert.pem: OK
>>
>> On 2/21/13 9:13 AM, Jim Basney wrote:
>>> Hi,
>>>
>>> I installed globus-simple-ca-3.2-1.el5 on CentOS 5.9 which has
>>> OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
>>> and signed a host certificate, and now I'm getting:
>>>
>>> # openssl verify -CApath /etc/grid-security/certificates
>>> /etc/grid-security/hostcert.pem
>>> /etc/grid-security/hostcert.pem:
>>> /O=Grid/OU=GlobusTest/OU=simpleCA-mpt.ncsa.illinois.edu/CN=host/mpt.ncsa.illinois.edu
>>> error 7 at 0 depth lookup:certificate signature failure
>>> 27641:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block
>>> type is not 01:rsa_pk1.c:100:
>>> 27641:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check
>>> failed:fips_rsa_eay.c:748:
>>> 27641:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP
>>> lib:a_verify.c:168:
>>>
>>> Does anyone know what causes this?
>>>
>>> Thanks,
>>> Jim

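The `openssl verify -CApath` check used in this thread, applied to both host certificate copies it mentions, as an added example that is not part of the original messages. The function names are made up for this illustration, and the proxy file under /tmp is left out because a proxy is signed by the certificate it was created from rather than directly by the CA.

```shell
#!/bin/sh
# Added example (not from the thread): verify each hostcert.pem copy against
# the trusted CA directory and check that the MyProxy copy is the same cert.

# check_cred CERT_DIR FILE -> prints OK, FAIL or MISSING on stdout;
# openssl's own error text goes to stderr so the cause stays visible.
check_cred() {
    cc_dir=$1
    cc_file=$2
    if [ ! -r "$cc_file" ]; then
        echo MISSING
        return 0
    fi
    # Decide on the "<file>: OK" line, the success output shown in the thread.
    cc_out=$(openssl verify -CApath "$cc_dir" "$cc_file" 2>&1) || true
    case $cc_out in
        "$cc_file: OK"*) echo OK ;;
        *) printf '%s\n' "$cc_out" >&2; echo FAIL ;;
    esac
}

# same_cert A B -> returns 0 only when both files hold the same certificate.
same_cert() {
    [ -r "$1" ] && [ -r "$2" ] || return 1
    [ "$(openssl x509 -noout -fingerprint -sha256 -in "$1")" = \
      "$(openssl x509 -noout -fingerprint -sha256 -in "$2")" ]
}

# report_creds CERT_DIR FILE... -> one "STATUS path" line per file;
# returns 1 if any file fails verification.
report_creds() {
    rc_dir=$1; shift
    rc_bad=0
    for rc_f in "$@"; do
        rc_status=$(check_cred "$rc_dir" "$rc_f")
        echo "$rc_status $rc_f"
        [ "$rc_status" = FAIL ] && rc_bad=1
    done
    return $rc_bad
}

# Paths are the ones named in the thread; X509_CERT_DIR overrides the CA dir.
CERT_DIR=${X509_CERT_DIR:-/etc/grid-security/certificates}
HOSTCERT=/etc/grid-security/hostcert.pem
MYPROXY_COPY=/etc/grid-security/myproxy/hostcert.pem

report_creds "$CERT_DIR" "$HOSTCERT" "$MYPROXY_COPY" ||
    echo "A copy does not verify against $CERT_DIR; re-sign it with grid-ca-sign."
if [ -r "$MYPROXY_COPY" ] && ! same_cert "$HOSTCERT" "$MYPROXY_COPY"; then
    echo "The MyProxy copy differs from $HOSTCERT and may need updating."
fi
```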