Jim,

Thanks again for your response.

I am in fact running myproxy-get-trustroots on the same machine where
myproxy-server is running.  I admit, I have no idea how this is to 
work.

What I'm really trying to accomplish is to get OAuth working with 
myproxy so we can set up an OAuth server to work with Globus Online,
but I wanted to test it before applying for a *real* cert.

I ran into the myproxy-get-trustroots thing following this walkthrough 
(nice walkthrough, btw!):

http://www.sciencegatewaysecurity.org/oauth-for-myproxy/installation-walk-through

The real issue is that when I set up a client on this same machine and 
bring up:
https://go.hpcs.lbl.gov/client/

and click the start button, the server responds with:

"Oh dear...

There was a problem getting the cert. Check the server logs...

The message received was: Error: could not connect to the server. Is your 
trusted roots store up to date? "

I noticed I skipped the myproxy-get-trustroots part of the walkthrough, 
and thought maybe it was related.

Though now I should try to reset the client, now that the cert is in
order.  I'm not even really sure what certificate the server is trying
to retrieve here though.

Thanks!
Here is the output of myproxy-get-trustroots -v -s go.hpcs.lbl.gov:

[root@go ~]# myproxy-get-trustroots -v -s go.hpcs.lbl.gov
MyProxy v5.9 Jul 2012 PAM SASL KRB5 LDAP VOMS OCSP
Attempting to connect to 131.243.60.14:7512 
Successfully connected to go.hpcs.lbl.gov:7512 
using trusted certificates directory /etc/grid-security/certificates
Using Host cert file (/etc/grid-security/hostcert.pem), key file 
(/etc/grid-security/hostkey.pem)
no valid credentials found -- performing anonymous authentication
Using Host cert file (/etc/grid-security/hostcert.pem), key file 
(/etc/grid-security/hostkey.pem)
Error authenticating: GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
globus_gss_assist: Error during context initialization
OpenSSL Error: a_verify.c:184: in library: asn1 encoding routines, function 
ASN1_item_verify: EVP lib
OpenSSL Error: rsa_eay.c:773: in library: rsa routines, function 
RSA_EAY_PUBLIC_DECRYPT: padding check failed
OpenSSL Error: rsa_pk1.c:100: in library: rsa routines, function 
RSA_padding_check_PKCS1_type_1: block type is not 01

[root@go ~]# 

How (again) can I update the hostcert.pem in /etc/grid-security/myproxy?

Copying the one from /etc/grid-security (that openssl verify now likes) 
causes myproxy-server to choke, and I cannot start the server

(here's the debug output for that in case it's relevant):

[root@go myproxy]# runuser -s /bin/bash myproxy -c 'ulimit -S -c 0 ; 
X509_USER_CERT=/etc/grid-security/myproxy/hostcert.pem 
X509_USER_KEY=/etc/grid-security/myproxy/hostkey.pem /usr/sbin/myproxy-server 
-d'
myproxy-server v5.9 Jul 2012 PAM SASL KRB5 LDAP VOMS OCSP starting at Tue Feb 
26 17:31:14 2013 
reading configuration file /etc/myproxy-server.config
allow_voms_attribute_requests is not set.
VOMS attribute requests will be ignored.
Processing usage_stats_target (usage-stats.cilogon.org:4810) 
usage_stats: initialized (usage-stats.cilogon.org:4810) (VvtrlLB)
using storage directory /var/lib/myproxy
Using Host cert file (/etc/grid-security/myproxy/hostcert.pem), key file 
(/etc/grid-security/myproxy/hostkey.pem)
Problem with server credentials. GSS Major Status: General failure GSS Minor 
Status Error Chain: globus_gsi_gssapi: Error with GSI credential 
globus_gsi_gssapi: Error with gss credential handle globus_gsi_gssapi: Error 
with openssl: Couldn't set the private key to be used for the SSL context 
OpenSSL Error: x509_cmp.c:325: in library: x509 certificate routines, function 
X509_check_private_key: key values mismatch  
[root@go myproxy]#

-k


On Mon, Feb 25, 2013 at 07:53:53PM -0600, Jim Basney wrote:
> Hi Karen,
> 
> By any chance are you running myproxy-get-trustroots on the same machine
> where your myproxy-server is running? The myproxy-get-trustroots command
> [1] is for downloading the trusted CA certificates from a remote
> myproxy-server machine to the local machine, but it's not needed when
> your myproxy-server is running on the local machine, where
> /etc/grid-security/certificates is already configured.
> 
> In any case, it seems that myproxy-get-trustroots is trying to use a
> certificate with a signature problem. If you add -v to the
> myproxy-get-trustroots command-line, it should output something like:
> 
>   Using Proxy file (/tmp/x509up_u501)
> 
> or
> 
>   Using Host cert file (hostcert.pem), key file (hostkey.pem)
> 
> to tell you what certificate and key are the source of the trouble.
> Maybe you have an old proxy in /tmp/x509up_u0 that you created from the
> old hostcert.pem, which grid-proxy-destroy could clean up for you. If
> you post the full output of 'myproxy-get-trustroots -v -s
> go.hpcs.lbl.gov' I'll be happy to help interpret it.
> 
> Depending on your myproxy-server configuration, you might also have a
> copy of hostcert.pem in /etc/grid-security/myproxy which may need to be
> updated to match your current Simple CA installation.
> 
> In general, if a MyProxy client command is giving trouble, try adding -v
> for verbose output, and if the myproxy-server is giving trouble, look in
> the syslog messages (typically /var/log/messages) according to [2].
> 
> -Jim
> 
> [1] http://grid.ncsa.illinois.edu/myproxy/man/myproxy-get-trustroots.1.html
> 
> [2] http://grid.ncsa.illinois.edu/myproxy/troubleshooting.html
> 
> On 2/25/13 6:49 PM, Karen M. Fernsler wrote:
> > Thanks very very very much for your help!
> > That straightened out the issue with openssl and the hostcert*.
> > 
> > [root@go grid-security]# grid-ca-sign -in hostcert_request.pem -out 
> > hostcert.pem
> > 
> > To sign the request
> > please enter the password for the CA key: 
> > 
> > The new signed certificate is at: /var/lib/globus/simple_ca/newcerts/01.pem
> > 
> > [root@go grid-security]# openssl verify -CApath $X509_CERT_DIR hostcert.pem
> > hostcert.pem: OK
> > [root@go grid-security]#
> > 
> > 
> > The myproxy-get-trustroots is still being difficult though.
> > 
> > [root@go grid-security]# myproxy-get-trustroots -s go.hpcs.lbl.gov
> > Error authenticating: GSS Major Status: Authentication Failed
> > GSS Minor Status Error Chain:
> > globus_gss_assist: Error during context initialization
> > OpenSSL Error: a_verify.c:184: in library: asn1 encoding routines, function 
> > ASN1_item_verify: EVP lib
> > OpenSSL Error: rsa_eay.c:773: in library: rsa routines, function 
> > RSA_EAY_PUBLIC_DECRYPT: padding check failed
> > OpenSSL Error: rsa_pk1.c:100: in library: rsa routines, function 
> > RSA_padding_check_PKCS1_type_1: block type is not 01
> > 
> > [root@go grid-security]
> > 
> > thanks!
> > -k
> > --
> > 
> > 
> > On Sat, Feb 23, 2013 at 10:37:33AM -0600, Jim Basney wrote:
> >> It turns out what was causing this error for me is I had run
> >> grid-ca-create multiple times, so the Simple CA instance I previously
> >> used to sign my hostcert.pem was overwritten with a new Simple CA
> >> instance, making the old hostcert.pem signature no longer valid. Running
> >> grid-ca-sign to re-sign hostcert.pem using my current Simple CA
> >> installation (re-using my old hostcert_request.pem) fixed it for me.
> >>
> >> $ openssl verify -CApath $X509_CERT_DIR hostcert.pem
> >> hostcert.pem:
> >> /O=Grid/OU=GlobusTest/OU=simpleCA-mpt.ncsa.illinois.edu/CN=host/mpt.ncsa.illinois.edu
> >> error 7 at 0 depth lookup:certificate signature failure
> >> 8794:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block
> >> type is not 01:rsa_pk1.c:100:
> >> 8794:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check
> >> failed:fips_rsa_eay.c:748:
> >> 8794:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP
> >> lib:a_verify.c:168:
> >> $ mv hostcert.pem hostcert.pem.old
> >> $ grid-ca-sign -in hostcert_request.pem -out hostcert.pem
> >> To sign the request
> >> please enter the password for the CA key:
> >> The new signed certificate is at:
> >> /home/jbasney/.globus/simpleCA/newcerts/01.pem
> >> $ openssl verify -CApath $X509_CERT_DIR hostcert.pem
> >> hostcert.pem: OK
> >>
> >> On 2/21/13 9:13 AM, Jim Basney wrote:
> >>> Hi,
> >>>
> >>> I installed globus-simple-ca-3.2-1.el5 on CentOS 5.9 which has
> >>> OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
> >>> and signed a host certificate, and now I'm getting:
> >>>
> >>> # openssl verify -CApath /etc/grid-security/certificates
> >>> /etc/grid-security/hostcert.pem
> >>> /etc/grid-security/hostcert.pem:
> >>> /O=Grid/OU=GlobusTest/OU=simpleCA-mpt.ncsa.illinois.edu/CN=host/mpt.ncsa.illinois.edu
> >>> error 7 at 0 depth lookup:certificate signature failure
> >>> 27641:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block
> >>> type is not 01:rsa_pk1.c:100:
> >>> 27641:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check
> >>> failed:fips_rsa_eay.c:748:
> >>> 27641:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP
> >>> lib:a_verify.c:168:
> >>>
> >>> Does anyone know what causes this?
> >>>
> >>> Thanks,
> >>> Jim
