Karen,
The OAuth server setup assumes you've already got a working
myproxy-server installation, so I recommend focusing on getting your
myproxy-server working first, then moving on to OAuth.
The first thing I notice in your myproxy-get-trustroots output is:
> using trusted certificates directory /etc/grid-security/certificates
> Using Host cert file (/etc/grid-security/hostcert.pem), key file
> (/etc/grid-security/hostkey.pem)
> no valid credentials found [...]
This is indicating that your /etc/grid-security/hostcert.pem and
/etc/grid-security/hostkey.pem files don't contain valid credentials.
The MyProxy troubleshooting guide [1] recommends using 'grid-proxy-init
-debug -verify' to debug a grid security problem like this, i.e.,
grid-proxy-init -debug -verify \
-cert /etc/grid-security/hostcert.pem \
-key /etc/grid-security/hostkey.pem
The second thing I notice is in your myproxy-server output:
> Using Host cert file (/etc/grid-security/myproxy/hostcert.pem), key file
> (/etc/grid-security/myproxy/hostkey.pem)
> [...] function X509_check_private_key: key values mismatch
This output indicates that your /etc/grid-security/myproxy/hostcert.pem
file doesn't match your /etc/grid-security/myproxy/hostkey.pem file.
One way to check if hostcert.pem and hostkey.pem match is to compare the
modulus values:
if [ "`openssl x509 -in hostcert.pem -noout -modulus`" = \
"`openssl rsa -in hostkey.pem -noout -modulus`" ]; \
then echo "Match"; else echo "Different"; fi
You mentioned your desire to test things before getting a "real cert"
but it seems your trouble is due to your Globus Simple CA setup and
creating your test hostcert.pem/hostkey.pem. Maybe it'd be better to go
ahead and get your real hostcert.pem/hostkey.pem created using your
trusted CA, as that will give you confidence that those files are
correct for production use, and you won't be delayed by issues with
correctly creating a test CA and test hostcert.pem/hostkey.pem.
-Jim
[1] http://grid.ncsa.illinois.edu/myproxy/troubleshooting.html
On 2/26/13 7:35 PM, Karen M. Fernsler wrote:
> Jim,
>
> Thanks again for your response.
>
> I am in fact running myproxy-get-trustroots on the same machine where
> myproxy-server is running. I admit, I have no idea how this is to
> work.
>
> What I'm really trying to accomplish is to get oauth working with
> myproxy so we can setup a an oauth server to work with globus online,
> but I wanted to test it before applying for a *real* cert.
>
> I ran into the myproxy-get-trustroots thing following this walkthrough
> (nice walkthrough, btw!):
>
> http://www.sciencegatewaysecurity.org/oauth-for-myproxy/installation-walk-through
>
> The real issue is that when I set up a client on this same machine and
> bring up:
> https://go.hpcs.lbl.gov/client/
>
> and click the start button, the server responds with:
>
> "Oh dear...
>
> There was a problem getting the cert. Check the server logs...
>
> The message received was: Error: could not connect to the server. Is your
> trusted roots store up to date? "
>
> I noticed I skipped the myproxy-get-trustroots part of the walkthough,
> and thought maybe it was related.
>
> Though, now I should try and re-set the client now that the cert is in
> order. I'm not even really sure what certificate the server is trying
> to retrieve here though.
>
> Thanks!
> Here is the output to myproxy-get-trustroots -v -s go.hpcs.lbl.gov:
>
> [root@go ~]# myproxy-get-trustroots -v -s go.hpcs.lbl.gov
> MyProxy v5.9 Jul 2012 PAM SASL KRB5 LDAP VOMS OCSP
> Attempting to connect to 131.243.60.14:7512
> Successfully connected to go.hpcs.lbl.gov:7512
> using trusted certificates directory /etc/grid-security/certificates
> Using Host cert file (/etc/grid-security/hostcert.pem), key file
> (/etc/grid-security/hostkey.pem)
> no valid credentials found -- performing anonymous authentication
> Using Host cert file (/etc/grid-security/hostcert.pem), key file
> (/etc/grid-security/hostkey.pem)
> Error authenticating: GSS Major Status: Authentication Failed
> GSS Minor Status Error Chain:
> globus_gss_assist: Error during context initialization
> OpenSSL Error: a_verify.c:184: in library: asn1 encoding routines, function
> ASN1_item_verify: EVP lib
> OpenSSL Error: rsa_eay.c:773: in library: rsa routines, function
> RSA_EAY_PUBLIC_DECRYPT: padding check failed
> OpenSSL Error: rsa_pk1.c:100: in library: rsa routines, function
> RSA_padding_check_PKCS1_type_1: block type is not 01
>
> [root@go ~]#
>
> How (again) can I update the hostcert.pem in /etc/grid-security/myproxy?
>
> Copying the one from /etc/grid-security (that openssl verify now likes)
> causes myproxy-server to choke, and I can not start the server:
>
> (here's the debug output for that in case it's relevant):
>
> [root@go myproxy]# runuser -s /bin/bash myproxy -c 'ulimit -S -c 0 ;
> X509_USER_CERT=/etc/grid-security/myproxy/hostcert.pem
> X509_USER_KEY=/etc/grid-security/myproxy/hostkey.pem /usr/sbin/myproxy-server
> -d'
> myproxy-server v5.9 Jul 2012 PAM SASL KRB5 LDAP VOMS OCSP starting at Tue Feb
> 26 17:31:14 2013
> reading configuration file /etc/myproxy-server.config
> allow_voms_attribute_requests is not set.
> VOMS attribute requests will be ignored.
> Processing usage_stats_target (usage-stats.cilogon.org:4810)
> usage_stats: initialized (usage-stats.cilogon.org:4810) (VvtrlLB)
> using storage directory /var/lib/myproxy
> Using Host cert file (/etc/grid-security/myproxy/hostcert.pem), key file
> (/etc/grid-security/myproxy/hostkey.pem)
> Problem with server credentials. GSS Major Status: General failure GSS Minor
> Status Error Chain: globus_gsi_gssapi: Error with GSI credential
> globus_gsi_gssapi: Error with gss credential handle globus_gsi_gssapi: Error
> with openssl: Couldn't set the private key to be used for the SSL context
> OpenSSL Error: x509_cmp.c:325: in library: x509 certificate routines,
> function X509_check_private_key: key values mismatch
> [root@go myproxy]#
>
> -k
>
>
> On Mon, Feb 25, 2013 at 07:53:53PM -0600, Jim Basney wrote:
>> Hi Karen,
>>
>> By any chance are you running myproxy-get-trustroots on the same machine
>> where your myproxy-server is running? The myproxy-get-trustroots command
>> [1] is for downloading the trusted CA certificates from a remote
>> myproxy-server machine to the local machine, but it's not needed when
>> your myproxy-server is running on the local machine, where
>> /etc/grid-security/certificates is already configured.
>>
>> In any case, it seems that myproxy-get-trustroots is trying to use a
>> certificate with a signature problem. If you add -v to the
>> myproxy-get-trustroots command-line, it should output something like:
>>
>> Using Proxy file (/tmp/x509up_u501)
>>
>> or
>>
>> Using Host cert file (hostcert.pem), key file (hostkey.pem)
>>
>> to tell you what certificate and key are the source of the trouble.
>> Maybe you have an old proxy in /tmp/x509up_u0 that you created from the
>> old hostcert.pem, which grid-proxy-destroy could clean up for you. If
>> you post the full output of 'myproxy-get-trustroots -v -s
>> go.hpcs.lbl.gov' I'll be happy to help interpret it.
>>
>> Depending on your myproxy-server configuration, you might also have a
>> copy of hostcert.pem in /etc/grid-security/myproxy which may need to be
>> updated to match your current Simple CA installation.
>>
>> In general, if a MyProxy client command is giving trouble, try adding -v
>> for verbose output, and if the myproxy-server is giving trouble, look in
>> the syslog messages (typically /var/log/messages) according to [2].
>>
>> -Jim
>>
>> [1] http://grid.ncsa.illinois.edu/myproxy/man/myproxy-get-trustroots.1.html
>>
>> [2] http://grid.ncsa.illinois.edu/myproxy/troubleshooting.html
>>
>> On 2/25/13 6:49 PM, Karen M. Fernsler wrote:
>>> Thanks very very very much for your help!
>>> That straightened out the issue with openssl and the hostcert*.
>>>
>>> [root@go grid-security]# grid-ca-sign -in hostcert_request.pem -out
>>> hostcert.pem
>>>
>>> To sign the request
>>> please enter the password for the CA key:
>>>
>>> The new signed certificate is at: /var/lib/globus/simple_ca/newcerts/01.pem
>>>
>>> [root@go grid-security]# openssl verify -CApath $X509_CERT_DIR hostcert.pem
>>> hostcert.pem: OK
>>> [root@go grid-security]#
>>>
>>>
>>> The myproxy-get-trustroots is still being difficult though.
>>>
>>> [root@go grid-security]# myproxy-get-trustroots -s go.hpcs.lbl.gov
>>> Error authenticating: GSS Major Status: Authentication Failed
>>> GSS Minor Status Error Chain:
>>> globus_gss_assist: Error during context initialization
>>> OpenSSL Error: a_verify.c:184: in library: asn1 encoding routines, function
>>> ASN1_item_verify: EVP lib
>>> OpenSSL Error: rsa_eay.c:773: in library: rsa routines, function
>>> RSA_EAY_PUBLIC_DECRYPT: padding check failed
>>> OpenSSL Error: rsa_pk1.c:100: in library: rsa routines, function
>>> RSA_padding_check_PKCS1_type_1: block type is not 01
>>>
>>> [root@go grid-security]
>>>
>>> thanks!
>>> -k
>>> --
>>>
>>>
>>> On Sat, Feb 23, 2013 at 10:37:33AM -0600, Jim Basney wrote:
>>>> It turns out what was causing this error for me is I had run
>>>> grid-ca-create multiple times, so the Simple CA instance I previously
>>>> used to sign my hostcert.pem was overwritten with a new Simple CA
>>>> instance, making the old hostcert.pem signature no longer valid. Running
>>>> grid-ca-sign to re-sign hostcert.pem using my current Simple CA
>>>> installation (re-using my old hostcert_request.pem) fixed it for me.
>>>>
>>>> $ openssl verify -CApath $X509_CERT_DIR hostcert.pem
>>>> hostcert.pem:
>>>> /O=Grid/OU=GlobusTest/OU=simpleCA-mpt.ncsa.illinois.edu/CN=host/mpt.ncsa.illinois.edu
>>>> error 7 at 0 depth lookup:certificate signature failure
>>>> 8794:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block
>>>> type is not 01:rsa_pk1.c:100:
>>>> 8794:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check
>>>> failed:fips_rsa_eay.c:748:
>>>> 8794:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP
>>>> lib:a_verify.c:168:
>>>> $ mv hostcert.pem hostcert.pem.old
>>>> $ grid-ca-sign -in hostcert_request.pem -out hostcert.pem
>>>> To sign the request
>>>> please enter the password for the CA key:
>>>> The new signed certificate is at:
>>>> /home/jbasney/.globus/simpleCA/newcerts/01.pem
>>>> $ openssl verify -CApath $X509_CERT_DIR hostcert.pem
>>>> hostcert.pem: OK
>>>>
>>>> On 2/21/13 9:13 AM, Jim Basney wrote:
>>>>> Hi,
>>>>>
>>>>> I installed globus-simple-ca-3.2-1.el5 on CentOS 5.9 which has
>>>>> OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
>>>>> and signed a host certificate, and now I'm getting:
>>>>>
>>>>> # openssl verify -CApath /etc/grid-security/certificates
>>>>> /etc/grid-security/hostcert.pem
>>>>> /etc/grid-security/hostcert.pem:
>>>>> /O=Grid/OU=GlobusTest/OU=simpleCA-mpt.ncsa.illinois.edu/CN=host/mpt.ncsa.illinois.edu
>>>>> error 7 at 0 depth lookup:certificate signature failure
>>>>> 27641:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block
>>>>> type is not 01:rsa_pk1.c:100:
>>>>> 27641:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check
>>>>> failed:fips_rsa_eay.c:748:
>>>>> 27641:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP
>>>>> lib:a_verify.c:168:
>>>>>
>>>>> Does anyone know what causes this?
>>>>>
>>>>> Thanks,
>>>>> Jim
