Thanks Jim, for all of your insight. I think I will go about the process of getting a real cert. for this.
thanks again!

-k

On Tue, Feb 26, 2013 at 07:57:44PM -0600, Jim Basney wrote:
> Karen,
>
> The OAuth server setup assumes you've already got a working
> myproxy-server installation, so I recommend focusing on getting your
> myproxy-server working first, then moving on to OAuth.
>
> The first thing I notice in your myproxy-get-trustroots output is:
>
> > using trusted certificates directory /etc/grid-security/certificates
> > Using Host cert file (/etc/grid-security/hostcert.pem), key file
> > (/etc/grid-security/hostkey.pem)
> > no valid credentials found [...]
>
> This is indicating that your /etc/grid-security/hostcert.pem and
> /etc/grid-security/hostkey.pem files don't contain valid credentials.
> The MyProxy troubleshooting guide [1] recommends using 'grid-proxy-init
> -debug -verify' to debug a grid security problem like this, i.e.,
>
> grid-proxy-init -debug -verify \
> -cert /etc/grid-security/hostcert.pem \
> -key /etc/grid-security/hostkey.pem
>
> The second thing I notice is in your myproxy-server output:
>
> > Using Host cert file (/etc/grid-security/myproxy/hostcert.pem), key file
> > (/etc/grid-security/myproxy/hostkey.pem)
> > [...] function X509_check_private_key: key values mismatch
>
> This output indicates that your /etc/grid-security/myproxy/hostcert.pem
> file doesn't match your /etc/grid-security/myproxy/hostkey.pem file.
>
> One way to check if hostcert.pem and hostkey.pem match is to compare the
> modulus values:
>
> if [ "`openssl x509 -in hostcert.pem -noout -modulus`" = \
> "`openssl rsa -in hostkey.pem -noout -modulus`" ]; \
> then echo "Match"; else echo "Different"; fi
>
> You mentioned your desire to test things before getting a "real cert"
> but it seems your trouble is due to your Globus Simple CA setup and
> creating your test hostcert.pem/hostkey.pem. Maybe it'd be better to go
> ahead and get your real hostcert.pem/hostkey.pem created using your
> trusted CA, as that will give you confidence that those files are
> correct for production use, and you won't be delayed by issues with
> correctly creating a test CA and test hostcert.pem/hostkey.pem.
>
> -Jim
>
> [1] http://grid.ncsa.illinois.edu/myproxy/troubleshooting.html
>
> On 2/26/13 7:35 PM, Karen M. Fernsler wrote:
> > Jim,
> >
> > Thanks again for your response.
> >
> > I am in fact running myproxy-get-trustroots on the same machine where
> > myproxy-server is running. I admit, I have no idea how this is to
> > work.
> >
> > What I'm really trying to accomplish is to get oauth working with
> > myproxy so we can set up an oauth server to work with globus online,
> > but I wanted to test it before applying for a *real* cert.
> >
> > I ran into the myproxy-get-trustroots thing following this walkthrough
> > (nice walkthrough, btw!):
> >
> > http://www.sciencegatewaysecurity.org/oauth-for-myproxy/installation-walk-through
> >
> > The real issue is that when I set up a client on this same machine and
> > bring up:
> > https://go.hpcs.lbl.gov/client/
> >
> > and click the start button, the server responds with:
> >
> > "Oh dear...
> >
> > There was a problem getting the cert. Check the server logs...
> >
> > The message received was: Error: could not connect to the server. Is your
> > trusted roots store up to date? "
> >
> > I noticed I skipped the myproxy-get-trustroots part of the walkthrough,
> > and thought maybe it was related.
> >
> > Though, now I should try and re-set the client now that the cert is in
> > order. I'm not even really sure what certificate the server is trying
> > to retrieve here though.
> >
> > Thanks!
> >
> > Here is the output to myproxy-get-trustroots -v -s go.hpcs.lbl.gov:
> >
> > [root@go ~]# myproxy-get-trustroots -v -s go.hpcs.lbl.gov
> > MyProxy v5.9 Jul 2012 PAM SASL KRB5 LDAP VOMS OCSP
> > Attempting to connect to 131.243.60.14:7512
> > Successfully connected to go.hpcs.lbl.gov:7512
> > using trusted certificates directory /etc/grid-security/certificates
> > Using Host cert file (/etc/grid-security/hostcert.pem), key file
> > (/etc/grid-security/hostkey.pem)
> > no valid credentials found -- performing anonymous authentication
> > Using Host cert file (/etc/grid-security/hostcert.pem), key file
> > (/etc/grid-security/hostkey.pem)
> > Error authenticating: GSS Major Status: Authentication Failed
> > GSS Minor Status Error Chain:
> > globus_gss_assist: Error during context initialization
> > OpenSSL Error: a_verify.c:184: in library: asn1 encoding routines, function
> > ASN1_item_verify: EVP lib
> > OpenSSL Error: rsa_eay.c:773: in library: rsa routines, function
> > RSA_EAY_PUBLIC_DECRYPT: padding check failed
> > OpenSSL Error: rsa_pk1.c:100: in library: rsa routines, function
> > RSA_padding_check_PKCS1_type_1: block type is not 01
> >
> > [root@go ~]#
> >
> > How (again) can I update the hostcert.pem in /etc/grid-security/myproxy?
> >
> > Copying the one from /etc/grid-security (that openssl verify now likes)
> > causes myproxy-server to choke, and I can not start the server:
> >
> > (here's the debug output for that in case it's relevant):
> >
> > [root@go myproxy]# runuser -s /bin/bash myproxy -c 'ulimit -S -c 0 ;
> > X509_USER_CERT=/etc/grid-security/myproxy/hostcert.pem
> > X509_USER_KEY=/etc/grid-security/myproxy/hostkey.pem
> > /usr/sbin/myproxy-server -d'
> > myproxy-server v5.9 Jul 2012 PAM SASL KRB5 LDAP VOMS OCSP starting at Tue
> > Feb 26 17:31:14 2013
> > reading configuration file /etc/myproxy-server.config
> > allow_voms_attribute_requests is not set.
> > VOMS attribute requests will be ignored.
> > Processing usage_stats_target (usage-stats.cilogon.org:4810)
> > usage_stats: initialized (usage-stats.cilogon.org:4810) (VvtrlLB)
> > using storage directory /var/lib/myproxy
> > Using Host cert file (/etc/grid-security/myproxy/hostcert.pem), key file
> > (/etc/grid-security/myproxy/hostkey.pem)
> > Problem with server credentials. GSS Major Status: General failure GSS
> > Minor Status Error Chain: globus_gsi_gssapi: Error with GSI credential
> > globus_gsi_gssapi: Error with gss credential handle globus_gsi_gssapi:
> > Error with openssl: Couldn't set the private key to be used for the SSL
> > context OpenSSL Error: x509_cmp.c:325: in library: x509 certificate
> > routines, function X509_check_private_key: key values mismatch
> > [root@go myproxy]#
> >
> > -k
> >
> >
> > On Mon, Feb 25, 2013 at 07:53:53PM -0600, Jim Basney wrote:
> >> Hi Karen,
> >>
> >> By any chance are you running myproxy-get-trustroots on the same machine
> >> where your myproxy-server is running? The myproxy-get-trustroots command
> >> [1] is for downloading the trusted CA certificates from a remote
> >> myproxy-server machine to the local machine, but it's not needed when
> >> your myproxy-server is running on the local machine, where
> >> /etc/grid-security/certificates is already configured.
> >>
> >> In any case, it seems that myproxy-get-trustroots is trying to use a
> >> certificate with a signature problem. If you add -v to the
> >> myproxy-get-trustroots command-line, it should output something like:
> >>
> >> Using Proxy file (/tmp/x509up_u501)
> >>
> >> or
> >>
> >> Using Host cert file (hostcert.pem), key file (hostkey.pem)
> >>
> >> to tell you what certificate and key are the source of the trouble.
> >> Maybe you have an old proxy in /tmp/x509up_u0 that you created from the
> >> old hostcert.pem, which grid-proxy-destroy could clean up for you. If
> >> you post the full output of 'myproxy-get-trustroots -v -s
> >> go.hpcs.lbl.gov' I'll be happy to help interpret it.
> >>
> >> Depending on your myproxy-server configuration, you might also have a
> >> copy of hostcert.pem in /etc/grid-security/myproxy which may need to be
> >> updated to match your current Simple CA installation.
> >>
> >> In general, if a MyProxy client command is giving trouble, try adding -v
> >> for verbose output, and if the myproxy-server is giving trouble, look in
> >> the syslog messages (typically /var/log/messages) according to [2].
> >>
> >> -Jim
> >>
> >> [1] http://grid.ncsa.illinois.edu/myproxy/man/myproxy-get-trustroots.1.html
> >>
> >> [2] http://grid.ncsa.illinois.edu/myproxy/troubleshooting.html
> >>
> >> On 2/25/13 6:49 PM, Karen M. Fernsler wrote:
> >>> Thanks very very very much for your help!
> >>> That straightened out the issue with openssl and the hostcert*.
> >>>
> >>> [root@go grid-security]# grid-ca-sign -in hostcert_request.pem -out
> >>> hostcert.pem
> >>>
> >>> To sign the request
> >>> please enter the password for the CA key:
> >>>
> >>> The new signed certificate is at:
> >>> /var/lib/globus/simple_ca/newcerts/01.pem
> >>>
> >>> [root@go grid-security]# openssl verify -CApath $X509_CERT_DIR
> >>> hostcert.pem
> >>> hostcert.pem: OK
> >>> [root@go grid-security]#
> >>>
> >>>
> >>> The myproxy-get-trustroots is still being difficult though.
> >>>
> >>> [root@go grid-security]# myproxy-get-trustroots -s go.hpcs.lbl.gov
> >>> Error authenticating: GSS Major Status: Authentication Failed
> >>> GSS Minor Status Error Chain:
> >>> globus_gss_assist: Error during context initialization
> >>> OpenSSL Error: a_verify.c:184: in library: asn1 encoding routines,
> >>> function ASN1_item_verify: EVP lib
> >>> OpenSSL Error: rsa_eay.c:773: in library: rsa routines, function
> >>> RSA_EAY_PUBLIC_DECRYPT: padding check failed
> >>> OpenSSL Error: rsa_pk1.c:100: in library: rsa routines, function
> >>> RSA_padding_check_PKCS1_type_1: block type is not 01
> >>>
> >>> [root@go grid-security]
> >>>
> >>> thanks!
> >>> -k
> >>> --
> >>>
> >>>
> >>> On Sat, Feb 23, 2013 at 10:37:33AM -0600, Jim Basney wrote:
> >>>> It turns out what was causing this error for me is I had run
> >>>> grid-ca-create multiple times, so the Simple CA instance I previously
> >>>> used to sign my hostcert.pem was overwritten with a new Simple CA
> >>>> instance, making the old hostcert.pem signature no longer valid. Running
> >>>> grid-ca-sign to re-sign hostcert.pem using my current Simple CA
> >>>> installation (re-using my old hostcert_request.pem) fixed it for me.
> >>>>
> >>>> $ openssl verify -CApath $X509_CERT_DIR hostcert.pem
> >>>> hostcert.pem:
> >>>> /O=Grid/OU=GlobusTest/OU=simpleCA-mpt.ncsa.illinois.edu/CN=host/mpt.ncsa.illinois.edu
> >>>> error 7 at 0 depth lookup:certificate signature failure
> >>>> 8794:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block
> >>>> type is not 01:rsa_pk1.c:100:
> >>>> 8794:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check
> >>>> failed:fips_rsa_eay.c:748:
> >>>> 8794:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP
> >>>> lib:a_verify.c:168:
> >>>> $ mv hostcert.pem hostcert.pem.old
> >>>> $ grid-ca-sign -in hostcert_request.pem -out hostcert.pem
> >>>> To sign the request
> >>>> please enter the password for the CA key:
> >>>> The new signed certificate is at:
> >>>> /home/jbasney/.globus/simpleCA/newcerts/01.pem
> >>>> $ openssl verify -CApath $X509_CERT_DIR hostcert.pem
> >>>> hostcert.pem: OK
> >>>>
> >>>> On 2/21/13 9:13 AM, Jim Basney wrote:
> >>>>> Hi,
> >>>>>
> >>>>> I installed globus-simple-ca-3.2-1.el5 on CentOS 5.9 which has
> >>>>> OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
> >>>>> and signed a host certificate, and now I'm getting:
> >>>>>
> >>>>> # openssl verify -CApath /etc/grid-security/certificates
> >>>>> /etc/grid-security/hostcert.pem
> >>>>> /etc/grid-security/hostcert.pem:
> >>>>> /O=Grid/OU=GlobusTest/OU=simpleCA-mpt.ncsa.illinois.edu/CN=host/mpt.ncsa.illinois.edu
> >>>>> error 7 at 0 depth lookup:certificate signature failure
> >>>>> 27641:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block
> >>>>> type is not 01:rsa_pk1.c:100:
> >>>>> 27641:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check
> >>>>> failed:fips_rsa_eay.c:748:
> >>>>> 27641:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP
> >>>>> lib:a_verify.c:168:
> >>>>>
> >>>>> Does anyone know what causes this?
> >>>>>
> >>>>> Thanks,
> >>>>> Jim
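The two checks Jim walks through above (the modulus comparison for a hostcert.pem/hostkey.pem mismatch, and 'openssl verify -CApath' failing once the Simple CA has been re-created and then passing after re-signing the old request), reproduced as an added example that is not part of the thread. It builds throw-away CAs and host credentials with plain openssl in a temporary directory, so the names ca1, ca2, go.example and otherkey.pem are constructed, and it assumes openssl is on PATH and that the hash it prints is the one its -CApath lookup uses.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce both failure modes discussed
# above in a throw-away directory. All CA and host material is constructed here.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
mkdir certificates                 # plays the role of /etc/grid-security/certificates
printf 'basicConstraints=critical,CA:TRUE\n' > ca_ext.cnf

# Create a CA named $1 and install it in the trust directory under its subject
# hash. Both CAs below share one subject, so the second install overwrites the
# first, which is what re-running grid-ca-create did in Jim's case.
make_ca() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/O=Grid/OU=GlobusTest/CN=simpleCA-example" 2>/dev/null
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -extfile ca_ext.cnf \
        -days 1 -out "$1.pem" 2>/dev/null
    cp "$1.pem" "certificates/$(openssl x509 -noout -hash -in "$1.pem").0"
}

# Sign the (re-used) host request with CA $1, writing the certificate to $2.
sign_host() {
    openssl x509 -req -in hostcert_request.pem -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$2" 2>/dev/null
}

# Jim's modulus check: cert $1 and key $2 belong together iff the moduli agree.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -modulus)" = \
      "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

# The 'openssl verify -CApath' check from the thread as a yes/no predicate.
cert_verifies() {
    openssl verify -CApath certificates "$1" >/dev/null 2>&1
}

# One host key and request, generated once and re-signed as needed.
openssl req -new -newkey rsa:2048 -nodes -keyout hostkey.pem \
    -out hostcert_request.pem -subj "/O=Grid/OU=GlobusTest/CN=go.example" 2>/dev/null
openssl genrsa -out otherkey.pem 2048 2>/dev/null   # unrelated key for the mismatch case

make_ca ca1
sign_host ca1 hostcert.pem
if cert_verifies hostcert.pem; then BEFORE=OK; else BEFORE=FAIL; fi   # expected: OK
make_ca ca2                         # CA re-created: old hostcert.pem now fails to verify
sign_host ca2 hostcert_resigned.pem # the fix: re-sign the old request with the current CA
```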
