Does one system have OpenSSL version 1.x and the other have OpenSSL version 
0.x? The hashes are different for the different OpenSSL versions. Some details 
at: http://www.cilogon.org/openssl1

On 1/26/16, 6:21 PM, José Luis Gordillo Ruiz wrote:
Hi,

I’m trying to set up some globus clients on Mac OS (El Capitan).

Initially, I have nothing in /etc/grid-security/certificates or 
.globus/certificates

$ myproxy-get-trustroots -s condor -v
MyProxy v6.1 Jan 2016 PAM OCSP
Attempting to connect to 132.248.83.81:7512
Successfully connected to condor:7512
Expecting non-standard server DN 
"/O=Grid/OU=GlobusTest/OU=simpleCA-condor.super.unam.mx/CN=condor.super.unam.mx"
using trusted certificates directory /Users/jlgr/.globus/certificates
no valid credentials found -- performing anonymous authentication
Error authenticating: GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
globus_gss_assist: Error during context initialization
OpenSSL Error: 
/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s3_clnt.c:998:
 in library: SSL routines, function SSL3_GET_SERVER_CERTIFICATE: certificate 
verify failed
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: Can't get the local trusted CA certificate: 
Untrusted self-signed certificate in chain with hash 63167cb

The CA that signed the myproxy-server's certificate is untrusted.
If you want to trust the CA, re-run with the -b option.
———

So, I know I have to run it with the ‘-b’ option. However, my concern is that when I 
run the same command on a Linux box (under the same circumstances, with the 
same user certificate) I got:

$ myproxy-get-trustroots -s condor -v
MyProxy v6.1 Dec 2015 PAM SASL KRB5 LDAP VOMS OCSP
Attempting to connect to 132.248.83.81:7512
Successfully connected to condor:7512
Expecting non-standard server DN 
"/O=Grid/OU=GlobusTest/OU=simpleCA-condor.super.unam.mx/CN=condor.super.unam.mx"
using trusted certificates directory /home/staff/jlgr/.globus/certificates
no valid credentials found -- performing anonymous authentication
Error authenticating: GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
globus_gss_assist: Error during context initialization
OpenSSL Error: s3_clnt.c:1172: in library: SSL routines, function 
SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: Can't get the local trusted CA certificate: 
Untrusted self-signed certificate in chain with hash a6589a6c

The CA that signed the myproxy-server's certificate is untrusted.
If you want to trust the CA, re-run with the -b option.
———

So, you can see that the ‘untrusted self-signed’ certificates have different 
hashes, but the request was made to the same my-proxy server.

Why could that be?

My real concern is that I can’t run globus clients (globus-ftp, globusrun, 
etc.) from MacOS but I can from Linux (with the same user certificate, same servers, 
etc.). I’ve been tracking down differences between the clients and I found this 
difference in setting trust roots.


Regards,

José Luis Gordillo Ruiz
Coordinación de Supercómputo - DGTIC
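
The version difference described in the reply can be checked locally. This is an added example, not part of the original thread: it uses the `-subject_hash` and `-subject_hash_old` options of `openssl x509` (available in OpenSSL 1.0.0 and later) to report whether each `<hash>.0` file in a trusted-certificates directory is named with the 1.x hash, the 0.9.x hash, or neither. The function names and the sample CA subject are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the sample CA subject are constructed.

# Constructed sample: throwaway self-signed CA written to DIR/ca.pem.
make_sample_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example/CN=Example Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Subject hash as computed by OpenSSL 1.0.0 and later.
hash_new() { openssl x509 -noout -subject_hash -in "$1"; }

# Subject hash as computed by OpenSSL 0.9.x.
hash_old() { openssl x509 -noout -subject_hash_old -in "$1"; }

# classify FILE: report which hash form the file name (minus .0) matches.
classify() {
    name=$(basename "$1")
    name=${name%.*}
    if [ "$name" = "$(hash_new "$1")" ]; then
        echo new
    elif [ "$name" = "$(hash_old "$1")" ]; then
        echo old
    else
        echo mismatch
    fi
}

# check_dir DIR: classify every <hash>.0 file in a trusted-certificates directory.
check_dir() {
    for f in "$1"/*.0; do
        [ -e "$f" ] || continue
        printf '%s\t%s\n' "$(classify "$f")" "$f"
    done
}

# Usage: sh this-script ~/.globus/certificates
if [ "$#" -gt 0 ]; then
    check_dir "$1"
fi
```

A client linked against OpenSSL 0.9.x looks up CA files by the `old` name, and one linked against 1.x by the `new` name, so the same CA can appear under two different hashes.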
