Hi,
> I get an error when starting the gatekeeper on an LCG CE.
> [root@lcgce01 root]# /etc/init.d/globus-gatekeeper start
> Starting edg-gatekeeper:GSS failed getting server credentials:
> GSS Major Status: General failure
> GSS Minor Status Error Chain:
>
> acquire_cred.c:125: gss_acquire_cred: Error with GSI credential
> globus_i_gsi_gss_utils.c:1311: globus_i_gsi_gss_cred_read: Error with
> gss credential handle
> globus_i_gsi_gss_utils.c:1520: globus_i_gsi_gss_create_cred: Error with
> gss credential handle
> globus_i_gsi_gss_utils.c:2177: globus_i_gsi_gssapi_init_ssl_context:
> Error with
> openssl: Couldn't set the private key to be used for the SSL context
> OpenSSL Error: x509_cmp.c:383: in library: x509 certificate routines,
> function X509_check_private_key: key values mismatchFailure: GSS failed
> to get server credentials
>
> The host certificate and key is from the Canadian CA. They are correctly
> installed and grid-proxy-init works, however "grid-proxy-init -verify"
> complains
> ERROR: Couldn't verify the authenticity of the user's credential to
> generate a proxy from.
>
> The verify option checks the certificate chain too, ie. "-verify Before
> a proxy certificate is created, the certificate/key pair to make proxy
> for is verified by following the /certificate chain/ all the way back to
> a trusted certificate."
>
> The CA fingerprint is installed. I presume the gatekeeper does this too.
> Here are the details of the issuer and host certificate subject.
> Issuer: C=CA, O=Grid, CN=Grid Canada CA
> Subject: C=CA, O=Grid, OU=triumf.ca, CN=host/lcgce01.triumf.ca
>
> So has anyone used a canadian host certificate with LCG. Presumabely
> they have been used with a gatekeeper so any hint as to what I`ve got wrong.
>
> Cheers,
> Rod.
|