Mario,
On 24/08/11 15.07, Mario Kadastik wrote:
>> the default configuration of Argus implies the use of https, e.g.
>>
>> [root@mercury argus]# pepcli -p https://mercury.hep.kbfi.ee:8154/authz -c ~/x509up_u101 -r myCE -a myAction
When you use pepcli over https you have to specify two client certificates:
+ one that is used for the XACML subject
+ one that is used for SSL client authentication
So your command should also have at least the --cert option (which is
*not* -c) set.
Hope this helps.
Andrea
>>
>> notice the s attached to https. Besides that your command looks right :)
>
> Ok, that was stupid. However it seems there is something fishy with the certificate chain…
>
> [root@mercury argus]# pepcli -d -p https://mercury.hep.kbfi.ee:8154/authz -c ~/x509up_u101 -r myCE -a myA -t 60 -x --capath /etc/grid-security/certificates/
> pepcli:DEBUG: debug set.
> pepcli:DEBUG: pepd: https://mercury.hep.kbfi.ee:8154/authz
> pepcli:DEBUG: certchain: /root/x509up_u101
> pepcli:DEBUG: resourceid: myCE
> pepcli:DEBUG: actionid: myA
> pepcli:DEBUG: timeout: 60
> pepcli:DEBUG: show effective Request context.
> pepcli:DEBUG: capath: /etc/grid-security/certificates/
> pepcli:DEBUG: read certchain from: /root/x509up_u101
> pepcli:DEBUG: certchain:[
> …..
> ]
> pepcli:DEBUG: create PEP client...
> pepcli:DEBUG: set PEP_OPTION_LOG_LEVEL: PEP_LOGLEVEL_DEBUG
> libargus-pep:DEBUG: pep_setoption: PEP#0 PEP_OPTION_LOG_LEVEL: 3
> libargus-pep:DEBUG: set_curl_verbose: PEP#0 option_loglevel: 3
> pepcli:DEBUG: set PEPd url: https://mercury.hep.kbfi.ee:8154/authz
> libargus-pep:DEBUG: pep_setoption: PEP#0 PEP_OPTION_ENDPOINT_URL: https://mercury.hep.kbfi.ee:8154/authz
> libargus-pep:DEBUG: set_curl_endpoint_url: PEP#0 option_endpoint_url: https://mercury.hep.kbfi.ee:8154/authz
> pepcli:DEBUG: set PEP-C client timeout: 60
> libargus-pep:DEBUG: pep_setoption: PEP#0 PEP_OPTION_ENDPOINT_TIMEOUT: 60
> libargus-pep:DEBUG: set_curl_connection_timeout: PEP#0 option_timeout: 60
> pepcli:DEBUG: enabling peers SSL validation
> libargus-pep:DEBUG: pep_setoption: PEP#0 PEP_OPTION_ENDPOINT_SSL_VALIDATION: TRUE
> libargus-pep:DEBUG: set_curl_ssl_validation: PEP#0 option_ssl_validation: TRUE
> pepcli:DEBUG: setting SSL ciphers: 'DEFAULT:-ECDH' (OpenSSL 1.0.0 bug fix)
> libargus-pep:DEBUG: pep_setoption: PEP#0 PEP_OPTION_ENDPOINT_SSL_CIPHER_LIST: DEFAULT:-ECDH
> libargus-pep:DEBUG: set_curl_ssl_cipher_list: PEP#0 option_ssl_cipher_list: DEFAULT:-ECDH
> pepcli:DEBUG: setting server trust anchors CA path: /etc/grid-security/certificates/
> libargus-pep:DEBUG: pep_setoption: PEP#0 PEP_OPTION_ENDPOINT_SERVER_CAPATH: /etc/grid-security/certificates/
> libargus-pep:DEBUG: set_curl_server_capath: PEP#0 option_server_capath: /etc/grid-security/certificates/
> pepcli:DEBUG: create XACML subject
> pepcli:DEBUG: create XACML request
> libargus-pep: pep_authorize: PEP#0 sending XACML request to: https://mercury.hep.kbfi.ee:8154/authz
> * About to connect() to mercury.hep.kbfi.ee port 8154
> * Trying 193.40.150.250... * connected
> * Connected to mercury.hep.kbfi.ee (193.40.150.250) port 8154
> * successfully set certificate verify locations:
> * CAfile: /etc/pki/tls/certs/ca-bundle.crt
> CApath: /etc/grid-security/certificates/
> * error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
> * Closing connection #0
> * SSL connect error
> libargus-pep:ERROR: pep_authorize: PEP#0 sending XACML request failed: curl[35] SSL connect error.
> pepcli:ERROR: failed to authorize XACML request: CURL processing error
>
>
> So it didn't like the certificate of the host… then again the certificates seem ok:
> [root@mercury argus]# openssl x509 -noout -modulus -in /etc/grid-security/hostcert.pem | openssl md5 ;\
>> openssl rsa -noout -modulus -in /etc/grid-security/hostkey.pem | openssl md5
> 4d8af568dee076088cc94b8d50f66fbc
> 4d8af568dee076088cc94b8d50f66fbc
>
> [root@mercury argus]# openssl x509 -noout -text -in /etc/grid-security/hostcert.pem
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 1640 (0x668)
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: DC=org, DC=balticgrid, CN=Baltic Grid Certification Authority
> Validity
> Not Before: Jan 27 14:43:59 2011 GMT
> Not After : Jan 27 14:43:59 2012 GMT
> Subject: DC=org, DC=balticgrid, OU=kbfi.ee, CN=host/mercury.hep.kbfi.ee
>
> …
>
> The system time seems right:
> [root@mercury argus]# ntpdate -q ntp.eenet.ee
> server 193.40.133.142, stratum 1, offset -0.045216, delay 0.03004
> 24 Aug 16:06:44 ntpdate[8854]: adjust time server 193.40.133.142 offset -0.045216 sec
>
> The hostname <-> IP mapping should be fine
> [root@mercury argus]# host mercury.hep.kbfi.ee
> mercury.hep.kbfi.ee has address 193.40.150.250
> [root@mercury argus]# host 193.40.150.250
> 250.150.40.193.in-addr.arpa domain name pointer mercury.hep.kbfi.ee.
>
> So I'm a bit out of ideas… Any way to crank up the SSL debug more to get the actual error why it thinks the certificate isn't worth a damn?
>
> Mario Kadastik, PhD
> Researcher
>
> ---
> "Physics is like sex, sure it may have practical reasons, but that's not why we do it"
> -- Richard P. Feynman
--
INFN-CNAF
---------
Andrea Ceccanti
Via Ranzani 13/2 40127 Bologna, Italy
phone: +39 051 6092845, fax: +39 051 6092916
skype: andreaceccanti