Hi Mario,
me again. Andrea is of course right. Additionally, you also need a key
for the SSL client authentication.
To avoid confusion, here is the complete command using a host certificate
and host key installed in the standard locations (you could also use your
personal cert and key):
pepcli -p https://mercury.hep.kbfi.ee:8154/authz -c ~/x509up_u101 -r myCE -a myAction --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem
cheers,
Joël
On 24.08.11 15:20, Andrea Ceccanti wrote:
> Mario,
>
> Il 24/08/11 15.07, Mario Kadastik ha scritto:
>>> the default configuration of Argus implies the use of https, e.g.
>>>
>>> [root@mercury argus]# pepcli -p
>>> https://mercury.hep.kbfi.ee:8154/authz -c ~/x509up_u101 -r myCE -a
>>> myAction
>
> when you use pepcli on https you have to specify two client certificates:
>
> + one that is used for the XACML subject
> + one that is used for ssl client authentication
>
> so in your command you should have at least also the --cert (which is
> *not* -c) option set.
>
> Hope this helps.
>
> Andrea
>
>
>>>
>>> notice the s attached to https. Besides that, your command looks
>>> right :)
>>
>> Ok, that was stupid. However it seems there is something fishy with
>> the certificate chain…
>>
>> [root@mercury argus]# pepcli -d -p
>> https://mercury.hep.kbfi.ee:8154/authz -c ~/x509up_u101 -r myCE -a myA
>> -t 60 -x --capath /etc/grid-security/certificates/
>> pepcli:DEBUG: debug set.
>> pepcli:DEBUG: pepd: https://mercury.hep.kbfi.ee:8154/authz
>> pepcli:DEBUG: certchain: /root/x509up_u101
>> pepcli:DEBUG: resourceid: myCE
>> pepcli:DEBUG: actionid: myA
>> pepcli:DEBUG: timeout: 60
>> pepcli:DEBUG: show effective Request context.
>> pepcli:DEBUG: capath: /etc/grid-security/certificates/
>> pepcli:DEBUG: read certchain from: /root/x509up_u101
>> pepcli:DEBUG: certchain:[
>> …..
>> ]
>> pepcli:DEBUG: create PEP client...
>> pepcli:DEBUG: set PEP_OPTION_LOG_LEVEL: PEP_LOGLEVEL_DEBUG
>> libargus-pep:DEBUG: pep_setoption: PEP#0 PEP_OPTION_LOG_LEVEL: 3
>> libargus-pep:DEBUG: set_curl_verbose: PEP#0 option_loglevel: 3
>> pepcli:DEBUG: set PEPd url: https://mercury.hep.kbfi.ee:8154/authz
>> libargus-pep:DEBUG: pep_setoption: PEP#0 PEP_OPTION_ENDPOINT_URL:
>> https://mercury.hep.kbfi.ee:8154/authz
>> libargus-pep:DEBUG: set_curl_endpoint_url: PEP#0 option_endpoint_url:
>> https://mercury.hep.kbfi.ee:8154/authz
>> pepcli:DEBUG: set PEP-C client timeout: 60
>> libargus-pep:DEBUG: pep_setoption: PEP#0 PEP_OPTION_ENDPOINT_TIMEOUT: 60
>> libargus-pep:DEBUG: set_curl_connection_timeout: PEP#0 option_timeout: 60
>> pepcli:DEBUG: enabling peers SSL validation
>> libargus-pep:DEBUG: pep_setoption: PEP#0
>> PEP_OPTION_ENDPOINT_SSL_VALIDATION: TRUE
>> libargus-pep:DEBUG: set_curl_ssl_validation: PEP#0
>> option_ssl_validation: TRUE
>> pepcli:DEBUG: setting SSL ciphers: 'DEFAULT:-ECDH' (OpenSSL 1.0.0 bug
>> fix)
>> libargus-pep:DEBUG: pep_setoption: PEP#0
>> PEP_OPTION_ENDPOINT_SSL_CIPHER_LIST: DEFAULT:-ECDH
>> libargus-pep:DEBUG: set_curl_ssl_cipher_list: PEP#0
>> option_ssl_cipher_list: DEFAULT:-ECDH
>> pepcli:DEBUG: setting server trust anchors CA path:
>> /etc/grid-security/certificates/
>> libargus-pep:DEBUG: pep_setoption: PEP#0
>> PEP_OPTION_ENDPOINT_SERVER_CAPATH: /etc/grid-security/certificates/
>> libargus-pep:DEBUG: set_curl_server_capath: PEP#0
>> option_server_capath: /etc/grid-security/certificates/
>> pepcli:DEBUG: create XACML subject
>> pepcli:DEBUG: create XACML request
>> libargus-pep: pep_authorize: PEP#0 sending XACML request to:
>> https://mercury.hep.kbfi.ee:8154/authz
>> * About to connect() to mercury.hep.kbfi.ee port 8154
>> * Trying 193.40.150.250... * connected
>> * Connected to mercury.hep.kbfi.ee (193.40.150.250) port 8154
>> * successfully set certificate verify locations:
>> * CAfile: /etc/pki/tls/certs/ca-bundle.crt
>> CApath: /etc/grid-security/certificates/
>> * error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
>> * Closing connection #0
>> * SSL connect error
>> libargus-pep:ERROR: pep_authorize: PEP#0 sending XACML request failed:
>> curl[35] SSL connect error.
>> pepcli:ERROR: failed to authorize XACML request: CURL processing error
>>
>>
>> So it didn't like the certificate of the host… then again the
>> certificates seem ok:
>> [root@mercury argus]# openssl x509 -noout -modulus -in
>> /etc/grid-security/hostcert.pem | openssl md5 ;\
>>> openssl rsa -noout -modulus -in /etc/grid-security/hostkey.pem |
>>> openssl md5
>> 4d8af568dee076088cc94b8d50f66fbc
>> 4d8af568dee076088cc94b8d50f66fbc
>>
>> [root@mercury argus]# openssl x509 -noout -text -in
>> /etc/grid-security/hostcert.pem
>> Certificate:
>> Data:
>> Version: 3 (0x2)
>> Serial Number: 1640 (0x668)
>> Signature Algorithm: sha1WithRSAEncryption
>> Issuer: DC=org, DC=balticgrid, CN=Baltic Grid Certification Authority
>> Validity
>> Not Before: Jan 27 14:43:59 2011 GMT
>> Not After : Jan 27 14:43:59 2012 GMT
>> Subject: DC=org, DC=balticgrid, OU=kbfi.ee, CN=host/mercury.hep.kbfi.ee
>>
>> …
>>
>> The system time seems right:
>> [root@mercury argus]# ntpdate -q ntp.eenet.ee
>> server 193.40.133.142, stratum 1, offset -0.045216, delay 0.03004
>> 24 Aug 16:06:44 ntpdate[8854]: adjust time server 193.40.133.142
>> offset -0.045216 sec
>>
>> The hostname <-> IP mapping should be fine:
>> [root@mercury argus]# host mercury.hep.kbfi.ee
>> mercury.hep.kbfi.ee has address 193.40.150.250
>> [root@mercury argus]# host 193.40.150.250
>> 250.150.40.193.in-addr.arpa domain name pointer mercury.hep.kbfi.ee.
>>
>> So I'm a bit out of ideas… Any way to crank up the SSL debug more to
>> get the actual error why it thinks the certificate isn't worth a damn?
>>
>> Mario Kadastik, PhD
>> Researcher
>>
>> ---
>> "Physics is like sex, sure it may have practical reasons, but that's
>> not why we do it"
>> -- Richard P. Feynman
>
>
--
SWITCH
Serving Swiss Universities
--------------------------
Joël Casutt, Informatics Engineer, Middleware
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone: +41 44 268 1573