Hi,

I'm trying to debug a Globus certificate problem, and I came across
something I don't understand in the CNRS certificates.  These were
installed from RPMs, but I can't say I remember *which* RPMs.  I
understand that CNRS has the role of signing certs from random places.
What I'm wondering is if Globus/openssl require that all sub-CA signing
policies be more restrictive than their parent.  Thinking about it, this
wouldn't make sense to me, but I am grasping at straws for what may be
the cause of my problem.

Here is how the CNRS certs seem to be set up:

1. CNRS CA:         Can only sign itself and CNRS/Projets
                     Signed by itself

2. CNRS/Projets CA: Can only sign itself and CNRS/Datagrid-fr
                     Signed by CNRS CA

3. CNRS/Datagrid-fr CA: Can sign anything
                         Signed by CNRS/Projets

Besides the fact that I don't understand why CNRS/Projets (French
spelling) can sign itself, and the fact that it seems possibly a little
risky to let CNRS sign /*, this seems like a very reasonable
arrangement.  However, I am failing to authenticate using a CNRS cert,
but my UK e-Science cert works fine (so it definitely seems like the
problem is either with my CNRS cert or with the installation of the CNRS
CA certs on the remote site).

Below is the error message I get:

[lxgate03] ~ >  gsissh -p 2222 -2 -i ~/.globus/userkey.pem grid-compute.oesc.ox.ac.uk
GSSAPI Error:
GSS Major Status: Authentication Failed

GSS Minor Status Error Chain:

an unknown error occurred
Disconnecting: Protocol error: didn't expect packet type 34



Ha.  At this very instant it works.  I do not know if the site has fixed
their policies or if I have managed to change something locally.
Anyway, if anyone else has seen this problem and knows what causes it, I
had the same problem a few weeks ago and it also seemed to
"mysteriously" disappear.

Cheers,

Ian.
--
Ian Stokes-Rees                 [log in to unmask]
Particle Physics, Oxford        http://www-pnp.physics.ox.ac.uk/~stokes
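
A sketch of a per-link signing-policy check for the three-level arrangement described in the message above. This is an added example, not part of the original post and not Globus code: the DNs and policy text are constructed placeholders, and it assumes each certificate's subject is matched only against its direct issuer's `cond_subjects`, with wildcards approximated by `fnmatch`.

```python
import fnmatch
import re

# Constructed policy text in the Globus signing_policy layout (placeholder DNs).
POLICIES = """
access_id_CA   X509    '/O=Example/CN=Root CA'
pos_rights     globus  CA:sign
cond_subjects  globus  '"/O=Example/CN=Root CA" "/O=Example/CN=Projets CA"'
access_id_CA   X509    '/O=Example/CN=Projets CA'
pos_rights     globus  CA:sign
cond_subjects  globus  '"/O=Example/CN=Projets CA" "/O=Example/CN=Datagrid CA"'
access_id_CA   X509    '/O=Example/CN=Datagrid CA'
pos_rights     globus  CA:sign
cond_subjects  globus  '"/*"'
"""

# Constructed chain as (subject, issuer) pairs, root first, end entity last.
CHAIN = [
    ("/O=Example/CN=Root CA", "/O=Example/CN=Root CA"),
    ("/O=Example/CN=Projets CA", "/O=Example/CN=Root CA"),
    ("/O=Example/CN=Datagrid CA", "/O=Example/CN=Projets CA"),
    ("/O=Example/OU=Users/CN=Constructed User", "/O=Example/CN=Datagrid CA"),
]

def parse_policies(text):
    """Map each CA DN to the list of subject patterns it is allowed to sign."""
    policies, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*(access_id_CA|cond_subjects)\s+\S+\s+'(.*)'\s*$", line)
        if not m:
            continue  # pos_rights, blank lines and comments carry no names
        key, value = m.groups()
        if key == "access_id_CA":
            current = value
            policies[current] = []
        elif current is not None:
            policies[current] += re.findall(r'"([^"]*)"', value)
    return policies

def check_chain(chain, policies):
    """Return (subject, reason) for every link the installed policies reject."""
    failures = []
    for subject, issuer in chain:
        patterns = policies.get(issuer)
        if patterns is None:
            failures.append((subject, "no signing policy installed for " + issuer))
        elif not any(fnmatch.fnmatchcase(subject, p) for p in patterns):
            failures.append((subject, issuer + " policy does not permit this subject"))
    return failures
```

Under that assumption the full chain passes even though the lowest CA's policy is the broadest, while removing any one intermediate policy from the installed set makes the link below it fail.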