> the default configuration of Argus implies the use of https, e.g.
>
> [root@mercury argus]# pepcli -p https://mercury.hep.kbfi.ee:8154/authz -c ~/x509up_u101 -r myCE -a myAction
>
> notice the s attached to https. Besides that, your command looks right :)
Ok, that was stupid. However, it seems there is something fishy with the certificate chain…
[root@mercury argus]# pepcli -d -p https://mercury.hep.kbfi.ee:8154/authz -c ~/x509up_u101 -r myCE -a myA -t 60 -x --capath /etc/grid-security/certificates/
pepcli:DEBUG: debug set.
pepcli:DEBUG: pepd: https://mercury.hep.kbfi.ee:8154/authz
pepcli:DEBUG: certchain: /root/x509up_u101
pepcli:DEBUG: resourceid: myCE
pepcli:DEBUG: actionid: myA
pepcli:DEBUG: timeout: 60
pepcli:DEBUG: show effective Request context.
pepcli:DEBUG: capath: /etc/grid-security/certificates/
pepcli:DEBUG: read certchain from: /root/x509up_u101
pepcli:DEBUG: certchain:[
…..
]
pepcli:DEBUG: create PEP client...
pepcli:DEBUG: set PEP_OPTION_LOG_LEVEL: PEP_LOGLEVEL_DEBUG
libargus-pep:DEBUG: pep_setoption: PEP#0 PEP_OPTION_LOG_LEVEL: 3
libargus-pep:DEBUG: set_curl_verbose: PEP#0 option_loglevel: 3
pepcli:DEBUG: set PEPd url: https://mercury.hep.kbfi.ee:8154/authz
libargus-pep:DEBUG: pep_setoption: PEP#0 PEP_OPTION_ENDPOINT_URL: https://mercury.hep.kbfi.ee:8154/authz
libargus-pep:DEBUG: set_curl_endpoint_url: PEP#0 option_endpoint_url: https://mercury.hep.kbfi.ee:8154/authz
pepcli:DEBUG: set PEP-C client timeout: 60
libargus-pep:DEBUG: pep_setoption: PEP#0 PEP_OPTION_ENDPOINT_TIMEOUT: 60
libargus-pep:DEBUG: set_curl_connection_timeout: PEP#0 option_timeout: 60
pepcli:DEBUG: enabling peers SSL validation
libargus-pep:DEBUG: pep_setoption: PEP#0 PEP_OPTION_ENDPOINT_SSL_VALIDATION: TRUE
libargus-pep:DEBUG: set_curl_ssl_validation: PEP#0 option_ssl_validation: TRUE
pepcli:DEBUG: setting SSL ciphers: 'DEFAULT:-ECDH' (OpenSSL 1.0.0 bug fix)
libargus-pep:DEBUG: pep_setoption: PEP#0 PEP_OPTION_ENDPOINT_SSL_CIPHER_LIST: DEFAULT:-ECDH
libargus-pep:DEBUG: set_curl_ssl_cipher_list: PEP#0 option_ssl_cipher_list: DEFAULT:-ECDH
pepcli:DEBUG: setting server trust anchors CA path: /etc/grid-security/certificates/
libargus-pep:DEBUG: pep_setoption: PEP#0 PEP_OPTION_ENDPOINT_SERVER_CAPATH: /etc/grid-security/certificates/
libargus-pep:DEBUG: set_curl_server_capath: PEP#0 option_server_capath: /etc/grid-security/certificates/
pepcli:DEBUG: create XACML subject
pepcli:DEBUG: create XACML request
libargus-pep: pep_authorize: PEP#0 sending XACML request to: https://mercury.hep.kbfi.ee:8154/authz
* About to connect() to mercury.hep.kbfi.ee port 8154
* Trying 193.40.150.250... * connected
* Connected to mercury.hep.kbfi.ee (193.40.150.250) port 8154
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: /etc/grid-security/certificates/
* error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
* Closing connection #0
* SSL connect error
libargus-pep:ERROR: pep_authorize: PEP#0 sending XACML request failed: curl[35] SSL connect error.
pepcli:ERROR: failed to authorize XACML request: CURL processing error
So it didn't like the certificate of the host… then again, the certificates seem OK:
[root@mercury argus]# openssl x509 -noout -modulus -in /etc/grid-security/hostcert.pem | openssl md5 ;\
> openssl rsa -noout -modulus -in /etc/grid-security/hostkey.pem | openssl md5
4d8af568dee076088cc94b8d50f66fbc
4d8af568dee076088cc94b8d50f66fbc
[root@mercury argus]# openssl x509 -noout -text -in /etc/grid-security/hostcert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1640 (0x668)
Signature Algorithm: sha1WithRSAEncryption
Issuer: DC=org, DC=balticgrid, CN=Baltic Grid Certification Authority
Validity
Not Before: Jan 27 14:43:59 2011 GMT
Not After : Jan 27 14:43:59 2012 GMT
Subject: DC=org, DC=balticgrid, OU=kbfi.ee, CN=host/mercury.hep.kbfi.ee
…
The system time seems right:
[root@mercury argus]# ntpdate -q ntp.eenet.ee
server 193.40.133.142, stratum 1, offset -0.045216, delay 0.03004
24 Aug 16:06:44 ntpdate[8854]: adjust time server 193.40.133.142 offset -0.045216 sec
The hostname <-> IP mapping should be fine:
[root@mercury argus]# host mercury.hep.kbfi.ee
mercury.hep.kbfi.ee has address 193.40.150.250
[root@mercury argus]# host 193.40.150.250
250.150.40.193.in-addr.arpa domain name pointer mercury.hep.kbfi.ee.
So I'm a bit out of ideas… Is there any way to crank up the SSL debug further to get the actual reason why it thinks the certificate isn't worth a damn?
Mario Kadastik, PhD
Researcher
---
"Physics is like sex, sure it may have practical reasons, but that's not why we do it"
-- Richard P. Feynman
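An added diagnostic script, not part of Argus, pepcli or the original post, that starts from what the curl trace already shows: "sslv3 alert bad certificate" is an alert the peer sent, so it is the client's proxy chain that the PEP daemon rejected, and that is what needs checking against the server's trust anchors. It assumes openssl and awk are installed and that the openssl release supports the -allow_proxy_certs verify option; the endpoint, proxy path and CA directory are passed as arguments.

```sh
#!/bin/sh
# Added diagnostic helper, not from Argus/pepcli or the original post.
# "sslv3 alert bad certificate" is an alert the peer SENT: the PEP daemon
# rejected the client's proxy chain, not the host cert. Needs openssl + awk.

# Split a PEM bundle into cert1.pem, cert2.pem, ... (leaf first, private
# key blocks skipped) and print how many certificates it held.
split_pem_bundle() {
    bundle=$1; outdir=$2
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END { print n + 0 }' "$bundle"
}

# Who signed what: the chain must end in a CA present under the CApath the
# server trusts, otherwise the server answers with "bad certificate".
describe_chain() {
    for f in "$1"/cert*.pem; do
        openssl x509 -noout -subject -issuer -enddate -in "$f"
    done
}

# Verify the leaf against the trust-anchor directory, with the rest of the
# bundle as untrusted intermediates. Proxies need -allow_proxy_certs.
verify_proxy_chain() {
    capath=$1; untrusted=$2; leaf=$3
    openssl verify -CApath "$capath" -allow_proxy_certs -untrusted "$untrusted" "$leaf"
}

# Redo the handshake by hand: -state prints each handshake step, so you can
# see whether the alert arrives right after the client Certificate message.
handshake_debug() {
    hostport=$1; proxy=$2; capath=$3
    openssl s_client -connect "$hostport" -cert "$proxy" -key "$proxy" \
        -CApath "$capath" -state </dev/null
}

# Usage: sh pep_tls_diag.sh mercury.hep.kbfi.ee:8154 /root/x509up_u101 /etc/grid-security/certificates
if [ "$#" -eq 3 ]; then
    tmp=$(mktemp -d)
    echo "proxy bundle holds $(split_pem_bundle "$2" "$tmp") certificate(s)"
    describe_chain "$tmp"
    cat "$tmp"/cert*.pem > "$tmp/untrusted.pem"
    verify_proxy_chain "$3" "$tmp/untrusted.pem" "$tmp/cert1.pem"
    handshake_debug "$1" "$2" "$3"
    rm -rf "$tmp"
fi
```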