I get the following error while trying to run macaroon-init using a proxy certificate obtained with voms-proxy-init:

```
-Error with certificate at depth: 0
issuer = /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru
subject = /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru/CN=proxy
err 20:unable to get local issuer certificate
140522296248064:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed:s3_srvr.c:3327:
-Error with certificate at depth: 0
issuer = /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru
subject = /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru/CN=375449781
err 40:proxy certificates not allowed, please set the appropriate flag
140522295195392:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed:s3_srvr.c:3327:
-Error with certificate at depth: 0
issuer = /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru
subject = /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru/CN=proxy
err 20:unable to get local issuer certificate
140521420654336:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed:s3_srvr.c:3327:
```

All this works fine if I use my certificate directly. It seems to me that the way openssl is used in the macaroon part does not support proxy certificates.

Below you have the configuration used on the server side:

```
ofs.osslib libXrdPss.so
ofs.ckslib * libXrdPss.so
xrootd.chksum adler32
xrootd.seclib libXrdSec.so
pss.origin eospps.cern.ch:1094
all.export /eos/
all.adminpath /var/spool/xrootd
all.pidpath /var/run/xrootd
sec.protocol gsi -dlgpxy:1 -exppxy:=creds -crl:1 -moninfo:1 -cert:/etc/grid-security/daemon/gridftp-cert.pem -key:/etc/grid-security/daemon/gridftp-key.pem -gridmap:/etc/grid-security/grid-mapfile -d:1 -gmapopt:2
sec.protbind * gsi
ofs.tpc autorm fcreds gsi =X509_USER_PROXY ttl 60 60 xfr 9 pgm /usr/local/bin/xrootd-third-party-copy.sh
if exec xrootd
all.sitename eospps
xrd.protocol http:1094 /usr/lib64/libXrdHttp-4.so
http.cadir /etc/grid-security/certificates/
http.cert /etc/grid-security/daemon/gridftp-cert.pem
http.key /etc/grid-security/daemon/gridftp-key.pem
http.gridmap /etc/grid-security/grid-mapfile
http.exthandler xrdtpc libXrdHttpTPC.so
http.exthandler xrdmacaroons libXrdMacaroons.so
http.desthttps yes
http.trace all
macaroons.secretkey /etc/xrootd/macaroon-secret
macaroons.onmissing allow
macaroons.trace all
ofs.authlib libXrdMacaroons.so
#http.listingdeny yes
#http.staticpreload http://static/robots.txt /etc/xrootd/robots.txt
#http.header2cgi Authorization authz
fi
continue /etc/xrootd/config.d/
```

Is there any trick I need to employ to have this working?

Thanks,
Elvin

--
Reply to this email directly or view it on GitHub: https://github.com/xrootd/xrootd/issues/1083
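
A triage helper for verify-failure logs in the format shown above, as an added example that is not part of the original post or of XRootD: it maps the two OpenSSL error numbers in that log to their `X509_V_ERR_*` names and guesses the proxy style from the subject naming. The function names and sample DNs are constructed for illustration, and the naming check is a heuristic (the proxyCertInfo extension in the certificate is what a verifier actually inspects).

```python
import re

# OpenSSL verify error numbers that appear in the log on this page.
VERIFY_ERRORS = {
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    40: "X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED",  # cleared by X509_V_FLAG_ALLOW_PROXY_CERTS
}

# One log entry: depth, issuer DN, subject DN, then "err <code>:<reason>".
ENTRY = re.compile(
    r"-Error with certificate at depth: (?P<depth>\d+)\s+"
    r"issuer = (?P<issuer>.+?)\s+"
    r"subject = (?P<subject>.+?)\s+"
    r"err (?P<code>\d+):(?P<reason>[^\n]+)"
)

def proxy_kind(issuer, subject):
    """Guess the proxy style from DN naming alone (heuristic, see lead-in)."""
    prefix = issuer + "/CN="
    if not subject.startswith(prefix) or "/" in subject[len(prefix):]:
        return "not-a-proxy-name"          # subject is not issuer + one CN
    last_cn = subject[len(prefix):]
    if last_cn in ("proxy", "limited proxy"):
        return "legacy"                    # pre-RFC 3820 Globus naming
    return "rfc3820" if last_cn.isdigit() else "unknown-proxy"

def triage(log_text):
    """Return one finding per verify failure found in log_text."""
    findings = []
    for m in ENTRY.finditer(log_text):
        code = int(m["code"])
        findings.append({
            "depth": int(m["depth"]),
            "proxy": proxy_kind(m["issuer"].strip(), m["subject"].strip()),
            "code": code,
            "name": VERIFY_ERRORS.get(code, "unmapped"),
        })
    return findings

# Constructed sample in the same layout as the log above (DNs are made up).
SAMPLE_LOG = """-Error with certificate at depth: 0
issuer = /DC=org/DC=example/CN=Alice Example
subject = /DC=org/DC=example/CN=Alice Example/CN=proxy
err 20:unable to get local issuer certificate
-Error with certificate at depth: 0
issuer = /DC=org/DC=example/CN=Alice Example
subject = /DC=org/DC=example/CN=Alice Example/CN=1234567
err 40:proxy certificates not allowed, please set the appropriate flag
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```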