I get the following error while trying to run macaroon-init using a proxy certificate obtained with voms-proxy-init:

-Error with certificate at depth: 0
  issuer   = /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru
  subject  = /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru/CN=proxy
  err 20:unable to get local issuer certificate
140522296248064:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed:s3_srvr.c:3327:
-Error with certificate at depth: 0
  issuer   = /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru
  subject  = /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru/CN=375449781
  err 40:proxy certificates not allowed, please set the appropriate flag
140522295195392:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed:s3_srvr.c:3327:
-Error with certificate at depth: 0
  issuer   = /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru
  subject  = /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru/CN=proxy
  err 20:unable to get local issuer certificate
140521420654336:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed:s3_srvr.c:3327:

All this works fine if I use my certificate directly. It seems to me that the way openssl is used in the macaroon part does not support proxy certificates.
Below you have the configuration used on the server side:

ofs.osslib  libXrdPss.so
ofs.ckslib  * libXrdPss.so
xrootd.chksum  adler32
xrootd.seclib  libXrdSec.so
pss.origin  eospps.cern.ch:1094
all.export  /eos/
all.adminpath  /var/spool/xrootd
all.pidpath  /var/run/xrootd
sec.protocol  gsi -dlgpxy:1 -exppxy:=creds -crl:1 -moninfo:1 -cert:/etc/grid-security/daemon/gridftp-cert.pem -key:/etc/grid-security/daemon/gridftp-key.pem -gridmap:/etc/grid-security/grid-mapfile -d:1 -gmapopt:2 
sec.protbind  * gsi
ofs.tpc  autorm fcreds gsi =X509_USER_PROXY ttl 60 60 xfr 9 pgm /usr/local/bin/xrootd-third-party-copy.sh

if exec xrootd
  all.sitename eospps
  xrd.protocol http:1094 /usr/lib64/libXrdHttp-4.so
  http.cadir /etc/grid-security/certificates/
  http.cert /etc/grid-security/daemon/gridftp-cert.pem
  http.key /etc/grid-security/daemon/gridftp-key.pem
  http.gridmap /etc/grid-security/grid-mapfile
  http.exthandler xrdtpc libXrdHttpTPC.so
  http.exthandler xrdmacaroons libXrdMacaroons.so
  http.desthttps yes
  http.trace all
  macaroons.secretkey /etc/xrootd/macaroon-secret
  macaroons.onmissing allow
  macaroons.trace all
  ofs.authlib libXrdMacaroons.so
  #http.listingdeny yes
  #http.staticpreload http://static/robots.txt /etc/xrootd/robots.txt  
  #http.header2cgi Authorization authz
fi

continue  /etc/xrootd/config.d/

Is there any trick I need to employ to have this working?

Thanks,
Elvin
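Added example, not code from this issue or from the XRootD project: a throwaway CA, user certificate and RFC 3820 proxy certificate built with the openssl CLI, then verified three ways. It reproduces the two verifier errors quoted above (err 20 when the user certificate that issued the proxy is not offered with it, err 40 when it is offered but the verifier has not set X509_V_FLAG_ALLOW_PROXY_CERTS) and shows the flag that clears them (`-allow_proxy_certs` on the command line, the same X509_V_FLAG_ALLOW_PROXY_CERTS a server would set on its verify parameters). All subject names and file paths are constructed; the VOMS attribute extension that voms-proxy-init adds is not modelled.

```shell
#!/bin/sh
# Added example, not code from the xrootd issue or the XRootD project.
# Builds a throwaway CA -> user -> RFC 3820 proxy chain with the openssl CLI and
# verifies it three ways, mirroring the two errors in the report:
#   err 20 "unable to get local issuer certificate": the proxy is verified on its
#          own, so its issuer (the user certificate) cannot be found;
#   err 40 "proxy certificates not allowed": the user certificate is offered but
#          the verifier has not set X509_V_FLAG_ALLOW_PROXY_CERTS;
#   OK:    the flag is set (openssl verify -allow_proxy_certs).
# All subject names and file paths are constructed for the demo.
WORK="${WORK:-$(mktemp -d)}"

make_chain() {
  mkdir -p "$WORK" || return 1
  # Throwaway CA; `req -x509` marks it CA:TRUE with the default extensions.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null || return 1
  # End-entity user certificate signed by the CA (no basicConstraints: not a CA).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null || return 1
  openssl x509 -req -days 1 -in "$WORK/user.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/user.pem" 2>/dev/null || return 1
  # Proxy certificate: signed by the *user* key, subject = user subject plus
  # exactly one extra CN, and a critical proxyCertInfo extension (RFC 3820) so
  # that verifiers recognise it as a proxy rather than as a bogus CA-issued cert.
  printf '[v3_proxy]\nproxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB\n' \
    > "$WORK/proxy.cnf"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice/CN=proxy" \
    -keyout "$WORK/proxy.key" -out "$WORK/proxy.csr" 2>/dev/null || return 1
  openssl x509 -req -days 1 -in "$WORK/proxy.csr" -CA "$WORK/user.pem" \
    -CAkey "$WORK/user.key" -CAcreateserial -extfile "$WORK/proxy.cnf" \
    -extensions v3_proxy -out "$WORK/proxy.pem" 2>/dev/null || return 1
}

# verify_proxy [extra openssl verify options...]
# Verifies proxy.pem against the demo CA; prints openssl's verdict and returns
# openssl's exit status (0 only when the chain is accepted).
verify_proxy() {
  openssl verify "$@" -CAfile "$WORK/ca.pem" "$WORK/proxy.pem" 2>&1
}

demo() {
  make_chain || { echo "could not build demo chain" >&2; return 1; }
  echo "1) proxy alone (its issuer is the user cert, which is not offered):"
  verify_proxy                                                  # fails
  echo "2) user cert offered as untrusted intermediate, proxies not allowed:"
  verify_proxy -untrusted "$WORK/user.pem"                      # fails
  echo "3) same chain with proxy certificates allowed:"
  verify_proxy -allow_proxy_certs -untrusted "$WORK/user.pem"   # OK
  echo "demo artifacts left in $WORK"
}

demo
```

Case 2 is the interesting one for a server operator: the chain is complete and the signatures are valid, yet OpenSSL refuses it by design until the application opts in to proxy certificates, which is why the error text asks for "the appropriate flag". A TLS endpoint that must accept VOMS proxies therefore needs that flag on its verification parameters in addition to the CA directory; without it, every proxy-bearing client is rejected at depth 0 exactly as in the log above.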


View this Issue on GitHub: https://github.com/xrootd/xrootd/issues/1083

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1