dmwm / das2go

Go implementation of Data Aggregation System (DAS) for CMS experiment
MIT License

GEANT Certificates not accepted / maybe a problem with comma in DN #41

Closed jolange closed 2 years ago

jolange commented 2 years ago

Hi everybody,

@Panos512 asked me to open this ticket as a "follow up" to these in CRIC and the Service Portal (LDAP). The context there is that a comma in the DN was causing trouble and it is fixed in CRIC already and will hopefully be fixed for LDAP. I am not sure if this is also the problem in DAS:

I have a new certificate from a new provider (Issuer: C = NL, O = GEANT Vereniging, CN = GEANT eScience Personal CA 4) and the DN has a somewhat funny format:

$ openssl x509 -noout -text -in usercert.pem | grep Lange
        Subject: DC = org, DC = terena, DC = tcs, C = DE, O = Universitaet Hamburg, CN = "Lange, Dr. Johannes <username>@uni-hamburg.de"

The CN is generated with information from an SSO of the home institution and in the case of Uni Hamburg unfortunately contains a comma (and is in quotes). All new certificates for our group members will be issued by GEANT from now on, because GridKa-CA will stop operation.

cmsweb does not complain when selecting the new certificate, but when I go on to DAS, I receive "Peer does not recognize and trust the CA that issued your certificate." [screenshot of the error] The situation is the same for http://cmsweb-testbed.cern.ch/ and http://cmsweb-prod.cern.ch/.

I am not sure if this is also caused by the comma in the DN or if this is a different problem. Any help would be appreciated and I can provide more information, if needed!

Best, Johannes

vkuznet commented 2 years ago

Johannes, I need more input from you. You wrote that cmsweb does not complain, but it is our frontend where all user certificates are evaluated. As such you need to access at least one service under cmsweb. Could you please try to reach https://cmsweb.cern.ch/httpgo and post the output here? This service basically dumps all HTTP headers we set up using the user's DN. If it works, then I need to know your root CA. The latter is what your error complains about. It is the root certificate from your authority which was used to sign your personal certificate. Usually we have these certificates in /etc/grid-security/certificates, which you can look up on lxplus. It may be that the images we deploy on cmsweb do not have this root CA (but it may exist on lxplus). As such we just need to know the file name and we can include it in the cmsweb image.

To find your root CA you may dump your cert details using the following command:

openssl x509 -inform pem -noout -text -in <your_cert.pem>
# and it will print something like:
...
        Issuer: DC=ch, DC=cern, CN=CERN Grid Certification Authority
...

In my case my grid certificate was issued by the CERN Grid CA, and its file is

openssl x509 -inform pem -noout -text -in /etc/grid-security/certificates/CERN-GridCA.pem
...
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            61:98:6a:3f:00:00:00:00:00:03
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: C=ch, O=CERN, CN=CERN Root Certification Authority 2

So, we need to find out yours.

jolange commented 2 years ago

@vkuznet thanks for the instructions!

You wrote that cmsweb does not complain, but it is our frontend where all user certificates are evaluated. As such you need to access at least one services under cmsweb.

Indeed I get the same SSL_ERROR_UNKNOWN_CA_ALERT error when I try to access https://cmsweb.cern.ch/ with the certificate. Before I probably simply used http, which works up to that stage.

Could you please try out to reach and post here the output from: https://cmsweb.cern.ch/httpgo

There I get the same SSL_ERROR_UNKNOWN_CA_ALERT error that's shown in my original screenshot.

The issuer string I posted before is exactly extracted as you suggest:

$ openssl x509 -inform pem -noout -text -in usercert.pem | grep Issuer
        Issuer: C=NL, O=GEANT Vereniging, CN=GEANT eScience Personal CA 4

and the corresponding certificate file should be this one:

$ openssl x509 -inform pem -noout -text -in /etc/grid-security/certificates/GEANTeSciencePersonalCA4.pem | grep -E 'Subject|Issuer'
        Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
        Subject: C=NL, O=GEANT Vereniging, CN=GEANT eScience Personal CA 4

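
The two things the thread is circling (whether a comma inside the CN can break anything, and what "Peer does not recognize and trust the CA" means when the issuing CA file is present but is itself an intermediate signed by USERTrust) can be reproduced offline. The Go program below is an added example, not das2go code and not anything a participant posted: it builds a throwaway root -> intermediate -> user chain whose names are constructed to mirror the listings above (the user's address is replaced by the placeholder user@example.org), then runs Go's chain verifier in the configurations a TLS frontend could be in. It assumes Go's crypto/x509 behaviour: a certificate placed in the Roots pool is a trust anchor even when it is not self-signed, and a parsed CN keeps its comma while pkix.Name.String() prints it RFC 2253-escaped as `\,` (the quoted form in the openssl output is OpenSSL's rendering of the same value). SplitDN is a small escape-aware splitter written for this example to contrast with the naive comma split that the CRIC/LDAP tickets mentioned above ran into.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Chain is an in-memory root -> intermediate -> user chain with throwaway keys; the names mirror the thread.
type Chain struct{ Root, Inter, User *x509.Certificate }

// BuildChain issues a USERTrust-style self-signed root, a GEANT-style intermediate under it and a user
// certificate under that whose CN contains a comma. It panics on failure (broken RNG or a coding error).
func BuildChain() *Chain {
	names := [][3]string{ // country, organisation, common name; the last entry is the user (leaf) cert
		{"US", "The USERTRUST Network", "USERTrust RSA Certification Authority"},
		{"NL", "GEANT Vereniging", "GEANT eScience Personal CA 4"},
		{"DE", "Universitaet Hamburg", "Lange, Dr. Johannes user@example.org"}, // constructed placeholder address
	}
	var certs []*x509.Certificate
	var prevKey *ecdsa.PrivateKey
	for i, n := range names {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		// Key usages are left out: the example exercises chain building, not usage checks.
		t := &x509.Certificate{SerialNumber: big.NewInt(int64(i + 1)),
			Subject:   pkix.Name{Country: []string{n[0]}, Organization: []string{n[1]}, CommonName: n[2]},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
			IsCA:      i < len(names)-1, BasicConstraintsValid: true}
		parent, signer := t, key // the root signs itself ...
		if i > 0 {
			parent, signer = certs[i-1], prevKey // ... every later cert is issued by the one before it
		}
		der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
		if err != nil {
			panic(err)
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			panic(err)
		}
		certs, prevKey = append(certs, cert), key
	}
	return &Chain{certs[0], certs[1], certs[2]}
}

// VerifyClient does what a TLS frontend does with a client certificate: anchors stands in for the
// CA directory (/etc/grid-security/certificates), presented for the extra certificates the client sent.
// Empty but non-nil pools keep the system trust store out of the picture.
func VerifyClient(c *Chain, anchors, presented []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, a := range anchors {
		roots.AddCert(a)
	}
	for _, p := range presented {
		inters.AddCert(p)
	}
	_, err := c.User.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

// IsUnknownCA reports whether err is Go's form of "Peer does not recognize and trust the CA that
// issued your certificate" (the unknown_ca TLS alert on the wire).
func IsUnknownCA(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// SplitDN splits an RFC 2253 string DN on unescaped commas only, so the escaped comma in
// "CN=Lange\, Dr. Johannes ..." stays inside one RDN; strings.Split on "," cuts it in two.
func SplitDN(dn string) []string {
	var parts []string
	start, esc := 0, false
	for i, r := range dn {
		if esc {
			esc = false
		} else if r == '\\' {
			esc = true
		} else if r == ',' {
			parts, start = append(parts, dn[start:i]), i+1
		}
	}
	return append(parts, dn[start:])
}

func main() {
	c := BuildChain()
	dn := c.User.Subject.String()
	fmt.Printf("%s\nnaive split: %d RDNs, escape-aware: %d RDNs\n", dn, len(strings.Split(dn, ",")), len(SplitDN(dn)))
	fmt.Println("intermediate anchored:", VerifyClient(c, []*x509.Certificate{c.Inter}, nil))
	fmt.Println("root anchored, intermediate not presented, unknown CA:", IsUnknownCA(VerifyClient(c, []*x509.Certificate{c.Root}, nil)))
}
```

What it shows: the comma survives the X.509 round trip untouched, so a comma can only bite software that re-parses the rendered DN string by splitting on commas, which is a different failure from an unknown_ca alert. For the trust side, anchoring the intermediate file alone verifies the user certificate, anchoring only the USERTrust root fails with an unknown-authority error unless the client also presents the intermediate, and an empty anchor set fails the same way; which of these matches the cmsweb frontend cannot be decided from this thread alone, so it is the check to run, not a diagnosis. To run it against real files, replace BuildChain with certificates decoded from PEM (pem.Decode followed by x509.ParseCertificate) and fill anchors from the CA directory.
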
vkuznet commented 2 years ago

Ok, the issue is generic to cmsweb and not related to a specific service (DAS).

@muhammadimranfarooqi could you please check if our CMSWEB FE image contains /etc/grid-security/certificates/GEANTeSciencePersonalCA4.pem root CA?

muhammadimranfarooqi commented 2 years ago

Yes,

[_frontend@cmsweb-uiyd2lkjujqz-node-1 data]$ ls /etc/grid-security/certificates/  | grep GEANTeSciencePersonalCA4.pem
GEANTeSciencePersonalCA4.pem

jolange commented 2 years ago

@vkuznet @muhammadimranfarooqi thanks! What would you suggest to debug this further?

vkuznet commented 2 years ago

This issue should be moved to the CMSKUBERNETES Jira, please see it here: https://its.cern.ch/jira/browse/CMSKUBERNETES-137 Since the issue is not related to DAS I'll close the ticket. The particular steps to debug the issue further are provided in the new ticket and the CMS HTTP group will follow up from there.