Hi Jens,
all the CA rpms are up to date, including 1.10 that came in this night.
The problem is clearly correlated to the host certificate for the CE.
Trouble is, I have no further idea where to look for a problem, which
leads to the site not being operational.
cheers,
gianfranco
On Thu, 19 Oct 2006, Jensen, J (Jens) wrote:
> Hi Gianfranco.
>
> The trouble with these error messages is that they indicate
> there is a problem but not where it is. If you're lucky you
> might have a glimmer of finding out at least what's wrong.
>
> I suggest you check your CA rpms - you should have lcg-CA-1.9
> installed and 1.10 should be out very shortly!
>
> All that stuff lives in /etc/grid-security/certificates/
>
> By that message it looks like a problem with the signing policy
> files, which are all in those RPMs.
>
> Cheers,
> --jens
>
> -----Original Message-----
> From: Testbed Support for GridPP member institutes
> [mailto:[log in to unmask]]On Behalf Of Gianfranco Sciacca
> Sent: 18 October 2006 18:03
> To: [log in to unmask]
> Subject: failing SFT/SAM: problem with CE certificate
>
>
> We are failing SFTs after installing a new CE certificate. Problems also with the MON certificate.
> I wonder if I'm missing copying certs and keys to any extra certificate location. I have:
>
> CE:
> in /etc/grid-security/
> -rw-r--r-- 1 root root 2344 Oct 19 2005 hostcert.pem
> -r-------- 1 root root 1850 Oct 19 2005 hostkey.pem
>
> in /opt/glite/var/rgma/.certs/
> -rw-r--r-- 1 rgma rgma 2344 Oct 11 14:01 hostcert.pem
> -r-------- 1 rgma rgma 1850 Oct 11 14:01 hostkey.pem
>
> for MON:
> in /etc/grid-security/
> -rw-r--r-- 1 root root 2344 Oct 24 2005 hostcert.pem
> -r-------- 1 root root 1854 Oct 24 2005 hostkey.pem
>
> in /etc/tomcat5/
> -rw-r--r-- 1 tomcat4 tomcat4 2344 Oct 24 2005 hostcert.pem
> -r-------- 1 tomcat4 tomcat4 1854 Oct 24 2005 hostkey.pem
>
> On the CE, I have tried restarting all the globus-* services and even re-run yaim to restart everything in proper fashion.
>
> The gatekeeper log doesn't reveal anything. In the home directories of pool accounts, I have this in globus-url-copy.log:
>
> GSS failure:
> GSS Major Status: Authentication Failed
> GSS Minor Status Error Chain:
>
> init_sec_context.c:171: gss_init_sec_context: SSLv3 handshake problems
> globus_i_gsi_gss_utils.c:881: globus_i_gsi_gss_handshake: Unable to verify remote side's credentials
> globus_i_gsi_gss_utils.c:854: globus_i_gsi_gss_handshake: SSLv3 handshake problems: Couldn't do ssl handshake
> OpenSSL Error: s3_clnt.c:840: in library: SSL routines, function SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
> globus_gsi_callback.c:351: globus_i_gsi_callback_handshake_callback: Could not verify credential
> globus_gsi_callback.c:490: globus_i_gsi_callback_cred_verify: Could not verify credential
> globus_gsi_callback.c:850: globus_i_gsi_callback_check_signing_policy: Error with signing policy
> globus_gsi_callback.c:927: globus_i_gsi_callback_check_gaa_auth: Error with signing policy: The signing policy file doesn't exist or can't be read
>
> Any suggested course of action?
>
> cheers and thanks for any pointers,
> gianfranco
>
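The last two lines of the quoted GSS error chain name the actual check that failed: globus_i_gsi_callback_check_signing_policy could not open the CA's signing policy. A Globus client verifying a remote certificate looks in its own certificates directory (/etc/grid-security/certificates/ here) for two files named after the OpenSSL subject-name hash of the issuing CA, `<hash>.0` (the CA certificate) and `<hash>.signing_policy`; the hash can be read off the host certificate with `openssl x509 -noout -issuer_hash -in /etc/grid-security/hostcert.pem`. Two things worth keeping in mind when applying this to the thread: the directory to inspect is on the host whose log shows "Unable to verify remote side's credentials", i.e. the side running globus-url-copy, and the CA that matters is the one that signed the certificate of the remote end it connected to; and on OpenSSL 1.0 and later the subject-hash algorithm changed, so the file name an older client expects is the value printed by `-issuer_hash_old`, which is why current CA distributions ship both names. The script below is an added example, not code from the thread or from Globus/gLite: it checks for the two files and parses a signing_policy file to decide whether a host DN may be signed by the CA, using the same `*` wildcard matching against the OpenSSL one-line DN that the policy format relies on. The CA DN, patterns, hash and host names in it are constructed for illustration and do not describe any real CA.

```python
"""Checks for the GSI 'signing policy file' failure quoted above.

Added example (not from the thread, not Globus/gLite code). The CA DN,
patterns, hash value and host names are constructed for illustration.
"""
import os
import re
import shlex
import tempfile
from typing import List

# Constructed sample: a hypothetical CA and the policy file its RPM would ship.
SAMPLE_CA_DN = "/C=UK/O=ExampleGridCA/OU=Authority/CN=Example Grid CA"
SAMPLE_POLICY = """\
# constructed sample signing_policy in the Globus (oldgaa) format
access_id_CA  X509  '/C=UK/O=ExampleGridCA/OU=Authority/CN=Example Grid CA'
pos_rights    globus CA:sign
cond_subjects globus '"/C=UK/O=ExampleGrid/*" "/C=UK/O=ExampleGridCA/*"'
"""


def missing_ca_files(cert_dir: str, ca_hash: str) -> List[str]:
    """Return the CA files that are absent or unreadable in cert_dir.

    Globus wants <hash>.0 (CA certificate) and <hash>.signing_policy, where
    hash is the OpenSSL subject-name hash of the CA DN. An empty list means
    both files are present and readable by the calling user.
    """
    missing = []
    for name in (f"{ca_hash}.0", f"{ca_hash}.signing_policy"):
        path = os.path.join(cert_dir, name)
        if not os.path.isfile(path) or not os.access(path, os.R_OK):
            missing.append(name)
    return missing


def parse_signing_policy(text: str) -> dict:
    """Parse the access_id_CA, pos_rights and cond_subjects lines.

    cond_subjects carries one single-quoted field that itself holds one or
    more double-quoted DN patterns, so that field is split a second time.
    """
    policy = {"ca_dn": None, "rights": [], "patterns": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if len(tokens) < 3:
            continue
        key, scope, value = tokens[0], tokens[1], tokens[2]
        if key == "access_id_CA" and scope == "X509":
            policy["ca_dn"] = value
        elif key == "pos_rights" and scope == "globus":
            policy["rights"].extend(tokens[2:])
        elif key == "cond_subjects" and scope == "globus":
            policy["patterns"].extend(shlex.split(value))
    return policy


def dn_matches(pattern: str, subject_dn: str) -> bool:
    """'*' in a policy pattern matches any run of characters; all else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, subject_dn) is not None


def signing_policy_allows(policy_text: str, issuer_dn: str, subject_dn: str) -> bool:
    """True if the policy names issuer_dn as the CA, grants CA:sign, and
    subject_dn matches at least one cond_subjects pattern."""
    policy = parse_signing_policy(policy_text)
    if policy["ca_dn"] != issuer_dn or "CA:sign" not in policy["rights"]:
        return False
    return any(dn_matches(p, subject_dn) for p in policy["patterns"])


def demo_missing_files() -> List[List[str]]:
    """Reproduce the failure mode in a scratch directory, step by step:
    nothing installed, then only the CA cert, then cert plus policy."""
    ca_hash = "1a2b3c4d"  # constructed; real value comes from openssl -issuer_hash
    cert_dir = tempfile.mkdtemp()
    results = [missing_ca_files(cert_dir, ca_hash)]
    open(os.path.join(cert_dir, f"{ca_hash}.0"), "w").close()
    results.append(missing_ca_files(cert_dir, ca_hash))
    with open(os.path.join(cert_dir, f"{ca_hash}.signing_policy"), "w") as fh:
        fh.write(SAMPLE_POLICY)
    results.append(missing_ca_files(cert_dir, ca_hash))
    return results


if __name__ == "__main__":
    host = "/C=UK/O=ExampleGrid/OU=Physics/CN=host/ce.example.ac.uk"  # constructed
    print("files missing at each step:", demo_missing_files())
    print("policy allows sample host:", signing_policy_allows(SAMPLE_POLICY, SAMPLE_CA_DN, host))
```

To use it against a real host, replace the constructed hash with the output of `openssl x509 -noout -issuer_hash -in hostcert.pem` on the client machine, point `missing_ca_files` at /etc/grid-security/certificates/, and run it as the account that produced the log (the pool account here), since an unreadable file fails the same way as a missing one.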