Thanks for the fast replies Rod and Maarten.
There was some confusion with our GCA and we had multiple host
certificates issued. I have installed the "CN=host" certificate and the
globus-url-copy seems to authenticate fine now.
Leslie
On Wed, 16 Mar 2005, Maarten Litmaath wrote:
> Leslie Groer wrote:
>
> > I am getting this error when trying to contact our SE.
> >
> > % globus-job-run bigmac-lcg-se.physics.utoronto.ca:/C=CA/O=Grid/CN=storage/bigmac-lcg-se.physics.utoronto.ca /bin/pwd
>
> It is non-standard to run a gatekeeper on an SE...
>
> To test such things globus-url-copy (with the "-dbg" option) is a lot easier.
>
> > GRAM Job submission failed because authentication failed:
> > GSS Major Status: Authentication Failed
> > GSS Minor Status Error Chain:
> > init.c:499: globus_gss_assist_init_sec_context_async: Error during context
> > initialization
> > init_sec_context.c:171: gss_init_sec_context: SSLv3 handshake problems
> > globus_i_gsi_gss_utils.c:881: globus_i_gsi_gss_handshake: Unable to verify
> > remote side's credentials
> > globus_i_gsi_gss_utils.c:854: globus_i_gsi_gss_handshake: SSLv3 handshake
> > problems: Couldn't do ssl handshake
> > OpenSSL Error: s3_clnt.c:840: in library: SSL routines, function
> > SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
> > globus_gsi_callback.c:351: globus_i_gsi_callback_handshake_callback: Could
> > not verify credential
> > globus_gsi_callback.c:436: globus_i_gsi_callback_cred_verify: The
> > certificate has expired: Credential with subject:
> > /C=CA/O=Grid/CN=host/bigmac-lcg-se.physics.utoronto.ca has expired. (error
> > code 7)
> >
> > The error occurs as well when I do not specify the certificate subject in
> > the globus-job-run command.
> >
> > Upon renewing the host certificate for this machine, the CN in the host
> > certificate subject had to be changed as the Canadian Grid Authority can
> > only have one "host" machine per site which we have reserved for our CE.
>
> That restriction appears bizarre to me. Are you sure it is like that?
> Why do they consider the string "host" special?
>
> > The new storage element certificate is installed with:
> >
> > Subject: C=CA, O=Grid, CN=storage/bigmac-lcg-se.physics.utoronto.ca
> > [Note that the CN=storage/bigmac.... and not CN=host/bigmac....]
> >
> > The new certificate should be valid
> > Validity
> > Not Before: Feb 4 16:41:20 2005 GMT
> > Not After : Feb 4 16:41:20 2006 GMT
> >
> > The new certificate seems to be installed in the correct place:
> > /etc/grid-security/hostcert.pem
> > but is either not being picked up correctly by globus [...]
>
> Exactly. The string "host/" is magic in Globus, so if the Canadian CA insists
> on its peculiar requirements, your SE can no longer be used in LCG-2.
>
--
Leslie S. Groer
Department of Physics, University of Toronto
60 St. George Street, Toronto, ON M5S 1A7, Canada
Office: McLennan Physics Lab Room 911
Tel: +1-416-978-2959
Fax: +1-416-978-8221
http://home.fnal.gov/~groer
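
The error chain quoted in this thread already names the certificate the remote side presented, and it is not the subject given on the command line. As an added example (not part of the original messages), this Python script re-joins the wrapped chain lines and compares the rejected subject with the expected one; `parse_chain`, `diagnose` and the result labels are names chosen here for illustration.

```python
import re

# Minor-status chain as quoted in the thread (quote markers stripped, line wraps kept).
ERROR_CHAIN = """\
GSS Minor Status Error Chain:
init.c:499: globus_gss_assist_init_sec_context_async: Error during context
initialization
init_sec_context.c:171: gss_init_sec_context: SSLv3 handshake problems
globus_i_gsi_gss_utils.c:881: globus_i_gsi_gss_handshake: Unable to verify
remote side's credentials
globus_i_gsi_gss_utils.c:854: globus_i_gsi_gss_handshake: SSLv3 handshake
problems: Couldn't do ssl handshake
OpenSSL Error: s3_clnt.c:840: in library: SSL routines, function
SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
globus_gsi_callback.c:351: globus_i_gsi_callback_handshake_callback: Could
not verify credential
globus_gsi_callback.c:436: globus_i_gsi_callback_cred_verify: The
certificate has expired: Credential with subject:
/C=CA/O=Grid/CN=host/bigmac-lcg-se.physics.utoronto.ca has expired. (error
code 7)
"""
# Subject the client asked for in the globus-job-run contact string.
EXPECTED = "/C=CA/O=Grid/CN=storage/bigmac-lcg-se.physics.utoronto.ca"

# A chain entry starts with "<file>.c:<line>: "; anything else is a wrapped continuation.
FRAME = re.compile(r"^(?:OpenSSL Error: )?([\w.]+\.c):(\d+): (.*)$")

def parse_chain(text):
    """Return [(source_file, line_no, message)], re-joining wrapped lines."""
    frames = []
    for raw in text.splitlines():
        m = FRAME.match(raw.strip())
        if m:
            frames.append([m.group(1), int(m.group(2)), m.group(3)])
        elif frames and raw.strip():
            frames[-1][2] += " " + raw.strip()  # continuation of the previous entry
    return [tuple(f) for f in frames]

def diagnose(text, expected_subject):
    """Compare the subject reported as expired with the subject the client expected."""
    for _file, _line, msg in parse_chain(text):
        m = re.search(r"Credential with subject: (\S+) has expired", msg)
        if m and m.group(1) != expected_subject:
            return ("expired-other-subject", m.group(1))  # remote sent a different cert
        if m:
            return ("expired-expected-subject", m.group(1))
    return ("unclassified", None)

if __name__ == "__main__":
    print(diagnose(ERROR_CHAIN, EXPECTED))
```

An `expired-other-subject` result means the remote service is presenting a certificate other than the one the client named, so the next thing to inspect is which certificate file the service actually loaded.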