Hi I sent an email yesterday about the French CRLs that expired (subject
: [LCG-ROLLOUT] CNRS / Datagrid-fr CRLs out of date... )
The CRLs file is now up-to-date, but it appeared today that the web
server fails answering all queries for this file, since every machine on
the grid seems to download all CRLs at the same time... so I guess (and
I'm not sure there is only one problem) that what happened is that the
RB did not succeed in downloading the new and valid CRL... :(
Some machines might have suceeded in downloading the good files, others
not...
This is a general problem about the cron jobs that are set up : with
the new (LCG 2.3 - SL3) release, it seems that the setup puts a file in
/etc/cron.d/ called edg-fetch-crl which contains the following :
56 3,9,15,21 * * * root /opt/edg/etc/cron/edg-fetch-crl-cron >>
/var/log/edg-fetch-crl-cron.log 2>&1
So, it would be great that the cron tab times are randomly set up when
installed ...
Regards,
Frederic
P.S : lxn1177 seem to be OK while lxn1188 fails. We have a test RB in
France which fails the same way as does lxn1188 but has the good
Datagrid-fr CRL (but the CNRS-Projets CRL still is wrong), so we're
trying to find what else could be wrong...
P.S : what could be done ? Hemmm... we could wait, or upgrade the CRL
web server (under investigation), or ask all RB/CE/SE/UI (WN?) admins to
manually upgrade the CRLs... or pray ? ;)
Emanouil Atanassov a écrit :
>I can still not authenticate to the lxn1188.cern.ch resource broker,
>the default one on my UI.
>I have a valid Datagrid-fr certificate, and I get
>
>the following error:
>
>edg-gridftp-ls -v gsiftp://lxn1188.cern.ch/
>error the server sent an error response: 535 535-FTPD GSSAPI error: GSS Major Status: Authentication Failed
>535-FTPD GSSAPI error: GSS Minor Status Error Chain:
>535-FTPD GSSAPI error:
>535-FTPD GSSAPI error: accept_sec_context.c:170: gss_accept_sec_context: SSLv3 handshake problems
>535-FTPD GSSAPI error: globus_i_gsi_gss_utils.c:881: globus_i_gsi_gss_handshake: Unable to verify remote side's credentials
>535-FTPD GSSAPI error: globus_i_gsi_gss_utils.c:854: globus_i_gsi_gss_handshake: SSLv3 handshake problems: Couldn't do ssl handshake
>535-FTPD GSSAPI error: OpenSSL Error: s3_srvr.c:1816: in library: SSL routines, function SSL3_GET_CLIENT_CERTIFICATE: no certificate returned
>535-FTPD GSSAPI error: globus_gsi_callback.c:351: globus_i_gsi_callback_handshake_callback: Could not verify credential
>535-FTPD GSSAPI error: globus_gsi_callback.c:477: globus_i_gsi_callback_cred_verify: Could not verify credential
>535-FTPD GSSAPI error: globus_gsi_callback.c:769: globus_i_gsi_callback_check_revoked: Invalid CRL: The available CRL has expired
>535 FTPD GSSAPI error: accepting context
>
>error the server sent an error response: 535 535-FTPD GSSAPI error: GSS Major Status: Authentication Failed
>535-FTPD GSSAPI error: GSS Minor Status Error Chain:
>535-FTPD GSSAPI error:
>535-FTPD GSSAPI error: accept_sec_context.c:170: gss_accept_sec_context: SSLv3 handshake problems
>535-FTPD GSSAPI error: globus_i_gsi_gss_utils.c:881: globus_i_gsi_gss_handshake: Unable to verify remote side's credentials
>535-FTPD GSSAPI error: globus_i_gsi_gss_utils.c:854: globus_i_gsi_gss_handshake: SSLv3 handshake problems: Couldn't do ssl handshake
>535-FTPD GSSAPI error: OpenSSL Error: s3_srvr.c:1816: in library: SSL routines, function SSL3_GET_CLIENT_CERTIFICATE: no certificate returned
>535-FTPD GSSAPI error: globus_gsi_callback.c:351: globus_i_gsi_callback_handshake_callback: Could not verify credential
>535-FTPD GSSAPI error: globus_gsi_callback.c:477: globus_i_gsi_callback_cred_verify: Could not verify credential
>535-FTPD GSSAPI error: globus_gsi_callback.c:769: globus_i_gsi_callback_check_revoked: Invalid CRL: The available CRL has expired
>535 FTPD GSSAPI error: accepting context
>
>However, I can authenticate, submit jobs and retrieve output using lxn1177.cern.ch.
>
>I can see that users trying to submit jobs to our CE ce001.grid.bas.bg
>from lxn1188.cern.ch, are having authentication problems too:
>
>Notice: 6: Got connection 137.138.152.217 at Wed Jan 5 11:27:44 2005
>
>Failed reading length 0
>GSS authentication failure
> globus_gss_assist token :3: read failure: Connection closed
>Failure: GSS failed Major:01090000 Minor:00000000 Token:00000003
>
>Failure: GSS failed Major:01090000 Minor:00000000 Token:00000003
>
>I explicitly allowed access for 137.138.152.217 through our firewall,
>and I manually updated the CRLs.
>
>
>What can be done about these problems?
>
>Thanks in advance,
>
>Emanouil Atanassov
>
>BG01-IPP site administrator
>
>[log in to unmask]
>
>
>
|