Hi Gianfranco.
The trouble with these error messages is that they indicate
there is a problem but not where it is. If you're lucky you
might have a glimmer of finding out at least what's wrong.
I suggest you check your CA rpms - you should have lcg-CA-1.9
installed and 1.10 should be out very shortly!
All that stuff lives in /etc/grid-security/certificates/
By that message it looks like a problem with the signing policy
files, which are all in those RPMs.
Cheers,
--jens
-----Original Message-----
From: Testbed Support for GridPP member institutes
[mailto:[log in to unmask]]On Behalf Of Gianfranco Sciacca
Sent: 18 October 2006 18:03
To: [log in to unmask]
Subject: failing SFT/SAM: problem with CE certificate
We are failing SFTs after installing a new CE certificate. Problems also with the MON certificate.
I wonder if I'm missing copying certs and keys to any extra certificate location. I have:
CE:
in /etc/grid-security/
-rw-r--r-- 1 root root 2344 Oct 19 2005 hostcert.pem
-r-------- 1 root root 1850 Oct 19 2005 hostkey.pem
in /opt/glite/var/rgma/.certs/
-rw-r--r-- 1 rgma rgma 2344 Oct 11 14:01 hostcert.pem
-r-------- 1 rgma rgma 1850 Oct 11 14:01 hostkey.pem
for MON:
in /etc/grid-security/
-rw-r--r-- 1 root root 2344 Oct 24 2005 hostcert.pem
-r-------- 1 root root 1854 Oct 24 2005 hostkey.pem
in /etc/tomcat5/
-rw-r--r-- 1 tomcat4 tomcat4 2344 Oct 24 2005 hostcert.pem
-r-------- 1 tomcat4 tomcat4 1854 Oct 24 2005 hostkey.pem
On the CE, I have tried restarting all the globus-* services and even re-run yaim to restart everything in proper fashion.
The gatekeeper log doesn't reveal anything. In the home directories of pool accounts, I have this in globus-url-copy.log:
GSS failure:
GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
init_sec_context.c:171: gss_init_sec_context: SSLv3 handshake problems
globus_i_gsi_gss_utils.c:881: globus_i_gsi_gss_handshake: Unable to verify remote side's credentials
globus_i_gsi_gss_utils.c:854: globus_i_gsi_gss_handshake: SSLv3 handshake problems: Couldn't do ssl handshake
OpenSSL Error: s3_clnt.c:840: in library: SSL routines, function SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
globus_gsi_callback.c:351: globus_i_gsi_callback_handshake_callback: Could not verify credential
globus_gsi_callback.c:490: globus_i_gsi_callback_cred_verify: Could not verify credential
globus_gsi_callback.c:850: globus_i_gsi_callback_check_signing_policy: Error with signing policy
globus_gsi_callback.c:927: globus_i_gsi_callback_check_gaa_auth: Error with signing policy: The signing policy file doesn't exist or can't be read
Any suggested course of action?
cheers and thanks for any pointers,
gianfranco
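The check suggested in the reply, as an added example that is not part of the original thread: given a CA directory, an issuer hash and a certificate subject, it reports whether the CA certificate and its signing policy file are present and readable, and whether the policy permits the subject. The function names, the hash `0a1b2c3d` and the DNs are constructed; it assumes the `<hash>.0` / `<hash>.signing_policy` naming and double-quoted `cond_subjects` patterns.

```shell
#!/bin/sh
# Added example; function names and sample values are hypothetical.
# Assumes CA files are named <hash>.0 and <hash>.signing_policy and that
# cond_subjects patterns are double-quoted DN globs.

# check_ca_files DIR HASH SUBJECT
# Returns 0 ok, 1 CA cert missing/unreadable, 2 signing policy
# missing/unreadable, 3 no cond_subjects pattern matches SUBJECT.
check_ca_files() {
    dir=$1; hash=$2; subject=$3
    [ -r "$dir/$hash.0" ] || { echo "CA cert $dir/$hash.0 missing or unreadable"; return 1; }
    policy="$dir/$hash.signing_policy"
    [ -r "$policy" ] || { echo "$policy missing or unreadable"; return 2; }
    patterns=$(grep '^[[:space:]]*cond_subjects' "$policy" | grep -o '"[^"]*"' | tr -d '"')
    old_ifs=$IFS; IFS='
'
    set -f                      # keep the DN globs from expanding as paths
    for pat in $patterns; do
        case $subject in
            $pat) IFS=$old_ifs; set +f; echo "ok: subject matches '$pat'"; return 0 ;;
        esac
    done
    IFS=$old_ifs; set +f
    echo "subject not permitted by $policy"
    return 3
}

# check_host_cert CERT [DIR]: take issuer hash and subject from a real cert.
check_host_cert() {
    cert=$1; cadir=${2:-/etc/grid-security/certificates}
    issuer=$(openssl x509 -noout -issuer_hash -in "$cert") || return 4
    dn=$(openssl x509 -noout -subject -nameopt compat -in "$cert" | sed 's/^subject= *//')
    check_ca_files "$cadir" "$issuer" "$dn"
}

# Constructed demo: CA cert present, signing policy absent, then added.
demo=$(mktemp -d)
: > "$demo/0a1b2c3d.0"
check_ca_files "$demo" 0a1b2c3d '/C=XX/O=Example Grid/CN=ce.example.org' || echo "status $?"
cat > "$demo/0a1b2c3d.signing_policy" <<'EOF'
access_id_CA   X509    '/C=XX/O=Example Grid/CN=Example CA'
pos_rights     globus  CA:sign
cond_subjects  globus  '"/C=XX/O=Example Grid/*"'
EOF
check_ca_files "$demo" 0a1b2c3d '/C=XX/O=Example Grid/CN=ce.example.org' || echo "status $?"
rm -rf "$demo"
```

On a real host, `check_host_cert /etc/grid-security/hostcert.pem` runs the same check against the installed CA directory. OpenSSL 1.0 changed the hash algorithm, so a directory populated for an older OpenSSL is keyed by the value `-issuer_hash_old` prints.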