Hi Gianfranco.
I checked your certificate for pc90.hep.ucl.ac.uk and there
is nothing wrong with it:
jensen@ganesha[1]22% openssl verify -purpose sslserver -CApath /etc/grid-security/certificates uclhep
uclhep: OK
And it does have the right DNS name in the extension and all
that. It's a 2048 bit key but that shouldn't harm anything
(just makes security go slower :-) It was valid from 20 Sep.
It could also be from where the tests are run, that the CAs
aren't kept up to date - we've seen this a few times recently
even at Tier 1s (not ours, at least not the main bits).
The new UK certificates were in 1.7, waaaay back in July.
That seems a bit unlikely though; lots of CAs have updated
since then, but worth checking nonetheless.
Given that your cert was valid from 20 Sep, and you
were nice and green till a couple of days ago on
https://lcg-sft.cern.ch:9443/sft/sitehistory.cgi?site=pc90.hep.ucl.ac.uk
perhaps it's not your certificate that's the problem. Your
installation looks at-a-glance ok.
Sorry I can't suggest anything more. You may want to keep
an eye on your CRLs (the .r0 files in /e/g-s/c/) and check that
ops is still enabled.
Cheers
--jens
-----Original Message-----
From: Testbed Support for GridPP member institutes
[mailto:[log in to unmask]] On Behalf Of gianfranco sciacca
Sent: 19 October 2006 09:38
To: [log in to unmask]
Subject: Re: failing SFT/SAM: problem with CE certificate
Hi Jens,
all the CA rpms are up to date, including 1.10 that came in this night.
The problem is clearly correlated to the host certificate for the CE.
Trouble is, I have no further idea where to look for a problem, which
leads to the site being not operational.
cheers,
gianfranco
On Thu, 19 Oct 2006, Jensen, J (Jens) wrote:
> Hi Gianfranco.
>
> The trouble with these error messages is that they indicate
> there is a problem but not where it is. If you're lucky you
> might have a glimmer of finding out at least what's wrong.
>
> I suggest you check your CA rpms - you should have lcg-CA-1.9
> installed and 1.10 should be out very shortly!
>
> All that stuff lives in /etc/grid-security/certificates/
>
> By that message it looks like a problem with the signing policy
> file which are all in those RPMs.
>
> Cheers,
> --jens
>
> -----Original Message-----
> From: Testbed Support for GridPP member institutes
> [mailto:[log in to unmask]] On Behalf Of Gianfranco Sciacca
> Sent: 18 October 2006 18:03
> To: [log in to unmask]
> Subject: failing SFT/SAM: problem with CE certificate
>
>
> We are failing SFTs after installing a new CE certificate. Problems also with the MON certificate.
> I wonder if I'm missing copying certs and keys to any extra certificate location. I have:
>
> CE:
> in /etc/grid-security/
> -rw-r--r-- 1 root root 2344 Oct 19 2005 hostcert.pem
> -r-------- 1 root root 1850 Oct 19 2005 hostkey.pem
>
> in /opt/glite/var/rgma/.certs/
> -rw-r--r-- 1 rgma rgma 2344 Oct 11 14:01 hostcert.pem
> -r-------- 1 rgma rgma 1850 Oct 11 14:01 hostkey.pem
>
> for MON:
> in /etc/grid-security/
> -rw-r--r-- 1 root root 2344 Oct 24 2005 hostcert.pem
> -r-------- 1 root root 1854 Oct 24 2005 hostkey.pem
>
> in /etc/tomcat5/
> -rw-r--r-- 1 tomcat4 tomcat4 2344 Oct 24 2005 hostcert.pem
> -r-------- 1 tomcat4 tomcat4 1854 Oct 24 2005 hostkey.pem
>
> On the CE, I have tried restarting all the globus-* services and even re-run yaim to restart everything in proper fashion.
>
> The gatekeeper log doesn't reveal anything. In the home directories of pool accounts, I have this in globus-url-copy.log:
>
> GSS failure:
> GSS Major Status: Authentication Failed
> GSS Minor Status Error Chain:
>
> init_sec_context.c:171: gss_init_sec_context: SSLv3 handshake problems
> globus_i_gsi_gss_utils.c:881: globus_i_gsi_gss_handshake: Unable to verify remote side's credentials
> globus_i_gsi_gss_utils.c:854: globus_i_gsi_gss_handshake: SSLv3 handshake problems: Couldn't do ssl handshake
> OpenSSL Error: s3_clnt.c:840: in library: SSL routines, function SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
> globus_gsi_callback.c:351: globus_i_gsi_callback_handshake_callback: Could not verify credential
> globus_gsi_callback.c:490: globus_i_gsi_callback_cred_verify: Could not verify credential
> globus_gsi_callback.c:850: globus_i_gsi_callback_check_signing_policy: Error with signing policy
> globus_gsi_callback.c:927: globus_i_gsi_callback_check_gaa_auth: Error with signing policy: The signing policy file doesn't exist or can't be read
>
> Any suggested course of action?
>
> cheers and thanks for any pointers,
> gianfranco
>
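An added example (not code from this thread, from Globus or from the CA RPMs) showing what the last error line above, "Error with signing policy", is checking: it parses a signing_policy file in the Globus format, checks that the CA named in it issued the host certificate and that the subject DN matches a cond_subjects pattern, and reports which of the three per-CA files (<hash>.0, <hash>.signing_policy, <hash>.r0) are missing or unreadable in the CA directory. The policy text, DNs and hash used here are constructed, and fnmatch stands in for Globus's own wildcard matcher.

```python
import fnmatch
import os
import shlex

# Constructed example policy in the Globus signing_policy format; the DNs are made up.
EXAMPLE_POLICY = """\
access_id_CA  X509  '/C=UK/O=ExampleCA/CN=Example Grid CA'
pos_rights    globus  CA:sign
cond_subjects globus  '"/C=UK/O=ExampleGrid/*"'
"""

def parse_signing_policy(text):
    """Return (ca_dn, subject_patterns) from signing_policy text.
    '#' starts a comment; values may be single- and double-quoted."""
    ca_dn, patterns = None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)
        if fields[0] == "access_id_CA" and len(fields) == 3:
            ca_dn = fields[2]
        elif fields[0] == "cond_subjects" and len(fields) >= 3:
            # the quoted value may hold several "..." patterns
            patterns.extend(shlex.split(" ".join(fields[2:])))
    return ca_dn, patterns

def subject_allowed(policy_text, issuer_dn, subject_dn):
    """The policy must name the issuing CA and one pattern must match the
    subject (fnmatch stands in for Globus's own wildcard matcher)."""
    ca_dn, patterns = parse_signing_policy(policy_text)
    if ca_dn != issuer_dn:
        return False
    return any(fnmatch.fnmatchcase(subject_dn, p) for p in patterns)

def diagnose_ca_files(cadir, ca_hash, issuer_dn, subject_dn):
    """List what a GSI handshake would trip over; ca_hash is the OpenSSL subject hash."""
    findings = []
    for suffix, what in ((".0", "CA certificate"), (".r0", "CRL")):
        if not os.path.isfile(os.path.join(cadir, ca_hash + suffix)):
            findings.append("missing %s %s%s" % (what, ca_hash, suffix))
    try:
        with open(os.path.join(cadir, ca_hash + ".signing_policy")) as fh:
            policy = fh.read()
    except OSError:
        findings.append("signing policy file doesn't exist or can't be read")
        return findings
    if not subject_allowed(policy, issuer_dn, subject_dn):
        findings.append("subject not permitted by signing policy")
    return findings
```

Run it against /etc/grid-security/certificates with the hash printed by `openssl x509 -hash -noout -in <CA cert>` to see which file the handshake is missing.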