Thanks to all!
I have found the problem using the debug option of the voms-proxy-init
command line. Certificates are checked in
/opt/external/etc/grid-security/certificates and not in
/etc/grid-security/certificates.
This could be because I missed something in the wiki:
https://twiki.cern.ch/twiki/bin/view/LCG/UiTarInstall
In my site-info.def file I've set:
INSTALL_ROOT=/opt
GLITE_EXTERNAL_ROOT=${INSTALL_ROOT}/external
GRID_ENV_LOCATION=${GLITE_EXTERNAL_ROOT}/etc/profile.d
and the configuration line used was:
/opt/glite/yaim/bin/yaim -c -s site-info.def -n UI_TAR
Now that I know that all certificates are in
/opt/external/etc/grid-security/certificates I've added the one of our
VOMS in this directory, and I will continue to make tests to avoid this
mix of directories.
regards, Jean-Bernard
FAVREAU Jean-Bernard wrote:
> After the YAIM configuration for egeode and all VOs the VOMS server
> file was correctly created in /opt/glite/etc/vomses/
>
> [favreau@ui2 ~]$ cat
> /opt/glite/etc/vomses/egeode-voms.beingrid.fr.cgg.com
> "egeode" "voms.beingrid.fr.cgg.com" "15001"
> "/C=FR/L=Massy/O=CGG/OU=IRD/CN=voms.beingrid.fr.cgg.com/Email=voms.fr.cgg.com"
> "egeode"
>
> --> here is the debug output :
>
>
> [favreau@ui2 ~]$ voms-proxy-init -debug -voms egeode
> Detected Globus version: 22
> Unspecified proxy version, settling on Globus version: 2
> Number of bits in key :512
> Using configuration file /home/favreau/.glite/vomses
> Using configuration file /opt/glite/etc/vomses
> Files being used:
> CA certificate file: none
> Trusted certificates directory :
> /opt/external/etc/grid-security/certificates
> Proxy certificate file : /tmp/x509up_u513
> User certificate file: /home/favreau/.globus/usercert.pem
> User key file: /home/favreau/.globus/userkey.pem
> Output to /tmp/x509up_u513
> Enter GRID pass phrase:
> Your identity: /C=FR/ST=Essonne/L=Massy/O=CGG/OU=IRD/CN=Jean-Bernard
> [log in to unmask]
> Using configuration file /home/favreau/.glite/vomses
> Cannot find file or dir: /home/favreau/.glite/vomses
> Using configuration file /opt/glite/etc/vomses
> Creating temporary proxy to /tmp/tmp_x509up_u513_5729 ...++++++++++++
> ...........++++++++++++
> Done
> Contacting voms.beingrid.fr.cgg.com:15001
> [/C=FR/L=Massy/O=CGG/OU=IRD/CN=voms.beingrid.fr.cgg.com/Email=voms.fr.cgg.com]
> "egeode" Failed
>
> Error: Could not establish authenticated connection with the server.
> GSS Major Status: Authentication Failed
> GSS Minor Status Error Chain:
> globus_gss_assist: Error during context initialization
> OpenSSL Error: s3_clnt.c:842: in library: SSL routines, function
> SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
> globus_gsi_callback_module: Could not verify credential
> globus_gsi_callback_module: Could not verify credential: self signed
> certificate in certificate chain
>
> None of the contacted servers for egeode were capable
> of returning a valid AC for the user.
>
>
> The VOMS is ready listening on port 15001 (you can connect to it with
> telnet) and it is working for the UI 3.0/SL3
>
> Is it possible that something is not compatible, between our version
> of the VOMS server and this new UI 3.1/SL4 ?
>
> RPM of the present VOMS are:
>
> [root@voms root]# rpm -qa | grep -i voms
> glite-security-voms-server-1.6.16-5
> glite-security-voms-api-1.6.16-3
> glite-security-voms-api-cpp-1.6.16-4
> glite-security-voms-admin-client-1.2.13-1
> glite-security-voms-admin-server-1.2.16-1
> glite-security-voms-clients-1.6.16-2
> glite-security-voms-mysql-1.1.2-0
> glite-VOMS_mysql-3.0.5-0
> glite-security-voms-api-c-1.6.16-4
> glite-security-voms-admin-interface-1.0.3-1
> glite-security-voms-config-1.6.16-1
>
>
> regards, Jean-Bernard
>
> Jan Just Keijser wrote:
>> Hi Jean-Bernard,
>>
>> can you do a
>> voms-proxy-init -debug -voms .......
>> and post the output? it should list which voms directories it is
>> using, e.g. on my SL3 UI:
>>
>> # voms-proxy-init -debug -voms tutor
>> Detected Globus version: 22
>> Unspecified proxy version, settling on Globus version: 2
>> Number of bits in key :512
>> >>>>> Using configuration file /home/ui_users/janjust/.glite/vomses
>> >>>>> Using configuration file /opt/glite/etc/vomses
>> Files being used:
>> CA certificate file: none
>> >>>>> Trusted certificates directory : /etc/grid-security/certificates
>> Proxy certificate file : /tmp/x509up_u99999039
>> User certificate file: /home/ui_users/janjust/.globus/usercert.pem
>> User key file: /home/ui_users/janjust/.globus/userkey.pem
>> Output to /tmp/x509up_u99999039
>> Enter GRID pass phrase:
>> Your identity: /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser
>> >>>>> Using configuration file /home/ui_users/janjust/.glite/vomses
>> >>>>> Cannot find file or dir: /home/ui_users/janjust/.glite/vomses
>> >>>>> Using configuration file /opt/glite/etc/vomses
>> .....
>>
>> cheers,
>>
>> Jan Just Keijser
>> System Integrator
>> Nikhef Amsterdam
>>
>>
>> FAVREAU Jean-Bernard wrote:
>>> Hello Jan,
>>>
>>> on this new UI, I have installed the VOMS server certificate:
>>>
>>> [root@ui2 ~]# ls -l /etc/grid-security/vomsdir
>>> -rw-r--r-- 1 root root 3517 Jan 11 2007 voms.beingrid.fr.cgg.com.1
>>>
>>> [root@ui2 ~]# openssl x509 -in
>>> /etc/grid-security/vomsdir/voms.beingrid.fr.cgg.com.1 -dates -issuer
>>> -noout -subject
>>> notBefore=Nov 7 13:15:56 2006 GMT
>>> notAfter=Nov 6 13:15:56 2011 GMT
>>> issuer= /C=FR/ST=Essonne/L=Massy/O=CGG/OU=IRD/CN=CGG
>>> [log in to unmask]
>>> subject=
>>> /C=FR/L=Massy/O=CGG/OU=IRD/CN=voms.beingrid.fr.cgg.com/emailAddress=voms.fr.cgg.com
>>>
>>>
>>> the output difference is about the e-mail field for issuer and
>>> subject: the "Email=" before in openssl SL3/glite 3.0
>>> is now "emailAddress=" in openssl of SL4.4/gLite 3.1
>>>
>>> J.B
>>>
>>> Jan Just Keijser wrote:
>>>> Hi Jean-Bernard,
>>>>
>>>> I just ran into a very similar issue: the last line
>>>>
>>>> [favreau@ui2 favreau]$ voms-proxy-init -voms egeode
>>>> Enter GRID pass phrase:
>>>> Your identity:
>>>> /C=FR/ST=Essonne/L=Massy/O=CGG/OU=IRD/CN=Jean-Bernard
>>>> [log in to unmask]
>>>> Cannot find file or dir: /home/favreau/.glite/vomses
>>>>
>>>> suggests that you have not installed the voms server cert in
>>>> /etc/grid-security/vomsdir at all (as your other openssl lines also
>>>> suggest); please install this cert (e.g. copy it over from your SL3
>>>> UI) and try again.
>>>>
>>>>
>>>> HTH,
>>>>
>>>> Jan Just Keijser
>>>> System Integrator
>>>> Nikhef Amsterdam
>>>>
>>>> FAVREAU Jean-Bernard wrote:
>>>>> Hi Maarten and Michel,
>>>>>
>>>>> Yes, CRL is up to date, CAs installed and host cert of
>>>>> voms.beingrid.fr.cgg.com installed and are exactly the same as the
>>>>> working UI.
>>>>> Like Michel said, I think also that there is a problem with the
>>>>> server certificate but I got difficulties to figure what it is.
>>>>> To help you I've found that the output of openssl command line to
>>>>> query the subject of the certificate is not the same on both UI
>>>>>
>>>>> --> on the working UI 3.0/SL3 it is:
>>>>>
>>>>> [favreau@ui1 JDL]$ openssl x509 -in
>>>>> /etc/grid-security/vomsdir/voms.beingrid.fr.cgg.com.1 -dates
>>>>> -issuer -noout -subject
>>>>> notBefore=Nov 7 13:15:56 2006 GMT
>>>>> notAfter=Nov 6 13:15:56 2011 GMT
>>>>> issuer= /C=FR/ST=Essonne/L=Massy/O=CGG/OU=IRD/CN=CGG
>>>>> [log in to unmask]
>>>>> subject=
>>>>> /C=FR/L=Massy/O=CGG/OU=IRD/CN=voms.beingrid.fr.cgg.com/Email=voms.fr.cgg.com
>>>>>
>>>>>
>>>>>
>>>>> --> on the new UI 3.1/SL4 it is
>>>>> [favreau@ui2 ~]$ openssl x509 -in
>>>>> /etc/grid-security/certificates/a1508cc7.0 -dates -issuer -noout
>>>>> -subject
>>>>> notBefore=Jul 7 15:18:51 2006 GMT
>>>>> notAfter=Jul 4 15:18:51 2016 GMT
>>>>> issuer= /C=FR/ST=Essonne/L=Massy/O=CGG/OU=IRD/CN=CGG
>>>>> [log in to unmask]
>>>>> subject= /C=FR/ST=Essonne/L=Massy/O=CGG/OU=IRD/CN=CGG
>>>>> [log in to unmask]
>>>>>
>>>>>
>>>>> OpenSSL version on the working UI is openssl-0.9.7a-33.21 and on
>>>>> the new UI it is openssl-0.9.7a-43.16
>>>>>
>>>>> hope it could help, J.B
>>>>>
>>>>>
>>>>> Maarten Litmaath wrote:
>>>>>> Maarten Litmaath wrote:
>>>>>>
>>>>>>> FAVREAU Jean-Bernard wrote:
>>>>>>>
>>>>>>>> [favreau@ui2 favreau]$ voms-proxy-init -voms egeode
>>>>>>>> Enter GRID pass phrase:
>>>>>>>> Your identity:
>>>>>>>> /C=FR/ST=Essonne/L=Massy/O=CGG/OU=IRD/CN=Jean-Bernard
>>>>>>>> [log in to unmask]
>>>>>>>> Cannot find file or dir: /home/favreau/.glite/vomses
>>>>>>>> Creating temporary proxy ............................... Done
>>>>>>>> Contacting voms.beingrid.fr.cgg.com:15001
>>>>>>>> [/C=FR/L=Massy/O=CGG/OU=IRD/CN=voms.beingrid.fr.cgg.com/Email=voms.fr.cgg.com]
>>>>>>>> "egeode" Failed
>>>>>>>>
>>>>>>>> globus_gss_assist: Error during context initialization
>>>>>>>> OpenSSL Error: s3_clnt.c:842: in library: SSL routines,
>>>>>>>> function SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
>>>>>>>> globus_gsi_callback_module: Could not verify credential
>>>>>>>> globus_gsi_callback_module: Could not verify credential: self
>>>>>>>> signed certificate in certificate chain
>>>>>>>
>>>>>>>
>>>>>>> You need to have the host cert of voms.beingrid.fr.cgg.com
>>>>>>> installed in
>>>>>>> /etc/grid-security/vomsdir on the UI. Also ensure all CAs are
>>>>>>> installed.
>>>>>>
>>>>>> In fact, that error message just means the CAs are not installed;
>>>>>> the host cert is relevant for voms-proxy-info, not voms-proxy-init.
>>>>>>
>>>>
>>
>
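
Added example, not part of the original thread: a shell check for the directory mix-up diagnosed above. It reads the "Trusted certificates directory" from voms-proxy-init -debug output and lists hash-named CA files that exist in one directory but not in the one the client actually uses. The function names, the sample output and the temporary directory layout are constructed for illustration.

```shell
#!/bin/sh
# Added example: names and sample data below are constructed, not from the thread.

# Print the trust directory found in `voms-proxy-init -debug` output on stdin.
# The value may follow the label on the same line or, as in the mail above,
# be wrapped onto the next line.
trusted_dir_from_debug() {
    awk '
        /Trusted certificates directory/ {
            sub(/.*Trusted certificates directory[ \t]*:[ \t]*/, "")
            if ($0 != "") { print; exit }
            want = 1; next
        }
        want { gsub(/^[ \t]+|[ \t]+$/, ""); print; exit }
    '
}

# List hash-named CA files (e.g. a1508cc7.0) present in directory $1 but
# absent from directory $2. CRLs (*.r0) and policy files are ignored.
missing_in_used() {
    for f in "$1"/*; do
        name=${f##*/}
        case $name in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) ;;
            *) continue ;;
        esac
        [ -e "$2/$name" ] || printf '%s\n' "$name"
    done
}

# Constructed sample, wrapped the same way as the debug output quoted above.
SAMPLE_DEBUG='Files being used:
 CA certificate file: none
 Trusted certificates directory :
 /opt/external/etc/grid-security/certificates
 Proxy certificate file : /tmp/x509up_u513'

demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/system" "$tmp/used"      # stand-ins for the two directories
    : > "$tmp/system/a1508cc7.0"            # CA file name taken from the thread
    : > "$tmp/system/a1508cc7.r0"           # CRL, not reported
    : > "$tmp/system/0123abcd.0"; : > "$tmp/used/0123abcd.0"   # constructed name
    printf 'client uses: %s\n' "$(printf '%s\n' "$SAMPLE_DEBUG" | trusted_dir_from_debug)"
    printf 'missing there: %s\n' "$(missing_in_used "$tmp/system" "$tmp/used")"
    rm -rf "$tmp"
}
demo
```

On a real UI, pipe the actual debug output into trusted_dir_from_debug and pass /etc/grid-security/certificates and the reported directory to missing_in_used.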