Hi Adeel,

The proper script to use is /opt/glite/libexec/fetch-crl.sh

Could you also check that CRL of your CA is not expired (i.e. that CA is not
publishing the expired CRL; this then does not have to do anything with the
setup of your CE, but will not allow any operation based on certificates to be
completed if CRL is expired, since this mean that the identity of any entity
which uses certificates issued by such CA cannot be verified - they may be
revoked in the meantime, but CRL is expired and this cannot be checked).

Also, not that the definition of RB is not related to globus-job-run in any way.

I assume you checked that ntp is working correctly on your nodes and that the
time is indeed synchronized proprly?

Best regards, Antun

-----
Antun Balaz
Research Assistant
E-mail: [log in to unmask]
Web: http://scl.phy.bg.ac.yu/

Phone: +381 11 3713152
Fax: +381 11 3162190

Scientific Computing Laboratory
Institute of Physics, Belgrade, Serbia
-----

---------- Original Message -----------
From: Adeel-ur-Rehman <[log in to unmask]>
To: [log in to unmask]
Sent: Mon, 3 Sep 2007 12:10:13 +0500
Subject: Re: [LCG-ROLLOUT] Invalid CRL

> Dear Maarten and All,
> 
> I've re-installed our CE and checked the job submission with 2 newly
> installed WNs, but still I was getting the same behaviour since Saturday
> i.e. Unspecified Gridmanager Error. 
> Then during my investigation I changed the values for RB_RLS in
> site-info.def for testing. Since then, I am getting the error when doing
> globus-job-run:
> 
> [pcncp21] ~ > globus-job-run pcncp04.ncp.edu.pk /bin/pwd
> GRAM Job submission failed because authentication failed:
> GSS Major Status: Authentication Failed
> GSS Minor Status Error Chain:
> 
> init.c:499: globus_gss_assist_init_sec_context_async: Error during context
> initialization
> init_sec_context.c:171: gss_init_sec_context: SSLv3 handshake 
> problems globus_i_gsi_gss_utils.c:881: globus_i_gsi_gss_handshake: 
> Unable to verify remote side's credentials 
> globus_i_gsi_gss_utils.c:854: globus_i_gsi_gss_handshake: SSLv3 handshake
> problems: Couldn't do ssl handshake
> OpenSSL Error: s3_clnt.c:840: in library: SSL routines, function
> SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
> globus_gsi_callback.c:351: globus_i_gsi_callback_handshake_callback: 
> Could not verify credential globus_gsi_callback.c:477: 
> globus_i_gsi_callback_cred_verify: Could not verify credential 
> globus_gsi_callback.c:769: globus_i_gsi_callback_check_revoked: 
> Invalid CRL: The available CRL has expired (error code 7) [pcncp21] 
> ~ >
> 
> But I have made the changes of site-info.def back and also ran:
> ./edg-fetch-crl -o /etc/grid-security/certificates
> 
> But still I am getting the same problem.
> 
> Any ideas??
> 
> Awaiting for your urgent response,
> Thanks in advance,
> 
> -- Best Regards --
> Adeel
> 
> -----Original Message-----
> From: Maarten Litmaath [mailto:[log in to unmask]] 
> Sent: Tuesday, August 28, 2007 7:35 PM
> To: [log in to unmask]
> Cc: LHC Computer Grid - Rollout
> Subject: Re: [LCG-ROLLOUT] Job Submission Failure
> 
> Adeel-ur-Rehman wrote:
> 
> > [root@pcncp24 root]#  globus-url-copy -dbg -vb
> > gsiftp://wn01.ncp.edu.pk/root/lcg-db.sql file:///tmp/WN-file
> > debug: starting to get gsiftp://wn01.ncp.edu.pk/root/lcg-db.sql
> > debug: connecting to gsiftp://wn01.ncp.edu.pk/root/lcg-db.sql
> > debug: fault on connection to gsiftp://wn01.ncp.edu.pk/root/lcg-db.sql:
> > globus_ftp_control_connect: globus_libc_gethostbyaddr_r failed
> > error: globus_ftp_control_connect: globus_libc_gethostbyaddr_r failed
> 
> I suppose wn01 is a WN?  Then it does not run a GridFTP server,
> so "gsiftp://wn01.ncp.edu.pk/..." will not work.
> 
> The error you got is normal, because:
> 
> -------------------------------------------
> $ host wn01.ncp.edu.pk
> Host wn01.ncp.edu.pk not found: 3(NXDOMAIN)
> -------------------------------------------
> 
> That is OK for a WN on a private network.
> 
> Yiannis meant a test like the following, run as a grid account on the
> WN with a proxy copied from a UI:
> 
>      globus-url-copy file:/etc/group gsiftp://rb104.cern.ch/tmp/test.$$
> 
> But note that the original problem you reported prevents jobs from
> being submitted to the batch system, so they do not even reach the WN.
------- End of Original Message -------