Did you check if around that time something happened with the /etc/grid-security/certificates directory and the CRLs?
Flavia
Antun Balaz wrote:
> Hi,
>
> Any idea on what can cause MyProxy server to suddenly start not to recognize
> WMS/LB (which is trying to renew user's proxies) as authorized, after
> previously successfully renewing proxies on requests from the same WMS/LB and
> the same user for hours? The delegated credentials did not expire for that
> user. This is the excerpt from /var/log/messages:
>
> Jun 19 10:43:11 myproxy myproxy-server: <11733> Connection from 147.91.84.25
> Jun 19 10:43:11 myproxy myproxy-server: <22407> using trusted certificates
> directory /etc/grid-security/certificates
> Jun 19 10:43:11 myproxy myproxy-server: <22407> Authenticated client
> /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=host/wms.phy.bg.ac.yu
> Jun 19 10:43:11 myproxy myproxy-server: <22407> applying trusted_retrievers policy
> Jun 19 10:43:11 myproxy myproxy-server: <22407> applying authorized_retrievers
> policy
> Jun 19 10:43:11 myproxy myproxy-server: <22407> applying authorized_renewers
> policy
> Jun 19 10:43:11 myproxy myproxy-server: <22407> sending
> MYPROXY_AUTHORIZATION_RESPONSE
> Jun 19 10:43:11 myproxy myproxy-server: <22407> client chose X509_certificate
> Jun 19 10:43:11 myproxy myproxy-server: <22407> authorization failed
> Jun 19 10:43:11 myproxy myproxy-server: <22407> Exiting: certificate chain
> verification failed "/C=RS/O=AEGIS/OU=Institute of Physics
> Belgrade/CN=host/wms.phy.bg.ac.yu" not authorized by server's trusted_
> retrievers policy X509_verify_cert() failed authentication failed
> authentication failed
>
>
> After several minutes of such madness, MyProxy server suddenly again continues
> to renew proxy for this same WMS/LB (however, for another user, since for the
> original one all jobs are aborted; I am not sure if this is relevant, since
> the problem reported is that WMS/LB is not authorized).
>
> /etc/myproxy-server.config is created on 18 May, and since it is re-created
> each time myproxy service is restarted, which excludes the possibility that
> myproxy was restarted at 10:43 or so today. authorized_renewers contains DN of
> WMS/LB, while authorized_retrievers is set to "*".
>
> Any idea is appreciated. Also, is it possible to convince WMS/LB not to give
> up immediately on a job for which it cannot renew the proxy, but to try again
> later (i.e. 10 minutes later would save the day here)?
>
> Thanks, Antun
>
>
> -----
> Antun Balaz
> Research Assistant
> E-mail: [log in to unmask]
> Web: http://scl.phy.bg.ac.yu/
>
> Phone: +381 11 3713152
> Fax: +381 11 3162190
>
> Scientific Computing Laboratory
> Institute of Physics Belgrade
> Pregrevica 118, 11080 Belgrade, Serbia
> -----
>
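One way to run the check suggested in the reply, as an added example that is not part of the original thread or of MyProxy: pull the times of sessions that authenticated and then failed authorization out of the syslog lines, and list files in the trusted certificates directory whose modification time falls near each failure. The function names, the 30-minute window and the year (syslog does not record it) are assumptions.

```python
import os
import re
from datetime import datetime, timedelta

# Line shape as in the /var/log/messages excerpt above (syslog omits the year).
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ myproxy-server: <(\d+)> (.*)$")

# Constructed sample: three lines of the quoted excerpt, unwrapped.
SAMPLE = [
    "Jun 19 10:43:11 myproxy myproxy-server: <22407> Authenticated client "
    "/C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=host/wms.phy.bg.ac.yu",
    "Jun 19 10:43:11 myproxy myproxy-server: <22407> client chose X509_certificate",
    "Jun 19 10:43:11 myproxy myproxy-server: <22407> authorization failed",
]

def failure_times(lines, year):
    """Timestamps of sessions that authenticated, then failed authorization."""
    authed, failures = set(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # wrapped continuation lines and other daemons
        stamp, pid, msg = m.groups()
        if msg.startswith("Authenticated client"):
            authed.add(pid)
        elif msg.startswith("authorization failed") and pid in authed:
            failures.append(datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"))
    return failures

def files_changed_near(cert_dir, when, window=timedelta(minutes=30)):
    """(name, mtime) of files in cert_dir modified within +/- window of `when`."""
    hits = []
    for entry in os.scandir(cert_dir):
        if entry.is_file():
            mtime = datetime.fromtimestamp(entry.stat().st_mtime)  # local time, like syslog
            if abs(mtime - when) <= window:
                hits.append((entry.name, mtime))
    return sorted(hits)

def correlate(lines, cert_dir, year, window=timedelta(minutes=30)):
    """Map each failure time to the certificate-directory files changed around it."""
    return {t: files_changed_near(cert_dir, t, window) for t in failure_times(lines, year)}

if __name__ == "__main__":
    # Assumed year; pass the real one when running against /var/log/messages.
    for when, hits in correlate(SAMPLE, "/etc/grid-security/certificates", 2008).items():
        print(when, [name for name, _ in hits] or "no files changed in window")
```

An empty result for a failure time means nothing in the directory was rewritten in that window, which points away from a CA or CRL update as the trigger.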