After VOMS proxy initialization, the gridmap problem is gone, but the second part of the problem still exists, i.e. fetch-crl could not update CRL file 367b75c3.r0. As a result, the log file /var/log/messages is also showing errors like:
Sep 23 15:43:58 ce GRAM gatekeeper[13230]: Got connection 140.109.98.154 at Tue Sep 23 15:43:58 2008
Sep 23 15:44:05 ce GRAM gatekeeper[13205]: GSS failed Major:01090000 Minor:00000000 Token:00000003
Sep 23 15:44:05 ce GRAM gatekeeper[13206]: GSS failed Major:01090000 Minor:00000000 Token:00000003
Sep 23 15:44:08 ce GRAM gatekeeper[13411]: Got connection 128.142.173.150 at Tue Sep 23 15:44:08 2008
Sep 23 15:44:21 ce GRAM gatekeeper[13230]: GSS failed Major:01090000 Minor:00000000 Token:00000003
Sep 23 15:44:23 ce GRAM gatekeeper[13411]: GSS failed Major:01090000 Minor:00000000 Token:00000003
Sep 23 15:44:27 ce glite-lb-interlogd[25054]: queue_thread: event_queue_connect: edg_wll_gss_connect: GSS Major Status: Authentication Failed (GSS Minor Status Error Chain: globus_gsi_gssapi: SSLv3 handshake problems globus_gsi_callback_module: Could not verify credential globus_gsi_callback_module: Could not verify credential globus_gsi_callback_module: Invalid CRL: The available CRL has expired )
Cheers,
Asif Osman
________________________________
From: LHC Computer Grid - Rollout on behalf of Oscar Koeroo
Sent: Tue 9/23/2008 10:44 AM
Subject: Re: [LCG-ROLLOUT] SSL negotiation failed
Hi Asif,
I tried to download the gridmapfile from the VOMS server and it worked
nicely by using my Firefox as a client authenticating with my personal
certificate.
According to the error message, it's a peer certificate cipher failure.
The cipher failure _usually_ means that you didn't supply a key when
required. Especially for this service you are obligated to use a
certificate to authenticate as a client (both for users and for
services/hosts).
Could you check that as well?
Oscar
Jan Just Keijser wrote:
> Hi Asif,
>
> to me it seems that the fetch-crl error has little to do with the
> edg-mkgridmap error. Also, the edg-mkgridmap command did not change
> between release 30 and release 31, as far as I can tell. Can you run
> rpm -qf /opt/edg/sbin/edg-mkgridmap
> to verify that you're running
> edg-mkgridmap-3.0.0-1
>
> As for the openssl error: please be aware that you need to have a valid
> certificate in order to run this command against a newer VOMS server. What
> happens if you run the command with
> --verbose
> added (this will produce quite a lot of output). I just ran the command
> with
> --verbose --usermode
> added and received no errors from the CERN voms servers.
>
> HTH,
>
> JJK / Jan Just Keijser
> Nikhef Amsterdam
>
> Asif Osman wrote:
>> Dear All,
>>
>> To my previous email, I am adding some more information.
>>
>> Upgrading our site to glite 3.1 with latest release 31 resulted in the
>> following error:
>>
>> [root@ce certificates]# [root@ce scripts]#
>> /opt/edg/sbin/edg-mkgridmap --output=/etc/grid-security/grid-mapfile
>> --safe
>> voms
>> search(https://voms.cern.ch:8443/voms/alice/services/VOMSCompatibility?method=getGridmapUsers&container=%2Falice):
>> SSL negotiation failed: error:1406D0CB:SSL
>> routines:GET_SERVER_HELLO:peer error no cipher
>>
>> The CRL file 367b75c3.r0 is not updated properly, despite running
>> fetch-crl several times.
>>
>> Signature Algorithm: md5WithRSAEncryption
>> Issuer: /C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA
>> Last Update: Aug 13 15:41:37 2008 GMT
>> Next Update: Sep 12 15:41:37 2008 GMT
>>
>> Last time, we solved the problem by introducing the option
>> "--no-cache" in script /usr/sbin/fetch-crl:
>> wgetAdditionalOptions="--no-cache" # require valid server cert
>>
>> but this time even this trick does not work.
>>
>> Any idea?
>>
>> Cheers,
>> Asif Osman
>>
>>
>>
>> -----Original Message-----
>> From: LHC Computer Grid - Rollout on behalf of Asif Osman
>> Sent: Tue 9/23/2008 4:51 AM
>> Subject: [LCG-ROLLOUT] SSL negotiation failed
>>
>> Dear All,
>>
>> We are getting SSL negotiation problem with voms server after latest
>> upgrade:
>>
>> voms
>> search(https://voms.cern.ch:8443/voms/cms/services/VOMSCompatibility?method=getGridmapUsers&container=%2Fcms%2FRole%3Dproduction):
>> SSL negotiation failed: error:1406D0CB:SSL
>> routines:GET_SERVER_HELLO:peer error no cipher
>>
>>
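Added example, not part of the original thread and not code from fetch-crl or gLite: a check that reads the Issuer / Last Update / Next Update fields in the form quoted in the thread and reports whether that CRL was already expired at the time of the "Invalid CRL: The available CRL has expired" log entry. The function names are hypothetical, the sample text is constructed from the values quoted above, and the syslog timestamp is assumed to be UTC.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the CRL fields exactly as quoted in the thread.
SAMPLE_CRL_TEXT = """\
Signature Algorithm: md5WithRSAEncryption
Issuer: /C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA
Last Update: Aug 13 15:41:37 2008 GMT
Next Update: Sep 12 15:41:37 2008 GMT
"""

# Tolerate leading whitespace and mail quote markers ("> ") before a field.
_FIELD = re.compile(
    r"^[> \t]*(Issuer|Last Update|Next Update):[ \t]*(.+?)[ \t]*$", re.M)


def _to_utc(value):
    """Parse 'Sep 12 15:41:37 2008 GMT' into an aware UTC datetime."""
    if not value.endswith(" GMT"):
        raise ValueError(f"unexpected time zone in {value!r}")
    naive = datetime.strptime(value[:-4], "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def parse_crl_fields(text):
    """Extract issuer and validity window from a textual CRL dump."""
    fields = dict(_FIELD.findall(text))
    missing = {"Issuer", "Last Update", "Next Update"} - fields.keys()
    if missing:
        raise ValueError(f"CRL dump lacks {sorted(missing)}")
    return {
        "issuer": fields["Issuer"],
        "last_update": _to_utc(fields["Last Update"]),
        "next_update": _to_utc(fields["Next Update"]),
    }


def crl_status(text, now):
    """Return (state, overdue); state is valid, expired or not_yet_valid."""
    info = parse_crl_fields(text)
    if now < info["last_update"]:
        return "not_yet_valid", None
    if now >= info["next_update"]:
        return "expired", now - info["next_update"]
    return "valid", None


if __name__ == "__main__":
    # Assumption: the 15:44:27 syslog timestamp is treated as UTC here.
    when = datetime(2008, 9, 23, 15, 44, 27, tzinfo=timezone.utc)
    print(crl_status(SAMPLE_CRL_TEXT, when))
```

On a live host the input text would be the output of `openssl crl -in <CRL file> -noout -text`, run for each CRL in the trust directory after fetch-crl has finished.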