Hi Tom,
Try to use the old format (Email instead of emailAddress) in the LSC file:
/C=AU/O=APACGrid/OU=The University of Melbourne/CN=voms.atlas.unimelb.edu.au
[log in to unmask]
Best regards,
Dimitar
Tom Fifield wrote:
> Hi All,
>
> So I'm trying to set up a local VOMS, and the VOMS service itself appears
> to be functioning quite well: voms-proxy-init works great:
>
> [ui]$ voms-proxy-init --voms neuropsychiatry
> Your identity: /C=AU/O=APACGrid/OU=The University of Melbourne/CN=Tom
> Fifield
> Creating temporary proxy ............................ Done
> Contacting voms.atlas.unimelb.edu.au:16000 [/C=AU/O=APACGrid/OU=The
> University of Melbourne/CN=voms.atlas.unimelb.edu.au] "neuropsychiatry" Done
> Creating proxy ............................. Done
>
> However, voms-proxy-info and similar tools report that they can't verify
> its certificate. Note that this is the *error* message and not the
> similar harmless warning.
>
> [ui]$ voms-proxy-info --all
> WARNING: Unable to verify signature! Server certificate possibly not
> installed.
> Error: Cannot verify AC signature!
> subject : /C=AU/O=APACGrid/OU=The University of Melbourne/CN=Tom
> Fifield/CN=proxy
> issuer : /C=AU/O=APACGrid/OU=The University of Melbourne/CN=Tom Fifield
> identity : /C=AU/O=APACGrid/OU=The University of Melbourne/CN=Tom Fifield
> type : proxy
> strength : 1024 bits
> path : /tmp/x509up_u1056
> timeleft : 11:59:44
> === VO neuropsychiatry extension information ===
> VO : neuropsychiatry
> subject : /C=AU/O=APACGrid/OU=The University of Melbourne/CN=Tom Fifield
> issuer : /C=AU/O=APACGrid/OU=The University of
> Melbourne/CN=voms.atlas.unimelb.edu.au
> attribute : /neuropsychiatry/Role=NULL/Capability=NULL
> timeleft : 11:59:24
> uri : voms.atlas.unimelb.edu.au:16000
>
> Which means things like job submission fail:
>
> [ui]$ glite-ce-job-submit -a --vo neuropsychiatry -r
> agh5.atlas.unimelb.edu.au/cream-pbs-neuropsychiatry test_freesurfer.jdl
> 2009-10-23 02:31:44,980 FATAL - Problems with proxyfile
> [/tmp/x509up_u1056]: WARNING: The VOMS attribute could not be verified.
> Possibly, the VOMS server certificate is not installed.
>
> Of course, you can use the --donot-verify-ac-sign option, but the CREAM
> CE is configured identically (all hail cfengine) and similar issues are
> encountered with the LCAS VOMS plugin. (If you'd really like to see
> those logs they're here:
> https://eppwiki.ph.unimelb.edu.au/glexec_lcas_lcmaps.log -
> vomsdata::Retrieve() returns VERR_SIGN)
>
> So, config:
>
> [ui]$ ls -l /etc/grid-security/vomsdir/
> ...
> drwxr-xr-x 2 root root 4096 Oct 23 01:05 neuropsychiatry
> ...
> voms.atlas.unimelb.edu.au.2009-09-04.pem
>
>
> [ui]$ cat
> /etc/grid-security/vomsdir/neuropsychiatry/voms.atlas.unimelb.edu.au.lsc
> /C=AU/O=APACGrid/OU=The University of Melbourne/CN=voms.atlas.unimelb.edu.au
> [log in to unmask]
>
> [ui]$ cat /opt/glite/etc/vomses/neuropsychiatry-voms.atlas.unimelb.edu.au
> "neuropsychiatry" "voms.atlas.unimelb.edu.au" "16000"
> "/C=AU/O=APACGrid/OU=The University of
> Melbourne/CN=voms.atlas.unimelb.edu.au" "neuropsychiatry"
>
> CA cert is from IGTF distribution rpm ca_APAC.noarch and looks fine in
> /etc/grid-security/certificates/1e12d831.*
>
> This UI and the CREAM CE I'm attempting to submit to work fine with
> other VOs (atlas, dteam, belle).
>
> Random conspiracy theory: Our CA is probably one of very few that uses
> 4096 bit certificates and the emailAddress field in its DN.
>
> I've probably missed something really trivial, but this is driving me
> mad. So if anyone has any suggestions, comments or queries that would
> make my fortnight...
>
> Regards,
>
> Tom
>
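An added example, not part of the original messages or of the VOMS tools: a small linter for an LSC file that flags DNs written with emailAddress and produces the old-format (Email) spelling suggested in the reply. The issuer DN in the sample is a constructed placeholder, since the real one is masked on the page, and all function names are hypothetical.

```python
import re

# Constructed sample LSC content. The first DN is the server DN from the thread;
# the issuer DN is a placeholder, because the real CA DN is masked on the page.
SAMPLE_LSC = """\
/C=AU/O=APACGrid/OU=The University of Melbourne/CN=voms.atlas.unimelb.edu.au
/C=XX/O=Example Grid/CN=Example CA/emailAddress=ca@example.org
"""

# A new RDN starts at a "/" that is followed by "key=", so a "/" inside a
# value (for example CN=host/name) does not split the DN.
RDN_START = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")
OLD_KEY, NEW_KEY = "Email", "emailAddress"


def split_dn(dn):
    """Split a slash-separated DN into a list of (key, value) pairs."""
    if not RDN_START.match(dn):
        raise ValueError(f"not a slash-separated DN: {dn!r}")
    return [tuple(rdn.split("=", 1)) for rdn in RDN_START.split(dn)[1:]]


def to_old_format(dn):
    """Rename only the attribute emailAddress to Email; values are untouched."""
    return "".join(
        f"/{OLD_KEY if key == NEW_KEY else key}={value}"
        for key, value in split_dn(dn)
    )


def same_dn(a, b):
    """True when two DNs differ at most in how the e-mail attribute is named."""
    return to_old_format(a) == to_old_format(b)


def lint_lsc(text):
    """Return (line_number, original_dn, suggested_dn) for DNs using emailAddress."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("-"):  # blank line or chain separator
            continue
        suggestion = to_old_format(line)
        if suggestion != line:
            findings.append((number, line, suggestion))
    return findings


if __name__ == "__main__":
    for number, original, suggestion in lint_lsc(SAMPLE_LSC):
        print(f"line {number}: {original}\n  try:  {suggestion}")
```

A line that is not a slash-separated DN raises ValueError, so a damaged LSC file is reported rather than silently skipped.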