On 21/03/12 04:33, Jonathan Perkin wrote:
> Hi all, I have a t2k.org member whose CA is in the US:
> /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
>
> He is configured to use the VOMS server at Manchester, can acquire
> a proxy from it with VOMS attributes, but it throws the infamous
> 'cannot verify AC signature!' error.

On his UI machine, can he check that he gets the following:

[root@ce04 ~]# cat /etc/grid-security/vomsdir/t2k.org/voms.gridpp.ac.uk.lsc
/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk
/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B

Note that both lines have changed.
This is usually set in the yaim config - see
https://www.gridpp.ac.uk/wiki/GridPP_approved_VOs
for the lines in question.

> However he can submit jobs
> and retrieve the output, but gets the same error when trying
> to query the job's status. All the output is below - could
> this actually be a case where the VOMS server is not configured
> for the CA in question, or is it a deeper issue?

If he gets it from the voms server, it's the UI.
He should also check he has these versions of the CA packages installed:

[root@ce04 ~]# rpm -qa | grep CA | grep UK
ca_UKeScienceCA-2A-1.44-1
ca_UKeScienceCA-2007-1.44-1
ca_UKeScienceCA-2B-1.44-1

I suspect that the new CA 2B server isn't installed.

> Cheers
>
> Jon
>
> output follows:
>
> subject : /DC=org/DC=doegrids/OU=People/CN=Istvan Danko 390647/CN=proxy
> issuer : /DC=org/DC=doegrids/OU=People/CN=Istvan Danko 390647
> identity : /DC=org/DC=doegrids/OU=People/CN=Istvan Danko 390647
> type : proxy
> strength : 1024 bits
> path : /tmp/x509up_u2012
> timeleft : 3:11:41
> === VO t2k.org extension information ===
> VO : t2k.org
> subject : /DC=org/DC=doegrids/OU=People/CN=Istvan Danko 390647
> issuer : /C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk
> attribute : /t2k.org/Role=NULL/Capability=NULL
> timeleft : 3:11:41
> uri : voms.gridpp.ac.uk:15003
>
> $ glite-wms-job-submit -a -c autowms.conf -o helloworld.jid helloworld.jdl
> Connecting to the service
> https://lcgwms03.gridpp.rl.ac.uk:7443/glite_wms_wmproxy_server
> ====================== glite-wms-job-submit Success ======================
>
> The job has been successfully submitted to the WMProxy
> Your job identifier is:
> https://lcglb02.gridpp.rl.ac.uk:9000/IIhtsk1E2mCGKkRbF6kvzw
> The job identifier has been saved in the following file:
> /export/home/izdanko/testGridProc/helloworld.jid
>
> ==========================================================================
>
>
>
> $ glite-wms-job-output --dir ./ -i helloworld.jid
> Connecting to the service
> https://lcgwms03.gridpp.rl.ac.uk:7443/glite_wms_wmproxy_server
> ======================================================================
>
> JOB GET OUTPUT OUTCOME
>
> Output sandbox files for the job:
> https://lcglb02.gridpp.rl.ac.uk:9000/IIhtsk1E2mCGKkRbF6kvzw
> have been successfully retrieved and stored in the directory:
> /export/home/izdanko/testGridProc/izdanko_IIhtsk1E2mCGKkRbF6kvzw
>
> ======================================================================
>
>
> But when I tried to check the status of the job earlier, I got:
>
> $ glite-wms-job-status -i helloworld.jid
> **** Error: API_NATIVE_ERROR ****
> Error while calling the "UcWrapper::getExpiration" native api
> Cannot verify AC signature!
> (Please check if the host certificate of the VOMS server that has
> issued your proxy is installed on this machine)

AIUI, lcgwms03.gridpp.rl.ac.uk (which probably has a certificate issued
by the old CA) accepts the job and passes the details to
lcglb02.gridpp.rl.ac.uk (which probably has a certificate issued by the
new CA).

Jens had a blog post about the new CA, but I can't find it at the moment.

Chris
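
The .lsc check described in the reply above, as an added example that is not part of the original message: it compares the AC issuer DN reported in the proxy with line 1 of the local .lsc file, and the CA DN with line 2. The function names (`ac_issuer`, `lsc_line`, `check_lsc`) are hypothetical and the sample proxy output is constructed from the DNs quoted in this thread.

```sh
#!/bin/sh
# Added example: does the local .lsc file match the VOMS AC issuer in the proxy?

# Read `voms-proxy-info --all` output on stdin and print the AC issuer DN.
# Only the "issuer" line inside the "=== VO ... extension information ===" block
# counts; the earlier "issuer" line is the proxy certificate's own issuer.
ac_issuer() {
    awk '/^=== VO .* extension information ===/ { in_vo = 1; next }
         in_vo && /^issuer[ \t]*:/ {
             sub(/^issuer[ \t]*:[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit
         }'
}

# Print the Nth non-empty line of an .lsc file ($1 = file, $2 = N).
lsc_line() {
    awk -v n="$2" 'NF && ++c == n { sub(/[ \t\r]+$/, ""); print; exit }' "$1"
}

# check_lsc LSC_FILE AC_ISSUER_DN CA_DN
# Returns 0 = match, 1 = file unreadable, 2 = server DN differs, 3 = CA DN differs.
check_lsc() {
    [ -r "$1" ] || { echo "cannot read $1"; return 1; }
    [ "$(lsc_line "$1" 1)" = "$2" ] || { echo "line 1 of $1 is not the AC issuer: $2"; return 2; }
    [ "$(lsc_line "$1" 2)" = "$3" ] || { echo "line 2 of $1 is not the CA: $3"; return 3; }
    echo "$1 matches"
}

# Constructed sample input (user DN is a placeholder; VOMS DNs are those quoted above).
SAMPLE='issuer : /DC=org/DC=example/OU=People/CN=Example User
=== VO t2k.org extension information ===
VO : t2k.org
issuer : /C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk
uri : voms.gridpp.ac.uk:15003'
CA_DN='/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B'

# On a real UI, replace the printf with: voms-proxy-info --all | ac_issuer
LSC=${1:-/etc/grid-security/vomsdir/t2k.org/voms.gridpp.ac.uk.lsc}
check_lsc "$LSC" "$(printf '%s\n' "$SAMPLE" | ac_issuer)" "$CA_DN" || echo "exit code $?"
```

A return code of 2 or 3 points at a stale .lsc file on the machine doing the verification, which is the case the reply asks to rule out first.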