Hi Tomas
I get the same error when trying to submit job via a new installed WMS :
Connecting to the service https://wms-ce.haifa.il.ibm.com:7443/glite_wms_wmproxy_server
Connection failed: CA certificate verification failed
SSL_connect error in tcp_connect()
when trying the command that you have tried (on my WMS) : openssl s_client -connect wms-ce.haifa.il.ibm.com:7443
I get the following output . Note that I use a valid temporal 30 days hostcert/hostkey from KnowARC . a similar one works fine for the CE node .
Do you understand the below error 19 as meaning that the hostcert is not ok ?
CONNECTED(00000003)
depth=1 DC = eu, DC = KnowARC, CN = CE1-1371030106.61
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/DC=eu/DC=KnowARC/O=IBM research/CN=wms-ce.haifa.il.ibm.com
i:/DC=eu/DC=KnowARC/CN=CE1-1371030106.61
1 s:/DC=eu/DC=KnowARC/CN=CE1-1371030106.61
i:/DC=eu/DC=KnowARC/CN=CE1-1371030106.61
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICYzCCAcygAwIBAgIBAzANBgkqhkiG9w0BAQUFADBJMRIwEAYKCZImiZPyLGQB
GRYCZXUxFzAVBgoJkiaJk/IsZAEZFgdLbm93QVJDMRowGAYDVQQDExFDRTEtMTM3
MTAzMDEwNi42MTAeFw0xMzA2MTIwOTQxNDdaFw0xMzA2MjYwOTQxNDdaMGYxEjAQ
BgoJkiaJk/IsZAEZFgJldTEXMBUGCgmSJomT8ixkARkWB0tub3dBUkMxFTATBgNV
BAoTDElCTSByZXNlYXJjaDEgMB4GA1UEAxMXd21zLWNlLmhhaWZhLmlsLmlibS5j
b20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAP2bmPGCfmCUvWZIJw/uknfd
JdS/IU69tGB0GbkbZU0RhD9msNeP1VXLbyImH3F5uBSABQ/d7ST7bv3kp8J8PZGd
CaCxeHJlLCrMwSYRdDaU0JKTO5NCiZfvobWctQsM+Gvuh3+TYxsIg7JreW+yD7d0
IjSx+nHA0VN8pfYmWl2rAgMBAAGjPjA8MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXg
MCIGA1UdEQQbMBmCF3dtcy1jZS5oYWlmYS5pbC5pYm0uY29tMA0GCSqGSIb3DQEB
BQUAA4GBADk5jhL2wzrnsg7azavzPpKJR6jKJ+btqlMBgRqVRhF7d2iCkTYJaCg6
ecd3U7Qn7hV7Ejy6EIjwgB/pADKwFKrPxJjuURruYNksY/jzCC/s8fhCoVRF6brX
WlK9OOQ64MhCLVbRHZhWWXxoY1SIg6tzayC05oTR/Wg7ftWFvknU
-----END CERTIFICATE-----
subject=/DC=eu/DC=KnowARC/O=IBM research/CN=wms-ce.haifa.il.ibm.com
issuer=/DC=eu/DC=KnowARC/CN=CE1-1371030106.61
---
Acceptable client certificate CA names
/C=SY/O=HIAST/CN=HIAST GRID CA
/C=EG/O=EG-GRID/CN=EG-GRID Certification Authority
/DC=CN/DC=Grid/CN=Root Certificate Authority at CNIC
/C=TW/O=AS/CN=Academia Sinica Grid Computing Certification Authority Mercury
/C=RS/O=AEGIS/CN=AEGIS-CA
/C=AM/O=ArmeSFo/CN=ArmeSFo CA
/DC=org/DC=balticgrid/CN=Baltic Grid Certification Authority
/DC=bg/DC=acad/CN=BG.ACAD CA
/DC=eu/DC=KnowARC/CN=CE1-1371030106.61
/DC=ch/DC=cern/CN=CERN Root CA
/DC=ch/DC=cern/CN=CERN Trusted Certification Authority
/DC=LV/DC=latgrid/CN=Certification Authority for Latvian Grid
/C=FR/O=CNRS/CN=CNRS2
/C=FR/O=CNRS/CN=CNRS2-Projets
/C=CA/O=Grid/CN=Grid Canada Certificate Authority
/C=FR/O=CNRS/CN=GRID2-FR
/C=DE/O=GermanGrid/CN=GridKa-CA
/DC=IN/DC=GARUDAINDIA/CN=Indian Grid Certification Authority
/C=IT/O=INFN/CN=INFN CA
/C=CN/O=HEP/CN=Institute of High Energy Physics Certification Authority
/DC=es/DC=irisgrid/CN=IRISGridCA
/C=JO/O=JUNet/CN=JUNet CA
/C=PT/O=LIPCA/CN=LIP Certification Authority
/C=MA/O=MaGrid/CN=MaGrid CA
/C=MK/O=MARGI/CN=MARGI-CA
/C=NL/O=NIKHEF/CN=NIKHEF medium-security certification auth
/O=Grid/O=NorduGrid/CN=NorduGrid Certification Authority
/C=PK/O=NCP/CN=PK-GRID-CA
/C=PL/O=GRID/CN=Polish Grid CA
/DC=NET/DC=PRAGMA-GRID/CN=PRAGMA-UCSD CA
/C=US/O=Pittsburgh Supercomputing Center/CN=PSC MyProxy CA
/C=CL/O=REUNACA/CN=REUNA Certification Authority
/C=RU/O=RDIG/CN=Russian Data-Intensive Grid CA
/DC=ORG/DC=SEE-GRID/CN=SEE-GRID CA
/C=SI/O=SiGNET/CN=SiGNET CA
/C=SK/O=SlovakGrid/CN=SlovakGrid CA
/C=CH/O=Switch - Teleinformatikdienste fuer Lehre und Forschung/CN=SWITCHgrid Root CA
/C=CH/O=SWITCH/CN=SWITCHslcs CA
/C=NL/O=TERENA/CN=TERENA eScience Personal CA
/C=NL/O=TERENA/CN=TERENA eScience SSL CA
/C=TR/O=TRGrid/CN=TR-Grid CA
/DC=org/DC=ugrid/CN=UGRID CA
/C=HR/O=edu/OU=srce/CN=SRCE CA
/C=BE/OU=BEGRID/O=BELNET/CN=BEgrid CA
/DC=cz/DC=cesnet-ca/O=CESNET CA/CN=CESNET CA 3
/DC=HK/DC=HKU/DC=GRID/CN=HKU Grid CA
/DC=DZ/DC=ARN/O=DZ e-Science GRID/CN=DZ e-Science CA
/DC=CN/DC=Grid/DC=SDG/CN=Scientific Data Grid CA
/C=BR/O=ICPEDU/O=UFF BrGrid CA/CN=UFF Brazilian Grid Certification Authority
/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
/C=BR/O=ANSP/OU=ANSPGrid CA/CN=ANSPGrid CA
/DC=by/DC=grid/O=uiip.bas-net.by/CN=Belarusian Grid Certification Authority
/C=MX/O=UNAMgrid/OU=UNAM/CN=CA
/C=US/O=National Center for Supercomputing Applications/OU=Certificate Authorities/CN=CACL
/C=JP/O=AIST/OU=GRID/CN=Certificate Authority
/C=AT/O=AustrianGrid/OU=Certification Authority/CN=Certificate Issuer
/DC=cz/DC=cesnet-ca/O=CESNET CA/CN=CESNET CA Root
/C=CY/O=CyGrid/O=HPCL/CN=CyGridCA
/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN SLCS-CA
/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Grid - G01
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
/DC=com/DC=DigiCert-Grid/O=DigiCert Grid/CN=DigiCert Grid CA-1
/DC=com/DC=DigiCert-Grid/O=DigiCert Grid/CN=DigiCert Grid Root CA
/C=US/O=DigiCert Grid/OU=www.digicert.com/CN=DigiCert Grid Trust CA
/DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
/C=GR/O=HellasGrid/OU=Certification Authorities/CN=HellasGrid CA 2006
/C=GR/O=HellasGrid/OU=Certification Authorities/CN=HellasGrid Root CA 2006
/C=IR/O=IPM/O=IRAN-GRID/CN=IRAN-GRID CA
/C=JP/O=KEK/OU=CRC/CN=KEK GRID Certificate Authority
/C=KR/O=KISTI/O=GRID/CN=KISTI Grid Certificate Authority
/DC=me/DC=ac/DC=MREN/CN=MREN-CA
/C=US/O=National Center for Supercomputing Applications/OU=Certificate Authorities/CN=MyProxy
/C=JP/O=National Research Grid Initiative/OU=CGRD/CN=NAREGI CA
/DC=TW/DC=ORG/DC=NCHC/CN=NCHC CA
/C=TH/O=NECTEC/OU=GOC/CN=NECTEC GOC CA
/DC=net/DC=ES/OU=Certificate Authorities/CN=NERSC Online CA
/C=HU/O=NIIF/OU=Certificate Authorities/CN=NIIF Root CA
/C=BM/O=QuoVadis Limited/OU=Issuing Certification Authority/CN=QuoVadis Grid ICA
/C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis Root Certification Authority
/C=US/O=National Center for Supercomputing Applications/OU=Certificate Authorities/CN=Two Factor CA
/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2A
/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B
/C=UK/O=eScienceRoot/OU=Authority/CN=UK e-Science Root
[log in to unmask]
[log in to unmask]
/DC=EDU/DC=TENNESSEE/DC=NICS/O=National Institute for Computational Sciences/CN=MyProxy
/C=CO/O=Uniandes CA/O=UNIANDES/OU=DTI/CN=Uniandes CA
/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
/DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Silver CA 1
/DC=net/DC=ES/O=ESnet/OU=Certificate Authorities/CN=ESnet Root CA 1
/DC=gov/DC=fnal/O=Fermilab/OU=Certificate Authorities/CN=Kerberized CA HSM
/DC=MD/DC=MD-Grid/O=RENAM/OU=Certification Authority/CN=MD-Grid CA
/C=AR/O=e-Ciencia/OU=UNLP/L=CeSPI/CN=PKIGrid
/DC=RO/DC=RomanianGRID/O=ROSA/OU=Certification Authority/CN=RomanianGRID CA
/DC=BR/DC=UFF/DC=IC/O=UFF LACGrid CA/CN=UFF Latin American and Caribbean Catch-all Grid CA
/C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification Authority
[log in to unmask]
/DC=MY/DC=UPM/DC=MYIFAM/C=MY/O=MYIFAM/CN=Malaysian Identity Federation and Access Management
/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Client Authentication and Email
/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
---
SSL handshake has read 10790 bytes and written 322 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: B437F2C0D498A5FF0513C13E9E36E37CD77559DEE641372CCA06178506D7C412
Session-ID-ctx:
Master-Key: D34A8D24BEB9CB69E2D9EF1E9453FC86632E01E4FCC2963FDE405271503589A20AF197F4C53AF000EB32635664AF7015
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1371463194
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
and it gets stuck for a long time
|