Hi Mario,
note that there are two proxies playing a role in gLExec, one is the one
pointed to by the GLEXEC_CLIENT_CERT and in pilot jobs typically holds
the payload proxy, the other one is pointed to by the X509_USER_PROXY
and holds the pilot proxy. The error from LCMAPS is about the
GLEXEC_CLIENT_CERT proxy and is very clear in that its embedded VOMS
attribute certificate (AC) has expired. This doesn't mean that the
proxy itself also has expired. So try at least what Maarten said, and
print
voms-proxy-info -all
You also seem to have a problem with the Argus installation. There are
in principle two different versions of the UTN-USERFirst-Hardware
certificate. One is self-signed, and you then should have it installed
on your system, the other is signed by
/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
and contained in ca_AddTrust-External-CA-Root-1.54-1.noarch which should
be installed by e.g. ca_policy_igtf-classic-1.54-1.noarch or a
corresponding EGI trust anchors package.
You also have problems with the way you try to run curl, but let's leave
that out for the moment.
Cheers,
Mischa
On Mon, Jul 01, 2013 at 07:42:17PM +0300, Mario Kadastik wrote:
> Hi,
>
> I'm a bit mystified by ARGUS... We're still running EMI-1 ARGUS and haven't really been using it that much or testing, but I remember that this started a while ago when we had to replace the host certificate, and the new keys and certs that we can get are only of minimum 2048-bit size. Once I did the swap it seemed that CREAM CEs worked, so I didn't bother checking at the time why pepcli failed, but today I started to look again at why our glexec tests are failing and I'm not figuring out why LCMAPS fails due to SSL errors.
>
> Here's what I see when I try the mapping on ARGUS itself using pepcli:
>
> pepcli -v -p https://our_argus_host:8154/authz -r myCE -a myA -t 60 -x --capath /etc/grid-security/certificates/ --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem -c ~/x509up_u1000005
> pepcli: pepd: https://our_argus_host:8154/authz
> pepcli: certchain: /root/x509up_u1000005
> pepcli: resourceid: myCE
> pepcli: actionid: myA
> pepcli: capath: /etc/grid-security/certificates/
> pepcli: cert: /etc/grid-security/hostcert.pem
> pepcli: key: /etc/grid-security/hostkey.pem
> pepcli: authorize XACML request
> libargus-pep: pep_authorize: PEP#0 sending XACML request to: https://our_argus_host:8154/authz
> libargus-pep:ERROR: pep_authorize: PEP#0 sending XACML request failed: curl[35] SSL connect error.
> pepcli:ERROR: failed to authorize XACML request: CURL processing error
>
> On the glexec side:
> $ glexec id -a
> [gLExec]: LCMAPS failed.
> The reason can be found in the syslog.
>
> Jul 1 19:35:49 comp-c-021 glexec[8325]: Trying to read /etc/glexec.conf as 498(glexec)/498(glexec)
> Jul 1 19:35:49 comp-c-021 glexec[8325]: lcmaps: lcmaps_x509_to_voms_fqans(): Generic verification error for VOMS (failure): AC not valid anymore.
> Jul 1 19:35:49 comp-c-021 glexec[8325]: lcmaps: Error: Verifying proxy: Proxy certificate expired.
> Jul 1 19:35:49 comp-c-021 glexec[8325]: lcmaps: Warning: Serial numbers do not match.
> Jul 1 19:35:49 comp-c-021 glexec[8325]: lcmaps: Error: Verifying certificate chain: certificate has expired#012
> Jul 1 19:35:49 comp-c-021 glexec[8325]: lcmaps: LCMAPS failed to do mapping and return account information
> Jul 1 19:35:49 comp-c-021 glexec[8325]: LCMAPS failed.
>
> which seem a bit odd, as the messages say the proxy expired while it is quite alive and kicking:
>
> $ voms-proxy-info
> subject : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=mario/CN=631445/CN=Mario Kadastik/CN=proxy
> issuer : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=mario/CN=631445/CN=Mario Kadastik
> identity : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=mario/CN=631445/CN=Mario Kadastik
> type : proxy
> strength : 1024 bits
> path : /tmp/sert1
> timeleft : 190:20:28
>
> I have validated that the argus cert and key match and that the expiration date is in 2014.
>
> This is what I see in pepd log:
> 2013-07-01 15:44:29.636Z - ERROR [PKIVerifier] - Certificate verification: no trust anchor found.
> 2013-07-01 15:44:36.231Z - ERROR [PKIVerifier] - Cannot find issuer candidate for: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
> 2013-07-01 16:25:09.304Z - ERROR [PKIVerifier] - Certificate verification: no trust anchor found.
> 2013-07-01 16:33:48.719Z - ERROR [PKIVerifier] - Cannot find issuer candidate for: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
>
> Trying a simple curl against the ARGUS node I see this:
>
> curl -v --capath /etc/grid-security/certificates/ -E /home/mario/x509up_u1000005 https://our_argus_host:8154/ 2>&1 |grep -v "failed to load"
> * About to connect() to our_argus_host port 8154 (#0)
> * Trying xxxx... connected
> * Connected to our_argus_host (xxxx) port 8154 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * CAfile: /etc/pki/tls/certs/ca-bundle.crt
> CApath: /etc/grid-security/certificates/
> * NSS: client certificate: PEM Token #1:x509up_u1000005
> * subject: CN=proxy,CN=Mario Kadastik,CN=631445,CN=mario,OU=Users,OU=Organic Units,DC=cern,DC=ch
> * start date: Jul 01 14:52:11 2013 GMT
> * expire date: Jul 09 14:57:11 2013 GMT
> * common name: proxy
> * issuer: CN=Mario Kadastik,CN=631445,CN=mario,OU=Users,OU=Organic Units,DC=cern,DC=ch
> * NSS error -12224
> * Closing connection #0
> * SSL connect error
>
> curl: (35) SSL connect error
>
> So I'm a bit confused how to debug this. Ideas are welcome as well as confirmations that ARGUS works fine with 2k key size :) Also, as right now glexec will be the sole use of argus (we've moved over to ARC CE from CREAMs so can't check if auth works from CREAM anymore) I can in theory update to a newer ARGUS version, but I'd like to get ideas what might be the root cause here.
>
> Oh and I've checked, all nodes involved are in time sync.
>
> PS! I renamed in this e-mail our argus host FQDN to our_argus_host and its IP to xxxx just in case :)
>
> Mario Kadastik, PhD
> Researcher
>
> ---
> "Physics is like sex, sure it may have practical reasons, but that's not why we do it"
> -- Richard P. Feynman
--
Nikhef, Science Park 105, 1098 XG Amsterdam, The Netherlands
Room H155, Tel. +31-20-592 5102, Fax +31-20-592 5155
Email [log in to unmask]
__ .. ... _._. .... ._ ... ._ ._.. ._.. .._..
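Mischa's reply above makes two points that are easy to check from a shell: which of the two proxy files (GLEXEC_CLIENT_CERT, the payload proxy, and X509_USER_PROXY, the pilot proxy) is actually expired, keeping in mind that the VOMS AC has a lifetime of its own, and whether the trust-anchor directory holds the self-signed UTN-USERFirst-Hardware root or the copy cross-signed by AddTrust. The script below is an added example, not code from the thread or from the gLExec, LCMAPS or Argus projects. It assumes the openssl command-line tool is installed; voms-proxy-info is used only if present. The environment variable names are gLExec's; all file paths come from the environment or the command line.

```shell
#!/bin/sh
# Added example, not part of the thread. Inspects the two proxy files gLExec
# reads and a trust-anchor directory. Assumes the openssl CLI; voms-proxy-info
# is used only when installed. Source this file to get the functions, or run it
# with --run (proxies) or --ca [dir] [CN] (trust anchors).

# Split a PEM bundle ($1) into single-certificate files 1.pem, 2.pem, ... in
# directory $2 and print how many certificates were found. Anything outside a
# CERTIFICATE block (e.g. the private key in a proxy file) is skipped.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }' "$1"
}

# Print subject, end date and status for every certificate in chain file $1.
# A certificate fails if it expires within $2 seconds (default 0: already
# expired). Returns 1 if any certificate fails or none was found, else 0.
# Note: an expired VOMS AC is NOT detected here. The AC is an extension with
# its own lifetime, which is exactly the "AC not valid anymore" case where the
# proxy certificate itself can still be valid; see voms_ac_status.
chain_status() {
    file="$1"
    within="${2:-0}"
    dir=$(mktemp -d) || return 2
    count=$(split_chain "$file" "$dir")
    rc=0
    [ "$count" -gt 0 ] || rc=1
    i=1
    while [ "$i" -le "$count" ]; do
        cert="$dir/$i.pem"
        subj=$(openssl x509 -in "$cert" -noout -subject)
        end=$(openssl x509 -in "$cert" -noout -enddate)
        if openssl x509 -in "$cert" -noout -checkend "$within" >/dev/null; then
            state=ok
        else
            state="FAIL (expired or expiring within ${within}s)"
            rc=1
        fi
        printf '%s [%d] %s; %s; %s\n' "$file" "$i" "$subj" "$end" "$state"
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$rc"
}

# Show the proxy and every embedded VOMS AC. Each AC has its own "timeleft";
# the top-level timeleft belongs to the proxy certificate.
voms_ac_status() {
    if command -v voms-proxy-info >/dev/null 2>&1; then
        voms-proxy-info -file "$1" -all
    else
        echo "voms-proxy-info not installed; cannot show AC validity for $1" >&2
        return 2
    fi
}

# List certificates in trust-anchor directory $1 whose subject has CN=$2 and
# say whether each is self-signed or who issued it. Symlinks (hash names) are
# skipped so each file is reported once; the last line is the match count.
ca_variants() {
    dir="$1"
    cn="$2"
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        [ -L "$f" ] && continue
        subj=$(openssl x509 -in "$f" -noout -subject 2>/dev/null) || continue
        case "$subj" in
            *"CN=$cn"*|*"CN = $cn"*) ;;   # old and new openssl DN formats
            *) continue ;;
        esac
        issuer=$(openssl x509 -in "$f" -noout -issuer)
        if [ "${subj#subject=}" = "${issuer#issuer=}" ]; then
            printf '%s: self-signed\n' "$f"
        else
            printf '%s: %s\n' "$f" "$issuer"
        fi
        found=$((found + 1))
    done
    echo "$found"
}

# Check both proxy files gLExec reads; returns 1 if either chain has expired.
glexec_proxy_check() {
    rc=0
    for var in GLEXEC_CLIENT_CERT X509_USER_PROXY; do
        eval "proxy=\${$var:-}"
        if [ -z "$proxy" ]; then
            echo "$var is not set" >&2
            continue
        fi
        echo "== $var -> $proxy"
        chain_status "$proxy" || rc=1
        voms_ac_status "$proxy" || true
    done
    return "$rc"
}

case "${1:-}" in
    --run) glexec_proxy_check ;;
    --ca) ca_variants "${2:-/etc/grid-security/certificates}" "${3:-UTN-USERFirst-Hardware}" ;;
esac
```

Run it as the pilot account on the worker node so the two environment variables have the values gLExec would see. If chain_status reports every certificate ok but voms-proxy-info shows zero timeleft under an AC, the payload proxy must be regenerated (or its AC renewed), not the pilot proxy. With --ca, two matches, one self-signed and one issued by AddTrust, is the expected picture for an IGTF trust-anchor directory; the pepd "Cannot find issuer candidate" error means neither variant was found for the issuer in question.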