Leslie Groer wrote:

> I am getting this error when trying to contact our SE.
>
> % globus-job-run bigmac-lcg-se.physics.utoronto.ca:/C=CA/O=Grid/CN=storage/bigmac-lcg-se.physics.utoronto.ca /bin/pwd

It is non-standard to run a gatekeeper on an SE...

To test such things globus-url-copy (with the "-dbg" option) is a lot easier.

> GRAM Job submission failed because authentication failed:
> GSS Major Status: Authentication Failed
> GSS Minor Status Error Chain:
> init.c:499: globus_gss_assist_init_sec_context_async: Error during context
> initialization
> init_sec_context.c:171: gss_init_sec_context: SSLv3 handshake problems
> globus_i_gsi_gss_utils.c:881: globus_i_gsi_gss_handshake: Unable to verify
> remote side's credentials
> globus_i_gsi_gss_utils.c:854: globus_i_gsi_gss_handshake: SSLv3 handshake
> problems: Couldn't do ssl handshake
> OpenSSL Error: s3_clnt.c:840: in library: SSL routines, function
> SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
> globus_gsi_callback.c:351: globus_i_gsi_callback_handshake_callback: Could
> not verify credential
> globus_gsi_callback.c:436: globus_i_gsi_callback_cred_verify: The
> certificate has expired: Credential with subject:
> /C=CA/O=Grid/CN=host/bigmac-lcg-se.physics.utoronto.ca has expired. (error
> code 7)
>
> The error occurs as well when I do not specify the certificate subject in
> the globus-job-run command.
>
> Upon renewing the host certificate for this machine, the CN in the host
> certificate subject had to be changed as the Canadian Grid Authority can
> only have one "host" machine per site which we have reserved for our CE.

That restriction appears bizarre to me.  Are you sure it is like that?
Why do they consider the string "host" special?

> The new storage element certificate is installed with:
>
>             Subject: C=CA, O=Grid, CN=storage/bigmac-lcg-se.physics.utoronto.ca
> [Note that the CN=storage/bigmac....  and not CN=host/bigmac....]
>
> The new certificate should be valid
>         Validity
>             Not Before: Feb  4 16:41:20 2005 GMT
>             Not After : Feb  4 16:41:20 2006 GMT
>
> The new certificate seems to be installed in the correct place:
>    /etc/grid-security/hostcert.pem
> but is either not being picked up correctly by globus [...]

Exactly.  The string "host/" is magic in Globus, so if the Canadian CA insists
on its peculiar requirements, your SE can no longer be used in LCG-2.
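
An added example, not part of either poster's message: a small Python check that pulls the subject reported as expired out of the error chain quoted above and compares it with the subject quoted for the newly installed certificate. The function names are hypothetical and the sample input is constructed from the quoted text.

```python
import re

# Constructed sample: the error chain quoted in the message, with the mail
# client's line wrapping kept and the "> " quote markers removed.
SAMPLE_ERROR = """\
globus_gsi_callback.c:351: globus_i_gsi_callback_handshake_callback: Could
not verify credential
globus_gsi_callback.c:436: globus_i_gsi_callback_cred_verify: The
certificate has expired: Credential with subject:
/C=CA/O=Grid/CN=host/bigmac-lcg-se.physics.utoronto.ca has expired. (error
code 7)
"""
# Subject of the newly installed certificate, as quoted in the message.
INSTALLED_SUBJECT = "C=CA, O=Grid, CN=storage/bigmac-lcg-se.physics.utoronto.ca"

def parse_subject(subject):
    """Parse '/C=CA/O=Grid/CN=x' or 'C=CA, O=Grid, CN=x' into (attr, value) pairs.
    A separator only counts when an 'ATTR=' follows it, so the '/' inside
    a CN such as 'host/name' stays part of the value."""
    parts = re.split(r"\s*[/,]\s*(?=[A-Za-z]+=)", subject.strip())
    return [tuple(p.split("=", 1)) for p in parts if p]

def split_cn(pairs):
    """Return (service, hostname) from the CN; service is None if CN has no '/'."""
    cn = dict(pairs).get("CN", "")
    service, sep, host = cn.partition("/")
    return (service, host) if sep else (None, cn)

def expired_subject(error_text):
    """Extract the subject the client reported as expired, or None."""
    flat = " ".join(error_text.split())  # undo mail line wrapping
    m = re.search(r"Credential with subject: (\S+) has expired", flat)
    return m.group(1) if m else None

def diagnose(error_text, installed_subject):
    """Compare the credential named in the error with the installed subject."""
    presented = expired_subject(error_text)
    if presented is None:
        return None
    p, i = parse_subject(presented), parse_subject(installed_subject)
    (p_svc, p_host), (i_svc, i_host) = split_cn(p), split_cn(i)
    return {"presented": presented, "same_subject": p == i,
            "same_host": p_host == i_host,
            "presented_service": p_svc, "installed_service": i_svc}

if __name__ == "__main__":
    print(diagnose(SAMPLE_ERROR, INSTALLED_SUBJECT))
```

A result with `same_host` true and `same_subject` false means the credential named in the error is not the one whose subject is quoted for `/etc/grid-security/hostcert.pem`.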