Hi Jens,

all the CA rpms are up to date, including 1.10 that came in this night.
The problem is clearly correlated to the host certificate for the CE.
Trouble is, I have no further idea where to look for a problem, which leads to the site being not operational.

cheers,
gianfranco

On Thu, 19 Oct 2006, Jensen, J (Jens) wrote:

> Hi Gianfranco.
>
> The trouble with these error messages is that they indicate
> there is a problem but not where it is. If you're lucky you
> might have a glimmer of finding out at least what's wrong.
>
> I suggest you check your CA rpms - you should have lcg-CA-1.9
> installed and 1.10 should be out very shortly!
>
> All that stuff lives in /etc/grid-security/certificates/
>
> By that message it looks like a problem with the signing policy
> file which are all in those RPMs.
>
> Cheers,
> --jens
>
> -----Original Message-----
> From: Testbed Support for GridPP member institutes
> [mailto:[log in to unmask]]On Behalf Of Gianfranco Sciacca
> Sent: 18 October 2006 18:03
> To: [log in to unmask]
> Subject: failing SFT/SAM: problem with CE certificate
>
>
> We are failing SFTs after installing a new CE certificate. Problems also with the MON certificate.
> I wonder if I'm missing copying certs and keys to any extra certificate location. I have:
>
> CE:
> in /etc/grid-security/
> -rw-r--r-- 1 root root 2344 Oct 19 2005 hostcert.pem
> -r-------- 1 root root 1850 Oct 19 2005 hostkey.pem
>
> in /opt/glite/var/rgma/.certs/
> -rw-r--r-- 1 rgma rgma 2344 Oct 11 14:01 hostcert.pem
> -r-------- 1 rgma rgma 1850 Oct 11 14:01 hostkey.pem
>
> for MON:
> in /etc/grid-security/
> -rw-r--r-- 1 root root 2344 Oct 24 2005 hostcert.pem
> -r-------- 1 root root 1854 Oct 24 2005 hostkey.pem
>
> in /etc/tomcat5/
> -rw-r--r-- 1 tomcat4 tomcat4 2344 Oct 24 2005 hostcert.pem
> -r-------- 1 tomcat4 tomcat4 1854 Oct 24 2005 hostkey.pem
>
> On the CE, I have tried restarting all the globus-* services and even re-run yaim to restart everything in proper fashion.
>
> The gatekeeper log doesn't reveal anything. In the home directories of pool accounts, I have this in globus-url-copy.log:
>
> GSS failure:
> GSS Major Status: Authentication Failed
> GSS Minor Status Error Chain:
>
> init_sec_context.c:171: gss_init_sec_context: SSLv3 handshake problems
> globus_i_gsi_gss_utils.c:881: globus_i_gsi_gss_handshake: Unable to verify remote side's credentials
> globus_i_gsi_gss_utils.c:854: globus_i_gsi_gss_handshake: SSLv3 handshake problems: Couldn't do ssl handshake
> OpenSSL Error: s3_clnt.c:840: in library: SSL routines, function SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
> globus_gsi_callback.c:351: globus_i_gsi_callback_handshake_callback: Could not verify credential
> globus_gsi_callback.c:490: globus_i_gsi_callback_cred_verify: Could not verify credential
> globus_gsi_callback.c:850: globus_i_gsi_callback_check_signing_policy: Error with signing policy
> globus_gsi_callback.c:927: globus_i_gsi_callback_check_gaa_auth: Error with signing policy: The signing policy file doesn't exist or can't be read
>
> Any suggested course of action?
>
> cheers and thanks for any pointers,
> gianfranco
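
Added example, not part of the original thread: a shell check for the condition named in the last line of the error chain, a signing policy file that does not exist or cannot be read for the CA that issued a host certificate. It assumes the usual Globus layout in which each CA in /etc/grid-security/certificates/ has `<hash>.0` and `<hash>.signing_policy`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout: every trusted CA in
# the certificates directory has <hash>.0 (CA certificate) and
# <hash>.signing_policy, where <hash> is the OpenSSL hash of the CA subject.

CERTDIR_DEFAULT=/etc/grid-security/certificates

# check_ca_files HASH [DIR]
# Returns 0 if both files are present and readable (policy non-empty),
#         1 if the CA certificate <hash>.0 is missing or unreadable,
#         2 if the signing policy is missing, empty or unreadable.
check_ca_files() {
    hash=$1
    dir=${2:-$CERTDIR_DEFAULT}
    if [ ! -r "$dir/$hash.0" ]; then
        echo "CA certificate not readable: $dir/$hash.0" >&2
        return 1
    fi
    if [ ! -s "$dir/$hash.signing_policy" ] || [ ! -r "$dir/$hash.signing_policy" ]; then
        echo "signing policy missing, empty or unreadable: $dir/$hash.signing_policy" >&2
        return 2
    fi
    return 0
}

# check_host_cert CERT [DIR]
# Looks up the issuer of a host certificate and checks that CA's files.
check_host_cert() {
    cert=$1
    dir=${2:-$CERTDIR_DEFAULT}
    # -issuer_hash prints the hash of the issuer name, which is the file
    # name stem the issuing CA's files are expected to carry.
    hash=$(openssl x509 -noout -issuer_hash -in "$cert") || return 3
    echo "issuer: $(openssl x509 -noout -issuer -in "$cert")"
    echo "issuer hash: $hash"
    check_ca_files "$hash" "$dir"
}

# Run as the account that reported the error (the thread's log came from a
# pool account), since readability depends on who is reading:
#   check_host_cert /etc/grid-security/hostcert.pem
```

Run it on the machine that logged the verification failure, against a copy of the certificate presented by the remote host, because the signing policy is read on the verifying side.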