Hi Gianfranco. The trouble with these error messages is that they indicate there is a problem but not where it is. If you're lucky you might have a glimmer of finding out at least what's wrong. I suggest you check your CA rpms - you should have lcg-CA-1.9 installed and 1.10 should be out very shortly! All that stuff lives in /etc/grid-security/certificates/ By that message it looks like a problem with the signing policy file which are all in those RPMs. Cheers, --jens -----Original Message----- From: Testbed Support for GridPP member institutes [mailto:[log in to unmask]]On Behalf Of Gianfranco Sciacca Sent: 18 October 2006 18:03 To: [log in to unmask] Subject: failing SFT/SAM: problem with CE certificate We are failing SFTs after installing a new CE certificate. Problems also with the MON certificate. I wonder if I'm missing copying certs and keys to any extra certificate location. I have: CE: in /etc/grid-security/ -rw-r--r-- 1 root root 2344 Oct 19 2005 hostcert.pem -r-------- 1 root root 1850 Oct 19 2005 hostkey.pem in /opt/glite/var/rgma/.certs/ -rw-r--r-- 1 rgma rgma 2344 Oct 11 14:01 hostcert.pem -r-------- 1 rgma rgma 1850 Oct 11 14:01 hostkey.pem for MON: in /etc/grid-security/ -rw-r--r-- 1 root root 2344 Oct 24 2005 hostcert.pem -r-------- 1 root root 1854 Oct 24 2005 hostkey.pem in /etc/tomcat5/ -rw-r--r-- 1 tomcat4 tomcat4 2344 Oct 24 2005 hostcert.pem -r-------- 1 tomcat4 tomcat4 1854 Oct 24 2005 hostkey.pem On the CE, I have tried restarting all the globus-* services and even re-run yaim to restart everything in proper fashion. The gatekeeper log doesn't reveal anything. In the home directories of pool accounts, I have this in globus-url-copy.log: GSS failure: GSS Major Status: Authentication Failed GSS Minor Status Error Chain: init_sec_context.c:171: gss_init_sec_context: SSLv3 handshake problems globus_i_gsi_gss_utils.c:881: globus_i_gsi_gss_handshake: Unable to verify remote side's credentials globus_i_gsi_gss_utils.c:854: globus_i_gsi_gss_handshake: SSLv3 handshake problems: Couldn't do ssl handshake OpenSSL Error: s3_clnt.c:840: in library: SSL routines, function SSL3_GET_SERVER_CERTIFICATE: certificate verify failed globus_gsi_callback.c:351: globus_i_gsi_callback_handshake_callback: Could not verify credential globus_gsi_callback.c:490: globus_i_gsi_callback_cred_verify: Could not verify credential globus_gsi_callback.c:850: globus_i_gsi_callback_check_signing_policy: Error with signing policy globus_gsi_callback.c:927: globus_i_gsi_callback_check_gaa_auth: Error with signing policy: The signing policy file doesn't exist or can't be read Any suggested course of action? cheers and thanks for any pointers, gianfranco