Hi Gianfranco.

The trouble with these error messages is that they indicate
there is a problem but not where it is.  If you're lucky you
might have a glimmer of finding out at least what's wrong.

I suggest you check your CA rpms - you should have lcg-CA-1.9
installed and 1.10 should be out very shortly!

All that stuff lives in /etc/grid-security/certificates/

By that message it looks like a problem with the signing policy
file; these are all in those RPMs.

Cheers,
--jens

-----Original Message-----
From: Testbed Support for GridPP member institutes
[mailto:[log in to unmask]]On Behalf Of Gianfranco Sciacca
Sent: 18 October 2006 18:03
To: [log in to unmask]
Subject: failing SFT/SAM: problem with CE certificate


We are failing SFTs after installing a new CE certificate. Problems also with the MON certificate.
I wonder if I'm missing copying certs and keys to any extra certificate location. I have:

CE:
in /etc/grid-security/
-rw-r--r--    1 root     root         2344 Oct 19  2005 hostcert.pem
-r--------    1 root     root         1850 Oct 19  2005 hostkey.pem

in /opt/glite/var/rgma/.certs/
-rw-r--r--    1 rgma     rgma         2344 Oct 11 14:01 hostcert.pem
-r--------    1 rgma     rgma         1850 Oct 11 14:01 hostkey.pem

for MON:
in /etc/grid-security/
-rw-r--r--    1 root     root         2344 Oct 24  2005 hostcert.pem
-r--------    1 root     root         1854 Oct 24  2005 hostkey.pem

in /etc/tomcat5/
-rw-r--r--    1 tomcat4  tomcat4      2344 Oct 24  2005 hostcert.pem
-r--------    1 tomcat4  tomcat4      1854 Oct 24  2005 hostkey.pem

On the CE, I have tried restarting all the globus-* services and even re-run yaim to restart everything in proper fashion.

The gatekeeper log doesn't reveal anything. In the home directories of pool accounts, I have this in globus-url-copy.log:

GSS failure:
GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
init_sec_context.c:171: gss_init_sec_context: SSLv3 handshake problems
globus_i_gsi_gss_utils.c:881: globus_i_gsi_gss_handshake: Unable to verify remote side's credentials
globus_i_gsi_gss_utils.c:854: globus_i_gsi_gss_handshake: SSLv3 handshake problems: Couldn't do ssl handshake
OpenSSL Error: s3_clnt.c:840: in library: SSL routines, function SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
globus_gsi_callback.c:351: globus_i_gsi_callback_handshake_callback: Could not verify credential
globus_gsi_callback.c:490: globus_i_gsi_callback_cred_verify: Could not verify credential
globus_gsi_callback.c:850: globus_i_gsi_callback_check_signing_policy: Error with signing policy
globus_gsi_callback.c:927: globus_i_gsi_callback_check_gaa_auth: Error with signing policy: The signing policy file doesn't exist or can't be read

Any suggested course of action? 

cheers and thanks for any pointers,
gianfranco
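
A check for the condition named in the last line of the error chain above, as an added example that is not part of the original thread. It assumes the usual Globus GSI layout in which each trusted CA in `/etc/grid-security/certificates/` has a `<hash>.0` certificate and a `<hash>.signing_policy` file named after the CA's OpenSSL subject hash; the function names are illustrative.

```shell
#!/bin/sh
# Added example: verify that the CA files GSI needs for a certificate's
# issuer exist and are readable by the current user.
# Assumed layout: <CERTDIR>/<hash>.0 and <CERTDIR>/<hash>.signing_policy
CERTDIR="${CERTDIR:-/etc/grid-security/certificates}"

# Print the issuer hash(es) of a PEM certificate. OpenSSL 1.0 changed the
# hash algorithm, so the current and the old-style values are both printed.
issuer_hashes() {
    openssl x509 -in "$1" -noout -issuer_hash
    openssl x509 -in "$1" -noout -issuer_hash_old 2>/dev/null || true
}

# check_ca_files DIR HASH
# Prints one line per problem and returns the number of problems (0 = ok).
check_ca_files() {
    dir=$1
    hash=$2
    problems=0
    for f in "$dir/$hash.0" "$dir/$hash.signing_policy"; do
        if [ ! -e "$f" ]; then
            echo "MISSING     $f"
            problems=$((problems + 1))
        elif [ ! -r "$f" ]; then
            echo "UNREADABLE  $f (as user $(id -un))"
            problems=$((problems + 1))
        elif [ ! -s "$f" ]; then
            echo "EMPTY       $f"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Usage: sh check-ca.sh /etc/grid-security/hostcert.pem
# Succeeds if the files are present under either hash naming form.
if [ "$#" -gt 0 ]; then
    status=1
    for h in $(issuer_hashes "$1"); do
        if check_ca_files "$CERTDIR" "$h"; then
            echo "OK          $CERTDIR/$h.{0,signing_policy}"
            status=0
        fi
    done
    exit "$status"
fi
```

Run it as the account that hit the failure (here a pool account), since the readability test applies to the user running the script, and on the machine that rejected the certificate.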