We've encountered problems after upgrading the certificates on our CE,
SE and MON boxes.
For example, globus_url_copy gives the following problem ...
init_sec_context.c:171: gss_init_sec_context: SSLv3 handshake problems
globus_i_gsi_gss_utils.c:881: globus_i_gsi_gss_handshake: Unable to verify remote side's credentials
globus_i_gsi_gss_utils.c:854: globus_i_gsi_gss_handshake: SSLv3 handshake problems: Couldn't do ssl handshake
OpenSSL Error: s3_clnt.c:840: in library: SSL routines, function SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
globus_gsi_callback.c:351: globus_i_gsi_callback_handshake_callback: Could not verify credential
globus_gsi_callback.c:443: globus_i_gsi_callback_cred_verify: Could not verify credential: self signed certificate in certificate chain
We installed the certificates and keys from UK E-Science to the
following locations.
SE
/etc/grid-security/hostcert.pem
/etc/grid-security/hostkey.pem
/opt/glite/var/rgma/.certs/hostcert.pem
/opt/glite/var/rgma/.certs/hostkey.pem
/etc/grid-security/dpmmgr/dpmcert.pem
/etc/grid-security/dpmmgr/dpmkey.pem
CE
/etc/grid-security/hostcert.pem
/etc/grid-security/hostkey.pem
/opt/glite/var/rgma/.certs/hostcert.pem
/opt/glite/var/rgma/.certs/hostkey.pem
MON
/etc/grid-security/hostcert.pem
/etc/grid-security/hostkey.pem
/opt/glite/var/rgma/.certs/hostcert.pem
/opt/glite/var/rgma/.certs/hostkey.pem
/etc/tomcat5/hostcert.pem
/etc/tomcat5/hostkey.pem
All files are owned by root:root. The permissions on the certificates are 644
and on the keys, 400. We can use grid-cert-info to verify that the certificates
are for the correct machine, and are current. We have re-configured with yaim
and even rebooted.
What are we missing?? We are running glite 3.0 on these service nodes, and have
lcg-CA-1.21-1 installed.
Thanks in advance
Dave
--
David Robson
CODAS & IT Department, UKAEA Culham
Culham Science Centre, Abingdon, OXON, OX14 3DB, UK
Voice: +44(0)1235-46-4569, Fax: 4404