Dimitar,
I owe you much beer/coffee/food.
Using Email= instead of emailAddress= makes the problems disappear.
Also, it looks like there is already a bug in Savannah:
https://savannah.cern.ch/bugs/?45221
Thanks again!
Regards,
Tom
Dimitar Shiyachki wrote:
> Hi Tom,
>
> Try to use the old format (Email instead of emailAddress) in the LSC
> file:
>
> /C=AU/O=APACGrid/OU=The University of
> Melbourne/CN=voms.atlas.unimelb.edu.au
> [log in to unmask]
>
> Best regards,
> Dimitar
>
> Tom Fifield wrote:
>> Hi All,
>>
>> So I'm trying to set up a local VOMS, and the VOMS service itself
>> appears to be functioning quite well: voms-proxy-init works great:
>>
>> [ui]$ voms-proxy-init --voms neuropsychiatry
>> Your identity: /C=AU/O=APACGrid/OU=The University of Melbourne/CN=Tom
>> Fifield
>> Creating temporary proxy ............................ Done
>> Contacting voms.atlas.unimelb.edu.au:16000 [/C=AU/O=APACGrid/OU=The
>> University of Melbourne/CN=voms.atlas.unimelb.edu.au]
>> "neuropsychiatry" Done
>> Creating proxy ............................. Done
>>
>> However, voms-proxy-info and similar tools report that they can't
>> verify its certificate. Note that this is the *error* message and not
>> the similar harmless warning.
>>
>> [ui]$ voms-proxy-info --all
>> WARNING: Unable to verify signature! Server certificate possibly not
>> installed.
>> Error: Cannot verify AC signature!
>> subject : /C=AU/O=APACGrid/OU=The University of Melbourne/CN=Tom
>> Fifield/CN=proxy
>> issuer : /C=AU/O=APACGrid/OU=The University of Melbourne/CN=Tom
>> Fifield
>> identity : /C=AU/O=APACGrid/OU=The University of Melbourne/CN=Tom
>> Fifield
>> type : proxy
>> strength : 1024 bits
>> path : /tmp/x509up_u1056
>> timeleft : 11:59:44
>> === VO neuropsychiatry extension information ===
>> VO : neuropsychiatry
>> subject : /C=AU/O=APACGrid/OU=The University of Melbourne/CN=Tom
>> Fifield
>> issuer : /C=AU/O=APACGrid/OU=The University of
>> Melbourne/CN=voms.atlas.unimelb.edu.au
>> attribute : /neuropsychiatry/Role=NULL/Capability=NULL
>> timeleft : 11:59:24
>> uri : voms.atlas.unimelb.edu.au:16000
>>
>> Which means things like job submission fail:
>>
>> [ui]$ glite-ce-job-submit -a --vo neuropsychiatry -r
>> agh5.atlas.unimelb.edu.au/cream-pbs-neuropsychiatry test_freesurfer.jdl
>> 2009-10-23 02:31:44,980 FATAL - Problems with proxyfile
>> [/tmp/x509up_u1056]: WARNING: The VOMS attribute could not be
>> verified. Possibly, the VOMS server certificate is not installed.
>>
>> Of course, you can use the --donot-verify-ac-sign option, but the
>> CREAM CE is configured identically (all hail cfengine) and similar
>> issues are encountered with the LCAS VOMS plugin. (If you'd really
>> like to see those logs they're here:
>> https://eppwiki.ph.unimelb.edu.au/glexec_lcas_lcmaps.log -
>> vomsdata::Retrieve() returns VERR_SIGN)
>>
>> So, config:
>>
>> [ui]$ ls -l /etc/grid-security/vomsdir/
>> ...
>> drwxr-xr-x 2 root root 4096 Oct 23 01:05 neuropsychiatry
>> ...
>> voms.atlas.unimelb.edu.au.2009-09-04.pem
>>
>>
>> [ui]$ cat
>> /etc/grid-security/vomsdir/neuropsychiatry/voms.atlas.unimelb.edu.au.lsc
>> /C=AU/O=APACGrid/OU=The University of
>> Melbourne/CN=voms.atlas.unimelb.edu.au
>> [log in to unmask]
>>
>> [ui]$ cat
>> /opt/glite/etc/vomses/neuropsychiatry-voms.atlas.unimelb.edu.au
>> "neuropsychiatry" "voms.atlas.unimelb.edu.au" "16000"
>> "/C=AU/O=APACGrid/OU=The University of
>> Melbourne/CN=voms.atlas.unimelb.edu.au" "neuropsychiatry"
>>
>> CA cert is from IGTF distribution rpm ca_APAC.noarch and looks fine in
>> /etc/grid-security/certificates/1e12d831.*
>>
>> This UI and the CREAM CE I'm attempting to submit to work fine with
>> other VOs (atlas, dteam, belle).
>>
>> Random conspiracy theory: Our CA is probably one of very few that
>> uses 4096 bit certificates and the emailAddress field in its DN.
>>
>> I've probably missed something really trivial, but this is driving me
>> mad. So if anyone has any suggestions, comments or queries that would
>> make my fortnight...
>>
>> Regards,
>>
>> Tom
>>
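
Added example (not part of the original messages and not VOMS code): a small LSC checker that compares each DN line of an `.lsc` file with the DN the verifying tool expects at that position, and reports lines that differ only in the spelling of the e-mail attribute label, the case resolved in this thread. The CA DN is a constructed placeholder, and the assumption that the verifier renders the attribute as `Email=` is taken from the fix described above.

```python
import re

# Labels seen for the PKCS#9 e-mail attribute in one-line DN strings.
EMAIL_LABELS = {"emailAddress", "Email", "E"}

def split_dn(dn):
    """'/C=AU/O=Org/CN=x' -> [('C', 'AU'), ('O', 'Org'), ('CN', 'x')]."""
    parts = re.split(r"/(?=[A-Za-z][A-Za-z0-9.]*=)", dn.strip())
    return [tuple(p.split("=", 1)) for p in parts if p]

def canonical(dn):
    """Same DN with every e-mail label spelling folded to one token."""
    return [("EMAIL" if k in EMAIL_LABELS else k, v) for k, v in split_dn(dn)]

def parse_lsc(text):
    """DN lines of an LSC file: server subject first, then each issuer."""
    return [ln.strip() for ln in text.splitlines() if ln.strip().startswith("/")]

def check_lsc(lsc_text, chain_dns):
    """Compare LSC lines with the expected chain, position by position.

    Status per position: 'ok' (literal match), 'email-label' (differs only
    in the e-mail label spelling), 'mismatch', or 'missing'.
    """
    lsc = parse_lsc(lsc_text)
    results = []
    for i, expected in enumerate(chain_dns):
        if i >= len(lsc):
            results.append((i, "missing"))
        elif lsc[i] == expected:
            results.append((i, "ok"))
        elif canonical(lsc[i]) == canonical(expected):
            results.append((i, "email-label"))
        else:
            results.append((i, "mismatch"))
    return results

# Server DN as shown in the thread; the CA DN below is a constructed placeholder.
SERVER_DN = "/C=AU/O=APACGrid/OU=The University of Melbourne/CN=voms.atlas.unimelb.edu.au"
# Assumption: the verifier renders the e-mail attribute with the old "Email" label.
CHAIN = [SERVER_DN, "/C=XX/O=ExampleGrid/CN=Example CA/Email=ca@example.org"]
LSC_BROKEN = SERVER_DN + "\n/C=XX/O=ExampleGrid/CN=Example CA/emailAddress=ca@example.org\n"
LSC_FIXED = SERVER_DN + "\n/C=XX/O=ExampleGrid/CN=Example CA/Email=ca@example.org\n"

if __name__ == "__main__":
    for name, lsc in (("broken", LSC_BROKEN), ("fixed", LSC_FIXED)):
        print(name, check_lsc(lsc, CHAIN))
```

An `email-label` status marks a line whose DN is otherwise correct, so only the label needs rewriting rather than the certificate or CA installation.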