Hi,

I'm a bit mystified by ARGUS... We're still running EMI-1 ARGUS and haven't really been using it that much or testing, but I remember that this started a while ago when we had to replace the host certificate and the new keys and certs that we can get are only minimum 2048b size. Once I did the swap it seemed that CREAM CEs worked so I didn't bother checking at the time why pepcli failed, but today I started to look again why our glexec tests are failing and I'm not figuring it out why LCMAPS fails due to SSL errors. 

Here's what I see when I try the mapping on ARGUS itself using pepcli:

pepcli -v -p https://our_argus_host:8154/authz -r myCE -a myA -t 60 -x --capath /etc/grid-security/certificates/ --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem -c ~/x509up_u1000005
pepcli: pepd: https://our_argus_host:8154/authz
pepcli: certchain: /root/x509up_u1000005
pepcli: resourceid: myCE
pepcli: actionid: myA
pepcli: capath: /etc/grid-security/certificates/
pepcli: cert: /etc/grid-security/hostcert.pem
pepcli: key: /etc/grid-security/hostkey.pem
pepcli: authorize XACML request
libargus-pep: pep_authorize: PEP#0 sending XACML request to: https://our_argus_host:8154/authz
libargus-pep:ERROR: pep_authorize: PEP#0 sending XACML request failed: curl[35] SSL connect error.
pepcli:ERROR: failed to authorize XACML request: CURL processing error

On the glexec side:
$ glexec id -a
[gLExec]:  LCMAPS failed.
           The reason can be found in the syslog.

Jul  1 19:35:49 comp-c-021 glexec[8325]: Trying to read /etc/glexec.conf as 498(glexec)/498(glexec)
Jul  1 19:35:49 comp-c-021 glexec[8325]: lcmaps: lcmaps_x509_to_voms_fqans(): Generic verification error for VOMS (failure): AC not valid anymore.
Jul  1 19:35:49 comp-c-021 glexec[8325]: lcmaps: Error: Verifying proxy: Proxy certificate expired.
Jul  1 19:35:49 comp-c-021 glexec[8325]: lcmaps: Warning: Serial numbers do not match.
Jul  1 19:35:49 comp-c-021 glexec[8325]: lcmaps: Error: Verifying certificate chain: certificate has expired#012
Jul  1 19:35:49 comp-c-021 glexec[8325]: lcmaps: LCMAPS failed to do mapping and return account information
Jul  1 19:35:49 comp-c-021 glexec[8325]:   LCMAPS failed.

which seems a bit odd messages with proxy expired while it is quite alive and kicking:

$ voms-proxy-info
subject   : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=mario/CN=631445/CN=Mario Kadastik/CN=proxy
issuer    : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=mario/CN=631445/CN=Mario Kadastik
identity  : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=mario/CN=631445/CN=Mario Kadastik
type      : proxy
strength  : 1024 bits
path      : /tmp/sert1
timeleft  : 190:20:28

I have validated that the argus cert and key match and that the expiration date is in 2014. 

This is what I see in pepd log:
2013-07-01 15:44:29.636Z - ERROR [PKIVerifier] - Certificate verification: no trust anchor found.
2013-07-01 15:44:36.231Z - ERROR [PKIVerifier] - Cannot find issuer candidate for: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
2013-07-01 16:25:09.304Z - ERROR [PKIVerifier] - Certificate verification: no trust anchor found.
2013-07-01 16:33:48.719Z - ERROR [PKIVerifier] - Cannot find issuer candidate for: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US

Trying a simple curl against the ARGUS node I see this:

curl -v --capath /etc/grid-security/certificates/ -E /home/mario/x509up_u1000005 https://our_argus_host:8154/ 2>&1 |grep -v "failed to load"
* About to connect() to our_argus_host port 8154 (#0)
*   Trying xxxx... connected
* Connected to our_argus_host (xxxx) port 8154 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: /etc/grid-security/certificates/
* NSS: client certificate: PEM Token #1:x509up_u1000005
* 	subject: CN=proxy,CN=Mario Kadastik,CN=631445,CN=mario,OU=Users,OU=Organic Units,DC=cern,DC=ch
* 	start date: Jul 01 14:52:11 2013 GMT
* 	expire date: Jul 09 14:57:11 2013 GMT
* 	common name: proxy
* 	issuer: CN=Mario Kadastik,CN=631445,CN=mario,OU=Users,OU=Organic Units,DC=cern,DC=ch
* NSS error -12224
* Closing connection #0
* SSL connect error

curl: (35) SSL connect error

So I'm a bit confused how to debug this. Ideas are welcome as well as confirmations that ARGUS works fine with 2k key size :) Also, as right now glexec will be the sole use of argus (we've moved over to ARC CE from CREAMs so can't check if auth works from CREAM anymore) I can in theory update to a newer ARGUS version, but I'd like to get ideas what might be the root cause here.

Oh and I've checked, all nodes involved are in time sync. 

PS! I renamed in this e-mail our argus host FQDN to our_argus_host and its IP to xxxx just in case :) 

Mario Kadastik, PhD
Researcher

---
  "Physics is like sex, sure it may have practical reasons, but that's not why we do it" 
     -- Richard P. Feynman