Hi,
I'm a bit mystified by ARGUS... We're still running EMI-1 ARGUS and haven't really been using it that much or testing it, but I remember that this started a while ago when we had to replace the host certificate, and the new keys and certs that we can get are a minimum of 2048 bits in size. Once I did the swap it seemed that the CREAM CEs worked, so I didn't bother checking at the time why pepcli failed, but today I started to look again at why our glexec tests are failing and I can't figure out why LCMAPS fails due to SSL errors.
Here's what I see when I try the mapping on ARGUS itself using pepcli:
pepcli -v -p https://our_argus_host:8154/authz -r myCE -a myA -t 60 -x --capath /etc/grid-security/certificates/ --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem -c ~/x509up_u1000005
pepcli: pepd: https://our_argus_host:8154/authz
pepcli: certchain: /root/x509up_u1000005
pepcli: resourceid: myCE
pepcli: actionid: myA
pepcli: capath: /etc/grid-security/certificates/
pepcli: cert: /etc/grid-security/hostcert.pem
pepcli: key: /etc/grid-security/hostkey.pem
pepcli: authorize XACML request
libargus-pep: pep_authorize: PEP#0 sending XACML request to: https://our_argus_host:8154/authz
libargus-pep:ERROR: pep_authorize: PEP#0 sending XACML request failed: curl[35] SSL connect error.
pepcli:ERROR: failed to authorize XACML request: CURL processing error
On the glexec side:
$ glexec id -a
[gLExec]: LCMAPS failed.
The reason can be found in the syslog.
Jul 1 19:35:49 comp-c-021 glexec[8325]: Trying to read /etc/glexec.conf as 498(glexec)/498(glexec)
Jul 1 19:35:49 comp-c-021 glexec[8325]: lcmaps: lcmaps_x509_to_voms_fqans(): Generic verification error for VOMS (failure): AC not valid anymore.
Jul 1 19:35:49 comp-c-021 glexec[8325]: lcmaps: Error: Verifying proxy: Proxy certificate expired.
Jul 1 19:35:49 comp-c-021 glexec[8325]: lcmaps: Warning: Serial numbers do not match.
Jul 1 19:35:49 comp-c-021 glexec[8325]: lcmaps: Error: Verifying certificate chain: certificate has expired#012
Jul 1 19:35:49 comp-c-021 glexec[8325]: lcmaps: LCMAPS failed to do mapping and return account information
Jul 1 19:35:49 comp-c-021 glexec[8325]: LCMAPS failed.
which are rather odd messages, with the proxy reported as expired while it is quite alive and kicking:
$ voms-proxy-info
subject : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=mario/CN=631445/CN=Mario Kadastik/CN=proxy
issuer : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=mario/CN=631445/CN=Mario Kadastik
identity : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=mario/CN=631445/CN=Mario Kadastik
type : proxy
strength : 1024 bits
path : /tmp/sert1
timeleft : 190:20:28
I have validated that the argus cert and key match and that the expiration date is in 2014.
This is what I see in the pepd log:
2013-07-01 15:44:29.636Z - ERROR [PKIVerifier] - Certificate verification: no trust anchor found.
2013-07-01 15:44:36.231Z - ERROR [PKIVerifier] - Cannot find issuer candidate for: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
2013-07-01 16:25:09.304Z - ERROR [PKIVerifier] - Certificate verification: no trust anchor found.
2013-07-01 16:33:48.719Z - ERROR [PKIVerifier] - Cannot find issuer candidate for: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
Trying a simple curl against the ARGUS node I see this:
curl -v --capath /etc/grid-security/certificates/ -E /home/mario/x509up_u1000005 https://our_argus_host:8154/ 2>&1 |grep -v "failed to load"
* About to connect() to our_argus_host port 8154 (#0)
* Trying xxxx... connected
* Connected to our_argus_host (xxxx) port 8154 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: /etc/grid-security/certificates/
* NSS: client certificate: PEM Token #1:x509up_u1000005
* subject: CN=proxy,CN=Mario Kadastik,CN=631445,CN=mario,OU=Users,OU=Organic Units,DC=cern,DC=ch
* start date: Jul 01 14:52:11 2013 GMT
* expire date: Jul 09 14:57:11 2013 GMT
* common name: proxy
* issuer: CN=Mario Kadastik,CN=631445,CN=mario,OU=Users,OU=Organic Units,DC=cern,DC=ch
* NSS error -12224
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error
So I'm a bit confused about how to debug this. Ideas are welcome, as well as confirmations that ARGUS works fine with a 2k key size :) Also, as right now glexec will be the sole use of argus (we've moved over to ARC CE from CREAM, so I can't check whether auth works from CREAM anymore), I can in theory update to a newer ARGUS version, but I'd like to get ideas on what might be the root cause here.
Oh and I've checked, all nodes involved are in time sync.
PS! In this e-mail I renamed our argus host FQDN to our_argus_host and its IP to xxxx, just in case :)
Mario Kadastik, PhD
Researcher
---
"Physics is like sex, sure it may have practical reasons, but that's not why we do it"
-- Richard P. Feynman
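The pepd log in the mail above reports "no trust anchor found" and "Cannot find issuer candidate for: CN=UTN-USERFirst-Hardware, ...", meaning that a certificate in the host's chain names that CA as its issuer and no copy of it was found in the trust store pepd reads. The following sh script is an added example, not part of the original mail and not ARGUS or glexec code: it builds a throw-away root/intermediate/host PKI with the openssl CLI, lays the CA certificates out the way /etc/grid-security/certificates is laid out (one <subject_hash>.0 file per CA), and shows that chain verification fails while the intermediate is absent from the directory and succeeds once it is installed. It also prints the host key size so a 2048-bit key can be seen to pass the same check. It runs openssl against that directory layout rather than pepd's own Java verifier; all CA names, subjects and paths are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original mail): build a throw-away
# root -> intermediate -> host PKI with the openssl CLI and check the host
# certificate against a capath directory laid out like
# /etc/grid-security/certificates (<subject_hash>.0 files).
# All names and subjects below are constructed placeholders.
set -eu

# Create a root CA, an intermediate CA and a 2048-bit host certificate under $1.
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    # Self-signed root.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$dir/root.key" -out "$dir/root.pem" \
        -subj "/O=Example Trust/CN=Example Root CA" >/dev/null 2>&1
    # Intermediate: CSR signed by the root, flagged as a CA.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/inter.key" -out "$dir/inter.csr" \
        -subj "/O=Example Trust/CN=Example Intermediate CA" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/inter.ext"
    openssl x509 -req -days 2 -in "$dir/inter.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/inter.ext" -out "$dir/inter.pem" >/dev/null 2>&1
    # Host certificate (stand-in for hostcert.pem) signed by the intermediate.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/host.key" -out "$dir/host.csr" \
        -subj "/O=Example Site/CN=our_argus_host" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:our_argus_host\n' \
        > "$dir/host.ext"
    openssl x509 -req -days 2 -in "$dir/host.csr" \
        -CA "$dir/inter.pem" -CAkey "$dir/inter.key" -CAcreateserial \
        -extfile "$dir/host.ext" -out "$dir/host.pem" >/dev/null 2>&1
}

# Install CA certificate $2 into capath $1 under its subject-hash name.
install_ca() {
    mkdir -p "$1"
    cp "$2" "$1/$(openssl x509 -noout -subject_hash -in "$2").0"
}

# Succeed only if the whole chain of $2 can be built from capath $1 alone
# (-no-CAfile keeps the system bundle out of the picture).
chain_ok() {
    openssl verify -no-CAfile -CApath "$1" "$2" >/dev/null 2>&1
}

# Print openssl's reason for a failed verification, for example
# "unable to get local issuer certificate" when an issuer is missing.
chain_error() {
    openssl verify -no-CAfile -CApath "$1" "$2" 2>&1 \
        | sed -n 's/.*lookup: *//p' | head -n 1
}

# Print the public-key size of certificate $1 in bits.
key_bits() {
    openssl x509 -noout -pubkey -in "$1" | openssl pkey -pubin -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Stand-alone run: verify with only the root installed, then with both CAs.
demo() {
    work=$(mktemp -d)
    make_test_pki "$work/pki"
    install_ca "$work/capath" "$work/pki/root.pem"
    echo "host key: $(key_bits "$work/pki/host.pem") bits"
    if chain_ok "$work/capath" "$work/pki/host.pem"; then
        echo "root only: chain OK"
    else
        echo "root only: $(chain_error "$work/capath" "$work/pki/host.pem")"
    fi
    install_ca "$work/capath" "$work/pki/inter.pem"
    if chain_ok "$work/capath" "$work/pki/host.pem"; then
        echo "root + intermediate: chain OK"
    fi
    rm -rf "$work"
}

demo
```

The same `openssl verify -no-CAfile -CApath /etc/grid-security/certificates hostcert.pem` call applies to a real host certificate: a missing issuer shows up as "unable to get local issuer certificate" at the depth of the certificate whose issuer is absent, which is the condition to look for when the ARGUS service logs that it cannot find an issuer candidate.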