DanielaRegards,If the certificate directory you are now linking to is part of a standard UI, a mechanism (yum for the certificates + cron job for the crls) to update it should already be in place, so you shouldn't have to update it again.Hi Frederic,indeed they do, hence they should be installed separately. I try to allude to this in my instructions, but clearly not well enough. I'm tempted to list this as a prerequisite (i.e. install certificates and crl cron job first, before installing the dirac UI), I was just worried it might get to confusing.On 22 September 2015 at 10:53, Frederic Brochu <brochu@hep.phy.cam.ac.uk> wrote:Hi Daniela,
Yes, doing it solved all my problems.
Here is the output of dirac-proxy-init:
-sh-4.1$ dirac-proxy-init -g gridpp_user -M
Generating proxy...
Enter Certificate password:
Added VOMS attribute /gridpp
Uploading proxy for gridpp_user...
Proxy generated:
subject : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy/CN=proxy
issuer : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy
identity : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu
timeleft : 23:53:59
DIRAC group : gridpp_user
path : /tmp/x509up_u1008
username : frederic.brochu
properties : NormalUser
VOMS : True
VOMS fqan : ['/gridpp']
Proxies uploaded:
DN | Group | Until (GMT)
/C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu | gridpp_user | 2016/07/28 15:12
and the output of dirac-dms-add-file
dirac-dms-add-file /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 XRay_phaseSpace360_7 UKI-NORTHGRID-LIV-HEP-disk
Uploading /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7
Successfully uploaded file to UKI-NORTHGRID-LIV-HEP-disk
Thank you very much,
Frederic
P.S: This is however opening another can of worms, as I expect these certificates will require updates that are more frequent than dirac client updates.
On Tue, 22 Sep 2015, Daniela Bauer wrote:
Hi Frederic,
I think this might be related to the fact that the dirac ui has no way to
automatically update the certs, crls etc.
In your dirac UI, can you link etc/grid-security/certificates to whereever
your standard grid UI is getting these files from (possibly
/etc/grid-security/certificates or whatever X509_CERT_DIR is set to) and let
me know if that helps.
Cheers,
Daniela
On 22 September 2015 at 09:52, Frederic Brochu <brochu@hep.phy.cam.ac.uk>
wrote:
Dear all,
I am no longer able to copy and register files with
dirac-dms-add-file.
This command line used to work:
dirac-dms-add-file
/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_5
XRay_phaseSpace360_5 UKI-NORTHGRID-LIV-HEP-disk
But when I am doing it now with a different file, I am getting:
h-4.1$ dirac-dms-add-file
/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7
XRay_phaseSpace360_7 UKI-NORTHGRID-LIV-HEP-disk
Uploading
/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7
createDirectory: Failed to create directory on storage.
srm://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2?SFN=/dpm/ph.liv.ac.uk/home/
gridpp/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360:
SRM2Storage.__gfal_exec(gfal_ls): Execution failed. [SE][Ls][]
httpg://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2: CGSI-gSOAP
running on pcjp reports Error initializing context
GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
globus_gsi_gssapi: SSLv3 handshake problems
globus_gsi_callb
Error: failed to upload
/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7
to UKI-NORTHGRID-LIV-HEP-disk
This is also true for any other site.
Further to this, dirac-proxy-init also complains:
dirac-proxy-init -g gridpp_user -M
Generating proxy...
Enter Certificate password:
Could not add VOMS extensions to the proxy
Failed adding VOMS attribute: Failed to set VOMS attributes.
Command: voms-proxy-init -cert "/tmp/x509up_u1008" -key
"/tmp/x509up_u1008" -out "/tmp/brochu/tmpuSlB4v" -voms
"gridpp:/gridpp" -valid "23:54" -vomses
"/var/clus/usera/brochu/gridpp/dirac_ui/etc/grid-security/vomses";
StdOut: Your identity:
/C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy
Creating temporary proxy Done
Contacting voms.gridpp.ac.uk:15000
[/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk]
"gridpp" Failed
Trying next server for gridpp.
Creating temporary proxy Done
Contacting voms03.gridpp.ac.uk:15000
[/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk]
"gridpp" Failed
Trying next server for gridpp.
Creating temporary proxy Done
Contacting voms02.gridpp.ac.uk:15000
[/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk]
"gridpp" Failed
; StdErr: .....................................................
Error: Error during SSL
handshake:error:80066405:lib(128):verify_callback:outdated CRL
found, revoking all certs till you get new CRL:sslutils.c:2115
outdated CRL found, revoking all certs till you get new CRL
Function: verify_callback
error:80066411:lib(128):verify_callback:certificate failed
verify::sslutils.c:2318
error =CRL has expired
subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk
issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science
CA 2B
certificate failed verify:
error =CRL has expired
subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk
issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science
CA 2B
Function: verify_callback
error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed:s3_clnt.c:1172
certificate verify failed
Function: SSL3_GET_SERVER_CERTIFICATE
.....................................................
Error: Error during SSL
handshake:error:80066405:lib(128):verify_callback:outdated CRL
found, revoking all certs till you get new CRL:sslutils.c:2115
outdated CRL found, revoking all certs till you get new CRL
Function: verify_callback
error:80066411:lib(128):verify_callback:certificate failed
verify::sslutils.c:2318
error =CRL has expired
subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk
issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science
CA 2B
certificate failed verify:
error =CRL has expired
subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk
issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science
CA 2B
Function: verify_callback
error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed:s3_clnt.c:1172
certificate verify failed
Function: SSL3_GET_SERVER_CERTIFICATE
None of the contacted servers for gridpp were capable
of returning a valid AC for the user.
Are you sure you are properly registered in the VO?
Uploading proxy for gridpp_user...
Proxy generated:
subject : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic
brochu/CN=proxy
issuer : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic
brochu
identity : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic
brochu
timeleft : 23:59:58
DIRAC group : gridpp_user
path : /tmp/x509up_u1008
username : frederic.brochu
properties : NormalUser
Proxies uploaded:
DN | Group
| Until (GMT)
/C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu |
gridpp_user | 2016/07/28 15:12
On the other hand, voms-proxy-init works a charm:
-sh-4.1$ voms-proxy-init -voms gridpp
Enter GRID pass phrase for this identity:
Contacting voms03.gridpp.ac.uk:15000
[/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk]
"gridpp"...
Remote VOMS server contacted succesfully.
Created proxy in /tmp/x509up_u1008.
Your proxy is valid until Tue Sep 22 21:48:30 BST 2015
All this is only affecting my ability to upload and register
data to storage elements. Job submission and output collection
are still working fine.
Any idea? I am using the dirac version mentioned in the subject.
Best regards,
Frederic
--
_______________________________________________
Gridpp-Dirac-Users mailing list
Gridpp-Dirac-Users@imperial.ac.uk
https://mailman.ic.ac.uk/mailman/listinfo/gridpp-dirac-users
--
Sent from the pit of despair
-----------------------------------------------------------
daniela.bauer@imperial.ac.uk
HEP Group/Physics Dep
Imperial College
London, SW7 2BW
Tel: +44-(0)20-75947810
http://www.hep.ph.ic.ac.uk/~dbauer/
--Sent from the pit of despair
-----------------------------------------------------------
daniela.bauer@imperial.ac.uk
HEP Group/Physics Dep
Imperial College
London, SW7 2BW
Tel: +44-(0)20-75947810
http://www.hep.ph.ic.ac.uk/~dbauer/