Hi Steve,

Actually, just from reading the initial error message in the first email in this thread, the issue that Frederic had was precisely with CRL freshness and not the CAs themselves (and Daniela actually does mention that in her reply). It so happens that the dirac tool for "getting CAs" also gets an up-to-date CRL for each CA cert as well, which is what fixes the problem in this instance.

(Most, if not all, tools which rely on X509 authentication will reject CA chains with a stale CRL for that CA, as they can't guarantee that the cert presented has not been revoked since the last time they refreshed the CRL. That's what was happening here.)

Sam

On Tue, 22 Sep 2015 at 15:47 Stephen Jones <sjones@hep.ph.liv.ac.uk> wrote:
Hi Sam,
Fetch-crl is (I think) another thing to think about. I believe CRLs are put out in order to ban bad apples. We update them on systems that might do user authentication, i.e. our CEs, WNs, our ARGUS server and our DPM systems. Since we use ARGUS for the CEs and WNs, I suspect fetch-crl is not needed there. But it happens, for historical reasons.
But do UIs need fetch-crl? Who knows the most about this sort of thing?
In any case, just to make it work, it looks like we need the CAs to be done 'now and again'.
Cheers,
Steve
On 09/22/2015 02:38 PM, Sam Skipsey wrote:
Hi,
So, certainly, the CRLs should be updated on at least a 24 hour basis (most services with a fetch-crl actually do it every 8 hours or so). Running it once at the start of the day should probably be sufficient?
Sam
On Tue, 22 Sep 2015 at 14:36 Raja Nandakumar <raja.nandakumar@cern.ch> wrote:
Apologies for butting in - but the CAs are supposed to be updated on a daily basis I understand. Maybe so too the cron?
Cheers, Raja.
On 22/09/15 14:33, Stephen Jones wrote:
> Hi Daniela,
>
> Re: instructions
>
> Suggest we mention cron to make it clear, e.g.
>
> -------------
> If there is no regularly maintained set of CAs available, run the following command periodically (e.g. with a cron):
> # source bashrc; dirac-admin-get-CAs
> -------------
>
> But how often do you suggest?
>
> Cheers,
>
> Steve
>
> On 09/22/2015 10:58 AM, Daniela Bauer wrote:
>> Hi Frederic,
>>
>> indeed they do, hence they should be installed separately. I try to allude to this in my instructions, but clearly not well enough. I'm tempted to list this as a prerequisite (i.e. install certificates and crl cron job first, before installing the dirac UI), I was just worried it might get too confusing.
>> If the certificate directory you are now linking to is part of a standard UI, a mechanism (yum for the certificates + cron job for the crls) to update it should already be in place, so you shouldn't have to update it again.
>>
>> Regards,
>> Daniela
>>
>> On 22 September 2015 at 10:53, Frederic Brochu <brochu@hep.phy.cam.ac.uk> wrote:
>>
>> Hi Daniela,
>>
>> Yes, doing it solved all my problems.
>> Here is the output of dirac-proxy-init:
>> -sh-4.1$ dirac-proxy-init -g gridpp_user -M
>> Generating proxy...
>> Enter Certificate password:
>> Added VOMS attribute /gridpp
>> Uploading proxy for gridpp_user...
>> Proxy generated:
>> subject : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy/CN=proxy
>> issuer : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy
>> identity : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu
>> timeleft : 23:53:59
>> DIRAC group : gridpp_user
>> path : /tmp/x509up_u1008
>> username : frederic.brochu
>> properties : NormalUser
>> VOMS : True
>> VOMS fqan : ['/gridpp']
>>
>> Proxies uploaded:
>> DN | Group | Until (GMT)
>> /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu | gridpp_user | 2016/07/28 15:12
>>
>> and the output of dirac-dms-add-file
>> dirac-dms-add-file /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 XRay_phaseSpace360_7 UKI-NORTHGRID-LIV-HEP-disk
>>
>> Uploading /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7
>> Successfully uploaded file to UKI-NORTHGRID-LIV-HEP-disk
>>
>>
>> Thank you very much,
>>
>> Frederic
>>
>> P.S: This is however opening another can of worms, as I expect these certificates will require updates that are more frequent than dirac client updates.
>>
>>
>>
>> On Tue, 22 Sep 2015, Daniela Bauer wrote:
>>
>> Hi Frederic,
>>
>> I think this might be related to the fact that the dirac ui has no way to automatically update the certs, crls etc.
>> In your dirac UI, can you link etc/grid-security/certificates to wherever your standard grid UI is getting these files from (possibly /etc/grid-security/certificates or whatever X509_CERT_DIR is set to) and let me know if that helps.
>>
>> Cheers,
>> Daniela
>>
>>
>>
>> On 22 September 2015 at 09:52, Frederic Brochu <brochu@hep.phy.cam.ac.uk> wrote:
>> Dear all,
>>
>> I am no longer able to copy and register files with dirac-dms-add-file.
>>
>> This command line used to work:
>> dirac-dms-add-file /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_5 XRay_phaseSpace360_5 UKI-NORTHGRID-LIV-HEP-disk
>>
>> But when I am doing it now with a different file, I am getting:
>>
>> h-4.1$ dirac-dms-add-file /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 XRay_phaseSpace360_7 UKI-NORTHGRID-LIV-HEP-disk
>>
>> Uploading /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7
>> createDirectory: Failed to create directory on storage. srm://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2?SFN=/dpm/ph.liv.ac.uk/home/gridpp/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360: SRM2Storage.__gfal_exec(gfal_ls): Execution failed. [SE][Ls][] httpg://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2: CGSI-gSOAP running on pcjp reports Error initializing context
>> GSS Major Status: Authentication Failed
>>
>> GSS Minor Status Error Chain:
>> globus_gsi_gssapi: SSLv3 handshake problems
>> globus_gsi_callb
>> Error: failed to upload /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 to UKI-NORTHGRID-LIV-HEP-disk
>>
>> This is also true for any other site.
>>
>> Further to this, dirac-proxy-init also complains:
>>
>> dirac-proxy-init -g gridpp_user -M
>> Generating proxy...
>> Enter Certificate password:
>> Could not add VOMS extensions to the proxy
>> Failed adding VOMS attribute: Failed to set VOMS attributes. Command: voms-proxy-init -cert "/tmp/x509up_u1008" -key "/tmp/x509up_u1008" -out "/tmp/brochu/tmpuSlB4v" -voms "gridpp:/gridpp" -valid "23:54" -vomses "/var/clus/usera/brochu/gridpp/dirac_ui/etc/grid-security/vomses"; StdOut: Your identity: /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy
>> Creating temporary proxy Done
>> Contacting voms.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk] "gridpp" Failed
>>
>> Trying next server for gridpp.
>> Creating temporary proxy Done
>> Contacting voms03.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk] "gridpp" Failed
>>
>> Trying next server for gridpp.
>> Creating temporary proxy Done
>> Contacting voms02.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk] "gridpp" Failed
>> ; StdErr:
>> .....................................................
>> Error: Error during SSL handshake:error:80066405:lib(128):verify_callback:outdated CRL found, revoking all certs till you get new CRL:sslutils.c:2115
>> outdated CRL found, revoking all certs till you get new CRL
>> Function: verify_callback
>> error:80066411:lib(128):verify_callback:certificate failed verify::sslutils.c:2318
>> error =CRL has expired
>>
>> subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk
>> issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B
>> certificate failed verify:
>> error =CRL has expired
>>
>> subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk
>> issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B
>> Function: verify_callback
>> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1172
>> certificate verify failed
>> Function: SSL3_GET_SERVER_CERTIFICATE
>>
>> .....................................................
>> Error: Error during SSL handshake:error:80066405:lib(128):verify_callback:outdated CRL found, revoking all certs till you get new CRL:sslutils.c:2115
>> outdated CRL found, revoking all certs till you get new CRL
>> Function: verify_callback
>> error:80066411:lib(128):verify_callback:certificate failed verify::sslutils.c:2318
>> error =CRL has expired
>>
>> subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk
>> issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B
>> certificate failed verify:
>> error =CRL has expired
>>
>> subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk
>> issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B
>> Function: verify_callback
>> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1172
>> certificate verify failed
>> Function: SSL3_GET_SERVER_CERTIFICATE
>>
>> None of the contacted servers for gridpp were capable of returning a valid AC for the user.
>>
>>
>> Are you sure you are properly registered in the VO?
>> Uploading proxy for gridpp_user...
>> Proxy generated:
>> subject : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy
>> issuer : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu
>> identity : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu
>> timeleft : 23:59:58
>> DIRAC group : gridpp_user
>> path : /tmp/x509up_u1008
>> username : frederic.brochu
>> properties : NormalUser
>> Proxies uploaded:
>> DN | Group | Until (GMT)
>> /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu | gridpp_user | 2016/07/28 15:12
>>
>>
>> On the other hand, voms-proxy-init works a charm:
>> -sh-4.1$ voms-proxy-init -voms gridpp
>> Enter GRID pass phrase for this identity:
>> Contacting voms03.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk] "gridpp"...
>> Remote VOMS server contacted succesfully.
>>
>>
>> Created proxy in /tmp/x509up_u1008.
>>
>> Your proxy is valid until Tue Sep 22 21:48:30 BST 2015
>>
>>
>> All this is only affecting my ability to upload and register data to storage elements. Job submission and output collection are still working fine.
>>
>> Any idea? I am using the dirac version mentioned in the subject.
>>
>> Best regards,
>>
>> Frederic
>>
>>
>> --
>> _______________________________________________
>> Gridpp-Dirac-Users mailing list
>> Gridpp-Dirac-Users@imperial.ac.uk
>> https://mailman.ic.ac.uk/mailman/listinfo/gridpp-dirac-users
>>
>>
>>
>>
>> --
>> Sent from the pit of despair
>>
>> -----------------------------------------------------------
>> daniela.bauer@imperial.ac.uk
>> HEP Group/Physics Dep
>> Imperial College
>> London, SW7 2BW
>> Tel: +44-(0)20-75947810
>> http://www.hep.ph.ic.ac.uk/~dbauer/
--
Steve Jones                         sjones@hep.ph.liv.ac.uk
Grid System Administrator           office: 220
High Energy Physics Division        tel (int): 43396
Oliver Lodge Laboratory             tel (ext): +44 (0)151 794 3396
University of Liverpool             http://www.liv.ac.uk/physics/hep/
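The failure mode in this thread ("outdated CRL found, revoking all certs till you get new CRL") is something a UI owner can check for locally, without waiting for a handshake to fail. The script below is an added example, not code from the thread or from DIRAC, fetch-crl or Globus: it uses only the Python standard library to read the `nextUpdate` field out of each `<hash>.r0` CRL file in a certificates directory (the PEM layout fetch-crl writes next to the CA files) and lists the ones whose validity has passed. The two sample CRLs, their hash-style file names and the temporary directory are constructed for the demonstration; the sample CRLs carry a dummy signature and an empty issuer, so only the time fields are meaningful.

```python
"""List stale CRLs (nextUpdate in the past) in an X.509 trust-anchor directory.

Stdlib only. The sample CRLs built by make_sample_crl() are constructed test
data, not real CA output."""
import base64
import datetime as dt
import os
import tempfile


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element that starts at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _encode_tlv(tag, value):
    """DER-encode one element; only used to build the constructed sample CRLs."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _parse_time(tag, value):
    """Decode an X.509 Time: UTCTime (tag 0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)


def load_der(data):
    """Accept a CRL as DER or PEM bytes (fetch-crl writes PEM) and return the DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(line for line in data.splitlines() if not line.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def crl_validity(der):
    """Return (thisUpdate, nextUpdate) from a DER CertificateList (RFC 5280, 5.1).

    TBSCertList ::= SEQUENCE { version INTEGER OPTIONAL, signature AlgorithmIdentifier,
                               issuer Name, thisUpdate Time, nextUpdate Time OPTIONAL, ... }"""
    _, crl, _ = _read_tlv(der, 0)            # CertificateList SEQUENCE
    _, tbs, _ = _read_tlv(crl, 0)            # tbsCertList SEQUENCE
    pos = 0
    tag, _, nxt = _read_tlv(tbs, pos)
    if tag == 0x02:                          # optional version INTEGER
        pos = nxt
    _, _, pos = _read_tlv(tbs, pos)          # signature AlgorithmIdentifier (skipped)
    _, _, pos = _read_tlv(tbs, pos)          # issuer Name (skipped)
    tag, val, pos = _read_tlv(tbs, pos)      # thisUpdate
    this_update = _parse_time(tag, val)
    next_update = None                       # absent nextUpdate is allowed by the spec
    if pos < len(tbs):
        tag, val, _ = _read_tlv(tbs, pos)
        if tag in (0x17, 0x18):
            next_update = _parse_time(tag, val)
    return this_update, next_update


def crl_is_fresh(data, now=None):
    """True if nextUpdate is still in the future; a CRL without nextUpdate counts as stale."""
    now = now or dt.datetime.now(dt.timezone.utc)
    _, next_update = crl_validity(load_der(data))
    return next_update is not None and now < next_update


def stale_crls(cert_dir, now=None):
    """Names of the <hash>.r0 CRL files in cert_dir whose nextUpdate has passed."""
    now = now or dt.datetime.now(dt.timezone.utc)
    stale = []
    for name in sorted(os.listdir(cert_dir)):
        if name.endswith(".r0"):
            with open(os.path.join(cert_dir, name), "rb") as f:
                if not crl_is_fresh(f.read(), now):
                    stale.append(name)
    return stale


def make_sample_crl(this_update, next_update):
    """Constructed minimal CRL: v2, sha256WithRSAEncryption OID, empty issuer, dummy signature."""
    def utc(t):
        return _encode_tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    alg = _encode_tlv(0x30, _encode_tlv(0x06, bytes.fromhex("2A864886F70D01010B")))
    tbs = _encode_tlv(0x30, _encode_tlv(0x02, b"\x01") + alg + _encode_tlv(0x30, b"")
                      + utc(this_update) + utc(next_update))
    return _encode_tlv(0x30, tbs + alg + _encode_tlv(0x03, b"\x00"))


def to_pem(der):
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN X509 CRL-----\n" + b"\n".join(lines) + b"\n-----END X509 CRL-----\n"


def demo(now=dt.datetime(2015, 9, 22, 10, 0, tzinfo=dt.timezone.utc)):
    """Write one fresh and one expired constructed CRL (made-up hash names) into a
    temporary certificates directory and return the stale ones."""
    cert_dir = tempfile.mkdtemp(prefix="certificates-")
    samples = {
        "aabbccdd.r0": make_sample_crl(now - dt.timedelta(hours=8), now + dt.timedelta(days=1)),
        "11223344.r0": make_sample_crl(now - dt.timedelta(days=10), now - dt.timedelta(days=3)),
    }
    for name, der in samples.items():
        with open(os.path.join(cert_dir, name), "wb") as f:
            f.write(to_pem(der))
    return stale_crls(cert_dir, now)


if __name__ == "__main__":
    print("stale CRLs:", demo())   # stale CRLs: ['11223344.r0']
```

Pointed at a real directory (`stale_crls(os.environ.get("X509_CERT_DIR", "/etc/grid-security/certificates"))`), an empty list means the CRLs a verifier will load are still inside their validity window; any name returned is a CA whose certificates will be rejected exactly as in Frederic's handshake errors, and is the signal that the fetch-crl cron job (or `dirac-admin-get-CAs`) has not run recently enough. Treating a missing `nextUpdate` as stale is a deliberate conservative choice, since most CRL checkers refuse a CRL they cannot bound in time.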