Apologies for butting in - but the CAs are supposed to be updated on a daily basis I understand. Maybe so too the cron?
Cheers,
Raja.
On 22/09/15 14:33, Stephen Jones wrote:
> Hi Daniela,
>
> Re: instructions
>
> Suggest we mention cron to make it clear, e.g.
>
> -------------
> If there is no regularly maintained set of CAs available, run the following command periodically (e.g. with a cron):
> # source bashrc; dirac-admin-get-CAs
> -------------
>
> But how often do you suggest?
>
> Cheers,
>
> Steve
>
>
>
> On 09/22/2015 10:58 AM, Daniela Bauer wrote:
>> Hi Frederic,
>>
>> indeed they do, hence they should be installed separately. I try to allude to this in my instructions, but clearly not well enough. I'm tempted to list this as a prerequisite (i.e. install certificates and crl cron job first, before installing the dirac UI), I was just worried it might get too confusing.
>> If the certificate directory you are now linking to is part of a standard UI, a mechanism (yum for the certificates + cron job for the crls) to update it should already be in place, so you shouldn't have to update it again.
>>
>> Regards,
>> Daniela
>>
>> On 22 September 2015 at 10:53, Frederic Brochu <brochu@hep.phy.cam.ac.uk> wrote:
>>
>> Hi Daniela,
>>
>> Yes, doing it solved all my problems.
>> Here is the output of dirac-proxy-init:
>> -sh-4.1$ dirac-proxy-init -g gridpp_user -M
>> Generating proxy...
>> Enter Certificate password:
>> Added VOMS attribute /gridpp
>> Uploading proxy for gridpp_user...
>> Proxy generated:
>> subject : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy/CN=proxy
>> issuer : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy
>> identity : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu
>> timeleft : 23:53:59
>> DIRAC group : gridpp_user
>> path : /tmp/x509up_u1008
>> username : frederic.brochu
>> properties : NormalUser
>> VOMS : True
>> VOMS fqan : ['/gridpp']
>>
>> Proxies uploaded:
>> DN | Group | Until (GMT)
>> /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu | gridpp_user | 2016/07/28 15:12
>>
>> and the output of dirac-dms-add-file
>> dirac-dms-add-file /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 XRay_phaseSpace360_7 UKI-NORTHGRID-LIV-HEP-disk
>>
>> Uploading /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7
>> Successfully uploaded file to UKI-NORTHGRID-LIV-HEP-disk
>>
>>
>> Thank you very much,
>>
>> Frederic
>>
>> P.S: This is however opening another can of worms, as I expect
>> these certificates will require updates that are more frequent
>> than dirac client updates.
>>
>>
>>
>> On Tue, 22 Sep 2015, Daniela Bauer wrote:
>>
>> Hi Frederic,
>>
>> I think this might be related to the fact that the dirac ui has no way to automatically update the certs, crls etc.
>> In your dirac UI, can you link etc/grid-security/certificates to wherever your standard grid UI is getting these files from (possibly /etc/grid-security/certificates or whatever X509_CERT_DIR is set to) and let me know if that helps.
>>
>> Cheers,
>> Daniela
>>
>>
>>
>> On 22 September 2015 at 09:52, Frederic Brochu <brochu@hep.phy.cam.ac.uk> wrote:
>> Dear all,
>>
>> I am no longer able to copy and register files with
>> dirac-dms-add-file.
>>
>> This command line used to work:
>> dirac-dms-add-file /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_5 XRay_phaseSpace360_5 UKI-NORTHGRID-LIV-HEP-disk
>>
>> But when I am doing it now with a different file, I am
>> getting:
>>
>> h-4.1$ dirac-dms-add-file /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 XRay_phaseSpace360_7 UKI-NORTHGRID-LIV-HEP-disk
>>
>> Uploading /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7
>> createDirectory: Failed to create directory on storage.
>> srm://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2?SFN=/dpm/ph.liv.ac.uk/home/gridpp/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360: SRM2Storage.__gfal_exec(gfal_ls): Execution failed.
>> [SE][Ls][] httpg://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2: CGSI-gSOAP running on pcjp reports Error initializing context
>> GSS Major Status: Authentication Failed
>>
>> GSS Minor Status Error Chain:
>> globus_gsi_gssapi: SSLv3 handshake problems
>> globus_gsi_callb
>> Error: failed to upload /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 to UKI-NORTHGRID-LIV-HEP-disk
>>
>> This is also true for any other site.
>>
>> Further to this, dirac-proxy-init also complains:
>>
>> dirac-proxy-init -g gridpp_user -M
>> Generating proxy...
>> Enter Certificate password:
>> Could not add VOMS extensions to the proxy
>> Failed adding VOMS attribute: Failed to set VOMS attributes.
>> Command: voms-proxy-init -cert "/tmp/x509up_u1008" -key "/tmp/x509up_u1008" -out "/tmp/brochu/tmpuSlB4v" -voms "gridpp:/gridpp" -valid "23:54" -vomses "/var/clus/usera/brochu/gridpp/dirac_ui/etc/grid-security/vomses";
>> StdOut: Your identity: /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy
>> Creating temporary proxy Done
>> Contacting voms.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk] "gridpp" Failed
>>
>> Trying next server for gridpp.
>> Creating temporary proxy Done
>> Contacting voms03.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk] "gridpp" Failed
>>
>> Trying next server for gridpp.
>> Creating temporary proxy Done
>> Contacting voms02.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk] "gridpp" Failed
>> ; StdErr:
>> .....................................................
>> Error: Error during SSL handshake:error:80066405:lib(128):verify_callback:outdated CRL found, revoking all certs till you get new CRL:sslutils.c:2115
>> outdated CRL found, revoking all certs till you get new CRL
>> Function: verify_callback
>> error:80066411:lib(128):verify_callback:certificate failed verify::sslutils.c:2318
>> error =CRL has expired
>>
>> subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk
>> issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B
>> certificate failed verify:
>> error =CRL has expired
>>
>> subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk
>> issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B
>> Function: verify_callback
>> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1172
>> certificate verify failed
>> Function: SSL3_GET_SERVER_CERTIFICATE
>>
>> .....................................................
>> Error: Error during SSL handshake:error:80066405:lib(128):verify_callback:outdated CRL found, revoking all certs till you get new CRL:sslutils.c:2115
>> outdated CRL found, revoking all certs till you get new CRL
>> Function: verify_callback
>> error:80066411:lib(128):verify_callback:certificate failed verify::sslutils.c:2318
>> error =CRL has expired
>>
>> subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk
>> issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B
>> certificate failed verify:
>> error =CRL has expired
>>
>> subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk
>> issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B
>> Function: verify_callback
>> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1172
>> certificate verify failed
>> Function: SSL3_GET_SERVER_CERTIFICATE
>>
>> None of the contacted servers for gridpp were capable
>> of returning a valid AC for the user.
>>
>>
>> Are you sure you are properly registered in the VO?
>> Uploading proxy for gridpp_user...
>> Proxy generated:
>> subject : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy
>> issuer : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu
>> identity : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu
>> timeleft : 23:59:58
>> DIRAC group : gridpp_user
>> path : /tmp/x509up_u1008
>> username : frederic.brochu
>> properties : NormalUser
>> Proxies uploaded:
>> DN | Group | Until (GMT)
>> /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu | gridpp_user | 2016/07/28 15:12
>>
>>
>> On the other hand, voms-proxy-init works a charm:
>> -sh-4.1$ voms-proxy-init -voms gridpp
>> Enter GRID pass phrase for this identity:
>> Contacting voms03.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk] "gridpp"...
>> Remote VOMS server contacted succesfully.
>>
>>
>> Created proxy in /tmp/x509up_u1008.
>>
>> Your proxy is valid until Tue Sep 22 21:48:30 BST 2015
>>
>>
>> All this is only affecting my ability to upload and register
>> data to storage elements. Job submission and output
>> collection
>> are still working fine.
>>
>> Any idea? I am using the dirac version mentioned in the
>> subject.
>>
>> Best regards,
>>
>> Frederic
>>
>>
>> --
>> _______________________________________________
>> Gridpp-Dirac-Users mailing list
>> Gridpp-Dirac-Users@imperial.ac.uk
>> https://mailman.ic.ac.uk/mailman/listinfo/gridpp-dirac-users
>>
>>
>>
>>
>> --
>> Sent from the pit of despair
>>
>> -----------------------------------------------------------
>> daniela.bauer@imperial.ac.uk
>> HEP Group/Physics Dep
>> Imperial College
>> London, SW7 2BW
>> Tel: +44-(0)20-75947810
>> http://www.hep.ph.ic.ac.uk/~dbauer/
>>
>
>
--
_______________________________________________
Gridpp-Dirac-Users mailing list
Gridpp-Dirac-Users@imperial.ac.uk
https://mailman.ic.ac.uk/mailman/listinfo/gridpp-dirac-users
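
Added example (not part of the thread and not DIRAC code): a check that could run from cron alongside the CRL update to flag the "outdated CRL found" condition before clients start failing handshakes. It assumes CRLs are stored as PEM files named `*.r0` in the certificates directory and that the `openssl` command is installed; the function names and the 24-hour warning window are choices made for this illustration.

```python
"""Report expired or soon-to-expire CRLs in a grid certificates directory."""
import glob
import os
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample of what `openssl crl -noout -nextupdate` prints.
SAMPLE_LINE = "nextUpdate=Sep 22 08:00:00 2015 GMT"

def parse_next_update(line):
    """Return the nextUpdate time as an aware UTC datetime, or None."""
    key, _, value = line.strip().partition("=")
    if key != "nextUpdate":
        return None
    try:
        stamp = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    except ValueError:          # e.g. "NONE" or truncated output
        return None
    return stamp.replace(tzinfo=timezone.utc)

def classify(next_update, now, warn=timedelta(hours=24)):
    """Map a nextUpdate time to ok / expiring / expired / unknown."""
    if next_update is None:
        return "unknown"
    if next_update <= now:
        return "expired"        # clients will reject every cert from this CA
    if next_update - now <= warn:
        return "expiring"       # the update job has probably stopped running
    return "ok"

def scan(cert_dir, now=None):
    """Classify every *.r0 CRL (assumed naming) found in cert_dir."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for path in sorted(glob.glob(os.path.join(cert_dir, "*.r0"))):
        proc = subprocess.run(
            ["openssl", "crl", "-in", path, "-noout", "-nextupdate"],
            capture_output=True, text=True)
        stamp = parse_next_update(proc.stdout) if proc.returncode == 0 else None
        report[path] = classify(stamp, now)
    return report

if __name__ == "__main__":
    cert_dir = os.environ.get("X509_CERT_DIR", "/etc/grid-security/certificates")
    bad = {p: s for p, s in scan(cert_dir).items() if s != "ok"}
    for path, status in bad.items():
        print(f"{status:9s} {path}")
    raise SystemExit(1 if bad else 0)   # non-zero exit lets cron mail the report
```

Point `X509_CERT_DIR` at the DIRAC UI's own `etc/grid-security/certificates` to check the copy the client actually reads.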