@Steve: Whenever it stops working :-D
[insert rant from Simon about my flippant attitude to security here]

As for Raja's questions, I think Frederic got caught out by the crls rather than the CAs, the dirac-admin-get-CAs command will update both. I don't think the average user cares and I can't imagine a sysadmin who has an up-to-date CA directory, but doesn't update the crls. My UI certainly updates its crls every 6 h. If someone bans one of my users I don't want to be the one allowing them to escape into the wild.

Cheers,
Daniela

On 22 September 2015 at 14:33, Stephen Jones <sjones@hep.ph.liv.ac.uk> wrote:
Hi Daniela,
Re: instructions
Suggest we mention cron to make it clear, e.g.
-------------
If there is no regularly maintained set of CAs available, run the following command periodically (e.g. with a cron):
# source bashrc; dirac-admin-get-CAs
-------------
But how often do you suggest?
Cheers,
Steve
On 09/22/2015 10:58 AM, Daniela Bauer wrote:
Hi Frederic,
indeed they do, hence they should be installed separately. I try to allude to this in my instructions, but clearly not well enough. I'm tempted to list this as a prerequisite (i.e. install certificates and crl cron job first, before installing the dirac UI), I was just worried it might get too confusing. If the certificate directory you are now linking to is part of a standard UI, a mechanism (yum for the certificates + cron job for the crls) to update it should already be in place, so you shouldn't have to update it again.
Regards, Daniela
On 22 September 2015 at 10:53, Frederic Brochu <brochu@hep.phy.cam.ac.uk> wrote:
Hi Daniela,
Yes, doing it solved all my problems. Here is the output of dirac-proxy-init:

-sh-4.1$ dirac-proxy-init -g gridpp_user -M
Generating proxy...
Enter Certificate password:
Added VOMS attribute /gridpp
Uploading proxy for gridpp_user...
Proxy generated:
subject : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy/CN=proxy
issuer : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy
identity : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu
timeleft : 23:53:59
DIRAC group : gridpp_user
path : /tmp/x509up_u1008
username : frederic.brochu
properties : NormalUser
VOMS : True
VOMS fqan : ['/gridpp']

Proxies uploaded:
DN | Group | Until (GMT)
/C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu | gridpp_user | 2016/07/28 15:12

and the output of dirac-dms-add-file

dirac-dms-add-file /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 XRay_phaseSpace360_7 UKI-NORTHGRID-LIV-HEP-disk

Uploading /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7
Successfully uploaded file to UKI-NORTHGRID-LIV-HEP-disk
Thank you very much,
Frederic
P.S: This is however opening another can of worms, as I expect these certificates will require updates that are more frequent than dirac client updates.
On Tue, 22 Sep 2015, Daniela Bauer wrote:
Hi Frederic,
I think this might be related to the fact that the dirac ui has no way to automatically update the certs, crls etc. In your dirac UI, can you link etc/grid-security/certificates to wherever your standard grid UI is getting these files from (possibly /etc/grid-security/certificates or whatever X509_CERT_DIR is set to) and let me know if that helps.
Cheers, Daniela
On 22 September 2015 at 09:52, Frederic Brochu <brochu@hep.phy.cam.ac.uk> wrote:
Dear all,

I am no longer able to copy and register files with dirac-dms-add-file.

This command line used to work:
dirac-dms-add-file /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_5 XRay_phaseSpace360_5 UKI-NORTHGRID-LIV-HEP-disk

But when I am doing it now with a different file, I am getting:

h-4.1$ dirac-dms-add-file /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 XRay_phaseSpace360_7 UKI-NORTHGRID-LIV-HEP-disk
Uploading /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7
createDirectory: Failed to create directory on storage.
srm://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2?SFN=/dpm/ph.liv.ac.uk/home/gridpp/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360: SRM2Storage.__gfal_exec(gfal_ls): Execution failed.
[SE][Ls][] httpg://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2: CGSI-gSOAP running on pcjp reports Error initializing context
GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
globus_gsi_gssapi: SSLv3 handshake problems
globus_gsi_callb
Error: failed to upload /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 to UKI-NORTHGRID-LIV-HEP-disk
This is also true for any other site.
Further to this, dirac-proxy-init also complains:
dirac-proxy-init -g gridpp_user -M
Generating proxy...
Enter Certificate password:
Could not add VOMS extensions to the proxy
Failed adding VOMS attribute: Failed to set VOMS attributes. Command: voms-proxy-init -cert "/tmp/x509up_u1008" -key "/tmp/x509up_u1008" -out "/tmp/brochu/tmpuSlB4v" -voms "gridpp:/gridpp" -valid "23:54" -vomses "/var/clus/usera/brochu/gridpp/dirac_ui/etc/grid-security/vomses"; StdOut: Your identity: /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy
Creating temporary proxy Done
Contacting voms.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk] "gridpp" Failed

Trying next server for gridpp.
Creating temporary proxy Done
Contacting voms03.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk] "gridpp" Failed

Trying next server for gridpp.
Creating temporary proxy Done
Contacting voms02.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk] "gridpp" Failed
; StdErr: .....................................................
Error: Error during SSL handshake:error:80066405:lib(128):verify_callback:outdated CRL found, revoking all certs till you get new CRL:sslutils.c:2115
outdated CRL found, revoking all certs till you get new CRL
Function: verify_callback
error:80066411:lib(128):verify_callback:certificate failed verify::sslutils.c:2318
error =CRL has expired
subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk
issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B
certificate failed verify: error =CRL has expired
subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk
issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B
Function: verify_callback
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1172
certificate verify failed
Function: SSL3_GET_SERVER_CERTIFICATE

.....................................................
Error: Error during SSL handshake:error:80066405:lib(128):verify_callback:outdated CRL found, revoking all certs till you get new CRL:sslutils.c:2115
outdated CRL found, revoking all certs till you get new CRL
Function: verify_callback
error:80066411:lib(128):verify_callback:certificate failed verify::sslutils.c:2318
error =CRL has expired
subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk
issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B
certificate failed verify: error =CRL has expired
subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk
issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B
Function: verify_callback
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1172
certificate verify failed
Function: SSL3_GET_SERVER_CERTIFICATE

None of the contacted servers for gridpp were capable of returning a valid AC for the user.
Are you sure you are properly registered in the VO?
Uploading proxy for gridpp_user...
Proxy generated:
subject : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy
issuer : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu
identity : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu
timeleft : 23:59:58
DIRAC group : gridpp_user
path : /tmp/x509up_u1008
username : frederic.brochu
properties : NormalUser
Proxies uploaded:
DN | Group | Until (GMT)
/C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu | gridpp_user | 2016/07/28 15:12
On the other hand, voms-proxy-init works a charm:

-sh-4.1$ voms-proxy-init -voms gridpp
Enter GRID pass phrase for this identity:
Contacting voms03.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk] "gridpp"...
Remote VOMS server contacted succesfully.
Created proxy in /tmp/x509up_u1008.
Your proxy is valid until Tue Sep 22 21:48:30 BST 2015
All this is only affecting my ability to upload and register data to storage elements. Job submission and output collection are still working fine.
Any idea? I am using the dirac version mentioned in the subject.
Best regards,
Frederic
--
_______________________________________________
Gridpp-Dirac-Users mailing list
Gridpp-Dirac-Users@imperial.ac.uk
https://mailman.ic.ac.uk/mailman/listinfo/gridpp-dirac-users

--
Sent from the pit of despair
-----------------------------------------------------------
daniela.bauer@imperial.ac.uk
HEP Group/Physics Dep
Imperial College London, SW7 2BW
Tel: +44-(0)20-75947810
http://www.hep.ph.ic.ac.uk/~dbauer/
--
Steve Jones                             sjones@hep.ph.liv.ac.uk
Grid System Administrator               office: 220
High Energy Physics Division            tel (int): 43396
Oliver Lodge Laboratory                 tel (ext): +44 (0)151 794 3396
University of Liverpool                 http://www.liv.ac.uk/physics/hep/

--
Sent from the pit of despair
-----------------------------------------------------------
daniela.bauer@imperial.ac.uk
HEP Group/Physics Dep
Imperial College London, SW7 2BW
Tel: +44-(0)20-75947810
http://www.hep.ph.ic.ac.uk/~dbauer/
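
The errors quoted in this thread report "CRL has expired", which means a CRL in the client's certificates directory is past its nextUpdate time. As an added example (not part of the thread and not DIRAC code), the script below lists such CRLs in a directory; it assumes bash, GNU date, PEM-encoded CRLs named <hash>.r0 as fetch-crl writes them, and a 6-hour warning window taken from the refresh interval mentioned in the thread.

```bash
#!/bin/bash
# Added example: flag CRLs that are past, or close to, their nextUpdate time.
# Assumptions: GNU date, PEM CRLs named <hash>.r0, 6 h default warning window.
# Usage: bash this_script.sh /etc/grid-security/certificates

# crl_state NEXTUPDATE NOW_EPOCH WARN_SECS -> prints expired|expiring|ok|unparsable
crl_state() {
    local next_epoch
    [ -n "$1" ] || { echo unparsable; return 0; }
    next_epoch=$(date -u -d "$1" +%s 2>/dev/null) || { echo unparsable; return 0; }
    if [ "$next_epoch" -le "$2" ]; then
        echo expired            # verification against this CA will fail
    elif [ $((next_epoch - $2)) -le "$3" ]; then
        echo expiring           # will fail soon unless the CRL is refreshed
    else
        echo ok
    fi
}

# check_crl_dir DIR [WARN_SECS] -> one line per problem CRL; returns 1 if any
check_crl_dir() {
    local dir=$1 warn=${2:-21600} now bad=0 f next state
    now=$(date -u +%s)
    for f in "$dir"/*.r0; do
        # An empty directory means nothing is enforcing revocation at all.
        [ -e "$f" ] || { echo "no CRLs found in $dir"; return 1; }
        # openssl prints e.g. "nextUpdate=Sep 22 10:00:00 2015 GMT"
        next=$(openssl crl -in "$f" -noout -nextupdate 2>/dev/null | cut -d= -f2)
        state=$(crl_state "$next" "$now" "$warn")
        if [ "$state" != ok ]; then
            echo "$state: $f (nextUpdate: ${next:-unreadable})"
            bad=1
        fi
    done
    return "$bad"
}

# Run only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    check_crl_dir "$1"
fi
```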