@Steve: Whenever it stops working :-D [insert rant from Simon about my flippant attitude to security here]

As for Raja's questions, I think Frederic got caught out by the crls rather than the CAs; the dirac-admin-get-CAs command will update both. I don't think the average user cares and I can't imagine a sysadmin who has an up-to-date CA directory, but doesn't update the crls.

My UI certainly updates its crls every 6 h. If someone bans one of my users I don't want to be the one allowing them to escape into the wild.

Cheers,
Daniela

On 22 September 2015 at 14:33, Stephen Jones <sjones@hep.ph.liv.ac.uk> wrote:
Hi Daniela,

Re: instructions

Suggest we mention cron to make it clear, e.g.

-------------
If there is no regularly maintained set of CAs available, run the following command periodically (e.g. with a cron):
# source bashrc; dirac-admin-get-CAs
-------------

But how often do you suggest?

Cheers,

Steve



On 09/22/2015 10:58 AM, Daniela Bauer wrote:
Hi Frederic,

indeed they do, hence they should be installed separately. I try to allude to this in my instructions, but clearly not well enough. I'm tempted to list this as a prerequisite (i.e. install certificates and crl cron job first, before installing the dirac UI); I was just worried it might get too confusing.
If the certificate directory you are now linking to is part of a standard UI, a mechanism (yum for the certificates + cron job for the crls) to update it should already be in place, so you shouldn't have to update it again.

Regards,
Daniela

On 22 September 2015 at 10:53, Frederic Brochu <brochu@hep.phy.cam.ac.uk> wrote:

    Hi Daniela,

    Yes, doing it solved all my problems.
    Here is the output of dirac-proxy-init:
    -sh-4.1$ dirac-proxy-init -g gridpp_user -M
    Generating proxy...
    Enter Certificate password:
    Added VOMS attribute /gridpp
    Uploading proxy for gridpp_user...
    Proxy generated:
    subject      : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy/CN=proxy
    issuer       : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy
    identity     : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu
    timeleft     : 23:53:59
    DIRAC group  : gridpp_user
    path         : /tmp/x509up_u1008
    username     : frederic.brochu
    properties   : NormalUser
    VOMS         : True
    VOMS fqan    : ['/gridpp']

    Proxies uploaded:
     DN                                                     | Group       | Until (GMT)
     /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu | gridpp_user | 2016/07/28 15:12

    and the output of dirac-dms-add-file
    dirac-dms-add-file /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 XRay_phaseSpace360_7 UKI-NORTHGRID-LIV-HEP-disk

    Uploading /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7
    Successfully uploaded file to UKI-NORTHGRID-LIV-HEP-disk

    Thank you very much,

    Frederic

    P.S.: This is however opening another can of worms, as I expect these certificates will require updates that are more frequent than dirac client updates.



    On Tue, 22 Sep 2015, Daniela Bauer wrote:

        Hi Frederic,

        I think this might be related to the fact that the dirac ui has no way to automatically update the certs, crls etc.
        In your dirac UI, can you link etc/grid-security/certificates to wherever your standard grid UI is getting these files from (possibly /etc/grid-security/certificates or whatever X509_CERT_DIR is set to) and let me know if that helps.

        Cheers,
        Daniela



        On 22 September 2015 at 09:52, Frederic Brochu <brochu@hep.phy.cam.ac.uk> wrote:
              Dear all,

              I am no longer able to copy and register files with dirac-dms-add-file.

              This command line used to work:
              dirac-dms-add-file /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_5 XRay_phaseSpace360_5 UKI-NORTHGRID-LIV-HEP-disk

              But when I am doing it now with a different file, I am getting:

              h-4.1$ dirac-dms-add-file /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 XRay_phaseSpace360_7 UKI-NORTHGRID-LIV-HEP-disk

              Uploading /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7
              createDirectory: Failed to create directory on storage. srm://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2?SFN=/dpm/ph.liv.ac.uk/home/gridpp/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360: SRM2Storage.__gfal_exec(gfal_ls): Execution failed. [SE][Ls][] httpg://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2: CGSI-gSOAP running on pcjp reports Error initializing context
              GSS Major Status: Authentication Failed

              GSS Minor Status Error Chain:
              globus_gsi_gssapi: SSLv3 handshake problems
              globus_gsi_callb
              Error: failed to upload /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 to UKI-NORTHGRID-LIV-HEP-disk

              This is also true for any other site.

              Further to this, dirac-proxy-init also complains:

              dirac-proxy-init -g gridpp_user -M
              Generating proxy...
              Enter Certificate password:
              Could not add VOMS extensions to the proxy
              Failed adding VOMS attribute: Failed to set VOMS attributes.
              Command: voms-proxy-init -cert "/tmp/x509up_u1008" -key "/tmp/x509up_u1008" -out "/tmp/brochu/tmpuSlB4v" -voms "gridpp:/gridpp" -valid "23:54" -vomses "/var/clus/usera/brochu/gridpp/dirac_ui/etc/grid-security/vomses";
              StdOut: Your identity: /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy
              Creating temporary proxy  Done
              Contacting voms.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk] "gridpp" Failed

              Trying next server for gridpp.
              Creating temporary proxy  Done
              Contacting voms03.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk] "gridpp" Failed

              Trying next server for gridpp.
              Creating temporary proxy  Done
              Contacting voms02.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk] "gridpp" Failed
              ; StdErr:
              .....................................................
              Error: Error during SSL handshake:error:80066405:lib(128):verify_callback:outdated CRL found, revoking all certs till you get new CRL:sslutils.c:2115
              outdated CRL found, revoking all certs till you get new CRL
              Function: verify_callback
              error:80066411:lib(128):verify_callback:certificate failed verify::sslutils.c:2318
                      error =CRL has expired
                      subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk
                      issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B
              certificate failed verify:
                      error =CRL has expired
                      subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk
                      issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B
              Function: verify_callback
              error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1172
              certificate verify failed
              Function: SSL3_GET_SERVER_CERTIFICATE

              .....................................................
              Error: Error during SSL handshake:error:80066405:lib(128):verify_callback:outdated CRL found, revoking all certs till you get new CRL:sslutils.c:2115
              outdated CRL found, revoking all certs till you get new CRL
              Function: verify_callback
              error:80066411:lib(128):verify_callback:certificate failed verify::sslutils.c:2318
                      error =CRL has expired
                      subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk
                      issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B
              certificate failed verify:
                      error =CRL has expired
                      subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk
                      issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B
              Function: verify_callback
              error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1172
              certificate verify failed
              Function: SSL3_GET_SERVER_CERTIFICATE

              None of the contacted servers for gridpp were capable of returning a valid AC for the user.

              Are you sure you are properly registered in the VO?
              Uploading proxy for gridpp_user...
              Proxy generated:
              subject      : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy
              issuer       : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu
              identity     : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu
              timeleft     : 23:59:58
              DIRAC group  : gridpp_user
              path         : /tmp/x509up_u1008
              username     : frederic.brochu
              properties   : NormalUser
              Proxies uploaded:
               DN                                                     | Group       | Until (GMT)
               /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu | gridpp_user | 2016/07/28 15:12


              On the other hand, voms-proxy-init works a charm:
              -sh-4.1$ voms-proxy-init -voms gridpp
              Enter GRID pass phrase for this identity:
              Contacting voms03.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk] "gridpp"...
              Remote VOMS server contacted succesfully.


              Created proxy in /tmp/x509up_u1008.

              Your proxy is valid until Tue Sep 22 21:48:30 BST 2015


              All this is only affecting my ability to upload and register data to storage elements. Job submission and output collection are still working fine.

              Any idea? I am using the dirac version mentioned in the subject.

              Best regards,

              Frederic


              --
              _______________________________________________
              Gridpp-Dirac-Users mailing list
              Gridpp-Dirac-Users@imperial.ac.uk
              https://mailman.ic.ac.uk/mailman/listinfo/gridpp-dirac-users




        --
        Sent from the pit of despair

        -----------------------------------------------------------
        daniela.bauer@imperial.ac.uk
        HEP Group/Physics Dep
        Imperial College
        London, SW7 2BW
        Tel: +44-(0)20-75947810
        http://www.hep.ph.ic.ac.uk/~dbauer/




--
Sent from the pit of despair

-----------------------------------------------------------
daniela.bauer@imperial.ac.uk
HEP Group/Physics Dep
Imperial College
London, SW7 2BW
Tel: +44-(0)20-75947810
http://www.hep.ph.ic.ac.uk/~dbauer/




--
Steve Jones                             sjones@hep.ph.liv.ac.uk
Grid System Administrator               office: 220
High Energy Physics Division            tel (int): 43396
Oliver Lodge Laboratory                 tel (ext): +44 (0)151 794 3396
University of Liverpool                 http://www.liv.ac.uk/physics/hep/




--
Sent from the pit of despair

-----------------------------------------------------------
daniela.bauer@imperial.ac.uk
HEP Group/Physics Dep
Imperial College
London, SW7 2BW
Tel: +44-(0)20-75947810
http://www.hep.ph.ic.ac.uk/~dbauer/
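The failures in this thread come down to one thing: the DIRAC UI's private etc/grid-security/certificates copy held a CRL whose nextUpdate had passed, so Globus rejected every certificate issued by that CA ("outdated CRL found, revoking all certs till you get new CRL") and both the SRM handshake and the VOMS contact died. Below is an added example, not DIRAC, Globus or list code, of the kind of check a sysadmin could run from the same cron entry as dirac-admin-get-CAs so a stale CRL is noticed before the next proxy or storage handshake fails. It assumes the Globus layout (CRLs as <hash>.r0 files, PEM or DER, in X509_CERT_DIR, defaulting to /etc/grid-security/certificates); the minimal ASN.1 walker, the file names and the sample CRLs it builds are all constructed for the example, and the sample CRLs carry a placeholder signature rather than a real one.

```python
"""Stale-CRL check for an X509_CERT_DIR-style directory (added example, not DIRAC/Globus code).
Parses only thisUpdate/nextUpdate from each DER CRL with a minimal ASN.1 walker so it runs on
plain Python 3; assumes the Globus <hash>.r0 layout, PEM or DER, under X509_CERT_DIR."""
import base64, glob, os, tempfile
from datetime import datetime, timezone

def _read_tlv(buf, pos):
    """(tag, value, next_pos) for the DER TLV at buf[pos]; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _parse_time(tag, value):
    """RFC 5280 Time: UTCTime (0x17, two-digit year) or GeneralizedTime (0x18, four-digit year)."""
    s = value.decode("ascii")
    if tag == 0x17:
        year, s = int(s[:2]), s[2:]
        year += 2000 if year < 50 else 1900      # RFC 5280 two-digit year rule
    elif tag == 0x18:
        year, s = int(s[:4]), s[4:]
    else:
        raise ValueError("expected a Time, got tag 0x%02x" % tag)
    return datetime(year, int(s[0:2]), int(s[2:4]), int(s[4:6]), int(s[6:8]), int(s[8:10]),
                    tzinfo=timezone.utc)

def crl_validity(der):
    """(thisUpdate, nextUpdate) of a DER CertificateList; nextUpdate is None if absent."""
    _, cert_list, _ = _read_tlv(der, 0)          # CertificateList ::= SEQUENCE { tbsCertList, ... }
    _, tbs, _ = _read_tlv(cert_list, 0)          # tbsCertList ::= SEQUENCE { [version], signature, issuer, thisUpdate, [nextUpdate], ... }
    tag, _, pos = _read_tlv(tbs, 0)
    if tag == 0x02:                              # optional version present: the next TLV is signature
        _, _, pos = _read_tlv(tbs, pos)
    _, _, pos = _read_tlv(tbs, pos)              # issuer Name
    tag, val, pos = _read_tlv(tbs, pos)
    this_update, next_update = _parse_time(tag, val), None
    if pos < len(tbs):
        tag, val, _ = _read_tlv(tbs, pos)
        if tag in (0x17, 0x18):
            next_update = _parse_time(tag, val)
    return this_update, next_update

def load_crl(data):
    """Accept PEM (-----BEGIN X509 CRL-----) or raw DER and return DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return base64.b64decode(b"".join(l for l in data.splitlines() if l and not l.startswith(b"-----")))
    return data

def crl_status(der, now):
    """'ok', 'expired' (past nextUpdate: what Globus logs as 'outdated CRL found') or 'not yet valid'."""
    this_update, next_update = crl_validity(der)
    if now < this_update:
        return "not yet valid"
    if next_update is not None and now > next_update:
        return "expired"
    return "ok"

def check_cert_dir(cert_dir, now=None):
    """Map every <hash>.r0 file in cert_dir to its status."""
    now, results = now or datetime.now(timezone.utc), {}
    for path in sorted(glob.glob(os.path.join(cert_dir, "*.r0"))):
        with open(path, "rb") as f:
            results[os.path.basename(path)] = crl_status(load_crl(f.read()), now)
    return results

# --- constructed sample data: hand-built CRLs with a placeholder signature, for offline runs ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def build_sample_crl(this_update, next_update):
    """DER CertificateList with the given validity window and an empty revoked list."""
    utc = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    sig_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSAEncryption
    issuer = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x13, b"Constructed Test CA"))))
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + sig_alg + issuer + utc(this_update) + utc(next_update))
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" * 5))

def demo():
    """Fresh, future and stale sample CRLs in a temp dir, checked as of the thread's date (2015-09-22)."""
    now, d = datetime(2015, 9, 22, 9, 52, tzinfo=timezone.utc), tempfile.mkdtemp()
    samples = {"fresh.r0": (datetime(2015, 9, 21), datetime(2015, 9, 28)),
               "future.r0": (datetime(2015, 10, 1), datetime(2015, 10, 8)),
               "stale.r0": (datetime(2015, 9, 1), datetime(2015, 9, 8))}
    for name, (t, n) in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(build_sample_crl(t, n)) + b"-----END X509 CRL-----\n")
    return check_cert_dir(d, now)

if __name__ == "__main__":
    status = check_cert_dir(os.environ.get("X509_CERT_DIR", "/etc/grid-security/certificates"))
    for name, st in status.items():
        print(name, st)
    raise SystemExit(1 if "expired" in status.values() else 0)   # non-zero exit so cron mail / monitoring notices
```

Run it right after the CRL fetch in the cron job: a non-zero exit means at least one CA's CRL is already past nextUpdate, which is exactly the state in which Globus starts refusing every certificate from that CA, the storage element's host certificate included. The "not yet valid" branch catches a skewed clock on the UI host, which produces the same symptom. In production the same two fields can be read with `openssl crl -noout -lastupdate -nextupdate -in <file>`; the hand-written walker here only avoids a dependency so the example runs anywhere.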