Hi,

I am having trouble creating replicas - probably because of these errors below. Any idea how to fix this?

Cheers

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Steve Lloyd
Emeritus Professor, School of Physics and Astronomy
Queen Mary University of London, Mile End Road, London E1 4NS, UK
E-mail: s.l.lloyd@qmul.ac.uk
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

[lloyd@atlastest1 gridtests]$ ~/dirac_ui/scripts/dirac-proxy-init --group gridpp_user --out /users/lloyd/.globus/x509_lloyd_gridpp_user --VOMS --pwstdin
xxxxxxxxxxxx
Generating proxy...
Your CRLs appear to be outdated, but you have no access to update them.
Could not add VOMS extensions to the proxy
Failed adding VOMS attribute: VOMS Error ( 1121 : Failed to set VOMS attributes. Command: voms-proxy-init -cert "/users/lloyd/.globus/x509_lloyd_gridpp_user" -key "/users/lloyd/.globus/x509_lloyd_gridpp_user" -out "/tmp/tmpDIg0xW" -voms "gridpp:/gridpp" -valid "23:54" -vomses "/tmp/tmpFlrWYB/vomses"; StdOut: Your identity: /C=UK/O=eScience/OU=QueenMaryLondon/L=Physics/CN=steve lloyd/CN=proxy
Creating temporary proxy Done
Contacting voms02.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk] "gridpp" Failed
Trying next server for gridpp.
Creating temporary proxy Done
Contacting voms.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk] "gridpp" Failed
Trying next server for gridpp.
Creating temporary proxy Done
Contacting voms03.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk] "gridpp" Failed
; StdErr: ....................................
Error: Error during SSL handshake:error:80066405:lib(128):verify_callback:outdated CRL found, revoking all certs till you get new CRL:sslutils.c:2115
outdated CRL found, revoking all certs till you get new CRL
Function: verify_callback
error:80066411:lib(128):verify_callback:certificate failed verify::sslutils.c:2318
error =CRL has expired
subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk
issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B
certificate failed verify: error =CRL has expired
subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk
issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B
Function: verify_callback
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1178
certificate verify failed
Function: SSL3_GET_SERVER_CERTIFICATE
................................................
Error: Error during SSL handshake:error:80066405:lib(128):verify_callback:outdated CRL found, revoking all certs till you get new CRL:sslutils.c:2115
outdated CRL found, revoking all certs till you get new CRL
Function: verify_callback
error:80066411:lib(128):verify_callback:certificate failed verify::sslutils.c:2318
error =CRL has expired
subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk
issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B
certificate failed verify: error =CRL has expired
subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk
issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B
Function: verify_callback
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1178
certificate verify failed
Function: SSL3_GET_SERVER_CERTIFICATE
..........................................
Error: Error during SSL handshake:error:80066405:lib(128):verify_callback:outdated CRL found, revoking all certs till you get new CRL:sslutils.c:2115
outdated CRL found, revoking all certs till you get new CRL
Function: verify_callback
error:80066411:lib(128):verify_callback:certificate failed verify::sslutils.c:2318
error =CRL has expired
subject=/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk
issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B
certificate failed verify: error =CRL has expired
subject=/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk
issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B
Function: verify_callback
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1178
certificate verify failed
Function: SSL3_GET_SERVER_CERTIFICATE
None of the contacted servers for gridpp were capable of returning a valid AC for the user. )
Are you sure you are properly registered in the VO?
Uploading proxy for gridpp_user...
Proxy generated:
subject : /C=UK/O=eScience/OU=QueenMaryLondon/L=Physics/CN=steve lloyd/CN=proxy
issuer : /C=UK/O=eScience/OU=QueenMaryLondon/L=Physics/CN=steve lloyd
identity : /C=UK/O=eScience/OU=QueenMaryLondon/L=Physics/CN=steve lloyd
timeleft : 23:59:59
DIRAC group : gridpp_user
rfc : False
path : /users/lloyd/.globus/x509_lloyd_gridpp_user
username : steve.lloyd
properties : NormalUser, JobMonitor
Proxies uploaded:
DN | Group | Until (GMT)
/C=UK/O=eScience/OU=QueenMaryLondon/L=Physics/CN=steve lloyd | gridpp_user | 2018/08/03 15:11
[lloyd@atlastest1 gridtests]$

Hi Steve,

It looks like your CRLs have expired... The DIRAC UI normally tries to update these automatically from the server, but it's failing to do this on your machine (from the log message "Your CRLs appear to be outdated, but you have no access to update them.").

I suggest checking that you have write permissions on the ~/dirac_ui/etc/grid-security/certificates directory (or if it's a symlink to a central directory, ensure that the CRLs are updated in the target by some other means).

Regards,
Simon

On Sat, Nov 11, 2017 at 07:20:44PM +0000, Steve Lloyd wrote:
> Hi, I am having trouble creating replicas - probably because of these errors below. Any idea how to fix this?
> Cheers

Hi Simon,

I seem to own the directory and all the files in it. Can I update them manually somehow?

Cheers

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Steve Lloyd
Emeritus Professor, School of Physics and Astronomy
Queen Mary University of London, Mile End Road, London E1 4NS, UK
E-mail: s.l.lloyd@qmul.ac.uk
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
On 11 Nov 2017, at 23:39, Simon Fayer <simon.fayer05@imperial.ac.uk> wrote:
> Hi Steve,
>
> It looks like your CRLs have expired... The DIRAC UI normally tries to update these automatically from the server, but it's failing to do this on your machine (from the log message "Your CRLs appear to be outdated, but you have no access to update them.").
>
> I suggest checking that you have write permissions on the ~/dirac_ui/etc/grid-security/certificates directory (or if it's a symlink to a central directory, ensure that the CRLs are updated in the target by some other means).
>
> Regards,
> Simon

Hi Steve,

You can try the dirac-admin-get-CAs command to update the directory manually (it doesn't need any parameters).

Alternatively, if you have CVMFS on the machine, you could move the certificates directory out of the way and replace it with a symlink to /cvmfs/grid.cern.ch/etc/grid-security/certificates instead.

Regards,
Simon

On Sun, Nov 12, 2017 at 11:34:16AM +0000, Steve Lloyd wrote:
> Hi Simon, I seem to own the directory and all the files in it. Can I update them manually somehow?
> Cheers

Hi Simon,

I switched to cvmfs but it didn't make any difference - the error messages are the same.

Cheers

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Steve Lloyd
Emeritus Professor, School of Physics and Astronomy
Queen Mary University of London, Mile End Road, London E1 4NS, UK
E-mail: s.l.lloyd@qmul.ac.uk
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
On 12 Nov 2017, at 11:49, Simon Fayer <simon.fayer05@imperial.ac.uk> wrote:
> Hi Steve,
>
> You can try the dirac-admin-get-CAs command to update the directory manually (it doesn't need any parameters).
>
> Alternatively, if you have CVMFS on the machine, you could move the certificates directory out of the way and replace it with a symlink to /cvmfs/grid.cern.ch/etc/grid-security/certificates instead.
>
> Regards,
> Simon

Hi Steve,

Hmm, interesting... Can you please verify that the time is set correctly on the machine? If that all looks OK, then please send me the output from the following commands off-list and we'll investigate further:

env
dirac-version
ls -l $DIRAC/etc/{,grid-security} ~/.globus
ls -l $DIRAC/etc/grid-security/certificates/{530f7122,7ed47087,98ef0ee5,ffc3d59b}.*
openssl crl -in $DIRAC/etc/grid-security/certificates/530f7122.r0 -lastupdate -nextupdate -noout

Regards,
Simon

On Sun, Nov 12, 2017 at 01:46:29PM +0000, Steve Lloyd wrote:
> Hi Simon, I switched to cvmfs but it didn't make any difference - the error messages are the same.
> Cheers
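
The checks requested in the thread (directory permissions, the machine's clock, and each CRL's lastUpdate/nextUpdate) can be scripted as below. This is an added example, not part of the original messages and not DIRAC code; the function names and the sample openssl output are constructed, and it assumes `openssl` is on the PATH and that CRLs are stored as `*.r0` files as in the listing above.

```python
"""Check a grid CA/CRL directory for the problems discussed in this thread."""
import os
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path

# Date format printed by `openssl crl -lastupdate -nextupdate -noout`.
OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"

# Constructed sample of that command's output (not taken from the thread).
SAMPLE_OUTPUT = (
    "lastUpdate=Oct 11 12:00:00 2017 GMT\n"
    "nextUpdate=Nov 10 12:00:00 2017 GMT\n"
)


def parse_crl_dates(text):
    """Return (lastUpdate, nextUpdate) as aware datetimes, None if missing."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or key.strip() not in ("lastUpdate", "nextUpdate"):
            continue
        try:
            stamp = datetime.strptime(value.strip(), OPENSSL_TIME)
        except ValueError:  # e.g. "nextUpdate=NONE"
            continue
        found[key.strip()] = stamp.replace(tzinfo=timezone.utc)
    return found.get("lastUpdate"), found.get("nextUpdate")


def classify(last_update, next_update, now):
    """Classify one CRL relative to the local clock."""
    if last_update is None:
        return "unreadable"
    if now < last_update:
        # CRL issued "in the future": the local clock is probably wrong.
        return "clock-before-lastupdate"
    if next_update is None:
        return "no-nextupdate"
    if now > next_update:
        # The state that produces "CRL has expired" during the handshake.
        return "expired"
    return "ok"


def openssl_crl_dates(crl_path):
    """Run the openssl command from the thread on one CRL file."""
    proc = subprocess.run(
        ["openssl", "crl", "-in", str(crl_path),
         "-lastupdate", "-nextupdate", "-noout"],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


def dir_status(cert_dir):
    """Report whether the directory exists, is a symlink, and is writable."""
    path = Path(cert_dir)
    return {
        "exists": path.is_dir(),
        "symlink_target": os.readlink(path) if path.is_symlink() else None,
        # A read-only target (e.g. CVMFS) must be refreshed by other means.
        "writable": os.access(path, os.W_OK),
    }


def scan_crls(cert_dir, now=None, run_openssl=openssl_crl_dates):
    """Map each *.r0 file in cert_dir to its classification."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for crl in sorted(Path(cert_dir).glob("*.r0")):
        last_update, next_update = parse_crl_dates(run_openssl(crl))
        report[crl.name] = classify(last_update, next_update, now)
    return report


if __name__ == "__main__":
    # Default path follows the $DIRAC layout used in the thread.
    default = os.path.join(os.environ.get("DIRAC", "."),
                           "etc/grid-security/certificates")
    cert_dir = sys.argv[1] if len(sys.argv) > 1 else default
    print("local UTC time:", datetime.now(timezone.utc).isoformat())
    print("directory:", dir_status(cert_dir))
    stale = {n: s for n, s in scan_crls(cert_dir).items() if s != "ok"}
    for name, state in stale.items():
        print(f"{name}: {state}")
    sys.exit(1 if stale else 0)
```

A non-zero exit status means at least one CRL is not currently valid relative to the local clock, which makes the script usable from cron or a monitoring probe.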

participants (2): Simon Fayer, Steve Lloyd