authentication issues with Dirac v6r13p9
Dear all, I am no longer able to copy and register files with dirac-dms-add-file. This command line used to work: dirac-dms-add-file /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_5 XRay_phaseSpace360_5 UKI-NORTHGRID-LIV-HEP-disk But when I am doing it now with a different file, I am getting: h-4.1$ dirac-dms-add-file /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 XRay_phaseSpace360_7 UKI-NORTHGRID-LIV-HEP-disk Uploading /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 createDirectory: Failed to create directory on storage. srm://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2?SFN=/dpm/ph.liv.ac.uk/home/gridpp/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360: SRM2Storage.__gfal_exec(gfal_ls): Execution failed. [SE][Ls][] httpg://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2: CGSI-gSOAP running on pcjp reports Error initializing context GSS Major Status: Authentication Failed GSS Minor Status Error Chain: globus_gsi_gssapi: SSLv3 handshake problems globus_gsi_callb Error: failed to upload /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 to UKI-NORTHGRID-LIV-HEP-disk This is also true for any other site. Further to this, dirac-proxy-init also complains: dirac-proxy-init -g gridpp_user -M Generating proxy... Enter Certificate password: Could not add VOMS extensions to the proxy Failed adding VOMS attribute: Failed to set VOMS attributes. Command: voms-proxy-init -cert "/tmp/x509up_u1008" -key "/tmp/x509up_u1008" -out "/tmp/brochu/tmpuSlB4v" -voms "gridpp:/gridpp" -valid "23:54" -vomses "/var/clus/usera/brochu/gridpp/dirac_ui/etc/grid-security/vomses"; StdOut: Your identity: /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy Creating temporary proxy Done Contacting voms.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk] "gridpp" Failed Trying next server for gridpp. Creating temporary proxy Done Contacting voms03.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk] "gridpp" Failed Trying next server for gridpp. Creating temporary proxy Done Contacting voms02.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk] "gridpp" Failed ; StdErr: ..................................................... Error: Error during SSL handshake:error:80066405:lib(128):verify_callback:outdated CRL found, revoking all certs till you get new CRL:sslutils.c:2115 outdated CRL found, revoking all certs till you get new CRL Function: verify_callback error:80066411:lib(128):verify_callback:certificate failed verify::sslutils.c:2318 error =CRL has expired subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B certificate failed verify: error =CRL has expired subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B Function: verify_callback error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1172 certificate verify failed Function: SSL3_GET_SERVER_CERTIFICATE ..................................................... Error: Error during SSL handshake:error:80066405:lib(128):verify_callback:outdated CRL found, revoking all certs till you get new CRL:sslutils.c:2115 outdated CRL found, revoking all certs till you get new CRL Function: verify_callback error:80066411:lib(128):verify_callback:certificate failed verify::sslutils.c:2318 error =CRL has expired subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B certificate failed verify: error =CRL has expired subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B Function: verify_callback error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1172 certificate verify failed Function: SSL3_GET_SERVER_CERTIFICATE None of the contacted servers for gridpp were capable of returning a valid AC for the user. Are you sure you are properly registered in the VO? Uploading proxy for gridpp_user... Proxy generated: subject : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy issuer : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu identity : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu timeleft : 23:59:58 DIRAC group : gridpp_user path : /tmp/x509up_u1008 username : frederic.brochu properties : NormalUser Proxies uploaded: DN | Group | Until (GMT) /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu | gridpp_user | 2016/07/28 15:12 On the other hand, voms-proxy-init works a charm: -sh-4.1$ voms-proxy-init -voms gridpp Enter GRID pass phrase for this identity: Contacting voms03.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk] "gridpp"... Remote VOMS server contacted succesfully. Created proxy in /tmp/x509up_u1008. Your proxy is valid until Tue Sep 22 21:48:30 BST 2015 All this is only affecting my ability to upload and register data to storage elements. Job submission and output collection are still working fine. Any idea? I am using the dirac version mentioned in the subject. Best regards, Frederic
Hi Frederic, I think this might be related to the fact that the dirac ui has no way to automatically update the certs, crls etc. In your dirac UI, can you link etc/grid-security/certificates to whereever your standard grid UI is getting these files from (possibly /etc/grid-security/certificates or whatever X509_CERT_DIR is set to) and let me know if that helps. Cheers, Daniela On 22 September 2015 at 09:52, Frederic Brochu <brochu@hep.phy.cam.ac.uk> wrote:
Dear all,
I am no longer able to copy and register files with dirac-dms-add-file.
This command line used to work: dirac-dms-add-file /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_5 XRay_phaseSpace360_5 UKI-NORTHGRID-LIV-HEP-disk
But when I am doing it now with a different file, I am getting:
h-4.1$ dirac-dms-add-file /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 XRay_phaseSpace360_7 UKI-NORTHGRID-LIV-HEP-disk
Uploading /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 createDirectory: Failed to create directory on storage. srm:// hepgrid11.ph.liv.ac.uk:8446/srm/managerv2?SFN=/dpm/ph.liv.ac.uk/home/gridpp/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360 : SRM2Storage.__gfal_exec(gfal_ls): Execution failed. [SE][Ls][] httpg:// hepgrid11.ph.liv.ac.uk:8446/srm/managerv2: CGSI-gSOAP running on pcjp reports Error initializing context GSS Major Status: Authentication Failed
GSS Minor Status Error Chain: globus_gsi_gssapi: SSLv3 handshake problems globus_gsi_callb Error: failed to upload /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 to UKI-NORTHGRID-LIV-HEP-disk
This is also true for any other site.
Further to this, dirac-proxy-init also complains:
dirac-proxy-init -g gridpp_user -M Generating proxy... Enter Certificate password: Could not add VOMS extensions to the proxy Failed adding VOMS attribute: Failed to set VOMS attributes. Command: voms-proxy-init -cert "/tmp/x509up_u1008" -key "/tmp/x509up_u1008" -out "/tmp/brochu/tmpuSlB4v" -voms "gridpp:/gridpp" -valid "23:54" -vomses "/var/clus/usera/brochu/gridpp/dirac_ui/etc/grid-security/vomses"; StdOut: Your identity: /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy Creating temporary proxy Done Contacting voms.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk] "gridpp" Failed
Trying next server for gridpp. Creating temporary proxy Done Contacting voms03.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk] "gridpp" Failed
Trying next server for gridpp. Creating temporary proxy Done Contacting voms02.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk] "gridpp" Failed ; StdErr: ..................................................... Error: Error during SSL handshake:error:80066405:lib(128):verify_callback:outdated CRL found, revoking all certs till you get new CRL:sslutils.c:2115 outdated CRL found, revoking all certs till you get new CRL Function: verify_callback error:80066411:lib(128):verify_callback:certificate failed verify::sslutils.c:2318 error =CRL has expired subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B certificate failed verify: error =CRL has expired subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B Function: verify_callback error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1172 certificate verify failed Function: SSL3_GET_SERVER_CERTIFICATE
..................................................... Error: Error during SSL handshake:error:80066405:lib(128):verify_callback:outdated CRL found, revoking all certs till you get new CRL:sslutils.c:2115 outdated CRL found, revoking all certs till you get new CRL Function: verify_callback error:80066411:lib(128):verify_callback:certificate failed verify::sslutils.c:2318 error =CRL has expired subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B certificate failed verify: error =CRL has expired subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B Function: verify_callback error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1172 certificate verify failed Function: SSL3_GET_SERVER_CERTIFICATE
None of the contacted servers for gridpp were capable of returning a valid AC for the user.
Are you sure you are properly registered in the VO? Uploading proxy for gridpp_user... Proxy generated: subject : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy issuer : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu identity : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu timeleft : 23:59:58 DIRAC group : gridpp_user path : /tmp/x509up_u1008 username : frederic.brochu properties : NormalUser Proxies uploaded: DN | Group | Until (GMT) /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu | gridpp_user | 2016/07/28 15:12
On the other hand, voms-proxy-init works a charm: -sh-4.1$ voms-proxy-init -voms gridpp Enter GRID pass phrase for this identity: Contacting voms03.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk] "gridpp"... Remote VOMS server contacted succesfully.
Created proxy in /tmp/x509up_u1008.
Your proxy is valid until Tue Sep 22 21:48:30 BST 2015
All this is only affecting my ability to upload and register data to storage elements. Job submission and output collection are still working fine.
Any idea? I am using the dirac version mentioned in the subject.
Best regards,
Frederic
-- _______________________________________________ Gridpp-Dirac-Users mailing list Gridpp-Dirac-Users@imperial.ac.uk https://mailman.ic.ac.uk/mailman/listinfo/gridpp-dirac-users
-- Sent from the pit of despair ----------------------------------------------------------- daniela.bauer@imperial.ac.uk HEP Group/Physics Dep Imperial College London, SW7 2BW Tel: +44-(0)20-75947810 http://www.hep.ph.ic.ac.uk/~dbauer/
Hi Daniela, Yes, doing it solved all my problems. Here is the output of dirac-proxy-init: -sh-4.1$ dirac-proxy-init -g gridpp_user -M Generating proxy... Enter Certificate password: Added VOMS attribute /gridpp Uploading proxy for gridpp_user... Proxy generated: subject : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy/CN=proxy issuer : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy identity : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu timeleft : 23:53:59 DIRAC group : gridpp_user path : /tmp/x509up_u1008 username : frederic.brochu properties : NormalUser VOMS : True VOMS fqan : ['/gridpp'] Proxies uploaded: DN | Group | Until (GMT) /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu | gridpp_user | 2016/07/28 15:12 and the output of dirac-dms-add-file dirac-dms-add-file /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 XRay_phaseSpace360_7 UKI-NORTHGRID-LIV-HEP-disk Uploading /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 Successfully uploaded file to UKI-NORTHGRID-LIV-HEP-disk Thank you very much, Frederic P.S: This is however opening another can of worms, as I expect these certificates will require updates that are more frequent than dirac client updates. On Tue, 22 Sep 2015, Daniela Bauer wrote:
Hi Frederic,
I think this might be related to the fact that the dirac ui has no way to automatically update the certs, crls etc. In your dirac UI, can you link etc/grid-security/certificates to whereever your standard grid UI is getting these files from (possibly /etc/grid-security/certificates or whatever X509_CERT_DIR is set to) and let me know if that helps.
Cheers, Daniela
On 22 September 2015 at 09:52, Frederic Brochu <brochu@hep.phy.cam.ac.uk> wrote: Dear all,
I am no longer able to copy and register files with dirac-dms-add-file.
This command line used to work: dirac-dms-add-file /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_5 XRay_phaseSpace360_5 UKI-NORTHGRID-LIV-HEP-disk
But when I am doing it now with a different file, I am getting:
h-4.1$ dirac-dms-add-file /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 XRay_phaseSpace360_7 UKI-NORTHGRID-LIV-HEP-disk
Uploading /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 createDirectory: Failed to create directory on storage. srm://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2?SFN=/dpm/ph.liv.ac.uk/home/ gridpp/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360: SRM2Storage.__gfal_exec(gfal_ls): Execution failed. [SE][Ls][] httpg://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2: CGSI-gSOAP running on pcjp reports Error initializing context GSS Major Status: Authentication Failed
GSS Minor Status Error Chain: globus_gsi_gssapi: SSLv3 handshake problems globus_gsi_callb Error: failed to upload /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 to UKI-NORTHGRID-LIV-HEP-disk
This is also true for any other site.
Further to this, dirac-proxy-init also complains:
dirac-proxy-init -g gridpp_user -M Generating proxy... Enter Certificate password: Could not add VOMS extensions to the proxy Failed adding VOMS attribute: Failed to set VOMS attributes. Command: voms-proxy-init -cert "/tmp/x509up_u1008" -key "/tmp/x509up_u1008" -out "/tmp/brochu/tmpuSlB4v" -voms "gridpp:/gridpp" -valid "23:54" -vomses "/var/clus/usera/brochu/gridpp/dirac_ui/etc/grid-security/vomses"; StdOut: Your identity: /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy Creating temporary proxy Done Contacting voms.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk] "gridpp" Failed
Trying next server for gridpp. Creating temporary proxy Done Contacting voms03.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk] "gridpp" Failed
Trying next server for gridpp. Creating temporary proxy Done Contacting voms02.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk] "gridpp" Failed ; StdErr: ..................................................... Error: Error during SSL handshake:error:80066405:lib(128):verify_callback:outdated CRL found, revoking all certs till you get new CRL:sslutils.c:2115 outdated CRL found, revoking all certs till you get new CRL Function: verify_callback error:80066411:lib(128):verify_callback:certificate failed verify::sslutils.c:2318 error =CRL has expired subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B certificate failed verify: error =CRL has expired subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B Function: verify_callback error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1172 certificate verify failed Function: SSL3_GET_SERVER_CERTIFICATE
..................................................... Error: Error during SSL handshake:error:80066405:lib(128):verify_callback:outdated CRL found, revoking all certs till you get new CRL:sslutils.c:2115 outdated CRL found, revoking all certs till you get new CRL Function: verify_callback error:80066411:lib(128):verify_callback:certificate failed verify::sslutils.c:2318 error =CRL has expired subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B certificate failed verify: error =CRL has expired subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B Function: verify_callback error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1172 certificate verify failed Function: SSL3_GET_SERVER_CERTIFICATE
None of the contacted servers for gridpp were capable of returning a valid AC for the user.
Are you sure you are properly registered in the VO? Uploading proxy for gridpp_user... Proxy generated: subject : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy issuer : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu identity : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu timeleft : 23:59:58 DIRAC group : gridpp_user path : /tmp/x509up_u1008 username : frederic.brochu properties : NormalUser Proxies uploaded: DN | Group | Until (GMT) /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu | gridpp_user | 2016/07/28 15:12
On the other hand, voms-proxy-init works a charm: -sh-4.1$ voms-proxy-init -voms gridpp Enter GRID pass phrase for this identity: Contacting voms03.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk] "gridpp"... Remote VOMS server contacted succesfully.
Created proxy in /tmp/x509up_u1008.
Your proxy is valid until Tue Sep 22 21:48:30 BST 2015
All this is only affecting my ability to upload and register data to storage elements. Job submission and output collection are still working fine.
Any idea? I am using the dirac version mentioned in the subject.
Best regards,
Frederic
-- _______________________________________________ Gridpp-Dirac-Users mailing list Gridpp-Dirac-Users@imperial.ac.uk https://mailman.ic.ac.uk/mailman/listinfo/gridpp-dirac-users
-- Sent from the pit of despair
----------------------------------------------------------- daniela.bauer@imperial.ac.uk HEP Group/Physics Dep Imperial College London, SW7 2BW Tel: +44-(0)20-75947810 http://www.hep.ph.ic.ac.uk/~dbauer/
Hi Frederic, indeed they do, hence they should be installed separately. I try to allude to this in my instructions, but clearly not well enough. I'm tempted to list this as a prerequisite (i.e. install certificates and crl cron job first, before installing the dirac UI), I was just worried it might get to confusing. If the certificate directory you are now linking to is part of a standard UI, a mechanism (yum for the certificates + cron job for the crls) to update it should already be in place, so you shouldn't have to update it again. Regards, Daniela On 22 September 2015 at 10:53, Frederic Brochu <brochu@hep.phy.cam.ac.uk> wrote:
Hi Daniela,
Yes, doing it solved all my problems. Here is the output of dirac-proxy-init: -sh-4.1$ dirac-proxy-init -g gridpp_user -M Generating proxy... Enter Certificate password: Added VOMS attribute /gridpp Uploading proxy for gridpp_user... Proxy generated: subject : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy/CN=proxy issuer : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy identity : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu timeleft : 23:53:59 DIRAC group : gridpp_user path : /tmp/x509up_u1008 username : frederic.brochu properties : NormalUser VOMS : True VOMS fqan : ['/gridpp']
Proxies uploaded: DN | Group | Until (GMT) /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu | gridpp_user | 2016/07/28 15:12
and the output of dirac-dms-add-file dirac-dms-add-file /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 XRay_phaseSpace360_7 UKI-NORTHGRID-LIV-HEP-disk
Uploading /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 Successfully uploaded file to UKI-NORTHGRID-LIV-HEP-disk
Thank you very much,
Frederic
P.S: This is however opening another can of worms, as I expect these certificates will require updates that are more frequent than dirac client updates.
On Tue, 22 Sep 2015, Daniela Bauer wrote:
Hi Frederic,
I think this might be related to the fact that the dirac ui has no way to automatically update the certs, crls etc. In your dirac UI, can you link etc/grid-security/certificates to whereever your standard grid UI is getting these files from (possibly /etc/grid-security/certificates or whatever X509_CERT_DIR is set to) and let me know if that helps.
Cheers, Daniela
On 22 September 2015 at 09:52, Frederic Brochu <brochu@hep.phy.cam.ac.uk> wrote: Dear all,
I am no longer able to copy and register files with dirac-dms-add-file.
This command line used to work: dirac-dms-add-file
/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_5 XRay_phaseSpace360_5 UKI-NORTHGRID-LIV-HEP-disk
But when I am doing it now with a different file, I am getting:
h-4.1$ dirac-dms-add-file
/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 XRay_phaseSpace360_7 UKI-NORTHGRID-LIV-HEP-disk
Uploading
/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 createDirectory: Failed to create directory on storage. srm:// hepgrid11.ph.liv.ac.uk:8446/srm/managerv2?SFN=/dpm/ph.liv.ac.uk/home/ gridpp/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360: SRM2Storage.__gfal_exec(gfal_ls): Execution failed. [SE][Ls][] httpg://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2: CGSI-gSOAP running on pcjp reports Error initializing context GSS Major Status: Authentication Failed
GSS Minor Status Error Chain: globus_gsi_gssapi: SSLv3 handshake problems globus_gsi_callb Error: failed to upload
/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 to UKI-NORTHGRID-LIV-HEP-disk
This is also true for any other site.
Further to this, dirac-proxy-init also complains:
dirac-proxy-init -g gridpp_user -M Generating proxy... Enter Certificate password: Could not add VOMS extensions to the proxy Failed adding VOMS attribute: Failed to set VOMS attributes. Command: voms-proxy-init -cert "/tmp/x509up_u1008" -key "/tmp/x509up_u1008" -out "/tmp/brochu/tmpuSlB4v" -voms "gridpp:/gridpp" -valid "23:54" -vomses "/var/clus/usera/brochu/gridpp/dirac_ui/etc/grid-security/vomses"; StdOut: Your identity: /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy Creating temporary proxy Done Contacting voms.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk] "gridpp" Failed
Trying next server for gridpp. Creating temporary proxy Done Contacting voms03.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk] "gridpp" Failed
Trying next server for gridpp. Creating temporary proxy Done Contacting voms02.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk] "gridpp" Failed ; StdErr: ..................................................... Error: Error during SSL handshake:error:80066405:lib(128):verify_callback:outdated CRL found, revoking all certs till you get new CRL:sslutils.c:2115 outdated CRL found, revoking all certs till you get new CRL Function: verify_callback error:80066411:lib(128):verify_callback:certificate failed verify::sslutils.c:2318 error =CRL has expired
subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B certificate failed verify: error =CRL has expired
subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B Function: verify_callback error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1172 certificate verify failed Function: SSL3_GET_SERVER_CERTIFICATE
..................................................... Error: Error during SSL handshake:error:80066405:lib(128):verify_callback:outdated CRL found, revoking all certs till you get new CRL:sslutils.c:2115 outdated CRL found, revoking all certs till you get new CRL Function: verify_callback error:80066411:lib(128):verify_callback:certificate failed verify::sslutils.c:2318 error =CRL has expired
subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B certificate failed verify: error =CRL has expired
subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B Function: verify_callback error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1172 certificate verify failed Function: SSL3_GET_SERVER_CERTIFICATE
None of the contacted servers for gridpp were capable of returning a valid AC for the user.
Are you sure you are properly registered in the VO? Uploading proxy for gridpp_user... Proxy generated: subject : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy issuer : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu identity : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu timeleft : 23:59:58 DIRAC group : gridpp_user path : /tmp/x509up_u1008 username : frederic.brochu properties : NormalUser Proxies uploaded: DN | Group | Until (GMT) /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu | gridpp_user | 2016/07/28 15:12
On the other hand, voms-proxy-init works a charm: -sh-4.1$ voms-proxy-init -voms gridpp Enter GRID pass phrase for this identity: Contacting voms03.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk] "gridpp"... Remote VOMS server contacted succesfully.
Created proxy in /tmp/x509up_u1008.
Your proxy is valid until Tue Sep 22 21:48:30 BST 2015
All this is only affecting my ability to upload and register data to storage elements. Job submission and output collection are still working fine.
Any idea? I am using the dirac version mentioned in the subject.
Best regards,
Frederic
-- _______________________________________________ Gridpp-Dirac-Users mailing list Gridpp-Dirac-Users@imperial.ac.uk https://mailman.ic.ac.uk/mailman/listinfo/gridpp-dirac-users
-- Sent from the pit of despair
----------------------------------------------------------- daniela.bauer@imperial.ac.uk HEP Group/Physics Dep Imperial College London, SW7 2BW Tel: +44-(0)20-75947810 http://www.hep.ph.ic.ac.uk/~dbauer/
-- Sent from the pit of despair ----------------------------------------------------------- daniela.bauer@imperial.ac.uk HEP Group/Physics Dep Imperial College London, SW7 2BW Tel: +44-(0)20-75947810 http://www.hep.ph.ic.ac.uk/~dbauer/
As Simon points out to me, for a true standalone install you can run dirac-admin-get-CAs after you run "source bashrc". If you do that e.g. once a day (or whenever you want to do something with dirac) that should also fix the problem. Regards, Daniela On 22 September 2015 at 10:58, Daniela Bauer < daniela.bauer.grid@googlemail.com> wrote:
Hi Frederic,
indeed they do, hence they should be installed separately. I try to allude to this in my instructions, but clearly not well enough. I'm tempted to list this as a prerequisite (i.e. install certificates and crl cron job first, before installing the dirac UI), I was just worried it might get to confusing. If the certificate directory you are now linking to is part of a standard UI, a mechanism (yum for the certificates + cron job for the crls) to update it should already be in place, so you shouldn't have to update it again.
Regards, Daniela
On 22 September 2015 at 10:53, Frederic Brochu <brochu@hep.phy.cam.ac.uk> wrote:
Hi Daniela,
Yes, doing it solved all my problems. Here is the output of dirac-proxy-init: -sh-4.1$ dirac-proxy-init -g gridpp_user -M Generating proxy... Enter Certificate password: Added VOMS attribute /gridpp Uploading proxy for gridpp_user... Proxy generated: subject : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy/CN=proxy issuer : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy identity : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu timeleft : 23:53:59 DIRAC group : gridpp_user path : /tmp/x509up_u1008 username : frederic.brochu properties : NormalUser VOMS : True VOMS fqan : ['/gridpp']
Proxies uploaded: DN | Group | Until (GMT) /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu | gridpp_user | 2016/07/28 15:12
and the output of dirac-dms-add-file dirac-dms-add-file /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 XRay_phaseSpace360_7 UKI-NORTHGRID-LIV-HEP-disk
Uploading /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 Successfully uploaded file to UKI-NORTHGRID-LIV-HEP-disk
Thank you very much,
Frederic
P.S: This is however opening another can of worms, as I expect these certificates will require updates that are more frequent than dirac client updates.
On Tue, 22 Sep 2015, Daniela Bauer wrote:
Hi Frederic,
I think this might be related to the fact that the dirac ui has no way to automatically update the certs, crls etc. In your dirac UI, can you link etc/grid-security/certificates to whereever your standard grid UI is getting these files from (possibly /etc/grid-security/certificates or whatever X509_CERT_DIR is set to) and let me know if that helps.
Cheers, Daniela
On 22 September 2015 at 09:52, Frederic Brochu <brochu@hep.phy.cam.ac.uk
wrote: Dear all,
I am no longer able to copy and register files with dirac-dms-add-file.
This command line used to work: dirac-dms-add-file
/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_5 XRay_phaseSpace360_5 UKI-NORTHGRID-LIV-HEP-disk
But when I am doing it now with a different file, I am getting:
h-4.1$ dirac-dms-add-file
/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 XRay_phaseSpace360_7 UKI-NORTHGRID-LIV-HEP-disk
Uploading
/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 createDirectory: Failed to create directory on storage. srm:// hepgrid11.ph.liv.ac.uk:8446/srm/managerv2?SFN=/dpm/ph.liv.ac.uk/home/ gridpp/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360: SRM2Storage.__gfal_exec(gfal_ls): Execution failed. [SE][Ls][] httpg://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2: CGSI-gSOAP running on pcjp reports Error initializing context GSS Major Status: Authentication Failed
GSS Minor Status Error Chain: globus_gsi_gssapi: SSLv3 handshake problems globus_gsi_callb Error: failed to upload
/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 to UKI-NORTHGRID-LIV-HEP-disk
This is also true for any other site.
Further to this, dirac-proxy-init also complains:
dirac-proxy-init -g gridpp_user -M Generating proxy... Enter Certificate password: Could not add VOMS extensions to the proxy Failed adding VOMS attribute: Failed to set VOMS attributes. Command: voms-proxy-init -cert "/tmp/x509up_u1008" -key "/tmp/x509up_u1008" -out "/tmp/brochu/tmpuSlB4v" -voms "gridpp:/gridpp" -valid "23:54" -vomses "/var/clus/usera/brochu/gridpp/dirac_ui/etc/grid-security/vomses"; StdOut: Your identity: /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy Creating temporary proxy Done Contacting voms.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk] "gridpp" Failed
Trying next server for gridpp. Creating temporary proxy Done Contacting voms03.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk] "gridpp" Failed
Trying next server for gridpp. Creating temporary proxy Done Contacting voms02.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk] "gridpp" Failed ; StdErr: ..................................................... Error: Error during SSL handshake:error:80066405:lib(128):verify_callback:outdated CRL found, revoking all certs till you get new CRL:sslutils.c:2115 outdated CRL found, revoking all certs till you get new CRL Function: verify_callback error:80066411:lib(128):verify_callback:certificate failed verify::sslutils.c:2318 error =CRL has expired
subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B certificate failed verify: error =CRL has expired
subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B Function: verify_callback error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1172 certificate verify failed Function: SSL3_GET_SERVER_CERTIFICATE
..................................................... Error: Error during SSL handshake:error:80066405:lib(128):verify_callback:outdated CRL found, revoking all certs till you get new CRL:sslutils.c:2115 outdated CRL found, revoking all certs till you get new CRL Function: verify_callback error:80066411:lib(128):verify_callback:certificate failed verify::sslutils.c:2318 error =CRL has expired
subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B certificate failed verify: error =CRL has expired
subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B Function: verify_callback error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1172 certificate verify failed Function: SSL3_GET_SERVER_CERTIFICATE
None of the contacted servers for gridpp were capable of returning a valid AC for the user.
Are you sure you are properly registered in the VO? Uploading proxy for gridpp_user... Proxy generated: subject : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy issuer : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu identity : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu timeleft : 23:59:58 DIRAC group : gridpp_user path : /tmp/x509up_u1008 username : frederic.brochu properties : NormalUser Proxies uploaded: DN | Group | Until (GMT) /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu | gridpp_user | 2016/07/28 15:12
On the other hand, voms-proxy-init works a charm: -sh-4.1$ voms-proxy-init -voms gridpp Enter GRID pass phrase for this identity: Contacting voms03.gridpp.ac.uk:15000 [/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk] "gridpp"... Remote VOMS server contacted succesfully.
Created proxy in /tmp/x509up_u1008.
Your proxy is valid until Tue Sep 22 21:48:30 BST 2015
All this is only affecting my ability to upload and register data to storage elements. Job submission and output collection are still working fine.
Any idea? I am using the dirac version mentioned in the subject.
Best regards,
Frederic
-- _______________________________________________ Gridpp-Dirac-Users mailing list Gridpp-Dirac-Users@imperial.ac.uk https://mailman.ic.ac.uk/mailman/listinfo/gridpp-dirac-users
-- Sent from the pit of despair
----------------------------------------------------------- daniela.bauer@imperial.ac.uk HEP Group/Physics Dep Imperial College London, SW7 2BW Tel: +44-(0)20-75947810 http://www.hep.ph.ic.ac.uk/~dbauer/
-- Sent from the pit of despair
----------------------------------------------------------- daniela.bauer@imperial.ac.uk HEP Group/Physics Dep Imperial College London, SW7 2BW Tel: +44-(0)20-75947810 http://www.hep.ph.ic.ac.uk/~dbauer/
-- Sent from the pit of despair ----------------------------------------------------------- daniela.bauer@imperial.ac.uk HEP Group/Physics Dep Imperial College London, SW7 2BW Tel: +44-(0)20-75947810 http://www.hep.ph.ic.ac.uk/~dbauer/
Hi Daniela, Re: instructions Suggest we mention cron to make it clear, e.g. ------------- If there is no regularly maintained set of CAs available, run the following command periodically (e.g. with a cron): # source bashrc; dirac-admin-get-CAs ------------- But how often do you suggest? Cheers, Steve On 09/22/2015 10:58 AM, Daniela Bauer wrote:
Hi Frederic,
indeed they do, hence they should be installed separately. I try to allude to this in my instructions, but clearly not well enough. I'm tempted to list this as a prerequisite (i.e. install certificates and crl cron job first, before installing the dirac UI), I was just worried it might get to confusing. If the certificate directory you are now linking to is part of a standard UI, a mechanism (yum for the certificates + cron job for the crls) to update it should already be in place, so you shouldn't have to update it again.
Regards, Daniela
On 22 September 2015 at 10:53, Frederic Brochu <brochu@hep.phy.cam.ac.uk <mailto:brochu@hep.phy.cam.ac.uk>> wrote:
Hi Daniela,
Yes, doing it solved all my problems. Here is the output of dirac-proxy-init: -sh-4.1$ dirac-proxy-init -g gridpp_user -M Generating proxy... Enter Certificate password: Added VOMS attribute /gridpp Uploading proxy for gridpp_user... Proxy generated: subject : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy/CN=proxy issuer : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy identity : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu timeleft : 23:53:59 DIRAC group : gridpp_user path : /tmp/x509up_u1008 username : frederic.brochu properties : NormalUser VOMS : True VOMS fqan : ['/gridpp']
Proxies uploaded: DN | Group | Until (GMT) /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu | gridpp_user | 2016/07/28 15:12
and the output of dirac-dms-add-file dirac-dms-add-file /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 XRay_phaseSpace360_7 UKI-NORTHGRID-LIV-HEP-disk
Uploading /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 Successfully uploaded file to UKI-NORTHGRID-LIV-HEP-disk
Thank you very much,
Frederic
P.S: This is however opening another can of worms, as I expect these certificates will require updates that are more frequent than dirac client updates.
On Tue, 22 Sep 2015, Daniela Bauer wrote:
Hi Frederic,
I think this might be related to the fact that the dirac ui has no way to automatically update the certs, crls etc. In your dirac UI, can you link etc/grid-security/certificates to whereever your standard grid UI is getting these files from (possibly /etc/grid-security/certificates or whatever X509_CERT_DIR is set to) and let me know if that helps.
Cheers, Daniela
On 22 September 2015 at 09:52, Frederic Brochu <brochu@hep.phy.cam.ac.uk <mailto:brochu@hep.phy.cam.ac.uk>> wrote: Dear all,
I am no longer able to copy and register files with dirac-dms-add-file.
This command line used to work: dirac-dms-add-file /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_5 XRay_phaseSpace360_5 UKI-NORTHGRID-LIV-HEP-disk
But when I am doing it now with a different file, I am getting:
h-4.1$ dirac-dms-add-file /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 XRay_phaseSpace360_7 UKI-NORTHGRID-LIV-HEP-disk
Uploading /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 createDirectory: Failed to create directory on storage. srm://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2?SFN=/dpm/ph.liv.ac.uk/home/ <http://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2?SFN=/dpm/ph.liv.ac.uk/home/> gridpp/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360: SRM2Storage.__gfal_exec(gfal_ls): Execution failed. [SE][Ls][] httpg://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2 <http://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2>: CGSI-gSOAP running on pcjp reports Error initializing context GSS Major Status: Authentication Failed
GSS Minor Status Error Chain: globus_gsi_gssapi: SSLv3 handshake problems globus_gsi_callb Error: failed to upload /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 to UKI-NORTHGRID-LIV-HEP-disk
This is also true for any other site.
Further to this, dirac-proxy-init also complains:
dirac-proxy-init -g gridpp_user -M Generating proxy... Enter Certificate password: Could not add VOMS extensions to the proxy Failed adding VOMS attribute: Failed to set VOMS attributes. Command: voms-proxy-init -cert "/tmp/x509up_u1008" -key "/tmp/x509up_u1008" -out "/tmp/brochu/tmpuSlB4v" -voms "gridpp:/gridpp" -valid "23:54" -vomses "/var/clus/usera/brochu/gridpp/dirac_ui/etc/grid-security/vomses"; StdOut: Your identity: /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy Creating temporary proxy Done Contacting voms.gridpp.ac.uk:15000 <http://voms.gridpp.ac.uk:15000>
[/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk <http://voms.gridpp.ac.uk>] "gridpp" Failed
Trying next server for gridpp. Creating temporary proxy Done Contacting voms03.gridpp.ac.uk:15000 <http://voms03.gridpp.ac.uk:15000>
[/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk <http://voms03.gridpp.ac.uk>] "gridpp" Failed
Trying next server for gridpp. Creating temporary proxy Done Contacting voms02.gridpp.ac.uk:15000 <http://voms02.gridpp.ac.uk:15000>
[/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk <http://voms02.gridpp.ac.uk>] "gridpp" Failed ; StdErr: ..................................................... Error: Error during SSL handshake:error:80066405:lib(128):verify_callback:outdated CRL found, revoking all certs till you get new CRL:sslutils.c:2115 outdated CRL found, revoking all certs till you get new CRL Function: verify_callback error:80066411:lib(128):verify_callback:certificate failed verify::sslutils.c:2318 error =CRL has expired
subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk <http://voms.gridpp.ac.uk> issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B certificate failed verify: error =CRL has expired
subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk <http://voms.gridpp.ac.uk> issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B Function: verify_callback error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1172 certificate verify failed Function: SSL3_GET_SERVER_CERTIFICATE
..................................................... Error: Error during SSL handshake:error:80066405:lib(128):verify_callback:outdated CRL found, revoking all certs till you get new CRL:sslutils.c:2115 outdated CRL found, revoking all certs till you get new CRL Function: verify_callback error:80066411:lib(128):verify_callback:certificate failed verify::sslutils.c:2318 error =CRL has expired
subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk <http://voms02.gridpp.ac.uk> issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B certificate failed verify: error =CRL has expired
subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk <http://voms02.gridpp.ac.uk> issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B Function: verify_callback error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1172 certificate verify failed Function: SSL3_GET_SERVER_CERTIFICATE
None of the contacted servers for gridpp were capable of returning a valid AC for the user.
Are you sure you are properly registered in the VO? Uploading proxy for gridpp_user... Proxy generated: subject : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy issuer : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu identity : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu timeleft : 23:59:58 DIRAC group : gridpp_user path : /tmp/x509up_u1008 username : frederic.brochu properties : NormalUser Proxies uploaded: DN | Group | Until (GMT) /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu | gridpp_user | 2016/07/28 15:12
On the other hand, voms-proxy-init works a charm: -sh-4.1$ voms-proxy-init -voms gridpp Enter GRID pass phrase for this identity: Contacting voms03.gridpp.ac.uk:15000 <http://voms03.gridpp.ac.uk:15000>
[/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk <http://voms03.gridpp.ac.uk>] "gridpp"... Remote VOMS server contacted succesfully.
Created proxy in /tmp/x509up_u1008.
Your proxy is valid until Tue Sep 22 21:48:30 BST 2015
All this is only affecting my ability to upload and register data to storage elements. Job submission and output collection are still working fine.
Any idea? I am using the dirac version mentioned in the subject.
Best regards,
Frederic
-- _______________________________________________ Gridpp-Dirac-Users mailing list Gridpp-Dirac-Users@imperial.ac.uk <mailto:Gridpp-Dirac-Users@imperial.ac.uk> https://mailman.ic.ac.uk/mailman/listinfo/gridpp-dirac-users
-- Sent from the pit of despair
----------------------------------------------------------- daniela.bauer@imperial.ac.uk <mailto:daniela.bauer@imperial.ac.uk> HEP Group/Physics Dep Imperial College London, SW7 2BW Tel: +44-(0)20-75947810 <tel:%2B44-%280%2920-75947810> http://www.hep.ph.ic.ac.uk/~dbauer/ <http://www.hep.ph.ic.ac.uk/%7Edbauer/>
-- Sent from the pit of despair
----------------------------------------------------------- daniela.bauer@imperial.ac.uk <mailto:daniela.bauer@imperial.ac.uk> HEP Group/Physics Dep Imperial College London, SW7 2BW Tel: +44-(0)20-75947810 http://www.hep.ph.ic.ac.uk/~dbauer/ <http://www.hep.ph.ic.ac.uk/%7Edbauer/>
This body part will be downloaded on demand.
-- Steve Jones sjones@hep.ph.liv.ac.uk Grid System Administrator office: 220 High Energy Physics Division tel (int): 43396 Oliver Lodge Laboratory tel (ext): +44 (0)151 794 3396 University of Liverpool http://www.liv.ac.uk/physics/hep/
Apologies for butting in - but the CAs are supposed to be updated on a daily basis I understand. Maybe so too the cron? Cheers, Raja. On 22/09/15 14:33, Stephen Jones wrote:
Hi Daniela,
Re: instructions
Suggest we mention cron to make it clear, e.g.
------------- If there is no regularly maintained set of CAs available, run the following command periodically (e.g. with a cron): # source bashrc; dirac-admin-get-CAs -------------
But how often do you suggest?
Cheers,
Steve
On 09/22/2015 10:58 AM, Daniela Bauer wrote:
Hi Frederic,
indeed they do, hence they should be installed separately. I try to allude to this in my instructions, but clearly not well enough. I'm tempted to list this as a prerequisite (i.e. install certificates and crl cron job first, before installing the dirac UI), I was just worried it might get to confusing. If the certificate directory you are now linking to is part of a standard UI, a mechanism (yum for the certificates + cron job for the crls) to update it should already be in place, so you shouldn't have to update it again.
Regards, Daniela
On 22 September 2015 at 10:53, Frederic Brochu <brochu@hep.phy.cam.ac.uk <mailto:brochu@hep.phy.cam.ac.uk>> wrote:
Hi Daniela,
Yes, doing it solved all my problems. Here is the output of dirac-proxy-init: -sh-4.1$ dirac-proxy-init -g gridpp_user -M Generating proxy... Enter Certificate password: Added VOMS attribute /gridpp Uploading proxy for gridpp_user... Proxy generated: subject : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy/CN=proxy issuer : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy identity : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu timeleft : 23:53:59 DIRAC group : gridpp_user path : /tmp/x509up_u1008 username : frederic.brochu properties : NormalUser VOMS : True VOMS fqan : ['/gridpp']
Proxies uploaded: DN | Group | Until (GMT) /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu | gridpp_user | 2016/07/28 15:12
and the output of dirac-dms-add-file dirac-dms-add-file /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 XRay_phaseSpace360_7 UKI-NORTHGRID-LIV-HEP-disk
Uploading /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 Successfully uploaded file to UKI-NORTHGRID-LIV-HEP-disk
Thank you very much,
Frederic
P.S: This is however opening another can of worms, as I expect these certificates will require updates that are more frequent than dirac client updates.
On Tue, 22 Sep 2015, Daniela Bauer wrote:
Hi Frederic,
I think this might be related to the fact that the dirac ui has no way to automatically update the certs, crls etc. In your dirac UI, can you link etc/grid-security/certificates to whereever your standard grid UI is getting these files from (possibly /etc/grid-security/certificates or whatever X509_CERT_DIR is set to) and let me know if that helps.
Cheers, Daniela
On 22 September 2015 at 09:52, Frederic Brochu <brochu@hep.phy.cam.ac.uk <mailto:brochu@hep.phy.cam.ac.uk>> wrote: Dear all,
I am no longer able to copy and register files with dirac-dms-add-file.
This command line used to work: dirac-dms-add-file /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_5 XRay_phaseSpace360_5 UKI-NORTHGRID-LIV-HEP-disk
But when I am doing it now with a different file, I am getting:
h-4.1$ dirac-dms-add-file /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 XRay_phaseSpace360_7 UKI-NORTHGRID-LIV-HEP-disk
Uploading /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 createDirectory: Failed to create directory on storage. srm://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2?SFN=/dpm/ph.liv.ac.uk/home/ <http://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2?SFN=/dpm/ph.liv.ac.uk/home/> gridpp/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360: SRM2Storage.__gfal_exec(gfal_ls): Execution failed. [SE][Ls][] httpg://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2 <http://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2>: CGSI-gSOAP running on pcjp reports Error initializing context GSS Major Status: Authentication Failed
GSS Minor Status Error Chain: globus_gsi_gssapi: SSLv3 handshake problems globus_gsi_callb Error: failed to upload /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 to UKI-NORTHGRID-LIV-HEP-disk
This is also true for any other site.
Further to this, dirac-proxy-init also complains:
dirac-proxy-init -g gridpp_user -M Generating proxy... Enter Certificate password: Could not add VOMS extensions to the proxy Failed adding VOMS attribute: Failed to set VOMS attributes. Command: voms-proxy-init -cert "/tmp/x509up_u1008" -key "/tmp/x509up_u1008" -out "/tmp/brochu/tmpuSlB4v" -voms "gridpp:/gridpp" -valid "23:54" -vomses "/var/clus/usera/brochu/gridpp/dirac_ui/etc/grid-security/vomses"; StdOut: Your identity: /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy Creating temporary proxy Done Contacting voms.gridpp.ac.uk:15000 <http://voms.gridpp.ac.uk:15000> [/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk <http://voms.gridpp.ac.uk>] "gridpp" Failed
Trying next server for gridpp. Creating temporary proxy Done Contacting voms03.gridpp.ac.uk:15000 <http://voms03.gridpp.ac.uk:15000> [/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk <http://voms03.gridpp.ac.uk>] "gridpp" Failed
Trying next server for gridpp. Creating temporary proxy Done Contacting voms02.gridpp.ac.uk:15000 <http://voms02.gridpp.ac.uk:15000> [/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk <http://voms02.gridpp.ac.uk>] "gridpp" Failed ; StdErr: ..................................................... Error: Error during SSL handshake:error:80066405:lib(128):verify_callback:outdated CRL found, revoking all certs till you get new CRL:sslutils.c:2115 outdated CRL found, revoking all certs till you get new CRL Function: verify_callback error:80066411:lib(128):verify_callback:certificate failed verify::sslutils.c:2318 error =CRL has expired
subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk <http://voms.gridpp.ac.uk> issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B certificate failed verify: error =CRL has expired
subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk <http://voms.gridpp.ac.uk> issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B Function: verify_callback error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1172 certificate verify failed Function: SSL3_GET_SERVER_CERTIFICATE
..................................................... Error: Error during SSL handshake:error:80066405:lib(128):verify_callback:outdated CRL found, revoking all certs till you get new CRL:sslutils.c:2115 outdated CRL found, revoking all certs till you get new CRL Function: verify_callback error:80066411:lib(128):verify_callback:certificate failed verify::sslutils.c:2318 error =CRL has expired
subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk <http://voms02.gridpp.ac.uk> issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B certificate failed verify: error =CRL has expired
subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk <http://voms02.gridpp.ac.uk> issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B Function: verify_callback error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1172 certificate verify failed Function: SSL3_GET_SERVER_CERTIFICATE
None of the contacted servers for gridpp were capable of returning a valid AC for the user.
Are you sure you are properly registered in the VO? Uploading proxy for gridpp_user... Proxy generated: subject : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy issuer : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu identity : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu timeleft : 23:59:58 DIRAC group : gridpp_user path : /tmp/x509up_u1008 username : frederic.brochu properties : NormalUser Proxies uploaded: DN | Group | Until (GMT) /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu | gridpp_user | 2016/07/28 15:12
On the other hand, voms-proxy-init works a charm: -sh-4.1$ voms-proxy-init -voms gridpp Enter GRID pass phrase for this identity: Contacting voms03.gridpp.ac.uk:15000 <http://voms03.gridpp.ac.uk:15000> [/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk <http://voms03.gridpp.ac.uk>] "gridpp"... Remote VOMS server contacted succesfully.
Created proxy in /tmp/x509up_u1008.
Your proxy is valid until Tue Sep 22 21:48:30 BST 2015
All this is only affecting my ability to upload and register data to storage elements. Job submission and output collection are still working fine.
Any idea? I am using the dirac version mentioned in the subject.
Best regards,
Frederic
-- _______________________________________________ Gridpp-Dirac-Users mailing list Gridpp-Dirac-Users@imperial.ac.uk <mailto:Gridpp-Dirac-Users@imperial.ac.uk> https://mailman.ic.ac.uk/mailman/listinfo/gridpp-dirac-users
-- Sent from the pit of despair
----------------------------------------------------------- daniela.bauer@imperial.ac.uk <mailto:daniela.bauer@imperial.ac.uk> HEP Group/Physics Dep Imperial College London, SW7 2BW Tel: +44-(0)20-75947810 <tel:%2B44-%280%2920-75947810> http://www.hep.ph.ic.ac.uk/~dbauer/ <http://www.hep.ph.ic.ac.uk/%7Edbauer/>
-- Sent from the pit of despair
----------------------------------------------------------- daniela.bauer@imperial.ac.uk <mailto:daniela.bauer@imperial.ac.uk> HEP Group/Physics Dep Imperial College London, SW7 2BW Tel: +44-(0)20-75947810 http://www.hep.ph.ic.ac.uk/~dbauer/ <http://www.hep.ph.ic.ac.uk/%7Edbauer/>
This body part will be downloaded on demand.
Hi, So, certainly, the CRLs should be updated on at least a 24 hour basis (most services with a fetch-crl actually do it every 8 hours or so). Running it once at the start of the day should probably be sufficient? Sam On Tue, 22 Sep 2015 at 14:36 Raja Nandakumar <raja.nandakumar@cern.ch> wrote:
Apologies for butting in - but the CAs are supposed to be updated on a daily basis I understand. Maybe so too the cron?
Cheers, Raja.
On 22/09/15 14:33, Stephen Jones wrote:
Hi Daniela,
Re: instructions
Suggest we mention cron to make it clear, e.g.
------------- If there is no regularly maintained set of CAs available, run the following command periodically (e.g. with a cron): # source bashrc; dirac-admin-get-CAs -------------
But how often do you suggest?
Cheers,
Steve
On 09/22/2015 10:58 AM, Daniela Bauer wrote:
Hi Frederic,
indeed they do, hence they should be installed separately. I try to allude to this in my instructions, but clearly not well enough. I'm tempted to list this as a prerequisite (i.e. install certificates and crl cron job first, before installing the dirac UI), I was just worried it might get to confusing. If the certificate directory you are now linking to is part of a standard UI, a mechanism (yum for the certificates + cron job for the crls) to update it should already be in place, so you shouldn't have to update it again.
Regards, Daniela
On 22 September 2015 at 10:53, Frederic Brochu < brochu@hep.phy.cam.ac.uk <mailto:brochu@hep.phy.cam.ac.uk>> wrote:
Hi Daniela,
Yes, doing it solved all my problems. Here is the output of dirac-proxy-init: -sh-4.1$ dirac-proxy-init -g gridpp_user -M Generating proxy... Enter Certificate password: Added VOMS attribute /gridpp Uploading proxy for gridpp_user... Proxy generated: subject : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy/CN=proxy issuer : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy identity : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu timeleft : 23:53:59 DIRAC group : gridpp_user path : /tmp/x509up_u1008 username : frederic.brochu properties : NormalUser VOMS : True VOMS fqan : ['/gridpp']
Proxies uploaded: DN | Group | Until (GMT) /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu | gridpp_user | 2016/07/28 15:12
and the output of dirac-dms-add-file dirac-dms-add-file
/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7
XRay_phaseSpace360_7 UKI-NORTHGRID-LIV-HEP-disk
Uploading
/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7
Successfully uploaded file to UKI-NORTHGRID-LIV-HEP-disk
Thank you very much,
Frederic
P.S: This is however opening another can of worms, as I expect these certificates will require updates that are more frequent than dirac client updates.
On Tue, 22 Sep 2015, Daniela Bauer wrote:
Hi Frederic,
I think this might be related to the fact that the dirac ui has no way to automatically update the certs, crls etc. In your dirac UI, can you link etc/grid-security/certificates to whereever your standard grid UI is getting these files from (possibly /etc/grid-security/certificates or whatever X509_CERT_DIR is set to) and let me know if that helps.
Cheers, Daniela
On 22 September 2015 at 09:52, Frederic Brochu <brochu@hep.phy.cam.ac.uk <mailto:brochu@hep.phy.cam.ac.uk>> wrote: Dear all,
I am no longer able to copy and register files with dirac-dms-add-file.
This command line used to work: dirac-dms-add-file
/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_5
XRay_phaseSpace360_5 UKI-NORTHGRID-LIV-HEP-disk
But when I am doing it now with a different file, I am getting:
h-4.1$ dirac-dms-add-file
/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7
XRay_phaseSpace360_7 UKI-NORTHGRID-LIV-HEP-disk
Uploading
/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7
createDirectory: Failed to create directory on storage. srm://
hepgrid11.ph.liv.ac.uk:8446/srm/managerv2?SFN=/dpm/ph.liv.ac.uk/home/
<
http://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2?SFN=/dpm/ph.liv.ac.uk/home/
gridpp/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360: SRM2Storage.__gfal_exec(gfal_ls): Execution failed. [SE][Ls][] httpg://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2 <http://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2>: CGSI-gSOAP running on pcjp reports Error initializing context GSS Major Status: Authentication Failed
GSS Minor Status Error Chain: globus_gsi_gssapi: SSLv3 handshake problems globus_gsi_callb Error: failed to upload
/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7
to UKI-NORTHGRID-LIV-HEP-disk
This is also true for any other site.
Further to this, dirac-proxy-init also complains:
dirac-proxy-init -g gridpp_user -M Generating proxy... Enter Certificate password: Could not add VOMS extensions to the proxy Failed adding VOMS attribute: Failed to set VOMS
attributes.
Command: voms-proxy-init -cert "/tmp/x509up_u1008" -key "/tmp/x509up_u1008" -out "/tmp/brochu/tmpuSlB4v" -voms "gridpp:/gridpp" -valid "23:54" -vomses
"/var/clus/usera/brochu/gridpp/dirac_ui/etc/grid-security/vomses";
StdOut: Your identity: /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy Creating temporary proxy Done Contacting voms.gridpp.ac.uk:15000 <http://voms.gridpp.ac.uk:15000> [/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk <http://voms.gridpp.ac.uk>] "gridpp" Failed
Trying next server for gridpp. Creating temporary proxy Done Contacting voms03.gridpp.ac.uk:15000 <http://voms03.gridpp.ac.uk:15000> [/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk <http://voms03.gridpp.ac.uk>] "gridpp" Failed
Trying next server for gridpp. Creating temporary proxy Done Contacting voms02.gridpp.ac.uk:15000 <http://voms02.gridpp.ac.uk:15000> [/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk <http://voms02.gridpp.ac.uk>] "gridpp" Failed ; StdErr: ..................................................... Error: Error during SSL handshake:error:80066405:lib(128):verify_callback:outdated CRL found, revoking all certs till you get new CRL:sslutils.c:2115 outdated CRL found, revoking all certs till you get new
CRL
Function: verify_callback error:80066411:lib(128):verify_callback:certificate failed verify::sslutils.c:2318 error =CRL has expired
subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=
voms.gridpp.ac.uk
<http://voms.gridpp.ac.uk> issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B certificate failed verify: error =CRL has expired
subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=
voms.gridpp.ac.uk
<http://voms.gridpp.ac.uk> issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B Function: verify_callback error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1172 certificate verify failed Function: SSL3_GET_SERVER_CERTIFICATE
..................................................... Error: Error during SSL handshake:error:80066405:lib(128):verify_callback:outdated CRL found, revoking all certs till you get new CRL:sslutils.c:2115 outdated CRL found, revoking all certs till you get new
CRL
Function: verify_callback error:80066411:lib(128):verify_callback:certificate failed verify::sslutils.c:2318 error =CRL has expired
subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=
voms02.gridpp.ac.uk
<http://voms02.gridpp.ac.uk> issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B certificate failed verify: error =CRL has expired
subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=
voms02.gridpp.ac.uk
<http://voms02.gridpp.ac.uk> issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B Function: verify_callback error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1172 certificate verify failed Function: SSL3_GET_SERVER_CERTIFICATE
None of the contacted servers for gridpp were capable of returning a valid AC for the user.
Are you sure you are properly registered in the VO? Uploading proxy for gridpp_user... Proxy generated: subject : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy issuer : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu identity : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu timeleft : 23:59:58 DIRAC group : gridpp_user path : /tmp/x509up_u1008 username : frederic.brochu properties : NormalUser Proxies uploaded: DN | Group | Until (GMT) /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu | gridpp_user | 2016/07/28 15:12
On the other hand, voms-proxy-init works a charm: -sh-4.1$ voms-proxy-init -voms gridpp Enter GRID pass phrase for this identity: Contacting voms03.gridpp.ac.uk:15000 <http://voms03.gridpp.ac.uk:15000> [/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk <http://voms03.gridpp.ac.uk>] "gridpp"... Remote VOMS server contacted succesfully.
Created proxy in /tmp/x509up_u1008.
Your proxy is valid until Tue Sep 22 21:48:30 BST 2015
All this is only affecting my ability to upload and
register
data to storage elements. Job submission and output collection are still working fine.
Any idea? I am using the dirac version mentioned in the subject.
Best regards,
Frederic
-- _______________________________________________ Gridpp-Dirac-Users mailing list Gridpp-Dirac-Users@imperial.ac.uk <mailto:Gridpp-Dirac-Users@imperial.ac.uk> https://mailman.ic.ac.uk/mailman/listinfo/gridpp-dirac-users
-- Sent from the pit of despair
----------------------------------------------------------- daniela.bauer@imperial.ac.uk <mailto:
daniela.bauer@imperial.ac.uk>
HEP Group/Physics Dep Imperial College London, SW7 2BW Tel: +44-(0)20-75947810 <tel:%2B44-%280%2920-75947810> http://www.hep.ph.ic.ac.uk/~dbauer/ <http://www.hep.ph.ic.ac.uk/%7Edbauer/>
-- Sent from the pit of despair
----------------------------------------------------------- daniela.bauer@imperial.ac.uk <mailto:daniela.bauer@imperial.ac.uk> HEP Group/Physics Dep Imperial College London, SW7 2BW Tel: +44-(0)20-75947810 http://www.hep.ph.ic.ac.uk/~dbauer/ <
http://www.hep.ph.ic.ac.uk/%7Edbauer/>
This body part will be downloaded on demand.
-- _______________________________________________ Gridpp-Dirac-Users mailing list Gridpp-Dirac-Users@imperial.ac.uk https://mailman.ic.ac.uk/mailman/listinfo/gridpp-dirac-users
Hi Sam, Fetch-crl is (I think) another thing to think about. I believe CRLs are put out in order to ban bad apples. We update them on systems that might do user authentication, i.e. our CEs, WNs, our ARGUS server and our DPM systems. Since we use ARGUS for the CEs and WNs, I suspect fetch-crl is not needed there. But it happens, for historical reasons. But do UIs need fetch-crl? Who knows the most about this sort of thing? In any-case, just to make it work, it looks like we need the CAs to be done 'now and again'. Cheers, Steve On 09/22/2015 02:38 PM, Sam Skipsey wrote:
Hi,
So, certainly, the CRLs should be updated on at least a 24 hour basis (most services with a fetch-crl actually do it every 8 hours or so). Running it once at the start of the day should probably be sufficient?
Sam
On Tue, 22 Sep 2015 at 14:36 Raja Nandakumar <raja.nandakumar@cern.ch <mailto:raja.nandakumar@cern.ch>> wrote:
Apologies for butting in - but the CAs are supposed to be updated on a daily basis I understand. Maybe so too the cron?
Cheers, Raja.
On 22/09/15 14:33, Stephen Jones wrote: > Hi Daniela, > > Re: instructions > > Suggest we mention cron to make it clear, e.g. > > ------------- > If there is no regularly maintained set of CAs available, run the following command periodically (e.g. with a cron): > # source bashrc; dirac-admin-get-CAs > ------------- > > But how often do you suggest? > > Cheers, > > Steve > > > > On 09/22/2015 10:58 AM, Daniela Bauer wrote: >> Hi Frederic, >> >> indeed they do, hence they should be installed separately. I try to allude to this in my instructions, but clearly not well enough. I'm tempted to list this as a prerequisite (i.e. install certificates and crl cron job first, before installing the dirac UI), I was just worried it might get to confusing. >> If the certificate directory you are now linking to is part of a standard UI, a mechanism (yum for the certificates + cron job for the crls) to update it should already be in place, so you shouldn't have to update it again. >> >> Regards, >> Daniela >> >> On 22 September 2015 at 10:53, Frederic Brochu <brochu@hep.phy.cam.ac.uk <mailto:brochu@hep.phy.cam.ac.uk> <mailto:brochu@hep.phy.cam.ac.uk <mailto:brochu@hep.phy.cam.ac.uk>>> wrote: >> >> Hi Daniela, >> >> Yes, doing it solved all my problems. >> Here is the output of dirac-proxy-init: >> -sh-4.1$ dirac-proxy-init -g gridpp_user -M >> Generating proxy... >> Enter Certificate password: >> Added VOMS attribute /gridpp >> Uploading proxy for gridpp_user... >> Proxy generated: >> subject : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic >> brochu/CN=proxy/CN=proxy >> issuer : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic >> brochu/CN=proxy >> identity : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu >> timeleft : 23:53:59 >> DIRAC group : gridpp_user >> path : /tmp/x509up_u1008 >> username : frederic.brochu >> properties : NormalUser >> VOMS : True >> VOMS fqan : ['/gridpp'] >> >> Proxies uploaded: >> DN | Group | Until (GMT) >> /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu | >> gridpp_user | 2016/07/28 15:12 >> >> and the output of dirac-dms-add-file >> dirac-dms-add-file >> /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 >> XRay_phaseSpace360_7 UKI-NORTHGRID-LIV-HEP-disk >> >> Uploading >> /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 >> Successfully uploaded file to UKI-NORTHGRID-LIV-HEP-disk >> >> >> Thank you very much, >> >> Frederic >> >> P.S: This is however opening another can of worms, as I expect >> these certificates will require updates that are more frequent >> than dirac client updates. >> >> >> >> On Tue, 22 Sep 2015, Daniela Bauer wrote: >> >> Hi Frederic, >> >> I think this might be related to the fact that the dirac ui >> has no way to >> automatically update the certs, crls etc. >> In your dirac UI, can you link etc/grid-security/certificates >> to whereever >> your standard grid UI is getting these files from (possibly >> /etc/grid-security/certificates or whatever X509_CERT_DIR is >> set to) and let >> me know if that helps. >> >> Cheers, >> Daniela >> >> >> >> On 22 September 2015 at 09:52, Frederic Brochu >> <brochu@hep.phy.cam.ac.uk <mailto:brochu@hep.phy.cam.ac.uk> <mailto:brochu@hep.phy.cam.ac.uk <mailto:brochu@hep.phy.cam.ac.uk>>> >> wrote: >> Dear all, >> >> I am no longer able to copy and register files with >> dirac-dms-add-file. >> >> This command line used to work: >> dirac-dms-add-file >> /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_5 >> XRay_phaseSpace360_5 UKI-NORTHGRID-LIV-HEP-disk >> >> But when I am doing it now with a different file, I am >> getting: >> >> h-4.1$ dirac-dms-add-file >> /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 >> XRay_phaseSpace360_7 UKI-NORTHGRID-LIV-HEP-disk >> >> Uploading >> /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 >> createDirectory: Failed to create directory on storage. >> srm://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2?SFN=/dpm/ph.liv.ac.uk/home/ <http://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2?SFN=/dpm/ph.liv.ac.uk/home/> >> <http://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2?SFN=/dpm/ph.liv.ac.uk/home/> >> gridpp/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360: >> SRM2Storage.__gfal_exec(gfal_ls): Execution failed. >> [SE][Ls][] >> httpg://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2 <http://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2> >> <http://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2>: CGSI-gSOAP >> running on pcjp reports Error initializing context >> GSS Major Status: Authentication Failed >> >> GSS Minor Status Error Chain: >> globus_gsi_gssapi: SSLv3 handshake problems >> globus_gsi_callb >> Error: failed to upload >> /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 >> to UKI-NORTHGRID-LIV-HEP-disk >> >> This is also true for any other site. >> >> Further to this, dirac-proxy-init also complains: >> >> dirac-proxy-init -g gridpp_user -M >> Generating proxy... >> Enter Certificate password: >> Could not add VOMS extensions to the proxy >> Failed adding VOMS attribute: Failed to set VOMS attributes. >> Command: voms-proxy-init -cert "/tmp/x509up_u1008" -key >> "/tmp/x509up_u1008" -out "/tmp/brochu/tmpuSlB4v" -voms >> "gridpp:/gridpp" -valid "23:54" -vomses >> "/var/clus/usera/brochu/gridpp/dirac_ui/etc/grid-security/vomses"; >> StdOut: Your identity: >> /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic >> brochu/CN=proxy >> Creating temporary proxy Done >> Contacting voms.gridpp.ac.uk:15000 <http://voms.gridpp.ac.uk:15000> >> <http://voms.gridpp.ac.uk:15000> >> [/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk <http://voms.gridpp.ac.uk> >> <http://voms.gridpp.ac.uk>] >> "gridpp" Failed >> >> Trying next server for gridpp. >> Creating temporary proxy Done >> Contacting voms03.gridpp.ac.uk:15000 <http://voms03.gridpp.ac.uk:15000> >> <http://voms03.gridpp.ac.uk:15000> >> [/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk <http://voms03.gridpp.ac.uk> >> <http://voms03.gridpp.ac.uk>] >> "gridpp" Failed >> >> Trying next server for gridpp. >> Creating temporary proxy Done >> Contacting voms02.gridpp.ac.uk:15000 <http://voms02.gridpp.ac.uk:15000> >> <http://voms02.gridpp.ac.uk:15000> >> [/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk <http://voms02.gridpp.ac.uk> >> <http://voms02.gridpp.ac.uk>] >> "gridpp" Failed >> ; StdErr: >> ..................................................... >> Error: Error during SSL >> handshake:error:80066405:lib(128):verify_callback:outdated CRL >> found, revoking all certs till you get new >> CRL:sslutils.c:2115 >> outdated CRL found, revoking all certs till you get new CRL >> Function: verify_callback >> error:80066411:lib(128):verify_callback:certificate failed >> verify::sslutils.c:2318 >> error =CRL has expired >> >> subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk <http://voms.gridpp.ac.uk> >> <http://voms.gridpp.ac.uk> >> issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK >> e-Science >> CA 2B >> certificate failed verify: >> error =CRL has expired >> >> subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk <http://voms.gridpp.ac.uk> >> <http://voms.gridpp.ac.uk> >> issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK >> e-Science >> CA 2B >> Function: verify_callback >> error:14090086:SSL >> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify >> failed:s3_clnt.c:1172 >> certificate verify failed >> Function: SSL3_GET_SERVER_CERTIFICATE >> >> ..................................................... >> Error: Error during SSL >> handshake:error:80066405:lib(128):verify_callback:outdated CRL >> found, revoking all certs till you get new >> CRL:sslutils.c:2115 >> outdated CRL found, revoking all certs till you get new CRL >> Function: verify_callback >> error:80066411:lib(128):verify_callback:certificate failed >> verify::sslutils.c:2318 >> error =CRL has expired >> >> subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk <http://voms02.gridpp.ac.uk> >> <http://voms02.gridpp.ac.uk> >> issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK >> e-Science >> CA 2B >> certificate failed verify: >> error =CRL has expired >> >> subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk <http://voms02.gridpp.ac.uk> >> <http://voms02.gridpp.ac.uk> >> issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK >> e-Science >> CA 2B >> Function: verify_callback >> error:14090086:SSL >> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify >> failed:s3_clnt.c:1172 >> certificate verify failed >> Function: SSL3_GET_SERVER_CERTIFICATE >> >> None of the contacted servers for gridpp were capable >> of returning a valid AC for the user. >> >> >> Are you sure you are properly registered in the VO? >> Uploading proxy for gridpp_user... >> Proxy generated: >> subject : >> /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic >> brochu/CN=proxy >> issuer : >> /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic >> brochu >> identity : >> /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic >> brochu >> timeleft : 23:59:58 >> DIRAC group : gridpp_user >> path : /tmp/x509up_u1008 >> username : frederic.brochu >> properties : NormalUser >> Proxies uploaded: >> DN | Group >> | Until (GMT) >> /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu | >> gridpp_user | 2016/07/28 15:12 >> >> >> On the other hand, voms-proxy-init works a charm: >> -sh-4.1$ voms-proxy-init -voms gridpp >> Enter GRID pass phrase for this identity: >> Contacting voms03.gridpp.ac.uk:15000 <http://voms03.gridpp.ac.uk:15000> >> <http://voms03.gridpp.ac.uk:15000> >> [/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk <http://voms03.gridpp.ac.uk> >> <http://voms03.gridpp.ac.uk>] >> "gridpp"... >> Remote VOMS server contacted succesfully. >> >> >> Created proxy in /tmp/x509up_u1008. >> >> Your proxy is valid until Tue Sep 22 21:48:30 BST 2015 >> >> >> All this is only affecting my ability to upload and register >> data to storage elements. Job submission and output >> collection >> are still working fine. >> >> Any idea? I am using the dirac version mentioned in the >> subject. >> >> Best regards, >> >> Frederic >> >> >> -- >> _______________________________________________ >> Gridpp-Dirac-Users mailing list >> Gridpp-Dirac-Users@imperial.ac.uk <mailto:Gridpp-Dirac-Users@imperial.ac.uk> >> <mailto:Gridpp-Dirac-Users@imperial.ac.uk <mailto:Gridpp-Dirac-Users@imperial.ac.uk>> >> https://mailman.ic.ac.uk/mailman/listinfo/gridpp-dirac-users >> >> >> >> >> -- >> Sent from the pit of despair >> >> ----------------------------------------------------------- >> daniela.bauer@imperial.ac.uk <mailto:daniela.bauer@imperial.ac.uk> <mailto:daniela.bauer@imperial.ac.uk <mailto:daniela.bauer@imperial.ac.uk>> >> HEP Group/Physics Dep >> Imperial College >> London, SW7 2BW >> Tel: +44-(0)20-75947810 <tel:%2B44-%280%2920-75947810> >> http://www.hep.ph.ic.ac.uk/~dbauer/ <http://www.hep.ph.ic.ac.uk/%7Edbauer/> >> <http://www.hep.ph.ic.ac.uk/%7Edbauer/> >> >> >> >> >> -- >> Sent from the pit of despair >> >> ----------------------------------------------------------- >> daniela.bauer@imperial.ac.uk <mailto:daniela.bauer@imperial.ac.uk> <mailto:daniela.bauer@imperial.ac.uk <mailto:daniela.bauer@imperial.ac.uk>> >> HEP Group/Physics Dep >> Imperial College >> London, SW7 2BW >> Tel: +44-(0)20-75947810 >> http://www.hep.ph.ic.ac.uk/~dbauer/ <http://www.hep.ph.ic.ac.uk/%7Edbauer/> <http://www.hep.ph.ic.ac.uk/%7Edbauer/> >> >> >> This body part will be downloaded on demand. > >
-- _______________________________________________ Gridpp-Dirac-Users mailing list Gridpp-Dirac-Users@imperial.ac.uk <mailto:Gridpp-Dirac-Users@imperial.ac.uk> https://mailman.ic.ac.uk/mailman/listinfo/gridpp-dirac-users
This body part will be downloaded on demand.
-- Steve Jones sjones@hep.ph.liv.ac.uk Grid System Administrator office: 220 High Energy Physics Division tel (int): 43396 Oliver Lodge Laboratory tel (ext): +44 (0)151 794 3396 University of Liverpool http://www.liv.ac.uk/physics/hep/
Hi Steve, Actually, just from reading the initial error message in the first email in this thread, the issue that Frederic had was precisely with CRL freshness and not the CAs themselves (and Daniela actually does mention that in her reply). It so happens that the dirac tool for "getting CAs" also gets an up-to-date CRL for each CA cert as well, which is what fixes the problem in this instance. (Most, if not all, tools which rely on X509 authentication will reject CA chains with a stale CRL for that CA, as they can't guarantee that the cert presented has not been revoked since the last time they refreshed the CRL. That's what was happening here.) Sam On Tue, 22 Sep 2015 at 15:47 Stephen Jones <sjones@hep.ph.liv.ac.uk> wrote:
Hi Sam,
Fetch-crl is (I think) another thing to think about. I believe CRLs are put out in order to ban bad apples. We update them on systems that might do user authentication, i.e. our CEs, WNs, our ARGUS server and our DPM systems. Since we use ARGUS for the CEs and WNs, I suspect fetch-crl is not needed there. But it happens, for historical reasons.
But do UIs need fetch-crl? Who knows the most about this sort of thing?
In any-case, just to make it work, it looks like we need the CAs to be done 'now and again'.
Cheers,
Steve
On 09/22/2015 02:38 PM, Sam Skipsey wrote:
Hi,
So, certainly, the CRLs should be updated on at least a 24 hour basis (most services with a fetch-crl actually do it every 8 hours or so). Running it once at the start of the day should probably be sufficient?
Sam
On Tue, 22 Sep 2015 at 14:36 Raja Nandakumar <raja.nandakumar@cern.ch <mailto:raja.nandakumar@cern.ch>> wrote:
Apologies for butting in - but the CAs are supposed to be updated on a daily basis I understand. Maybe so too the cron?
Cheers, Raja.
On 22/09/15 14:33, Stephen Jones wrote: > Hi Daniela, > > Re: instructions > > Suggest we mention cron to make it clear, e.g. > > ------------- > If there is no regularly maintained set of CAs available, run the following command periodically (e.g. with a cron): > # source bashrc; dirac-admin-get-CAs > ------------- > > But how often do you suggest? > > Cheers, > > Steve > > > > On 09/22/2015 10:58 AM, Daniela Bauer wrote: >> Hi Frederic, >> >> indeed they do, hence they should be installed separately. I try to allude to this in my instructions, but clearly not well enough. I'm tempted to list this as a prerequisite (i.e. install certificates and crl cron job first, before installing the dirac UI), I was just worried it might get to confusing. >> If the certificate directory you are now linking to is part of a standard UI, a mechanism (yum for the certificates + cron job for the crls) to update it should already be in place, so you shouldn't have to update it again. >> >> Regards, >> Daniela >> >> On 22 September 2015 at 10:53, Frederic Brochu <brochu@hep.phy.cam.ac.uk <mailto:brochu@hep.phy.cam.ac.uk> <mailto:brochu@hep.phy.cam.ac.uk <mailto:brochu@hep.phy.cam.ac.uk>>> wrote: >> >> Hi Daniela, >> >> Yes, doing it solved all my problems. >> Here is the output of dirac-proxy-init: >> -sh-4.1$ dirac-proxy-init -g gridpp_user -M >> Generating proxy... >> Enter Certificate password: >> Added VOMS attribute /gridpp >> Uploading proxy for gridpp_user... >> Proxy generated: >> subject : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic >> brochu/CN=proxy/CN=proxy >> issuer : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic >> brochu/CN=proxy >> identity : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu >> timeleft : 23:53:59 >> DIRAC group : gridpp_user >> path : /tmp/x509up_u1008 >> username : frederic.brochu >> properties : NormalUser >> VOMS : True >> VOMS fqan : ['/gridpp'] >> >> Proxies uploaded: >> DN | Group | Until (GMT) >> /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu | >> gridpp_user | 2016/07/28 15:12 >> >> and the output of dirac-dms-add-file >> dirac-dms-add-file >>
/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7
>> XRay_phaseSpace360_7 UKI-NORTHGRID-LIV-HEP-disk >> >> Uploading >>
/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7
>> Successfully uploaded file to UKI-NORTHGRID-LIV-HEP-disk >> >> >> Thank you very much, >> >> Frederic >> >> P.S: This is however opening another can of worms, as I expect >> these certificates will require updates that are more frequent >> than dirac client updates. >> >> >> >> On Tue, 22 Sep 2015, Daniela Bauer wrote: >> >> Hi Frederic, >> >> I think this might be related to the fact that the dirac
ui
>> has no way to >> automatically update the certs, crls etc. >> In your dirac UI, can you link etc/grid-security/certificates >> to whereever >> your standard grid UI is getting these files from (possibly >> /etc/grid-security/certificates or whatever X509_CERT_DIR is >> set to) and let >> me know if that helps. >> >> Cheers, >> Daniela >> >> >> >> On 22 September 2015 at 09:52, Frederic Brochu >> <brochu@hep.phy.cam.ac.uk <mailto:brochu@hep.phy.cam.ac.uk> <mailto:brochu@hep.phy.cam.ac.uk <mailto:brochu@hep.phy.cam.ac.uk>>> >> wrote: >> Dear all, >> >> I am no longer able to copy and register files with >> dirac-dms-add-file. >> >> This command line used to work: >> dirac-dms-add-file >>
/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_5
>> XRay_phaseSpace360_5 UKI-NORTHGRID-LIV-HEP-disk >> >> But when I am doing it now with a different file, I am >> getting: >> >> h-4.1$ dirac-dms-add-file >>
/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7
>> XRay_phaseSpace360_7 UKI-NORTHGRID-LIV-HEP-disk >> >> Uploading >>
/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7
>> createDirectory: Failed to create directory on storage. >> srm://
hepgrid11.ph.liv.ac.uk:8446/srm/managerv2?SFN=/dpm/ph.liv.ac.uk/home/
<
http://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2?SFN=/dpm/ph.liv.ac.uk/home/
>> <
http://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2?SFN=/dpm/ph.liv.ac.uk/home/
>> gridpp/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360: >> SRM2Storage.__gfal_exec(gfal_ls): Execution failed. >> [SE][Ls][] >> httpg://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2 <http://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2> >> <http://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2>: CGSI-gSOAP >> running on pcjp reports Error initializing context >> GSS Major Status: Authentication Failed >> >> GSS Minor Status Error Chain: >> globus_gsi_gssapi: SSLv3 handshake problems >> globus_gsi_callb >> Error: failed to upload >>
/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7
>> to UKI-NORTHGRID-LIV-HEP-disk >> >> This is also true for any other site. >> >> Further to this, dirac-proxy-init also complains: >> >> dirac-proxy-init -g gridpp_user -M >> Generating proxy... >> Enter Certificate password: >> Could not add VOMS extensions to the proxy >> Failed adding VOMS attribute: Failed to set VOMS attributes. >> Command: voms-proxy-init -cert "/tmp/x509up_u1008" -key >> "/tmp/x509up_u1008" -out "/tmp/brochu/tmpuSlB4v" -voms >> "gridpp:/gridpp" -valid "23:54" -vomses >>
"/var/clus/usera/brochu/gridpp/dirac_ui/etc/grid-security/vomses";
>> StdOut: Your identity: >> /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic >> brochu/CN=proxy >> Creating temporary proxy Done >> Contacting voms.gridpp.ac.uk:15000 <http://voms.gridpp.ac.uk:15000> >> <http://voms.gridpp.ac.uk:15000> >> [/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk <http://voms.gridpp.ac.uk> >> <http://voms.gridpp.ac.uk>] >> "gridpp" Failed >> >> Trying next server for gridpp. >> Creating temporary proxy Done >> Contacting voms03.gridpp.ac.uk:15000 <http://voms03.gridpp.ac.uk:15000> >> <http://voms03.gridpp.ac.uk:15000> >> [/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk <http://voms03.gridpp.ac.uk> >> <http://voms03.gridpp.ac.uk>] >> "gridpp" Failed >> >> Trying next server for gridpp. >> Creating temporary proxy Done >> Contacting voms02.gridpp.ac.uk:15000 <http://voms02.gridpp.ac.uk:15000> >> <http://voms02.gridpp.ac.uk:15000> >> [/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk <http://voms02.gridpp.ac.uk> >> <http://voms02.gridpp.ac.uk>] >> "gridpp" Failed >> ; StdErr: >> ..................................................... >> Error: Error during SSL >> handshake:error:80066405:lib(128):verify_callback:outdated CRL >> found, revoking all certs till you get new >> CRL:sslutils.c:2115 >> outdated CRL found, revoking all certs till you get new CRL >> Function: verify_callback >> error:80066411:lib(128):verify_callback:certificate failed >> verify::sslutils.c:2318 >> error =CRL has expired >> >> subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk <http://voms.gridpp.ac.uk> >> <http://voms.gridpp.ac.uk> >> issuer
=/C=UK/O=eScienceCA/OU=Authority/CN=UK
>> e-Science >> CA 2B >> certificate failed verify: >> error =CRL has expired >> >> subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk <http://voms.gridpp.ac.uk> >> <http://voms.gridpp.ac.uk> >> issuer
=/C=UK/O=eScienceCA/OU=Authority/CN=UK
>> e-Science >> CA 2B >> Function: verify_callback >> error:14090086:SSL >> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify >> failed:s3_clnt.c:1172 >> certificate verify failed >> Function: SSL3_GET_SERVER_CERTIFICATE >> >> ..................................................... >> Error: Error during SSL >> handshake:error:80066405:lib(128):verify_callback:outdated CRL >> found, revoking all certs till you get new >> CRL:sslutils.c:2115 >> outdated CRL found, revoking all certs till you get new CRL >> Function: verify_callback >> error:80066411:lib(128):verify_callback:certificate failed >> verify::sslutils.c:2318 >> error =CRL has expired >> >> subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk <http://voms02.gridpp.ac.uk> >> <http://voms02.gridpp.ac.uk> >> issuer
=/C=UK/O=eScienceCA/OU=Authority/CN=UK
>> e-Science >> CA 2B >> certificate failed verify: >> error =CRL has expired >> >> subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk <http://voms02.gridpp.ac.uk> >> <http://voms02.gridpp.ac.uk> >> issuer
=/C=UK/O=eScienceCA/OU=Authority/CN=UK
>> e-Science >> CA 2B >> Function: verify_callback >> error:14090086:SSL >> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify >> failed:s3_clnt.c:1172 >> certificate verify failed >> Function: SSL3_GET_SERVER_CERTIFICATE >> >> None of the contacted servers for gridpp were
capable
>> of returning a valid AC for the user. >> >> >> Are you sure you are properly registered in the VO? >> Uploading proxy for gridpp_user... >> Proxy generated: >> subject : >> /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic >> brochu/CN=proxy >> issuer : >> /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic >> brochu >> identity : >> /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic >> brochu >> timeleft : 23:59:58 >> DIRAC group : gridpp_user >> path : /tmp/x509up_u1008 >> username : frederic.brochu >> properties : NormalUser >> Proxies uploaded: >> DN | Group >> | Until (GMT) >> /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu | >> gridpp_user | 2016/07/28 15:12 >> >> >> On the other hand, voms-proxy-init works a charm: >> -sh-4.1$ voms-proxy-init -voms gridpp >> Enter GRID pass phrase for this identity: >> Contacting voms03.gridpp.ac.uk:15000 <http://voms03.gridpp.ac.uk:15000> >> <http://voms03.gridpp.ac.uk:15000> >> [/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk <http://voms03.gridpp.ac.uk> >> <http://voms03.gridpp.ac.uk>] >> "gridpp"... >> Remote VOMS server contacted succesfully. >> >> >> Created proxy in /tmp/x509up_u1008. >> >> Your proxy is valid until Tue Sep 22 21:48:30 BST 2015 >> >> >> All this is only affecting my ability to upload and register >> data to storage elements. Job submission and output >> collection >> are still working fine. >> >> Any idea? I am using the dirac version mentioned in the >> subject. >> >> Best regards, >> >> Frederic >> >> >> -- >> _______________________________________________ >> Gridpp-Dirac-Users mailing list >> Gridpp-Dirac-Users@imperial.ac.uk <mailto:Gridpp-Dirac-Users@imperial.ac.uk> >> <mailto:Gridpp-Dirac-Users@imperial.ac.uk <mailto:Gridpp-Dirac-Users@imperial.ac.uk>> >> https://mailman.ic.ac.uk/mailman/listinfo/gridpp-dirac-users >> >> >> >> >> -- >> Sent from the pit of despair >> >> ----------------------------------------------------------- >> daniela.bauer@imperial.ac.uk <mailto:daniela.bauer@imperial.ac.uk> <mailto:daniela.bauer@imperial.ac.uk <mailto:daniela.bauer@imperial.ac.uk>> >> HEP Group/Physics Dep >> Imperial College >> London, SW7 2BW >> Tel: +44-(0)20-75947810 <tel:%2B44-%280%2920-75947810> >> http://www.hep.ph.ic.ac.uk/~dbauer/ <http://www.hep.ph.ic.ac.uk/%7Edbauer/> >> <http://www.hep.ph.ic.ac.uk/%7Edbauer/> >> >> >> >> >> -- >> Sent from the pit of despair >> >> ----------------------------------------------------------- >> daniela.bauer@imperial.ac.uk <mailto:daniela.bauer@imperial.ac.uk> <mailto:daniela.bauer@imperial.ac.uk <mailto:daniela.bauer@imperial.ac.uk>> >> HEP Group/Physics Dep >> Imperial College >> London, SW7 2BW >> Tel: +44-(0)20-75947810 >> http://www.hep.ph.ic.ac.uk/~dbauer/ <http://www.hep.ph.ic.ac.uk/%7Edbauer/> <http://www.hep.ph.ic.ac.uk/%7Edbauer/> >> >> >> This body part will be downloaded on demand. > >
-- _______________________________________________ Gridpp-Dirac-Users mailing list Gridpp-Dirac-Users@imperial.ac.uk <mailto:Gridpp-Dirac-Users@imperial.ac.uk> https://mailman.ic.ac.uk/mailman/listinfo/gridpp-dirac-users
This body part will be downloaded on demand.
-- Steve Jones sjones@hep.ph.liv.ac.uk Grid System Administrator office: 220 High Energy Physics Division tel (int): 43396 Oliver Lodge Laboratory tel (ext): +44 (0)151 794 3396 University of Liverpool http://www.liv.ac.uk/physics/hep/
OK. In that case, it must be every day. Cheers, Steve On 09/22/2015 03:53 PM, Sam Skipsey wrote:
Hi Steve,
Actually, just from reading the initial error message in the first email in this thread, the issue that Frederic had was precisely with CRL freshness and not the CAs themselves (and Daniela actually does mention that in her reply). It so happens that the dirac tool for "getting CAs" also gets an up-to-date CRL for each CA cert as well, which is what fixes the problem in this instance.
(Most, if not all, tools which rely on X509 authentication will reject CA chains with a stale CRL for that CA, as they can't guarantee that the cert presented has not been revoked since the last time they refreshed the CRL. That's what was happening here.)
Sam
-- Steve Jones sjones@hep.ph.liv.ac.uk Grid System Administrator office: 220 High Energy Physics Division tel (int): 43396 Oliver Lodge Laboratory tel (ext): +44 (0)151 794 3396 University of Liverpool http://www.liv.ac.uk/physics/hep/
@Steve: Whenever it stops working :-D [insert rant from Simon about my flippant attitude to security here] As for Rajas questions, I think Frederic got caught out by the crls rather than the CAs, the dirac-admin-get-CAs command will update both. I don't think the average user cares and I can't image a sysadmin who has an up-to-date CA directory, but doesn't update the crls. My UI certainly updates its crls every 6 h. If someone bans one of my users I don't want to be the one allowing them to escape into the wild. Cheers, Daniela On 22 September 2015 at 14:33, Stephen Jones <sjones@hep.ph.liv.ac.uk> wrote:
Hi Daniela,
Re: instructions
Suggest we mention cron to make it clear, e.g.
------------- If there is no regularly maintained set of CAs available, run the following command periodically (e.g. with a cron): # source bashrc; dirac-admin-get-CAs -------------
But how often do you suggest?
Cheers,
Steve
On 09/22/2015 10:58 AM, Daniela Bauer wrote:
Hi Frederic,
indeed they do, hence they should be installed separately. I try to allude to this in my instructions, but clearly not well enough. I'm tempted to list this as a prerequisite (i.e. install certificates and crl cron job first, before installing the dirac UI), I was just worried it might get to confusing. If the certificate directory you are now linking to is part of a standard UI, a mechanism (yum for the certificates + cron job for the crls) to update it should already be in place, so you shouldn't have to update it again.
Regards, Daniela
On 22 September 2015 at 10:53, Frederic Brochu <brochu@hep.phy.cam.ac.uk <mailto:brochu@hep.phy.cam.ac.uk>> wrote:
Hi Daniela,
Yes, doing it solved all my problems. Here is the output of dirac-proxy-init: -sh-4.1$ dirac-proxy-init -g gridpp_user -M Generating proxy... Enter Certificate password: Added VOMS attribute /gridpp Uploading proxy for gridpp_user... Proxy generated: subject : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy/CN=proxy issuer : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy identity : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu timeleft : 23:53:59 DIRAC group : gridpp_user path : /tmp/x509up_u1008 username : frederic.brochu properties : NormalUser VOMS : True VOMS fqan : ['/gridpp']
Proxies uploaded: DN | Group | Until (GMT) /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu | gridpp_user | 2016/07/28 15:12
and the output of dirac-dms-add-file dirac-dms-add-file /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 XRay_phaseSpace360_7 UKI-NORTHGRID-LIV-HEP-disk
Uploading /gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 Successfully uploaded file to UKI-NORTHGRID-LIV-HEP-disk
Thank you very much,
Frederic
P.S: This is however opening another can of worms, as I expect these certificates will require updates that are more frequent than dirac client updates.
On Tue, 22 Sep 2015, Daniela Bauer wrote:
Hi Frederic,
I think this might be related to the fact that the dirac ui has no way to automatically update the certs, crls etc. In your dirac UI, can you link etc/grid-security/certificates to whereever your standard grid UI is getting these files from (possibly /etc/grid-security/certificates or whatever X509_CERT_DIR is set to) and let me know if that helps.
Cheers, Daniela
On 22 September 2015 at 09:52, Frederic Brochu <brochu@hep.phy.cam.ac.uk <mailto:brochu@hep.phy.cam.ac.uk>> wrote: Dear all,
I am no longer able to copy and register files with dirac-dms-add-file.
This command line used to work: dirac-dms-add-file
/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_5 XRay_phaseSpace360_5 UKI-NORTHGRID-LIV-HEP-disk
But when I am doing it now with a different file, I am getting:
h-4.1$ dirac-dms-add-file
/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 XRay_phaseSpace360_7 UKI-NORTHGRID-LIV-HEP-disk
Uploading
/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 createDirectory: Failed to create directory on storage. srm:// hepgrid11.ph.liv.ac.uk:8446/srm/managerv2?SFN=/dpm/ph.liv.ac.uk/home/ < http://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2?SFN=/dpm/ph.liv.ac.uk/home/
gridpp/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360: SRM2Storage.__gfal_exec(gfal_ls): Execution failed. [SE][Ls][] httpg://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2 <http://hepgrid11.ph.liv.ac.uk:8446/srm/managerv2>: CGSI-gSOAP running on pcjp reports Error initializing context GSS Major Status: Authentication Failed
GSS Minor Status Error Chain: globus_gsi_gssapi: SSLv3 handshake problems globus_gsi_callb Error: failed to upload
/gridpp/user/f/f.brochu/TomoTherapy/phaseSpace360/XRay_phaseSpace360_7 to UKI-NORTHGRID-LIV-HEP-disk
This is also true for any other site.
Further to this, dirac-proxy-init also complains:
dirac-proxy-init -g gridpp_user -M Generating proxy... Enter Certificate password: Could not add VOMS extensions to the proxy Failed adding VOMS attribute: Failed to set VOMS attributes. Command: voms-proxy-init -cert "/tmp/x509up_u1008" -key "/tmp/x509up_u1008" -out "/tmp/brochu/tmpuSlB4v" -voms "gridpp:/gridpp" -valid "23:54" -vomses "/var/clus/usera/brochu/gridpp/dirac_ui/etc/grid-security/vomses"; StdOut: Your identity: /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy Creating temporary proxy Done Contacting voms.gridpp.ac.uk:15000 <http://voms.gridpp.ac.uk:15000> [/C=UK/O=eScience/OU=Manchester/L=HEP/CN= voms.gridpp.ac.uk <http://voms.gridpp.ac.uk>] "gridpp" Failed
Trying next server for gridpp. Creating temporary proxy Done Contacting voms03.gridpp.ac.uk:15000 <http://voms03.gridpp.ac.uk:15000> [/C=UK/O=eScience/OU=Imperial/L=Physics/CN= voms03.gridpp.ac.uk <http://voms03.gridpp.ac.uk>] "gridpp" Failed
Trying next server for gridpp. Creating temporary proxy Done Contacting voms02.gridpp.ac.uk:15000 <http://voms02.gridpp.ac.uk:15000> [/C=UK/O=eScience/OU=Oxford/L=OeSC/CN= voms02.gridpp.ac.uk <http://voms02.gridpp.ac.uk>] "gridpp" Failed ; StdErr: ..................................................... Error: Error during SSL handshake:error:80066405:lib(128):verify_callback:outdated CRL found, revoking all certs till you get new CRL:sslutils.c:2115 outdated CRL found, revoking all certs till you get new CRL Function: verify_callback error:80066411:lib(128):verify_callback:certificate failed verify::sslutils.c:2318 error =CRL has expired
subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN= voms.gridpp.ac.uk <http://voms.gridpp.ac.uk> issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B certificate failed verify: error =CRL has expired
subject=/C=UK/O=eScience/OU=Manchester/L=HEP/CN= voms.gridpp.ac.uk <http://voms.gridpp.ac.uk> issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B Function: verify_callback error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1172 certificate verify failed Function: SSL3_GET_SERVER_CERTIFICATE
..................................................... Error: Error during SSL handshake:error:80066405:lib(128):verify_callback:outdated CRL found, revoking all certs till you get new CRL:sslutils.c:2115 outdated CRL found, revoking all certs till you get new CRL Function: verify_callback error:80066411:lib(128):verify_callback:certificate failed verify::sslutils.c:2318 error =CRL has expired
subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN= voms02.gridpp.ac.uk <http://voms02.gridpp.ac.uk> issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B certificate failed verify: error =CRL has expired
subject=/C=UK/O=eScience/OU=Oxford/L=OeSC/CN= voms02.gridpp.ac.uk <http://voms02.gridpp.ac.uk>
issuer =/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B Function: verify_callback error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1172 certificate verify failed Function: SSL3_GET_SERVER_CERTIFICATE
None of the contacted servers for gridpp were capable of returning a valid AC for the user.
Are you sure you are properly registered in the VO? Uploading proxy for gridpp_user... Proxy generated: subject : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu/CN=proxy issuer : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu identity : /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu timeleft : 23:59:58 DIRAC group : gridpp_user path : /tmp/x509up_u1008 username : frederic.brochu properties : NormalUser Proxies uploaded: DN | Group | Until (GMT) /C=UK/O=eScience/OU=Cambridge/L=UCS/CN=frederic brochu | gridpp_user | 2016/07/28 15:12
On the other hand, voms-proxy-init works a charm: -sh-4.1$ voms-proxy-init -voms gridpp Enter GRID pass phrase for this identity: Contacting voms03.gridpp.ac.uk:15000 <http://voms03.gridpp.ac.uk:15000> [/C=UK/O=eScience/OU=Imperial/L=Physics/CN= voms03.gridpp.ac.uk <http://voms03.gridpp.ac.uk>] "gridpp"... Remote VOMS server contacted succesfully.
Created proxy in /tmp/x509up_u1008.
Your proxy is valid until Tue Sep 22 21:48:30 BST 2015
All this is only affecting my ability to upload and register data to storage elements. Job submission and output collection are still working fine.
Any idea? I am using the dirac version mentioned in the subject.
Best regards,
Frederic
-- _______________________________________________ Gridpp-Dirac-Users mailing list Gridpp-Dirac-Users@imperial.ac.uk <mailto:Gridpp-Dirac-Users@imperial.ac.uk> https://mailman.ic.ac.uk/mailman/listinfo/gridpp-dirac-users
-- Sent from the pit of despair
----------------------------------------------------------- daniela.bauer@imperial.ac.uk <mailto:daniela.bauer@imperial.ac.uk
HEP Group/Physics Dep Imperial College London, SW7 2BW Tel: +44-(0)20-75947810 <tel:%2B44-%280%2920-75947810> http://www.hep.ph.ic.ac.uk/~dbauer/ <http://www.hep.ph.ic.ac.uk/%7Edbauer/>
-- Sent from the pit of despair
----------------------------------------------------------- daniela.bauer@imperial.ac.uk <mailto:daniela.bauer@imperial.ac.uk> HEP Group/Physics Dep Imperial College London, SW7 2BW Tel: +44-(0)20-75947810 http://www.hep.ph.ic.ac.uk/~dbauer/ < http://www.hep.ph.ic.ac.uk/%7Edbauer/>
This body part will be downloaded on demand.
-- Steve Jones sjones@hep.ph.liv.ac.uk Grid System Administrator office: 220 High Energy Physics Division tel (int): 43396 Oliver Lodge Laboratory tel (ext): +44 (0)151 794 3396 University of Liverpool http://www.liv.ac.uk/physics/hep/
-- Sent from the pit of despair ----------------------------------------------------------- daniela.bauer@imperial.ac.uk HEP Group/Physics Dep Imperial College London, SW7 2BW Tel: +44-(0)20-75947810 http://www.hep.ph.ic.ac.uk/~dbauer/
participants (5)
-
Daniela Bauer
-
Frederic Brochu
-
Raja Nandakumar
-
Sam Skipsey
-
Stephen Jones