TWiki
>
Main Web
>
LCGGridDeployment
>
LCGgliteTestInventory
>
VOMSTesting
>
VOMSCore
(2011-07-13,
WooChunPark
)
(raw view)
E
dit
A
ttach
P
DF
-- Main.MariaALANDESPRADILLO - 16 Aug 2006 ---++ VOMS core troubleshooting %TOC% ---+++ Wrong host certificate subject in the vomses file It is possible that after renewing a host certificate, the host certificate subject changes and the vomses file containing the VOMS server information is not updated accordingly. The client side message is like in the following example: <verbatim> bash-2.05b$ voms-proxy-init -voms mysql_vo1 -userconf ~/vomses Your identity: /C=CH/O=CERN/OU=GRID/CN=Maria Alandes Pradillo 5561 Enter GRID pass phrase: Creating temporary proxy ....................................... Done Contacting lxb0769.cern.ch:15001 [/C=CH/O=CERN/OU=GRID/CN=lxb0769.cern.ch] "mysql_vo1" Failed Error: Could not establish authenticated connection with the server. GSS Major Status: Unexpected Gatekeeper or Service Name GSS Minor Status Error Chain: an unknown error occurred Failed to contact servers for mysql_vo1. </verbatim> The server log file contains the following lines: <verbatim> Wed Aug 16 11:04:48 2006:lxb0769.cern.ch:vomsd(4341):ERROR:REQUEST:AcceptGSIAuthentication home/glbuild/GLITE_3_0_0_final/org.glite.security.voms/src/socklib/Server.cpp:259):Failed to establish security context (accept):.GSS Major Status: General failure.GSS Minor Status Error Chain:..accept_sec_context.c:305:gss_accept_sec_context: Error during delegation: Delegation protocol violation </verbatim> In this case it's good that you check whether the vomses file contains the correct host certificate subject. To check what's your VOMS host certificate subject, run the following command: <verbatim> [root@lxb0769 root]# openssl x509 -in /etc/grid-security/hostcert.pem -noout -subject subject= /C=CH/O=CERN/OU=GRID/CN=host/lxb0769.cern.ch </verbatim> And check in the vomses file that the certificate subject is correct: <verbatim> bash-2.05b$ more vomses ... "mysql_vo1" "lxb0769.cern.ch" "15001" "/C=CH/O=CERN/OU=GRID/CN=host/lxb0769.cern.ch" "mysql_vo1" ... </verbatim> ---+++ Wrong port number in the vomses file It is possible that after a VOMS server reconfiguration, the post number changes and the vomses file containing the VOMS server information is not updated accordingly. The client side message is like in the following example: <verbatim> [lxb1420] /afs/cern.ch/user/m/malandes > voms-proxy-init -voms dteam Enter GRID pass phrase: Your identity: /C=CH/O=CERN/OU=GRID/CN=Maria Alandes Pradillo 5561 Cannot find file or dir: /afs/cern.ch/user/m/malandes/.glite/vomses Creating temporary proxy .................................... Done Contacting lxb2176.cern.ch:15012 [/C=CH/O=CERN/OU=GRID/CN=host/lxb2176.cern.ch] "dteam" Failed Error: Could not connect to socket. Connection refused None of the contacted servers for dteam were capable of returning a valid AC for the user. </verbatim> The server log file doesn't contain any message since it couldn't be reached. In this case it's good that you check whether the vomses file contains the correct port. You can confirm this infomation by checking the configuration information of the VOMS server in: https://<VOMS_hostname>:8443/voms/<VO_name>/webui/config ---+++ VOMS server is down: edg-voms process When the VOMS server is down, more specifically, the edg-voms process has died in the VOMS server, when trying to get a proxy you will get the same error as in the previous scenario: <verbatim> Error: Could not connect to socket. Connection refused </verbatim> If you check that your vomses files contains the right port, then the error is very likely to be because the VOMS server is down. ---+++ VOMS server is down: middleman process When the VOMS server is down, more specifically, the middleman process has died in the VOMS server, when trying to get a proxy you will get the following error: <verbatim> [lxb1420] /afs/cern.ch/user/m/malandes > voms-proxy-init -voms dteam -userconf ~/vomses-lxb2176 Cannot find file or dir: /opt/glite/etc/vomses Enter GRID pass phrase: Your identity: /C=CH/O=CERN/OU=GRID/CN=Maria Alandes Pradillo 5561 Cannot find file or dir: /opt/glite/etc/vomses Creating temporary proxy ................................. Done Contacting lxb2176.cern.ch:15002 [/C=CH/O=CERN/OU=GRID/CN=host/lxb2176.cern.ch] "dteam" Failed Error: dteam: User unknown to this VO. None of the contacted servers for dteam were capable of returning a valid AC for the user. </verbatim> If you are pretty sure you are a member of the VO, then it is very likely that the VOMS server is down. You can check you are actually a member of the VO with the following voms-admin command: bash-2.05b$ voms-admin -host <VO_hostname> -vo=<VO_name> list-users or in the following URL: https://<VOMS_hostname>:8443/voms/<VO_name>/webui/admin/users/list There is a bug for this error message which is misleading: https://savannah.cern.ch/bugs/?func=detailitem&item_id=18367 ---+++ Outdated or missing VOMS CA in the /etc/grid-security/certificates directory of the UI It's possible that the CA that signs the host certificate of the VOMS server you want to contact is not present in /etc/grid-security/certificates or that you forgot to update its files. The client side message is like in the following example: <verbatim> bash-2.05b$ voms-proxy-init -voms mysql_vo1 -userconf ~/vomses Your identity: /C=CH/O=CERN/OU=GRID/CN=Maria Alandes Pradillo 5561 Enter GRID pass phrase: Creating temporary proxy ....................................... Done Contacting lxb0769.cern.ch:15001 [/C=CH/O=CERN/OU=GRID/CN=lxb0769.cern.ch] "mysql_vo1" Failed Error: Could not establish authenticated connection with the server. GSS Major Status: Unexpected Gatekeeper or Service Name GSS Minor Status Error Chain: an unknown error occurred Failed to contact servers for mysql_vo1. </verbatim> The server log file contains the following lines: <verbatim> Wed Aug 16 11:04:48 2006:lxb0769.cern.ch:vomsd(4341):ERROR:REQUEST:AcceptGSIAuthentication home/glbuild/GLITE_3_0_0_final/org.glite.security.voms/src/socklib/Server.cpp:259):Failed to establish security context (accept):.GSS Major Status: General failure.GSS Minor Status Error Chain:..accept_sec_context.c:305:gss_accept_sec_context: Error during delegation: Delegation protocol violation </verbatim> The solution is to update the CA files, check that the APT string of the CAs repository is correct and apply the necessary updates. ---+++ Missing user CA in the /etc/grid-security/certificates directory of the VOMS server If for some reason, the user CA is not present in the VOMS server /etc/grid-security/certificates directory, the client side message is like in the following example: <verbatim> [lxb1420] /afs/cern.ch/user/m/malandes > voms-proxy-init -voms dteam -userconf ~/vomses-lxb2176 -cert ~malandes/test-certs/test_user_1_cert.pem -key ~malandes/test-certs/test_user_1_key.pem Cannot find file or dir: /opt/glite/etc/vomses Enter GRID pass phrase: Your identity: /C=CH/O=CERN/OU=GD/CN=Test user 1 Cannot find file or dir: /opt/glite/etc/vomses Creating temporary proxy .............................. Done Contacting lxb2176.cern.ch:15002 [/C=CH/O=CERN/OU=GRID/CN=host/lxb2176.cern.ch] "dteam" Failed Error: Could not establish authenticated connection with the server. globus_gss_assist token :-1: read failure: unknown None of the contacted servers for dteam were capable of returning a valid AC for the user. </verbatim> The server log file contains the following lines: <verbatim> Wed Jan 17 12:21:44 2007:lxb2176.cern.ch:vomsd(9318):ERROR:REQUEST:AcceptGSIAuthentication (/home/glbuild/GLITE_3_0_3_RC1/org.glite.security.voms/src/socklib/Server.cpp:262):Failed to establish security context (accept):.GSS Major Status: Authentication Failed.GSS Minor Status Error Chain: ..accept_sec_context.c:170: gss_accept_sec_context: SSLv3 handshake problems.globus_i_gsi_gss_utils.c:881: globus_i_gsi_gss_handshake: Unable to verify remote side's credentials.globus_i_gsi_gss_utils.c:854: globus_i_gsi_gss_handshake: SSLv3 handshake problems: Couldn't do ssl handshake.OpenSSL Error: s3_srvr.c:1816: in library: SSL routines, function SSL3_GET_CLIENT_CERTIFICATE: no certificate returned.globus_gsi_callback.c:351: globus_i_gsi_callback_handshake_callback: Could not verify credential.globus_gsi_callback.c:429: globus_i_gsi_callback_cred_verify: Can't get the local trusted CA certificate: Cannot find issuer certificate for local credential with subject: /C=CH/O=CERN/OU=GD/CN=Test user 1 </verbatim> The solution is to update the CAs in /etc/grid-security/certificates and install the one that it's missing. ---+++ User interface machine that had a terrible drift of more than 500000 sec Should be resynchronize the time by /usr/sbin/ntpdate -b pool.ntp.org otherwise you will see the same message as <verbatim> Error: Could not establish authenticated connection with the server. globus_gss_assist token :-1: read failure: unknown </verbatim> ---+++ Expired user CA CRL in the /etc/grid-security/certificates directory of the VOMS server It's possible that in the VOMS server, the fetch-crl cron job has failed to update your user CA CRL in /etc/grid-security/certificates. The client side message is like in the following example: <verbatim> [lxb1420] /afs/cern.ch/user/m/malandes > voms-proxy-init -voms dteam -userconf ~/vomses-lxb2176 -cert ~malandes/test-certs/test_user_1_cert.pem -key ~malandes/test-certs/test_user_1_key.pem Cannot find file or dir: /opt/glite/etc/vomses Enter GRID pass phrase: Your identity: /C=CH/O=CERN/OU=GD/CN=Test user 1 Cannot find file or dir: /opt/glite/etc/vomses Creating temporary proxy .............................. Done Contacting lxb2176.cern.ch:15002 [/C=CH/O=CERN/OU=GRID/CN=host/lxb2176.cern.ch] "dteam" Failed Error: Could not establish authenticated connection with the server. globus_gss_assist token :-1: read failure: unknown None of the contacted servers for dteam were capable of returning a valid AC for the user. </verbatim> The server log file contains the following lines: <verbatim> Wed Jan 17 11:48:20 2007:lxb2176.cern.ch:vomsd (5943):ERROR:REQUEST:AcceptGSIAuthentication (/home/glbuild/GLITE_3_0_3_RC1/org.glite.security.voms/src/socklib/Server.cpp:262):Failed to establish security context (accept):.GSS Major Status: Authentication Failed.GSS Minor Status Error Chain:..accept_sec_context.c:170: gss_accept_sec_context: SSLv3 handshake problems.globus_i_gsi_gss_utils.c:881: globus_i_gsi_gss_handshake: Unable to verify remote side's credentials.globus_i_gsi_gss_utils.c:854: globus_i_gsi_gss_handshake: SSLv3 handshake problems: Couldn't do ssl handshake.OpenSSL Error: s3_srvr.c:1816: in library: SSL routines, function SSL3_GET_CLIENT_CERTIFICATE: no certificate returned.globus_gsi_callback.c:351: globus_i_gsi_callback_handshake_callback: Could not verify credential.globus_gsi_callback.c:477: globus_i_gsi_callback_cred_verify: Could not verify credential.globus_gsi_callback.c: 769: globus_i_gsi_callback_check_revoked: Invalid CRL: The available CRL has expired </verbatim> In that case you have to update your CRL.
E
dit
|
A
ttach
|
Watch
|
P
rint version
|
H
istory
: r4
<
r3
<
r2
<
r1
|
B
acklinks
|
V
iew topic
|
WYSIWYG
|
M
ore topic actions
Topic revision: r4 - 2011-07-13
-
WooChunPark
Log In
Main
Home
Index
Search
User Search
Changes
Notifications
RSS Feed
Documentation
Support
Webs
Main
Main Archive
Plugins
Sandbox for tests
Public webs
Public webs
ABATBEA
ACPP
ADCgroup
AEGIS
AfricaMap
AgileInfrastructure
ALICE
AliceEbyE
AliceSPD
AliceSSD
AliceTOF
AliFemto
ALPHA
Altair
ArdaGrid
ASACUSA
AthenaFCalTBAna
Atlas
AtlasLBNL
AXIALPET
CAE
CALICE
CDS
CENF
CERNSearch
CLIC
Cloud
CloudServices
CMS
Controls
CTA
CvmFS
DB
DefaultWeb
DESgroup
DPHEP
DM-LHC
DSSGroup
EGEE
EgeePtf
ELFms
EMI
ETICS
FIOgroup
FlukaTeam
Frontier
Gaudi
GeneratorServices
GuidesInfo
HardwareLabs
HCC
HEPIX
ILCBDSColl
ILCTPC
IMWG
Inspire
IPv6
IT
ItCommTeam
ITCoord
ITdeptTechForum
ITDRP
ITGT
ITSDC
LAr
LCG
LCGAAWorkbook
Leade
LHCAccess
LHCAtHome
LHCb
LHCgas
LHCONE
LHCOPN
LinuxSupport
Main
Medipix
Messaging
MPGD
NA49
NA61
NA62
NTOF
Openlab
PDBService
Persistency
PESgroup
Plugins
PSAccess
PSBUpgrade
R2Eproject
RCTF
RD42
RFCond12
RFLowLevel
ROXIE
Sandbox
SocialActivities
SPI
SRMDev
SSM
Student
SuperComputing
Support
SwfCatalogue
TMVA
TOTEM
TWiki
UNOSAT
Virtualization
VOBox
WITCH
XTCA
Welcome Guest
Login
or
Register
Cern Search
TWiki Search
Google Search
Main
All webs
Copyright &© 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
or Ideas, requests, problems regarding TWiki? use
Discourse
or
Send feedback