[gin-auth] [gin-ops] start Savannah run

Tue Dec 12 09:18:17 CST 2006

Thanks Colin!  This is very helpful information about the problem.   
I'll get back to you once we figure out what we can do here.

-Stu

On Dec 11, 2006, at Dec 11, 10:22 PM, Colin Enticott wrote:

> Hi Stuart,
>
> The errors are below.  Yes, as you can see the gt4 error said it was a
> connection error.  Arguably, unable to establish trust is a connection
> error, but yes, we started to investigate firewall problems rather  
> than CA
> issues.
>
> Seeing as we are discussing error reporting, I always found the  
> gt2.4 error
> messages hard to read.  After a while, I started to look for key  
> words in
> the message (and in this case it was the word trust) and work my  
> way from
> there.  It always wasn't clear if it was an error message from the  
> client or
> the server.
>
> What I propose is the first line should say "Error from client/ 
> server" and
> weather if it is a socket or trust error and if so, which socket or
> certificate has caused the problem.  I believe this would save a few
> headaches for test-bed creators.
>
> GT4 error:
> $ globusrun -a -r tg-grid1.uc.teragrid.org
>
> GRAM Authentication test failure: connecting to the job manager  
> failed.
> Possible reasons: job terminated, invalid job contact, network  
> problems, ...
>
> GT2.4 error:
> $ globusrun -a -r tg-grid1.uc.teragrid.org
>
> GRAM Authentication test failure: authentication failed:
> GSS Major Status: Authentication Failed
> GSS Minor Status Error Chain:
>
> init.c:499: globus_gss_assist_init_sec_context_async: Error during  
> context
> initialization
> init_sec_context.c:171: gss_init_sec_context: SSLv3 handshake problems
> globus_i_gsi_gss_utils.c:881: globus_i_gsi_gss_handshake: Unable to  
> verify
> remote side's credentials
> globus_i_gsi_gss_utils.c:854: globus_i_gsi_gss_handshake: SSLv3  
> handshake
> problems: Couldn't do ssl handshake
> OpenSSL Error: s3_clnt.c:840: in library: SSL routines, function
> SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
> globus_gsi_callback.c:351:  
> globus_i_gsi_callback_handshake_callback: Could
> not verify credential
> globus_gsi_callback.c:490: globus_i_gsi_callback_cred_verify: Could  
> not
> verify credential
> globus_gsi_callback.c:850:  
> globus_i_gsi_callback_check_signing_policy: Error
> with signing policy
> globus_gsi_callback.c:990: globus_i_gsi_callback_check_gaa_auth:  
> Error in
> OLD GAA code: Error checking certificate with subject
> /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1against
> signing policy file /etc/grid-security/certificates/ 
> d1b603c3.signing_policy
>
>
> Thanks,
> Colin
>
> ---
> Colin Enticott, Research Scientist, Ph: +61 03 9903 2215
> Room H7.26, Level 7, Building H, Monash University Caulfield 3145,  
> Australia
>
>
>> -----Original Message-----
>> From: Stuart Martin [mailto:smartin at mcs.anl.gov]
>> Sent: Friday, 8 December 2006 2:52 AM
>> To: Colin Enticott
>> Cc: 'JP Navarro'; gin-auth at ggf.org; D.Bannon at vpac.org; gin- 
>> ops at ggf.org;
>> 'Terrence Martin'
>> Subject: Re: [gin-ops] [gin-auth] start Savannah run
>>
>> Hi Colin,
>>
>> Can you provide the error output for the gt4 commands you tried in
>> this situation?  If the error reporting has become less effective,
>> then we (GT) need to fix that.
>>
>> Thanks,
>> Stu
>>
>> On Dec 5, 2006, at Dec 5, 6:34 PM, Colin Enticott wrote:
>>> I've noticed in the past the gt4 gives less error messages than
>>> gtk2.4, so I
>>> tried globusrun with gtk2.4.3 and got this error:
>>>
>>> ...
>>> globus_gsi_callback.c:990: globus_i_gsi_callback_check_gaa_auth:
>>> Error in
>>> OLD GAA code: Error checking certificate with subject
>>> /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA  
>>> 1against
>>> signing policy file /etc/grid-security/certificates/
>>> d1b603c3.signing_policy
>