Difference between revisions of "Tools/Manuals/TS10"
(Created page with '{{TOC_right}} Category:FAQ ------ Back to Troubleshooting Guide ------ = sslv3 alert bad certificate = There are (at least)…') |
|||
(4 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
{{Template:Op menubar}} | |||
{{Template:Doc_menubar}} | |||
[[Category:Operations Manuals]] | |||
{{TOC_right}} | {{TOC_right}} | ||
------ | ------ | ||
Back to [[Manuals | Back to [[Tools/Manuals/SiteProblemsFollowUp|Troubleshooting Guide]] | ||
------ | ------ | ||
Line 20: | Line 23: | ||
init_sec_context.c:171: gss_init_sec_context: SSLv3 handshake problems | init_sec_context.c:171: gss_init_sec_context: SSLv3 handshake problems | ||
globus_i_gsi_gss_utils.c:888: globus_i_gsi_gss_handshake: Unable to verify remote side's credentials | globus_i_gsi_gss_utils.c:888: globus_i_gsi_gss_handshake: Unable to verify remote side's credentials | ||
globus_i_gsi_gss_utils.c:847: globus_i_gsi_gss_handshake: Unable to verify remote side's credentials: Couldn't verify the remote certificate | globus_i_gsi_gss_utils.c:847: globus_i_gsi_gss_handshake: Unable to verify remote side's credentials: | ||
Couldn't verify the remote certificate | |||
OpenSSL Error: s3_pkt.c:1046: in library: SSL routines, function SSL3_READ_BYTES: sslv3 alert bad certificate | OpenSSL Error: s3_pkt.c:1046: in library: SSL routines, function SSL3_READ_BYTES: sslv3 alert bad certificate | ||
Line 41: | Line 45: | ||
$ glite-wms-job-submit -a myjob.jdl | $ glite-wms-job-submit -a myjob.jdl | ||
Connecting to the service https://wms211.cern.ch:7443/glite_wms_wmproxy_server | Connecting to the service <nowiki>https://wms211.cern.ch:7443/glite_wms_wmproxy_server</nowiki> | ||
Connection failed: SSL_ERROR_SSL | Connection failed: SSL_ERROR_SSL | ||
Line 55: | Line 59: | ||
Error while calling the "edg_wll_RegisterJobSync" native api | Error while calling the "edg_wll_RegisterJobSync" native api | ||
Unable to Register the Job: | Unable to Register the Job: | ||
https://boszwijn.nikhef.nl:9000/TkTGXbByfpIuJWPbRN6wxg | <nowiki>https://boszwijn.nikhef.nl:9000/TkTGXbByfpIuJWPbRN6wxg</nowiki> | ||
to the LB logger at: boszwijn.nikhef.nl | to the LB logger at: boszwijn.nikhef.nl | ||
SSL Error (sslv3 alert bad certificate) | SSL Error (sslv3 alert bad certificate) | ||
=== Diagnosis === | === Diagnosis === |
Latest revision as of 13:23, 23 November 2012
sslv3 alert bad certificate
There are (at least) 2 cases in which this message can pop up:
1. Proxy used too soon
Full message
    $ myproxy-info -d -s myproxy.cern.ch
    Error authenticating: GSS Major Status: Authentication Failed
    GSS Minor Status Error Chain:
    init.c:266: globus_gss_assist_init_sec_context: Error during context initialization
    init_sec_context.c:171: gss_init_sec_context: SSLv3 handshake problems
    globus_i_gsi_gss_utils.c:888: globus_i_gsi_gss_handshake: Unable to verify remote side's credentials
    globus_i_gsi_gss_utils.c:847: globus_i_gsi_gss_handshake: Unable to verify remote side's credentials:
    Couldn't verify the remote certificate
    OpenSSL Error: s3_pkt.c:1046: in library: SSL routines, function SSL3_READ_BYTES: sslv3 alert bad certificate
Diagnosis
This exact error message typically occurs when a proxy is used before it becomes valid. This happens when the proxy was created on a machine that has its system date more than 5 minutes in the future, and the proxy is used too early. When the same proxy is used again at a later time, the failed command "suddenly" works, giving the false impression that the problem somehow was fixed...
Solution
Correct the system date on the machines involved and keep it synchronized with a nearby time server, e.g. through the ntpd service or via a regular cron job invoking the rdate command.
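To confirm this diagnosis, compare the proxy's start time with the current time. The sketch below is an added example, not part of the original manual: it parses the line printed by `openssl x509 -noout -startdate -in <proxy file>` and reports how long the proxy remains unusable. The 5-minute backdating constant is an assumption inferred from the threshold in the diagnosis above, the function names are hypothetical, and the checking machine's clock is assumed to be correct.

```python
from datetime import datetime, timedelta, timezone

# Assumption: the proxy tool sets notBefore this far before creation time,
# which is why the diagnosis speaks of a clock "more than 5 minutes" ahead.
BACKDATE = timedelta(minutes=5)

def parse_openssl_date(line):
    """Parse 'notBefore=Nov 23 13:30:00 2012 GMT' into an aware UTC datetime."""
    value = line.strip().split("=", 1)[-1]
    if not value.endswith(" GMT"):
        raise ValueError("expected a GMT timestamp, got %r" % value)
    # split()/join collapses the double space openssl prints for one-digit days
    normalized = " ".join(value[:-4].split())
    parsed = datetime.strptime(normalized, "%b %d %H:%M:%S %Y")
    return parsed.replace(tzinfo=timezone.utc)

def check_proxy_start(not_before_line, now=None):
    """Report whether the proxy is already valid at 'now' (UTC)."""
    now = now or datetime.now(timezone.utc)
    wait = parse_openssl_date(not_before_line) - now
    if wait <= timedelta(0):
        return {"usable": True, "wait_seconds": 0, "creator_clock_ahead_min": None}
    # The proxy was created no later than 'now', so the creating host's clock
    # is ahead by at least the remaining wait plus the backdating margin.
    ahead = wait + BACKDATE
    return {
        "usable": False,
        "wait_seconds": int(wait.total_seconds()),
        "creator_clock_ahead_min": int(ahead.total_seconds() // 60),
    }

if __name__ == "__main__":
    # Constructed sample: the proxy starts 7 minutes after the check time.
    sample_now = datetime(2012, 11, 23, 13, 23, 0, tzinfo=timezone.utc)
    print(check_proxy_start("notBefore=Nov 23 13:30:00 2012 GMT", sample_now))
```

A result with `usable` set to false explains why the same command succeeds when retried after `wait_seconds` have passed.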
2. (pre-)RFC style proxy used against WMS or RB
Full message
    $ glite-wms-job-submit -a myjob.jdl
    Connecting to the service https://wms211.cern.ch:7443/glite_wms_wmproxy_server
    Connection failed: SSL_ERROR_SSL
    error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
    SSL connect failed in tcp_connect()
    Error code: SOAP-ENV:Client

    $ edg-job-submit --vo whatever Myjob.jdl
    Selected Virtual Organisation name (from --vo option): whatever
    Connecting to host boszwijn.nikhef.nl, port 7772
    Logging to host boszwijn.nikhef.nl, port 9002
    **** Error: API_NATIVE_ERROR ****
    Error while calling the "edg_wll_RegisterJobSync" native api
    Unable to Register the Job:
    https://boszwijn.nikhef.nl:9000/TkTGXbByfpIuJWPbRN6wxg
    to the LB logger at: boszwijn.nikhef.nl
    SSL Error (sslv3 alert bad certificate)
Diagnosis
The error can also occur when a proxy of the wrong type is used: pre-RFC and RFC proxies are not yet supported by all gLite services, in particular not by the WMS. Note that by default voms-proxy-init will generate proxies of a type supported by all gLite services, whereas the grid-proxy-init command by default uses an unsupported type:
    $ grid-proxy-info
    subject  : /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser/CN=843775619
    issuer   : /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser
    identity : /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser
    type     : Proxy draft (pre-RFC) compliant impersonation proxy
    strength : 512 bits
    path     : /tmp/x509up_u7651
    timeleft : 5:35:50
Solution
Use voms-proxy-init without -rfc or -proxyver. A plain grid proxy with the correct type can be generated as follows:
    voms-proxy-init
    grid-proxy-init -old
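A pre-submission check for the second case, as an added example that is not part of the original manual: it parses `grid-proxy-info` output and flags a proxy whose type the WMS rejects according to the diagnosis above. The function names are hypothetical; the first sample is the output shown on this page, and the second sample, including its type string, is constructed.

```python
def parse_proxy_info(text):
    """Turn the 'key : value' lines of grid-proxy-info output into a dict."""
    fields = {}
    for line in text.splitlines():
        # Split on the first colon only: DNs and timeleft may contain more.
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields

def timeleft_seconds(value):
    """Convert an H:MM:SS timeleft value into seconds."""
    hours, minutes, seconds = (int(part) for part in value.split(":"))
    return hours * 3600 + minutes * 60 + seconds

def wms_preflight(text):
    """Return a list of problems; an empty list means nothing was flagged."""
    fields = parse_proxy_info(text)
    problems = []
    ptype = fields.get("type")
    if ptype is None:
        problems.append("no 'type' field found; is this grid-proxy-info output?")
    elif "RFC" in ptype:
        # Matches both pre-RFC and RFC proxies, the two types named above.
        problems.append("type %r is not accepted by the WMS; recreate the "
                        "proxy with voms-proxy-init or grid-proxy-init -old" % ptype)
    if "timeleft" in fields and timeleft_seconds(fields["timeleft"]) <= 0:
        problems.append("proxy has no lifetime left")
    return problems

# Output shown on this page.
PAGE_SAMPLE = """\
subject  : /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser/CN=843775619
issuer   : /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser
type     : Proxy draft (pre-RFC) compliant impersonation proxy
path     : /tmp/x509up_u7651
timeleft : 5:35:50
"""

# Constructed sample: the type string is an assumption for illustration.
LEGACY_SAMPLE = """\
subject  : /O=example/CN=Constructed User/CN=proxy
type     : full legacy globus proxy
timeleft : 11:59:30
"""

if __name__ == "__main__":
    for name, sample in (("page", PAGE_SAMPLE), ("legacy", LEGACY_SAMPLE)):
        print(name, wms_preflight(sample) or "ok")
```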