
Difference between revisions of "Tools/Manuals/TS08"

Line 2: Line 2:
Back to [[Manuals/Troubleshooting/SiteProblemsFollowUp|Troubleshooting Guide]]
Back to [[Tools/Manuals/SiteProblemsFollowUp|Troubleshooting Guide]]

Revision as of 07:23, 31 March 2011

Back to Troubleshooting Guide

Invalid CRL: The available CRL has expired

Full message

One of the possible GridFTP error messages looks like this:

GridFTP: exist operation failed. the server sent an error response: 535 535-FTPD GSSAPI error: GSS Major Status: Authentication Failed
535-FTPD GSSAPI error: GSS Minor Status Error Chain:
535-FTPD GSSAPI error: 
535-FTPD GSSAPI error: accept_sec_context.c:170: gss_accept_sec_context: SSLv3 handshake problems
535-FTPD GSSAPI error: globus_i_gsi_gss_utils.c:881: globus_i_gsi_gss_handshake: Unable to verify remote side's credentials
535-FTPD GSSAPI error: globus_i_gsi_gss_utils.c:854: globus_i_gsi_gss_handshake: SSLv3 handshake problems: Couldn't do ssl handshake
535-FTPD GSSAPI error: OpenSSL Error: s3_srvr.c:1816: in library: SSL routines, function SSL3_GET_CLIENT_CERTIFICATE: no certificate returned
535-FTPD GSSAPI error: globus_gsi_callback.c:351: globus_i_gsi_callback_handshake_callback: Could not verify credential
535-FTPD GSSAPI error: globus_gsi_callback.c:477: globus_i_gsi_callback_cred_verify: Could not verify credential
535-FTPD GSSAPI error: globus_gsi_callback.c:769: globus_i_gsi_callback_check_revoked: Invalid CRL: The available CRL has expired
535 FTPD GSSAPI error: accepting context


Some certificate revocation lists (CRLs), stored in *.r0 files, are out of date on the GridFTP server or on the client. The CRL files are located in the directory given by $X509_CERT_DIR, or in /etc/grid-security/certificates by default.


Make sure that the following cron entry exists on the server:


Check /var/log/fetch-crl-cron.log for errors. A non-relocated client installation should also have that cron job. A relocated (tarball) UI or WN may have a cron job whose name or location cannot be predicted. For example, for the AFS UI at CERN the cron job is run from an "acrontab" owned by the service admin account.
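
To find which *.r0 files are causing the error, the nextUpdate field of each CRL can be compared with the current time. The script below is an added example, not part of the original wiki page; it assumes the openssl command line tool, GNU date and PEM-encoded CRL files, and the WARN_HOURS setting and the --scan argument are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the wiki page. Assumes the openssl CLI, GNU date
# (date -d) and PEM-encoded *.r0 files. WARN_HOURS is a hypothetical setting.
CERT_DIR="${X509_CERT_DIR:-/etc/grid-security/certificates}"
WARN_HOURS="${WARN_HOURS:-24}"

# crl_state NEXT_UPDATE NOW_EPOCH
# NEXT_UPDATE is the date text printed by `openssl crl -nextupdate`,
# e.g. "Mar 31 07:23:00 2011 GMT". Prints EXPIRED, EXPIRING, OK or UNPARSEABLE.
crl_state() {
    next_epoch=$(date -u -d "$1" +%s 2>/dev/null) || { echo UNPARSEABLE; return 0; }
    if [ "$next_epoch" -le "$2" ]; then
        echo EXPIRED
    elif [ "$next_epoch" -le $(( $2 + $WARN_HOURS * 3600 )) ]; then
        echo EXPIRING
    else
        echo OK
    fi
}

# scan_crls DIR
# Prints one line per CRL that is not OK; returns 1 if any such CRL was found.
scan_crls() {
    now=$(date -u +%s)
    bad=0
    for f in "$1"/*.r0; do
        [ -e "$f" ] || continue    # the glob matched nothing
        # openssl prints "nextUpdate=<date>"; strip the label
        next=$(openssl crl -in "$f" -noout -nextupdate 2>/dev/null | sed 's/^nextUpdate=//')
        if [ -z "$next" ]; then
            state=UNREADABLE       # not a CRL openssl could parse
        else
            state=$(crl_state "$next" "$now")
        fi
        if [ "$state" != OK ]; then
            echo "$state $f $next"
            bad=1
        fi
    done
    return "$bad"
}

# Scan only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--scan" ]; then
    scan_crls "$CERT_DIR"
fi
```

Run with --scan on both the GridFTP server and the client, since an expired CRL on either side produces the same handshake failure.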