The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "Tools/Manuals/TS08"

 
(2 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{Template:Op menubar}}
{{Template:Doc_menubar}}
[[Category:Operations Manuals]]
{{TOC_right}}
{{TOC_right}}
[[Category:FAQ]]
------
------
Back to [[Manuals/Troubleshooting/SiteProblemsFollowUp|Troubleshooting Guide]]
Back to [[Tools/Manuals/SiteProblemsFollowUp|Troubleshooting Guide]]
------
------


Line 11: Line 14:
One of the possible GridFTP error messages looks like this:
One of the possible GridFTP error messages looks like this:


  GridFTP: exist operation failed. the server sent an error response: 535 535-FTPD GSSAPI error: GSS Major Status: Authentication Failed
  GridFTP: exist operation failed. the server sent an error response:
535 535-FTPD GSSAPI error: GSS Major Status: Authentication Failed
  535-FTPD GSSAPI error: GSS Minor Status Error Chain:
  535-FTPD GSSAPI error: GSS Minor Status Error Chain:
  535-FTPD GSSAPI error:  
  535-FTPD GSSAPI error:  
  535-FTPD GSSAPI error: accept_sec_context.c:170: gss_accept_sec_context: SSLv3 handshake problems
  535-FTPD GSSAPI error: accept_sec_context.c:170: gss_accept_sec_context:
  535-FTPD GSSAPI error: globus_i_gsi_gss_utils.c:881: globus_i_gsi_gss_handshake: Unable to verify remote side's credentials
SSLv3 handshake problems
  535-FTPD GSSAPI error: globus_i_gsi_gss_utils.c:854: globus_i_gsi_gss_handshake: SSLv3 handshake problems: Couldn't do ssl handshake
  535-FTPD GSSAPI error: globus_i_gsi_gss_utils.c:881: globus_i_gsi_gss_handshake:
  535-FTPD GSSAPI error: OpenSSL Error: s3_srvr.c:1816: in library: SSL routines, function SSL3_GET_CLIENT_CERTIFICATE: no certificate returned
Unable to verify remote side's credentials
  535-FTPD GSSAPI error: globus_gsi_callback.c:351: globus_i_gsi_callback_handshake_callback: Could not verify credential
  535-FTPD GSSAPI error: globus_i_gsi_gss_utils.c:854: globus_i_gsi_gss_handshake:
  535-FTPD GSSAPI error: globus_gsi_callback.c:477: globus_i_gsi_callback_cred_verify: Could not verify credential
SSLv3 handshake problems: Couldn't do ssl handshake
  535-FTPD GSSAPI error: globus_gsi_callback.c:769: globus_i_gsi_callback_check_revoked: Invalid CRL: The available CRL has expired
  535-FTPD GSSAPI error: OpenSSL Error: s3_srvr.c:1816: in library: SSL routines,
function SSL3_GET_CLIENT_CERTIFICATE: no certificate returned
  535-FTPD GSSAPI error: globus_gsi_callback.c:351:
globus_i_gsi_callback_handshake_callback: Could not verify credential
  535-FTPD GSSAPI error: globus_gsi_callback.c:477:
globus_i_gsi_callback_cred_verify: Could not verify credential
  535-FTPD GSSAPI error: globus_gsi_callback.c:769:
globus_i_gsi_callback_check_revoked: Invalid CRL: The available CRL has expired
  535 FTPD GSSAPI error: accepting context
  535 FTPD GSSAPI error: accepting context
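Review bot: in the rewrapped error message, the continuation lines ("SSLv3 handshake problems", "Unable to verify remote side's credentials", "Invalid CRL: The available CRL has expired" and the others) start at column 0, while the "535-FTPD GSSAPI error:" lines keep their leading space. As shown here, the wrapped halves would fall outside the space-indented preformatted block, and the decisive text no longer sits on the same line as its source location (for example globus_gsi_callback.c:769). Suggest giving each continuation line the same leading space, or keeping each server line unbroken, so the page still matches a search for the exact server output.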



Latest revision as of 12:23, 23 November 2012



Invalid CRL: The available CRL has expired

Full message

One of the possible GridFTP error messages looks like this:

GridFTP: exist operation failed. the server sent an error response:
535 535-FTPD GSSAPI error: GSS Major Status: Authentication Failed
535-FTPD GSSAPI error: GSS Minor Status Error Chain:
535-FTPD GSSAPI error: 
535-FTPD GSSAPI error: accept_sec_context.c:170: gss_accept_sec_context:
SSLv3 handshake problems
535-FTPD GSSAPI error: globus_i_gsi_gss_utils.c:881: globus_i_gsi_gss_handshake:
Unable to verify remote side's credentials
535-FTPD GSSAPI error: globus_i_gsi_gss_utils.c:854: globus_i_gsi_gss_handshake:
SSLv3 handshake problems: Couldn't do ssl handshake
535-FTPD GSSAPI error: OpenSSL Error: s3_srvr.c:1816: in library: SSL routines,
function SSL3_GET_CLIENT_CERTIFICATE: no certificate returned
535-FTPD GSSAPI error: globus_gsi_callback.c:351:
globus_i_gsi_callback_handshake_callback: Could not verify credential
535-FTPD GSSAPI error: globus_gsi_callback.c:477:
globus_i_gsi_callback_cred_verify: Could not verify credential
535-FTPD GSSAPI error: globus_gsi_callback.c:769:
globus_i_gsi_callback_check_revoked: Invalid CRL: The available CRL has expired
535 FTPD GSSAPI error: accepting context

Diagnosis

Some certificate revocation lists (CRLs), stored in *.r0 files, are outdated on the GridFTP server or on the client. The CRL files are located in the $X509_CERT_DIR directory, or in /etc/grid-security/certificates by default.

Solution

Make sure that the following cron entry exists on the server:

/etc/cron.d/fetch-crl

Check /var/log/fetch-crl-cron.log for errors. A non-relocated client installation should also have that cron job. A relocated (tarball) UI or WN may have a cron job whose name or location cannot be predicted. For example, for the AFS UI at CERN the cron job is run from an "acrontab" owned by the service admin account.
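
To confirm which CRLs are stale before or after fixing the cron job, the following script lists every *.r0 file whose nextUpdate time has passed. It is an added example, not part of the original manual or of fetch-crl; it assumes the openssl command-line tool is installed and that the *.r0 files are PEM-encoded. The function names are made up for this example.

```shell
#!/bin/sh
# Added example: report CRLs in the CA directory whose nextUpdate is in the past.
# Assumptions: openssl CLI available, *.r0 files are PEM-encoded CRLs.

# Wrapper around openssl; prints e.g. "nextUpdate=Nov 23 12:23:00 2012 GMT".
crl_next_update() {
    openssl crl -in "$1" -noout -nextupdate 2>/dev/null
}

# Convert openssl's date format to a sortable UTC stamp, YYYYMMDDhhmmss.
stamp_of() {
    printf '%s\n' "$1" | awk '{
        sub(/^nextUpdate=/, "")
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
        gsub(/:/, "", $3)
        printf "%04d%02d%02d%s\n", $4, m, $2, $3
    }'
}

# Print one status line per *.r0 file.
# $1 = CA directory, $2 = "now" as YYYYMMDDhhmmss (default: current UTC time).
# Returns 1 if any CRL is expired or cannot be read, 0 otherwise.
scan_crl_dir() {
    dir=$1
    now=${2:-$(date -u +%Y%m%d%H%M%S)}
    bad=0
    for crl in "$dir"/*.r0; do
        [ -e "$crl" ] || continue          # no *.r0 files at all
        next=$(crl_next_update "$crl") || next=""
        if [ -z "$next" ]; then
            echo "UNREADABLE $crl"; bad=1
        elif [ "$(stamp_of "$next")" -lt "$now" ]; then
            echo "EXPIRED    $crl ($next)"; bad=1
        else
            echo "OK         $crl ($next)"
        fi
    done
    return $bad
}

# Same directory lookup as described in the Diagnosis section.
scan_crl_dir "${X509_CERT_DIR:-/etc/grid-security/certificates}" ||
    echo "stale or unreadable CRLs found: check the fetch-crl cron job and its log" >&2
```

Run it on both the GridFTP server and the client, since an expired CRL on either side produces the error above.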