Tools/Manuals/TS08
Invalid CRL: The available CRL has expired
Full message
One of the possible GridFTP error messages looks like this:
GridFTP: exist operation failed. the server sent an error response: 535 535-FTPD GSSAPI error: GSS Major Status: Authentication Failed
535-FTPD GSSAPI error: GSS Minor Status Error Chain:
535-FTPD GSSAPI error:
535-FTPD GSSAPI error: accept_sec_context.c:170: gss_accept_sec_context: SSLv3 handshake problems
535-FTPD GSSAPI error: globus_i_gsi_gss_utils.c:881: globus_i_gsi_gss_handshake: Unable to verify remote side's credentials
535-FTPD GSSAPI error: globus_i_gsi_gss_utils.c:854: globus_i_gsi_gss_handshake: SSLv3 handshake problems: Couldn't do ssl handshake
535-FTPD GSSAPI error: OpenSSL Error: s3_srvr.c:1816: in library: SSL routines, function SSL3_GET_CLIENT_CERTIFICATE: no certificate returned
535-FTPD GSSAPI error: globus_gsi_callback.c:351: globus_i_gsi_callback_handshake_callback: Could not verify credential
535-FTPD GSSAPI error: globus_gsi_callback.c:477: globus_i_gsi_callback_cred_verify: Could not verify credential
535-FTPD GSSAPI error: globus_gsi_callback.c:769: globus_i_gsi_callback_check_revoked: Invalid CRL: The available CRL has expired
535 FTPD GSSAPI error: accepting context
Diagnosis
Some certificate revocation lists (CRLs), stored in *.r0 files, are outdated on the GridFTP server or on the client. The CRL files are located in the directory given by $X509_CERT_DIR, or in /etc/grid-security/certificates by default.
Solution
Make sure that the following cron entry exists on the server:
/etc/cron.d/fetch-crl
Check /var/log/fetch-crl-cron.log for errors. A non-relocated client installation should also have that cron job. A relocated (tarball) UI or WN may have a cron job whose name or location cannot be predicted. For example, for the AFS UI at CERN the cron job is run from an "acrontab" owned by the service admin account.
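To find out which CRL files are the outdated ones, the following script (an added example, not part of the original page or of fetch-crl) reads the nextUpdate field of every *.r0 file and reports those that are expired or about to expire. It assumes the openssl command line tool and GNU date are installed; the function names and the 24-hour warning window are choices made for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): flag CRLs past or near nextUpdate.
# Assumes the openssl CLI and GNU date ("date -d") are installed.
# Usage: check-crl.sh --scan [directory]
CERT_DIR="${X509_CERT_DIR:-/etc/grid-security/certificates}"

# crl_seconds_left "nextUpdate=<date>" [now_epoch]
# Prints seconds until nextUpdate; zero or negative means the CRL has expired.
crl_seconds_left() {
    local stamp="${1#nextUpdate=}" now="${2:-$(date -u +%s)}" next
    next=$(date -u -d "$stamp" +%s 2>/dev/null) || return 2
    echo $(( next - now ))
}

# crl_status "nextUpdate=<date>" [now_epoch] [warn_seconds]
# Prints EXPIRED, EXPIRING (inside the warning window), OK or UNPARSEABLE.
crl_status() {
    local left warn="${3:-86400}"
    left=$(crl_seconds_left "$1" "${2:-}") || { echo UNPARSEABLE; return 0; }
    if [ "$left" -le 0 ]; then echo EXPIRED
    elif [ "$left" -le "$warn" ]; then echo EXPIRING
    else echo OK; fi
}

# scan_crls [directory] [warn_seconds]
# Lists every *.r0 file that is not OK. Returns 0 if all CRLs are current,
# 1 if any needs attention, 2 if the directory holds no CRL files at all.
scan_crls() {
    local dir="${1:-$CERT_DIR}" warn="${2:-86400}" f line status bad=0
    for f in "$dir"/*.r0; do
        [ -e "$f" ] || { echo "no *.r0 files in $dir"; return 2; }
        # Try PEM first, then DER; a CRL without nextUpdate prints "NONE".
        line=$(openssl crl -in "$f" -noout -nextupdate 2>/dev/null) ||
        line=$(openssl crl -inform DER -in "$f" -noout -nextupdate 2>/dev/null) ||
        line="nextUpdate=NONE"
        status=$(crl_status "$line" "" "$warn")
        [ "$status" = OK ] || { bad=1; printf '%-11s %s (%s)\n' "$status" "$f" "$line"; }
    done
    return "$bad"
}

if [ "${1:-}" = "--scan" ]; then
    scan_crls "${2:-$CERT_DIR}"
fi
```

Files reported as EXPIRED are the ones the fetch-crl cron job has failed to refresh; the matching entries in /var/log/fetch-crl-cron.log usually say why.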