sslv3 alert bad certificate

There are (at least) 2 cases in which this message can pop up:

1. Proxy used too soon

Full message

$ myproxy-info -d -s
Error authenticating: GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:

init.c:266: globus_gss_assist_init_sec_context: Error during context initialization
init_sec_context.c:171: gss_init_sec_context: SSLv3 handshake problems
globus_i_gsi_gss_utils.c:888: globus_i_gsi_gss_handshake: Unable to verify remote side's credentials
globus_i_gsi_gss_utils.c:847: globus_i_gsi_gss_handshake: Unable to verify remote side's credentials:
Couldn't verify the remote certificate
OpenSSL Error: s3_pkt.c:1046: in library: SSL routines, function SSL3_READ_BYTES: sslv3 alert bad certificate


This exact error message typically occurs when a proxy is used before it becomes valid. This happens when the proxy was created on a machine whose system date is more than 5 minutes in the future, and the proxy is used too early. When the same proxy is used again at a later time, the failed command "suddenly" works, giving the false impression that the problem had somehow been fixed.


Correct the system date on the machines involved and keep it synchronized with a nearby time server e.g. through the ntpd service or via a regular cron job invoking the rdate command.
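To confirm case 1 before retrying, the script below (an added example, not part of the original page) compares the proxy's notBefore and notAfter dates with the clock; openssl's -checkend only tests expiry, not the start of the validity window. It assumes GNU date and the conventional proxy location (X509_USER_PROXY, else /tmp/x509up_u<uid>); the function names are made up for this example.

```sh
#!/bin/sh
# Added example (not from the original page). Needs openssl and GNU date (-d).
# Function names are illustrative.

# proxy_state NOT_BEFORE NOT_AFTER NOW_EPOCH
# Dates are in openssl's format, e.g. "Jan  1 12:00:00 2024 GMT".
# Prints "<state> <seconds>"; the body runs in a subshell so variables stay local.
proxy_state() (
    nb=$(date -u -d "$1" +%s) || exit 2
    na=$(date -u -d "$2" +%s) || exit 2
    now=$3
    if [ "$now" -lt "$nb" ]; then
        echo "not-yet-valid $((nb - now))"   # seconds until the proxy becomes usable
    elif [ "$now" -ge "$na" ]; then
        echo "expired $((now - na))"         # seconds since it expired
    else
        echo "valid $((na - now))"           # seconds of lifetime left
    fi
)

# check_proxy [FILE]: read the validity window of the first certificate in
# the proxy file (the proxy certificate itself) and compare it with the local clock.
check_proxy() (
    file=${1:-${X509_USER_PROXY:-/tmp/x509up_u$(id -u)}}
    dates=$(openssl x509 -in "$file" -noout -startdate -enddate) || exit 2
    nb=$(printf '%s\n' "$dates" | sed -n 's/^notBefore=//p')
    na=$(printf '%s\n' "$dates" | sed -n 's/^notAfter=//p')
    proxy_state "$nb" "$na" "$(date -u +%s)"
)

# Run as: sh check-proxy.sh /tmp/x509up_u7651
if [ $# -gt 0 ]; then check_proxy "$1"; fi
```

Run it on a host whose clock is known to be synchronized, since the result is only as good as the local clock. A "not-yet-valid" answer there points at the clock of the machine that created the proxy.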

2. (pre-)RFC style proxy used against WMS or RB

Full message

$ glite-wms-job-submit -a myjob.jdl

Connecting to the service

Connection failed: SSL_ERROR_SSL
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
SSL connect failed in tcp_connect()
Error code: SOAP-ENV:Client

$ edg-job-submit --vo whatever Myjob.jdl
Selected Virtual Organisation name (from --vo option): whatever
Connecting to host, port 7772
Logging to host, port 9002
**** Error: API_NATIVE_ERROR ****
Error while calling the "edg_wll_RegisterJobSync" native api
Unable to Register the Job:
to the LB logger at:
SSL Error (sslv3 alert bad certificate)


The error can also occur when a proxy of the wrong type is used: pre-RFC and RFC proxies are not yet supported by all gLite services, in particular not by the WMS. Note that by default voms-proxy-init will generate proxies of a type supported by all gLite services, whereas the grid-proxy-init command by default uses an unsupported type:

$ grid-proxy-info
subject  : /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser/CN=843775619
issuer   : /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser
identity : /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser
type     : Proxy draft (pre-RFC) compliant impersonation proxy
strength : 512 bits
path     : /tmp/x509up_u7651
timeleft : 5:35:50


Use voms-proxy-init without -rfc or -proxyver. A plain grid proxy with the correct type can be generated as follows:

grid-proxy-init -old
