The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Tools/Manuals/TS10



sslv3 alert bad certificate

There are (at least) 2 cases in which this message can pop up:

1. Proxy used too soon

Full message

$ myproxy-info -d -s myproxy.cern.ch
Error authenticating: GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:

init.c:266: globus_gss_assist_init_sec_context: Error during context initialization
init_sec_context.c:171: gss_init_sec_context: SSLv3 handshake problems
globus_i_gsi_gss_utils.c:888: globus_i_gsi_gss_handshake: Unable to verify remote side's credentials
globus_i_gsi_gss_utils.c:847: globus_i_gsi_gss_handshake: Unable to verify remote side's credentials:
Couldn't verify the remote certificate
OpenSSL Error: s3_pkt.c:1046: in library: SSL routines, function SSL3_READ_BYTES: sslv3 alert bad certificate

Diagnosis

This exact error message typically occurs when a proxy is used before it becomes valid. This happens when the proxy was created on a machine that has its system date more than 5 minutes in the future, and the proxy is used too early. When the same proxy is used again at a later time, the failed command "suddenly" works, giving the false impression that the problem somehow was fixed...

Solution

Correct the system date on the machines involved and keep it synchronized with a nearby time server, e.g. through the ntpd service or via a regular cron job invoking the rdate command.
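
To confirm this diagnosis on a given host, the validity window of the proxy can be compared with the local clock. The script below is an added example, not part of the original wiki page; it assumes GNU date and openssl, and its function names and sample dates are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: classify a proxy's validity window against a clock value.
# Needs GNU date (date -d); openssl is only used by check_proxy_file.

# Convert an openssl date such as "Mar  1 12:07:00 2024 GMT" to epoch seconds.
to_epoch() { date -u -d "$1" +%s; }

# proxy_window_state <notBefore> <notAfter> <now_epoch>
# Prints one of:
#   not-yet-valid <seconds until the proxy becomes valid>
#   expired <seconds since expiry>
#   valid <seconds left>
proxy_window_state() {
    local nb na now=$3
    nb=$(to_epoch "$1") || return 2
    na=$(to_epoch "$2") || return 2
    if [ "$now" -lt "$nb" ]; then
        echo "not-yet-valid $((nb - now))"
    elif [ "$now" -gt "$na" ]; then
        echo "expired $((now - na))"
    else
        echo "valid $((na - now))"
    fi
}

# check_proxy_file <path>: read the dates of the first certificate in the
# file (the proxy certificate itself) and compare them with the local clock.
# Typical call: check_proxy_file "/tmp/x509up_u$(id -u)"
check_proxy_file() {
    local dates nb na
    dates=$(openssl x509 -in "$1" -noout -dates) || return 2
    nb=$(printf '%s\n' "$dates" | sed -n 's/^notBefore=//p')
    na=$(printf '%s\n' "$dates" | sed -n 's/^notAfter=//p')
    proxy_window_state "$nb" "$na" "$(date -u +%s)"
}

# Constructed sample values: the checking host's clock reads 12:00:00,
# but the proxy only becomes valid at 12:07:00 on the same day.
SAMPLE_NOT_BEFORE="Mar  1 12:07:00 2024 GMT"
SAMPLE_NOT_AFTER="Mar  2 00:12:00 2024 GMT"
SAMPLE_NOW=$(to_epoch "Mar  1 12:00:00 2024 GMT")

proxy_window_state "$SAMPLE_NOT_BEFORE" "$SAMPLE_NOT_AFTER" "$SAMPLE_NOW"
```

A "not-yet-valid" result on a freshly created proxy points at a clock difference between the machine that created the proxy and the machine checking it.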

2. (pre-)RFC style proxy used against WMS or RB

Full message

$ glite-wms-job-submit -a myjob.jdl

Connecting to the service https://wms211.cern.ch:7443/glite_wms_wmproxy_server

Connection failed: SSL_ERROR_SSL
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
SSL connect failed in tcp_connect()
Error code: SOAP-ENV:Client

$ edg-job-submit --vo whatever Myjob.jdl
Selected Virtual Organisation name (from --vo option): whatever
Connecting to host boszwijn.nikhef.nl, port 7772
Logging to host boszwijn.nikhef.nl, port 9002
**** Error: API_NATIVE_ERROR ****
Error while calling the "edg_wll_RegisterJobSync" native api
Unable to Register the Job:
https://boszwijn.nikhef.nl:9000/TkTGXbByfpIuJWPbRN6wxg
to the LB logger at: boszwijn.nikhef.nl
SSL Error (sslv3 alert bad certificate)

Diagnosis

The error can also occur when a proxy of the wrong type is used: pre-RFC and RFC proxies are not yet supported by all gLite services, in particular not by the WMS. Note that by default voms-proxy-init will generate proxies of a type supported by all gLite services, whereas the grid-proxy-init command by default uses an unsupported type:

$ grid-proxy-info
subject  : /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser/CN=843775619
issuer   : /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser
identity : /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser
type     : Proxy draft (pre-RFC) compliant impersonation proxy
strength : 512 bits
path     : /tmp/x509up_u7651
timeleft : 5:35:50

Solution

Use voms-proxy-init without -rfc or -proxyver. A plain grid proxy with the correct type can be generated as follows:

voms-proxy-init
grid-proxy-init -old