sslv3 alert bad certificate
There are (at least) 2 cases in which this message can pop up:
1. Proxy used too soon
$ myproxy-info -d -s myproxy.cern.ch
Error authenticating: GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
init.c:266: globus_gss_assist_init_sec_context: Error during context initialization
init_sec_context.c:171: gss_init_sec_context: SSLv3 handshake problems
globus_i_gsi_gss_utils.c:888: globus_i_gsi_gss_handshake: Unable to verify remote side's credentials
globus_i_gsi_gss_utils.c:847: globus_i_gsi_gss_handshake: Unable to verify remote side's credentials: Couldn't verify the remote certificate
OpenSSL Error: s3_pkt.c:1046: in library: SSL routines, function SSL3_READ_BYTES: sslv3 alert bad certificate
This exact error message typically occurs when a proxy is used before it becomes valid. This happens when the proxy was created on a machine that has its system date more than 5 minutes in the future, and the proxy is used too early. When the same proxy is used again at a later time, the failed command "suddenly" works, giving the false impression that the problem somehow was fixed...
Correct the system date on the machines involved and keep it synchronized with a nearby time server e.g. through the ntpd service or via a regular cron job invoking the rdate command.
2. (pre-)RFC style proxy used against WMS or RB
$ glite-wms-job-submit -a myjob.jdl
Connecting to the service https://wms211.cern.ch:7443/glite_wms_wmproxy_server
Connection failed: SSL_ERROR_SSL
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
SSL connect failed in tcp_connect()
Error code: SOAP-ENV:Client

$ edg-job-submit --vo whatever Myjob.jdl
Selected Virtual Organisation name (from --vo option): whatever
Connecting to host boszwijn.nikhef.nl, port 7772
Logging to host boszwijn.nikhef.nl, port 9002
**** Error: API_NATIVE_ERROR ****
Error while calling the "edg_wll_RegisterJobSync" native api
Unable to Register the Job:
https://boszwijn.nikhef.nl:9000/TkTGXbByfpIuJWPbRN6wxg
to the LB logger at: boszwijn.nikhef.nl
SSL Error (sslv3 alert bad certificate)
The error can also occur when a proxy of the wrong type is used: pre-RFC and RFC proxies are not yet supported by all gLite services, in particular not by the WMS. Note that by default voms-proxy-init will generate proxies of a type supported by all gLite services, whereas the grid-proxy-init command by default uses an unsupported type:
$ grid-proxy-info
subject  : /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser/CN=843775619
issuer   : /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser
identity : /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser
type     : Proxy draft (pre-RFC) compliant impersonation proxy
strength : 512 bits
path     : /tmp/x509up_u7651
timeleft : 5:35:50
Use voms-proxy-init without -rfc or -proxyver. A plain grid proxy with the correct type can be generated as follows:
voms-proxy-init
grid-proxy-init -old
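
A triage helper for the two cases above, added here as an example and not part of the original guide: it computes how long until a proxy's notBefore time is reached relative to a reference clock, and flags the proxy types this page lists as unsupported by the WMS. The function names are hypothetical; GNU date and the openssl CLI are assumed.

```bash
#!/bin/sh
# Added example, not from the original guide; function names are hypothetical.
# Assumes GNU date (-d) and, for the live check, the openssl CLI.

# Case 1: seconds until the proxy becomes valid, as seen by a reference clock.
#   $1  notBefore line as printed by `openssl x509 -noout -startdate`
#   $2  reference time in epoch seconds, ideally from a synchronized host
# A positive result means the proxy is being used too soon.
secs_until_valid() {
    nb_epoch=$(date -u -d "${1#notBefore=}" +%s) || return 2
    echo $(( nb_epoch - $2 ))
}

# Case 2: read grid-proxy-info output on stdin and flag the proxy types
# this page lists as unsupported by the WMS (pre-RFC and RFC).
check_proxy_type() {
    ptype=$(sed -n 's/^type *: *//p')
    case $ptype in
        "")    echo "unknown: no type line"; return 2 ;;
        *RFC*) echo "unsupported: $ptype"; return 1 ;;
        *)     echo "ok: $ptype" ;;
    esac
}

# Live check: runs only if a proxy file and the tools are present.
proxy=${X509_USER_PROXY:-/tmp/x509up_u$(id -u)}
if [ -r "$proxy" ] && command -v openssl >/dev/null 2>&1; then
    # The first certificate in the file is the proxy certificate itself.
    start=$(openssl x509 -in "$proxy" -noout -startdate) || start=""
    # Local time is the reference here, so it only helps if this host's
    # clock is correct; pass a trusted epoch as $1 when in doubt.
    left=$(secs_until_valid "$start" "${1:-$(date +%s)}") || left=0
    if [ "$left" -gt 0 ]; then
        echo "proxy not valid for another ${left}s: check clocks"
    fi
    if command -v grid-proxy-info >/dev/null 2>&1; then
        grid-proxy-info | check_proxy_type || true
    fi
fi
```

Because the machine that created the proxy may be the one with the wrong clock, the comparison is most useful when the reference epoch comes from a host known to be synchronized.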