[AG-DEV] Certificate handling in CVS code

Christoph Willing willing at vislab.uq.edu.au
Sun Jan 14 06:42:02 CST 2007


There seems to be a problem with certificate handling in the current  
AG code in CVS. I'm not sure if it should be reported here or  
bugzilla'd (CVS is assumed to be buggy isn't it?).


When running certmgr for a new user, the following error occurs -

1) d5:~ % mv .AccessGrid3 .AccessGrid3ZZZ
2) d5:~ % certmgr3.py
Traceback (most recent call last):
   File "/usr/bin/certmgr3.py", line 807, in ?
     main()
   File "/usr/bin/certmgr3.py", line 778, in main
     cmd = CertMgrCmdProcessor(app.GetCertificateManager(), app.GetLog())
   File "/usr/bin/certmgr3.py", line 46, in __init__
     self.certMgrUI = CmdlineApplication.instance().GetCertificateManagerUI()
   File "/usr/lib/python2.4/site-packages/AccessGrid3/AccessGrid/Toolkit.py", line 484, in GetCertificateManagerUI
     if self.GetDefaultSubject() is None:
   File "/usr/lib/python2.4/site-packages/AccessGrid3/AccessGrid/Toolkit.py", line 452, in GetDefaultSubject
     ident = self.GetCertificateManager().GetDefaultIdentity()
   File "/usr/lib/python2.4/site-packages/AccessGrid3/AccessGrid/Security/CertificateManager.py", line 732, in GetDefaultIdentity
     raise NoCertificates
AccessGrid.Security.CertificateManager.NoCertificates
3) d5:~ %

i.e. certmgr doesn't even run far enough to display the user prompt.  
The error seems to say that since there's no certificate installed,  
certmgr can't proceed. Does that mean that no default certificate is  
being installed when a new user config is being generated?

The full log for this transaction is attached here -

-------------- next part --------------
A non-text attachment was scrubbed...
Name: CertificateManager.log
Type: application/octet-stream
Size: 4871 bytes
Desc: not available
URL: <http://lists.mcs.anl.gov/pipermail/ag-dev/attachments/20070114/e4626450/attachment.obj>
-------------- next part --------------


This means that I can't install a certificate with the current CVS code.

I had to back out to a standard 3.0.2 installation in order to  
install a certificate. When I then changed over to the CVS code  
again, certmgr worked to the extent that I could list the certificate  
imported under 3.0.2 but that's about all I could do. The following  
transcript shows the certificate being listed. It then shows a failed  
attempt to import another certificate (anon_b.pem). Then trying to  
"show" the existing certificate produces another error and I'm booted  
back out to the shell -

23) d5:~/AGcerts % certmgr3.py
(ID mode) > list
1. (Default) /O=Access Grid/O=Argonne National Laboratory/OU=Futures Lab Anonymous Authority/CN=Anonymous User ab37c621c58efdea9e98ad5439dfa6e7
(ID mode) > import anon_b.pem
Private key found in certificate file anon_b.pem; ignoring key                 file anon_b.pem
Error importing certificate from anon_b.pem keyfile anon_b.pem:
(ID mode) > list
1. (Default) /O=Access Grid/O=Argonne National Laboratory/OU=Futures Lab Anonymous Authority/CN=Anonymous User ab37c621c58efdea9e98ad5439dfa6e7
(ID mode) > show 1
Subject:  /O=Access Grid/O=Argonne National Laboratory/OU=Futures Lab Anonymous Authority/CN=Anonymous User ab37c621c58efdea9e98ad5439dfa6e7
Issuer:  /O=Access Grid/O=Argonne National Laboratory/OU=Futures Lab Anonymous Authority/CN=Anonymous Certificate Authority
Traceback (most recent call last):
   File "/usr/bin/certmgr3.py", line 807, in ?
     main()
   File "/usr/bin/certmgr3.py", line 790, in main
     cmd.cmdloop()
   File "/usr/lib/python2.4/cmd.py", line 142, in cmdloop
     stop = self.onecmd(line)
   File "/usr/lib/python2.4/cmd.py", line 219, in onecmd
     return func(arg)
   File "/usr/bin/certmgr3.py", line 188, in do_show
     print self.certs[num].GetVerboseText()
   File "/usr/lib/python2.4/site-packages/AccessGrid3/AccessGrid/Security/CertificateRepository.py", line 1300, in GetVerboseText
     return self.cert.GetVerboseText()
   File "/usr/lib/python2.4/site-packages/AccessGrid3/AccessGrid/Security/CertificateRepository.py", line 1663, in GetVerboseText
     fmt += "%s Fingerprint: %s\n"  % (ctype,
   File "/usr/lib/python2.4/site-packages/AccessGrid3/AccessGrid/Security/CertificateRepository.py", line 1664, in <lambda>
     string.join(map(lambda a: "%02X" % (a), fp), ":"))
TypeError: int argument required
24) d5:~/AGcerts %


And here is the log file for that transaction -

-------------- next part --------------
A non-text attachment was scrubbed...
Name: CertificateManager.log
Type: application/octet-stream
Size: 1785 bytes
Desc: not available
URL: <http://lists.mcs.anl.gov/pipermail/ag-dev/attachments/20070114/e4626450/attachment-0001.obj>
-------------- next part --------------



There's more ...
when I run a VenueServer, a VenueClient connects to it OK. However I  
can't connect to it with the VenueManagement tool. The error message is:
VenueManagement   01/14/2007 10:18:01 PM ERROR VenueManagementClient.ConnectToServer: Can not connect.:
Traceback (most recent call last):
   File "/usr/bin/VenueManagement3.py", line 446, in ConnectToServer
     vl = self.server.GetVenues()
   File "/usr/lib/python2.4/site-packages/AccessGrid3/AccessGrid/interfaces/VenueServer_client.py", line 142, in GetVenues
     self.binding.Send(None, None, request, soapaction="urn:#GetVenues", **kw)
   File "/usr/lib/python2.4/site-packages/ZSI/client.py", line 254, in Send
     self.h.connect()
   File "/usr/lib/python2.4/site-packages/M2Crypto/httpslib.py", line 47, in connect
     self.sock.connect((self.host, self.port))
   File "/usr/lib/python2.4/site-packages/M2Crypto/SSL/Connection.py", line 154, in connect
     ret = self.connect_ssl()
   File "/usr/lib/python2.4/site-packages/M2Crypto/SSL/Connection.py", line 147, in connect_ssl
     return m2.ssl_connect(self.ssl)
SSLError: certificate verify failed



The VenueServer's log says:
Traceback (most recent call last):
   File "/usr/lib/python2.4/site-packages/M2Crypto/SSL/SSLServer.py", line 29, in handle_request
     request, client_address = self.get_request()
   File "/usr/lib/python2.4/SocketServer.py", line 373, in get_request
     return self.socket.accept()
   File "/usr/lib/python2.4/site-packages/AccessGrid3/AccessGrid/hosting/ZSI/ServiceContainer.py", line 152, in M2CryptoConnectionAccept
     ret = ssl.accept_ssl()
   File "/usr/lib/python2.4/site-packages/M2Crypto/SSL/Connection.py", line 125, in accept_ssl
     return m2.ssl_accept(self.ssl)
SSLError: tlsv1 alert unknown ca
----------------------------------------


The VenueManagement tool is running on the same machine as the  
VenueServer, using the same anonymous certificate as was loaded in  
the certmgr saga above. I've tried a service certificate as well, but  
same result.


chris


Christoph Willing                       +61 7 3365 8350
QCIF Access Grid Manager
University of Queensland
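
Added example, not part of the original message and not AccessGrid code: the `show 1` traceback above ends with `"%02X" % (a)` raising `TypeError: int argument required`, which is what that expression does when the elements of `fp` are not integers. The Python 3 sketch below normalises a fingerprint given as raw bytes, a sequence of ints, or hex text before formatting it; `format_fingerprint`, `demo` and the sample bytes are hypothetical names and constructed data.

```python
import hashlib
import string


def format_fingerprint(fp):
    """Return fp as colon-separated upper-case hex pairs.

    Accepts raw digest bytes, a sequence of ints in 0..255, or a hex
    string with or without ':' separators.
    """
    if isinstance(fp, int):
        # bytes(5) would silently yield five zero bytes; reject it.
        raise TypeError("fingerprint must be bytes, ints or hex text")
    if isinstance(fp, str):
        digits = fp.replace(":", "")
        if (not digits or len(digits) % 2
                or any(c not in string.hexdigits for c in digits)):
            raise ValueError("not a hex fingerprint: %r" % (fp,))
        raw = bytes.fromhex(digits)
    else:
        # bytes, bytearray, list or tuple of ints; a list of characters
        # raises TypeError here instead of deep inside a format string.
        raw = bytes(fp)
    if not raw:
        raise ValueError("empty fingerprint")
    return ":".join("%02X" % b for b in raw)


def demo():
    """Format one digest supplied in three representations."""
    # Constructed sample bytes standing in for a DER certificate.
    der = b"constructed sample, not a real certificate"
    digest = hashlib.sha256(der).digest()
    return [
        format_fingerprint(digest),        # raw bytes
        format_fingerprint(list(digest)),  # sequence of ints
        format_fingerprint(digest.hex()),  # hex text
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```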




