[AG-DEV] Certificate handling in CVS code
Christoph Willing
willing at vislab.uq.edu.au
Sun Jan 14 06:42:02 CST 2007
There seems to be a problem with certificate handling in the current
AG code in CVS. I'm not sure if it should be reported here or
bugzilla'd (CVS is assumed to be buggy, isn't it?).
When running certmgr for a new user, the following error occurs -
1) d5:~ % mv .AccessGrid3 .AccessGrid3ZZZ
2) d5:~ % certmgr3.py
Traceback (most recent call last):
File "/usr/bin/certmgr3.py", line 807, in ?
main()
File "/usr/bin/certmgr3.py", line 778, in main
cmd = CertMgrCmdProcessor(app.GetCertificateManager(), app.GetLog
())
File "/usr/bin/certmgr3.py", line 46, in __init__
self.certMgrUI = CmdlineApplication.instance
().GetCertificateManagerUI()
File "/usr/lib/python2.4/site-packages/AccessGrid3/AccessGrid/
Toolkit.py", line 484, in GetCertificateManagerUI
if self.GetDefaultSubject() is None:
File "/usr/lib/python2.4/site-packages/AccessGrid3/AccessGrid/
Toolkit.py", line 452, in GetDefaultSubject
ident = self.GetCertificateManager().GetDefaultIdentity()
File "/usr/lib/python2.4/site-packages/AccessGrid3/AccessGrid/
Security/CertificateManager.py", line 732, in GetDefaultIdentity
raise NoCertificates
AccessGrid.Security.CertificateManager.NoCertificates
3) d5:~ %
i.e. certmgr doesn't even run far enough to display the user prompt.
The error seems to say that since there's no certificate installed,
certmgr can't proceed. Does that mean that no default certificate is
being installed when a new user config is being generated?
The full log for this transaction is attached here -
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CertificateManager.log
Type: application/octet-stream
Size: 4871 bytes
Desc: not available
URL: <http://lists.mcs.anl.gov/pipermail/ag-dev/attachments/20070114/e4626450/attachment.obj>
-------------- next part --------------
This means that I can't install a certificate with the current CVS code.
I had to back out to a standard 3.0.2 installation in order to
install a certificate. When I then changed over to the CVS code
again, certmgr worked to the extent that I could list the certificate
imported under 3.0.2 but that's about all I could do. The following
transcript shows the certificate being listed. It then shows a failed
attempt to import another certificate (anon_b.pem). Then trying to
"show" the existing certificate produces another error and I'm booted
back out to the shell -
23) d5:~/AGcerts % certmgr3.py
(ID mode) > list
1. (Default) /O=Access Grid/O=Argonne National Laboratory/OU=Futures
Lab Anonymous Authority/CN=Anonymous User
ab37c621c58efdea9e98ad5439dfa6e7
(ID mode) > import anon_b.pem
Private key found in certificate file anon_b.pem; ignoring
key file anon_b.pem
Error importing certificate from anon_b.pem keyfile anon_b.pem:
(ID mode) > list
1. (Default) /O=Access Grid/O=Argonne National Laboratory/OU=Futures
Lab Anonymous Authority/CN=Anonymous User
ab37c621c58efdea9e98ad5439dfa6e7
(ID mode) > show 1
Subject: /O=Access Grid/O=Argonne National Laboratory/OU=Futures Lab
Anonymous Authority/CN=Anonymous User ab37c621c58efdea9e98ad5439dfa6e7
Issuer: /O=Access Grid/O=Argonne National Laboratory/OU=Futures Lab
Anonymous Authority/CN=Anonymous Certificate Authority
Traceback (most recent call last):
File "/usr/bin/certmgr3.py", line 807, in ?
main()
File "/usr/bin/certmgr3.py", line 790, in main
cmd.cmdloop()
File "/usr/lib/python2.4/cmd.py", line 142, in cmdloop
stop = self.onecmd(line)
File "/usr/lib/python2.4/cmd.py", line 219, in onecmd
return func(arg)
File "/usr/bin/certmgr3.py", line 188, in do_show
print self.certs[num].GetVerboseText()
File "/usr/lib/python2.4/site-packages/AccessGrid3/AccessGrid/
Security/CertificateRepository.py", line 1300, in GetVerboseText
return self.cert.GetVerboseText()
File "/usr/lib/python2.4/site-packages/AccessGrid3/AccessGrid/
Security/CertificateRepository.py", line 1663, in GetVerboseText
fmt += "%s Fingerprint: %s\n" % (ctype,
File "/usr/lib/python2.4/site-packages/AccessGrid3/AccessGrid/
Security/CertificateRepository.py", line 1664, in <lambda>
string.join(map(lambda a: "%02X" % (a), fp), ":"))
TypeError: int argument required
24) d5:~/AGcerts %
And here is the log file for that transaction -
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CertificateManager.log
Type: application/octet-stream
Size: 1785 bytes
Desc: not available
URL: <http://lists.mcs.anl.gov/pipermail/ag-dev/attachments/20070114/e4626450/attachment-0001.obj>
-------------- next part --------------
There's more ...
When I run a VenueServer, a VenueClient connects to it OK. However, I
can't connect to it with the VenueManagement tool. The error message is:
VenueManagement 01/14/2007 10:18:01 PM ERROR
VenueManagementClient.ConnectToServer: Can not connect.:
Traceback (most recent call last):
File "/usr/bin/VenueManagement3.py", line 446, in ConnectToServer
vl = self.server.GetVenues()
File "/usr/lib/python2.4/site-packages/AccessGrid3/AccessGrid/
interfaces/VenueServer_client.py", line 142, in GetVenues
self.binding.Send(None, None, request,
soapaction="urn:#GetVenues", **kw)
File "/usr/lib/python2.4/site-packages/ZSI/client.py", line 254,
in Send
self.h.connect()
File "/usr/lib/python2.4/site-packages/M2Crypto/httpslib.py", line
47, in connect
self.sock.connect((self.host, self.port))
File "/usr/lib/python2.4/site-packages/M2Crypto/SSL/
Connection.py", line 154, in connect
ret = self.connect_ssl()
File "/usr/lib/python2.4/site-packages/M2Crypto/SSL/
Connection.py", line 147, in connect_ssl
return m2.ssl_connect(self.ssl)
SSLError: certificate verify failed
The VenueServer's log says:
Traceback (most recent call last):
File "/usr/lib/python2.4/site-packages/M2Crypto/SSL/SSLServer.py",
line 29, in handle_request
request, client_address = self.get_request()
File "/usr/lib/python2.4/SocketServer.py", line 373, in get_request
return self.socket.accept()
File "/usr/lib/python2.4/site-packages/AccessGrid3/AccessGrid/
hosting/ZSI/ServiceContainer.py", line 152, in M2CryptoConnectionAccept
ret = ssl.accept_ssl()
File "/usr/lib/python2.4/site-packages/M2Crypto/SSL/
Connection.py", line 125, in accept_ssl
return m2.ssl_accept(self.ssl)
SSLError: tlsv1 alert unknown ca
----------------------------------------
The VenueManagement tool is running on the same machine as the
VenueServer, using the same anonymous certificate as was loaded in
the certmgr saga above. I've tried a service certificate as well, but
same result.
chris
Christoph Willing +61 7 3365 8350
QCIF Access Grid Manager
University of Queensland
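
The "show 1" traceback above ends where each element of the fingerprint is formatted with "%02X", which needs integers. The following is an added example, not part of the original post and not Access Grid code: it reproduces that TypeError and shows a formatter that accepts either form. It assumes the failing value held one character per byte (the post does not say what type fp had); format_fingerprint and demo are hypothetical names.

```python
import hashlib


def original_expression(fp):
    # Expression from the traceback (CertificateRepository.py, line 1664),
    # with string.join spelled as str.join so it runs on Python 3.
    return ":".join(map(lambda a: "%02X" % (a), fp))


def format_fingerprint(fp):
    """Colon-separated upper-case hex for a certificate digest.

    Accepts bytes/bytearray, a sequence of ints in 0..255, or a text
    string carrying one character per byte.
    """
    if isinstance(fp, int):
        raise TypeError("fingerprint must be a byte sequence, not an int")
    if isinstance(fp, str):
        try:
            fp = fp.encode("latin-1")  # code point N -> byte N
        except UnicodeEncodeError:
            raise ValueError("fingerprint text contains non-byte characters")
    octets = bytes(fp)  # raises ValueError for ints outside 0..255
    if not octets:
        raise ValueError("empty fingerprint")
    return ":".join("%02X" % b for b in octets)


def demo():
    # Constructed sample: SHA-1 over placeholder bytes, not a real certificate.
    digest = hashlib.sha1(b"constructed sample certificate bytes").digest()
    as_ints = list(digest)
    as_text = digest.decode("latin-1")  # assumed shape of the failing value

    try:
        original_expression(as_text)
        original_failed = False
    except TypeError:
        original_failed = True

    return {
        "original_failed_on_text": original_failed,
        "original_on_ints": original_expression(as_ints),
        "hardened_on_text": format_fingerprint(as_text),
        "hardened_on_bytes": format_fingerprint(digest),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```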