[AG-DEV] Re: Certificate handling in CVS code
Christoph Willing
willing at vislab.uq.edu.au
Tue Jan 16 05:51:56 CST 2007
A bit more info on this problem ...
When the CVS VenueClient starts, I see this in the log:
01/16/2007 08:44:50 PM -1211955520 NodeService AGNodeService.py:638 INFO NodeService.GetConfigurations
01/16/2007 08:44:50 PM -1211955520 CertificateManager CertificateManager.py:234 DEBUG initializing repository
01/16/2007 08:44:50 PM -1211955520 CertificateManager CertificateManager.py:249 DEBUG Initializing from /etc/AccessGrid3/Config/CAcertificates
01/16/2007 08:44:50 PM -1211955520 CertificateManager CertificateManager.py:277 INFO /etc/AccessGrid3/Config/CAcertificates/1c3f2ca8.0 might be a cert
01/16/2007 08:44:50 PM -1211955520 CertificateManager CertificateManager.py:307 ERROR failure importing /etc/AccessGrid3/Config/CAcertificates/1c3f2ca8.0
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/AccessGrid3/AccessGrid/Security/CertificateManager.py", line 303, in ImportCACertificates
    log.info("Imported cert as %s.0", desc.GetSubject().get_hash())
  File "/usr/lib/python2.4/site-packages/M2Crypto/X509.py", line 236, in __getattr__
    raise AttributeError, (self, attr)
AttributeError: (<M2Crypto.X509.X509_Name instance at 0xb59d51ec>, 'get_hash')
01/16/2007 08:44:50 PM -1211955520 CertificateManager CertificateManager.py:277 INFO /etc/AccessGrid3/Config/CAcertificates/45cc9e80.0 might be a cert
01/16/2007 08:44:50 PM -1211955520 CertificateManager CertificateManager.py:307 ERROR failure importing /etc/AccessGrid3/Config/CAcertificates/45cc9e80.0
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/AccessGrid3/AccessGrid/Security/CertificateManager.py", line 303, in ImportCACertificates
    log.info("Imported cert as %s.0", desc.GetSubject().get_hash())
  File "/usr/lib/python2.4/site-packages/M2Crypto/X509.py", line 236, in __getattr__
    raise AttributeError, (self, attr)
AttributeError: (<M2Crypto.X509.X509_Name instance at 0xb59d552c>, 'get_hash')
01/16/2007 08:44:50 PM -1211955520 CertificateManager CertificateManager.py:277 INFO /etc/AccessGrid3/Config/CAcertificates/d1b603c3.0 might be a cert
01/16/2007 08:44:50 PM -1211955520 CertificateManager CertificateManager.py:307 ERROR failure importing /etc/AccessGrid3/Config/CAcertificates/d1b603c3.0
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/AccessGrid3/AccessGrid/Security/CertificateManager.py", line 303, in ImportCACertificates
    log.info("Imported cert as %s.0", desc.GetSubject().get_hash())
  File "/usr/lib/python2.4/site-packages/M2Crypto/X509.py", line 236, in __getattr__
    raise AttributeError, (self, attr)
AttributeError: (<M2Crypto.X509.X509_Name instance at 0xb59d576c>, 'get_hash')
01/16/2007 08:44:50 PM -1211955520 CertificateManager CertificateManager.py:277 INFO /etc/AccessGrid3/Config/CAcertificates/f18fa857.0 might be a cert
01/16/2007 08:44:51 PM -1211955520 CertificateManager CertificateManager.py:307 ERROR failure importing /etc/AccessGrid3/Config/CAcertificates/f18fa857.0
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/AccessGrid3/AccessGrid/Security/CertificateManager.py", line 303, in ImportCACertificates
    log.info("Imported cert as %s.0", desc.GetSubject().get_hash())
  File "/usr/lib/python2.4/site-packages/M2Crypto/X509.py", line 236, in __getattr__
    raise AttributeError, (self, attr)
AttributeError: (<M2Crypto.X509.X509_Name instance at 0xb59d54ec>, 'get_hash')
01/16/2007 08:44:51 PM -1211955520 Toolkit Toolkit.py:469 INFO Initialized certificate manager.
chris
On 14/01/2007, at 10:42 PM, Christoph Willing wrote:
> There seems to be a problem with certificate handling in the
> current AG code in CVS. I'm not sure if it should be reported here
> or bugzilla'd (CVS is assumed to be buggy isn't it?).
>
>
> When running certmgr for a new user, the following error occurs -
>
> 1) d5:~ % mv .AccessGrid3 .AccessGrid3ZZZ
> 2) d5:~ % certmgr3.py
> Traceback (most recent call last):
>   File "/usr/bin/certmgr3.py", line 807, in ?
>     main()
>   File "/usr/bin/certmgr3.py", line 778, in main
>     cmd = CertMgrCmdProcessor(app.GetCertificateManager(), app.GetLog())
>   File "/usr/bin/certmgr3.py", line 46, in __init__
>     self.certMgrUI = CmdlineApplication.instance().GetCertificateManagerUI()
>   File "/usr/lib/python2.4/site-packages/AccessGrid3/AccessGrid/Toolkit.py", line 484, in GetCertificateManagerUI
>     if self.GetDefaultSubject() is None:
>   File "/usr/lib/python2.4/site-packages/AccessGrid3/AccessGrid/Toolkit.py", line 452, in GetDefaultSubject
>     ident = self.GetCertificateManager().GetDefaultIdentity()
>   File "/usr/lib/python2.4/site-packages/AccessGrid3/AccessGrid/Security/CertificateManager.py", line 732, in GetDefaultIdentity
>     raise NoCertificates
> AccessGrid.Security.CertificateManager.NoCertificates
> 3) d5:~ %
>
> i.e. certmgr doesn't even run far enough to display the user
> prompt. The error seems to say that since there's no certificate
> installed, certmgr can't proceed. Does that mean that no default
> certificate is being installed when a new user config is being
> generated?
>
> The full log for this transaction is attached here -
>
> <CertificateManager.log>
>
>
> This means that I can't install a certificate with the current CVS
> code.
>
> I had to back out to a standard 3.0.2 installation in order to
> install a certificate. When I then changed over to the CVS code
> again, certmgr worked to the extent that I could list the
> certificate imported under 3.0.2 but that's about all I could do.
> The following transcript shows the certificate being listed. It
> then shows a failed attempt to import another certificate
> (anon_b.pem). Then trying to "show" the existing certificate
> produces another error and I'm booted back out to the shell -
>
> 23) d5:~/AGcerts % certmgr3.py
> (ID mode) > list
> 1. (Default) /O=Access Grid/O=Argonne National Laboratory/OU=Futures Lab Anonymous Authority/CN=Anonymous User ab37c621c58efdea9e98ad5439dfa6e7
> (ID mode) > import anon_b.pem
> Private key found in certificate file anon_b.pem; ignoring key file anon_b.pem
> Error importing certificate from anon_b.pem keyfile anon_b.pem:
> (ID mode) > list
> 1. (Default) /O=Access Grid/O=Argonne National Laboratory/OU=Futures Lab Anonymous Authority/CN=Anonymous User ab37c621c58efdea9e98ad5439dfa6e7
> (ID mode) > show 1
> Subject: /O=Access Grid/O=Argonne National Laboratory/OU=Futures Lab Anonymous Authority/CN=Anonymous User ab37c621c58efdea9e98ad5439dfa6e7
> Issuer: /O=Access Grid/O=Argonne National Laboratory/OU=Futures Lab Anonymous Authority/CN=Anonymous Certificate Authority
> Traceback (most recent call last):
>   File "/usr/bin/certmgr3.py", line 807, in ?
>     main()
>   File "/usr/bin/certmgr3.py", line 790, in main
>     cmd.cmdloop()
>   File "/usr/lib/python2.4/cmd.py", line 142, in cmdloop
>     stop = self.onecmd(line)
>   File "/usr/lib/python2.4/cmd.py", line 219, in onecmd
>     return func(arg)
>   File "/usr/bin/certmgr3.py", line 188, in do_show
>     print self.certs[num].GetVerboseText()
>   File "/usr/lib/python2.4/site-packages/AccessGrid3/AccessGrid/Security/CertificateRepository.py", line 1300, in GetVerboseText
>     return self.cert.GetVerboseText()
>   File "/usr/lib/python2.4/site-packages/AccessGrid3/AccessGrid/Security/CertificateRepository.py", line 1663, in GetVerboseText
>     fmt += "%s Fingerprint: %s\n" % (ctype,
>   File "/usr/lib/python2.4/site-packages/AccessGrid3/AccessGrid/Security/CertificateRepository.py", line 1664, in <lambda>
>     string.join(map(lambda a: "%02X" % (a), fp), ":"))
> TypeError: int argument required
> 24) d5:~/AGcerts %
>
>
> And here is the log file for that transaction -
>
> <CertificateManager.log>
>
>
>
> There's more ...
> when I run a VenueServer, a VenueClient connects to it OK. However
> I can't connect to it with the VenueManagement tool. The error
> message is:
> VenueManagement 01/14/2007 10:18:01 PM ERROR VenueManagementClient.ConnectToServer: Can not connect.:
> Traceback (most recent call last):
>   File "/usr/bin/VenueManagement3.py", line 446, in ConnectToServer
>     vl = self.server.GetVenues()
>   File "/usr/lib/python2.4/site-packages/AccessGrid3/AccessGrid/interfaces/VenueServer_client.py", line 142, in GetVenues
>     self.binding.Send(None, None, request, soapaction="urn:#GetVenues", **kw)
>   File "/usr/lib/python2.4/site-packages/ZSI/client.py", line 254, in Send
>     self.h.connect()
>   File "/usr/lib/python2.4/site-packages/M2Crypto/httpslib.py", line 47, in connect
>     self.sock.connect((self.host, self.port))
>   File "/usr/lib/python2.4/site-packages/M2Crypto/SSL/Connection.py", line 154, in connect
>     ret = self.connect_ssl()
>   File "/usr/lib/python2.4/site-packages/M2Crypto/SSL/Connection.py", line 147, in connect_ssl
>     return m2.ssl_connect(self.ssl)
> SSLError: certificate verify failed
>
>
>
> The VenueServer's log says:
> Traceback (most recent call last):
>   File "/usr/lib/python2.4/site-packages/M2Crypto/SSL/SSLServer.py", line 29, in handle_request
>     request, client_address = self.get_request()
>   File "/usr/lib/python2.4/SocketServer.py", line 373, in get_request
>     return self.socket.accept()
>   File "/usr/lib/python2.4/site-packages/AccessGrid3/AccessGrid/hosting/ZSI/ServiceContainer.py", line 152, in M2CryptoConnectionAccept
>     ret = ssl.accept_ssl()
>   File "/usr/lib/python2.4/site-packages/M2Crypto/SSL/Connection.py", line 125, in accept_ssl
>     return m2.ssl_accept(self.ssl)
> SSLError: tlsv1 alert unknown ca
> ----------------------------------------
>
>
> The VenueManagement tool is running on the same machine as the
> VenueServer, using the same anonymous certificate as was loaded in
> the certmgr saga above. I've tried a service certificate as well,
> but same result.
>
>
> chris
>
>
> Christoph Willing +61 7 3365 8350
> QCIF Access Grid Manager
> University of Queensland
>
>
>
Christoph Willing +61 7 3365 8350
QCIF Access Grid Manager
University of Queensland
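
Added example, not part of the original post or of the AccessGrid code: the `TypeError: int argument required` in the quoted `show 1` traceback is raised when `"%02X"` is applied to an element of `fp` that is not an integer. The Python 3 sketch below reproduces that formatting step next to a tolerant replacement; `original_style`, `format_fingerprint` and the sample digest are constructed for illustration, and that `fp` arrives as text rather than integers is an assumption.

```python
import string

def original_style(fp):
    # Same shape as the expression in the traceback: format every element
    # of fp with %02X. Works only if iterating fp yields integers.
    return ":".join(map(lambda a: "%02X" % a, fp))

def format_fingerprint(fp):
    """Return fp as colon-separated upper-case hex octets.

    Accepts raw digest bytes, a sequence of ints in 0..255, or a hex
    string with or without ':' separators (assumed input shapes).
    """
    if isinstance(fp, int):
        # bytes(5) would silently produce five zero bytes, so reject ints.
        raise TypeError("fingerprint must be bytes, ints or hex text")
    if isinstance(fp, str):
        hexchars = fp.replace(":", "").strip()
        bad = [c for c in hexchars if c not in string.hexdigits]
        if not hexchars or len(hexchars) % 2 or bad:
            raise ValueError("not a hex fingerprint: %r" % (fp,))
        octets = bytes.fromhex(hexchars)
    else:
        octets = bytes(fp)  # rejects non-int or out-of-range elements
    if not octets:
        raise ValueError("empty fingerprint")
    return ":".join("%02X" % b for b in octets)

# Constructed 16-byte sample digest, not taken from any real certificate.
SAMPLE_DIGEST = bytes.fromhex("00a1b2c3d4e5f60718293a4b5c6d7e8f")

if __name__ == "__main__":
    print(format_fingerprint(SAMPLE_DIGEST))
    print(format_fingerprint(SAMPLE_DIGEST.hex()))
    try:
        original_style(SAMPLE_DIGEST.hex())
    except TypeError as exc:
        print("original expression on a hex string:", exc)
```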