[AG-TECH] Venue Server question

Thomas Uram turam at mcs.anl.gov
Fri Jan 29 06:39:10 CST 2010


Mike:

A suitable workaround for now would be to drop back to an earlier  
m2crypto version.

Chris: Have you isolated the problem to a particular m2crypto version?

Tom

On Jan 29, 2010, at 5:42 AM, Mike Weaver wrote:

> Thanks Chris!  I've been working with Tom at Argonne and we've come to
> pretty much the same conclusion. Waiting to see if we're going to file a
> bug, or find a work-around.
>
> Thanks for your investigation,
>
> Mike
>
> -----Original Message-----
> From: Christoph Willing [mailto:c.willing at uq.edu.au]
> Sent: Thursday, January 28, 2010 7:37 PM
> To: weaver at ascr.doe.gov
> Cc: AG-Tech at mcs.anl.gov
> Subject: Re: [AG-TECH] Venue Server question
>
> Mike,
>
> We've been able to replicate the problem here. It's due to the
> inability to load the AG Dev CA. You can confirm it by running a
> certmgr session as below. In particular, notice the error when trying
> to import 45cc9e80.0 (the AG Dev CA).
>
> [ag at agn-display ~]$ cd /etc/AccessGrid3/Config/CAcertificates/
> [ag at agn-display CAcertificates]$ certmgr_agtk
> /usr/lib/python2.6/site-packages/AccessGrid3/AccessGrid/ClientProfile.py:22: DeprecationWarning: the md5 module is deprecated; use hashlib instead
>  import md5
> /usr/lib/python2.6/site-packages/AccessGrid3/AccessGrid/Security/ProxyGen.py:19: DeprecationWarning: The popen2 module is deprecated. Use the subprocess module.
>  import popen2
> (ID mode) > ca
> (CA mode) > import 45cc9e80.0
> Error importing certificate from 45cc9e80.0: long too large to convert to int
> (CA mode) > quit
>
>
> We believe the error is due to the newer m2crypto version being used
> in Fedora 12 (both 32 and 64 bit).
>
>
> For now, I think your only Fedora based option is to use an earlier
> release (F11 looks OK).
>
>
> chris
>
>
> On 28/01/2010, at 1:05 AM, Mike Weaver wrote:
>
>> total 32
>> -rw-r--r--. 1 root root 1436 2007-12-18 02:09 1c3f2ca8.0
>> -rw-r--r--. 1 root root 2276 2004-05-06 14:51 1c3f2ca8.signing_policy
>> -rw-r--r--. 1 root root  912 2007-05-02 18:03 45cc9e80.0
>> -rw-r--r--. 1 root root 1334 2004-03-25 09:25 45cc9e80.signing_policy
>> -rw-r--r--. 1 root root 1448 2004-04-19 18:00 d1b603c3.0
>> -rw-r--r--. 1 root root 2263 2004-03-25 09:25 d1b603c3.signing_policy
>> -rw-r--r--. 1 root root 1334 2004-09-06 01:26 f18fa857.0
>> -rw-r--r--. 1 root root  571 2004-09-06 01:26 f18fa857.signing_policy
>>
>> Interesting, Certificate Manager's not seeing one?  This was from a fresh
>> installation on Fedora 12 using Jason's Install Guide and your packages.
>> I've exported my certificates.  I'm going to try rebuilding.
>>
>> Mike
>>
>> -----Original Message-----
>> From: Christoph Willing [mailto:c.willing at uq.edu.au]
>> Sent: Tuesday, January 26, 2010 3:17 PM
>> To: weaver at ascr.doe.gov
>> Cc: AG-Tech at mcs.anl.gov
>> Subject: Re: [AG-TECH] Venue Server question
>>
>>
>> On 27/01/2010, at 5:40 AM, Mike Weaver wrote:
>>
>>> I'm trying to set up & experiment with the AG 3 Venue Server.  Got my
>>> service certificate approved & installed and the Venue Server started
>>> successfully, but can't connect with the Venue Manager.  The relevant part
>>> of the VenueServer.log file looks like this:
>>>
>>> 01/26/10 14:26:52 -1260389520 Hosting     ServiceContainer.py:187 ERROR None
>>> Traceback (most recent call last):
>>> File "/usr/lib/python2.6/site-packages/M2Crypto/SSL/SSLServer.py", line 33, in handle_request
>>>  request, client_address = self.get_request()
>>> File "/usr/lib/python2.6/SocketServer.py", line 444, in get_request
>>>  return self.socket.accept()
>>> File "/usr/lib/python2.6/site-packages/AccessGrid3/AccessGrid/hosting/ZSI/ServiceContainer.py", line 156, in M2CryptoConnectionAccept
>>>  ret = ssl.accept_ssl()
>>> File "/usr/lib/python2.6/site-packages/M2Crypto/SSL/Connection.py", line 152, in accept_ssl
>>>  return m2.ssl_accept(self.ssl, self._timeout)
>>> SSLError: tlsv1 alert unknown ca
>>>
>>> Seems to say that the CA for my certificate is unknown.  Running the
>>> Certificate Manager shows 3 trusted CAs - "DOEGrids CA 1", "ESnet Root CA 1"
>>> & "Anonymous Certificate Authority" (issued by ANL Futures lab).  The
>>> service certificate was issued by the "Access Grid Developers CA".  Did I
>>> miss a step or do something wrong?
>>
>>
>> Mike,
>>
>> There should be four CAs so one of them is either missing or expired.
>> Could you send a long listing (ls -l) of
>> /etc/AccessGrid3/Config/CAcertificates please?
>>
>>
>> chris
>>
>>
>> Christoph Willing                       +61 7 3365 8316
>> QCIF Access Grid Manager
>> University of Queensland
>>
>
> Christoph Willing                       +61 7 3365 8316
> QCIF Access Grid Manager
> University of Queensland
>
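
The "missing or expired" check discussed in this thread can be run without M2Crypto. The following is an added example, not code from the thread or from the Access Grid toolkit: it uses the Python 3 standard-library `ssl` module to test each CA file on its own, which separates a bad certificate file from a fault in the library that loads it. It assumes the `<hash>.0` / `<hash>.signing_policy` layout shown in the directory listing; `audit_ca_dir` is a hypothetical helper name.

```python
import ssl
import sys
import time
from pathlib import Path


def audit_ca_dir(ca_dir, now=None):
    """Return one dict per <hash>.0 file: parse result, expiry, policy file."""
    now = time.time() if now is None else now
    report = []
    for cert_path in sorted(Path(ca_dir).glob("*.0")):
        policy = cert_path.with_suffix(".signing_policy")
        entry = {
            "file": cert_path.name,
            "has_signing_policy": policy.is_file(),
            "error": None,
            "subject": None,
            "expired": None,
        }
        # A fresh context per file, so one unreadable file cannot hide the rest.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            ctx.load_verify_locations(cafile=str(cert_path))
            certs = ctx.get_ca_certs()
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            entry["error"] = str(exc)
            report.append(entry)
            continue
        if not certs:
            entry["error"] = "parsed, but not treated as a CA certificate"
        else:
            cert = certs[0]
            entry["subject"] = cert["subject"]
            not_after = ssl.cert_time_to_seconds(cert["notAfter"])
            entry["expired"] = not_after < now
        report.append(entry)
    return report


if __name__ == "__main__":
    # Default is the directory named in the thread; pass another path to override.
    default_dir = "/etc/AccessGrid3/Config/CAcertificates"
    ca_dir = sys.argv[1] if len(sys.argv) > 1 else default_dir
    for e in audit_ca_dir(ca_dir):
        status = e["error"] or ("EXPIRED" if e["expired"] else "ok")
        note = "" if e["has_signing_policy"] else " (no .signing_policy)"
        print(f'{e["file"]}: {status}{note}')
```

A file that reports "ok" here but still fails to import in the certificate manager points at the importing library rather than at the certificate.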


