
Thanks Colin! This is very helpful information about the problem. I'll get back to you once we figure out what we can do here.
-Stu

On Dec 11, 2006, at Dec 11, 10:22 PM, Colin Enticott wrote:
Hi Stuart,
The errors are below. Yes, as you can see the gt4 error said it was a connection error. Arguably, unable to establish trust is a connection error, but yes, we started to investigate firewall problems rather than CA issues.
Seeing as we are discussing error reporting, I always found the gt2.4 error messages hard to read. After a while, I started to look for key words in the message (and in this case it was the word trust) and work my way from there. It wasn't always clear if it was an error message from the client or the server.
What I propose is the first line should say "Error from client/server" and whether it is a socket or trust error and, if so, which socket or certificate has caused the problem. I believe this would save a few headaches for test-bed creators.
GT4 error:
$ globusrun -a -r tg-grid1.uc.teragrid.org
GRAM Authentication test failure: connecting to the job manager failed. Possible reasons: job terminated, invalid job contact, network problems, ...

GT2.4 error:
$ globusrun -a -r tg-grid1.uc.teragrid.org
GRAM Authentication test failure: authentication failed:
GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
init.c:499: globus_gss_assist_init_sec_context_async: Error during context initialization
init_sec_context.c:171: gss_init_sec_context: SSLv3 handshake problems
globus_i_gsi_gss_utils.c:881: globus_i_gsi_gss_handshake: Unable to verify remote side's credentials
globus_i_gsi_gss_utils.c:854: globus_i_gsi_gss_handshake: SSLv3 handshake problems: Couldn't do ssl handshake
OpenSSL Error: s3_clnt.c:840: in library: SSL routines, function SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
globus_gsi_callback.c:351: globus_i_gsi_callback_handshake_callback: Could not verify credential
globus_gsi_callback.c:490: globus_i_gsi_callback_cred_verify: Could not verify credential
globus_gsi_callback.c:850: globus_i_gsi_callback_check_signing_policy: Error with signing policy
globus_gsi_callback.c:990: globus_i_gsi_callback_check_gaa_auth: Error in OLD GAA code: Error checking certificate with subject /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1against signing policy file /etc/grid-security/certificates/d1b603c3.signing_policy
Thanks, Colin
---
Colin Enticott, Research Scientist, Ph: +61 03 9903 2215
Room H7.26, Level 7, Building H, Monash University
Caulfield 3145, Australia

-----Original Message-----
From: Stuart Martin [mailto:smartin@mcs.anl.gov]
Sent: Friday, 8 December 2006 2:52 AM
To: Colin Enticott
Cc: 'JP Navarro'; gin-auth@ggf.org; D.Bannon@vpac.org; gin-ops@ggf.org; 'Terrence Martin'
Subject: Re: [gin-ops] [gin-auth] start Savannah run
Hi Colin,
Can you provide the error output for the gt4 commands you tried in this situation? If the error reporting has become less effective, then we (GT) need to fix that.
Thanks, Stu
On Dec 5, 2006, at Dec 5, 6:34 PM, Colin Enticott wrote:
I've noticed in the past that gt4 gives fewer error messages than gtk2.4, so I tried globusrun with gtk2.4.3 and got this error:
... globus_gsi_callback.c:990: globus_i_gsi_callback_check_gaa_auth: Error in OLD GAA code: Error checking certificate with subject /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1against signing policy file /etc/grid-security/certificates/d1b603c3.signing_policy
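
Added example, not part of the original thread and not Globus code: a Python triage sketch that reduces the GT2.4 error chain and the GT4 message quoted in this thread to the kind of first-line summary proposed above (trust vs. connection error, and which certificate and signing policy file are involved). The marker lists and the names summarize and first_line are assumptions made for this illustration; the sample inputs are constructed from the output quoted in the thread.

```python
import re

# Constructed samples, abridged from the output quoted in this thread.
GT24_CHAIN = """\
init_sec_context.c:171: gss_init_sec_context: SSLv3 handshake problems
OpenSSL Error: s3_clnt.c:840: in library: SSL routines, function SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
globus_gsi_callback.c:850: globus_i_gsi_callback_check_signing_policy: Error with signing policy
globus_gsi_callback.c:990: globus_i_gsi_callback_check_gaa_auth: Error in OLD GAA code: Error checking certificate with subject /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1against signing policy file /etc/grid-security/certificates/d1b603c3.signing_policy
"""
GT4_MSG = ("GRAM Authentication test failure: connecting to the job manager failed. "
           "Possible reasons: job terminated, invalid job contact, network problems, ...")

# Assumed keyword lists (hypothetical, chosen from the messages above).
TRUST_MARKERS = ("signing policy", "certificate verify failed",
                 "could not verify credential", "unable to verify remote side")
CONNECTION_MARKERS = ("connecting to the job manager failed", "network problems")

FRAME = re.compile(r"(?P<file>[\w.]+\.c):(?P<line>\d+): (?P<rest>.*)")
FUNC = re.compile(r"(\w+): ")
# \s* tolerates the missing space before "against" seen in the quoted output.
POLICY = re.compile(r"certificate with subject (?P<subject>/.+?)\s*"
                    r"against signing policy file (?P<policy>\S+)")

def summarize(text):
    """Classify an error message and pull out the deepest frame and certificate details."""
    frames = []
    for line in text.splitlines():
        m = FRAME.search(line)
        if m:
            f = FUNC.match(m["rest"])
            frames.append((m["file"], int(m["line"]), f[1] if f else None))
    low = text.lower()
    if any(k in low for k in TRUST_MARKERS):       # trust wins over connection
        category = "trust"
    elif any(k in low for k in CONNECTION_MARKERS):
        category = "connection"
    else:
        category = "unknown"
    p = POLICY.search(text)
    return {"category": category, "root": frames[-1] if frames else None,
            "subject": p["subject"] if p else None,
            "policy_file": p["policy"] if p else None}

def first_line(text):
    """Render the summary as a single leading line."""
    s = summarize(text)
    if s["subject"]:
        return (f"{s['category']} error: certificate '{s['subject']}' "
                f"failed signing policy {s['policy_file']}")
    return f"{s['category']} error: no certificate details in message"

if __name__ == "__main__":
    print(first_line(GT24_CHAIN))
    print(first_line(GT4_MSG))
```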