voms-proxy-init2 (dirac-proxy-init) problem


ernst pijper

Dec 2, 2021, 4:00:32 AM12/2/21
to diracgrid-forum
Hi,

I'm running into a problem with the voms-proxy-init2 (dirac-proxy-init) from the diracos environment. 

To obtain a vomsified local proxy, we add the --VOMS <voms vo> option to the dirac-proxy-init command. This works perfectly except for the escape VO. We are seeing the following error message (below is actually for voms-proxy-init2, but for dirac-proxy-init it is the same):

--------------------------------------------------------------------------------------
voms-proxy-init2 --voms escape
Enter GRID pass phrase:
Your identity: <user dn>
Creating temporary proxy ................................................................ Done
Contacting voms-escape.cloud.cnaf.infn.it:15000 [/DC=org/DC=terena/DC=tcs/C=IT/ST=Roma/O=Istituto Nazionale di Fisica Nucleare - INFN/OU=CNAF/CN=voms-escape.cloud.cnaf.infn.it] "escape" Failed
Error: Error during SSL handshake:error:80066411:lib(128):proxy_verify_callback:certificate validation error:sslutils.c:2110: self signed certificate in certificate chain [subject=/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services,issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services]
certificate validation error: self signed certificate in certificate chain [subject=/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services,issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services]
Function: proxy_verify_callback
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1188
certificate verify failed
Function: SSL3_GET_SERVER_CERTIFICATE
None of the contacted servers for escape were capable of returning a valid AC for the user.
--------------------------------------------------------------------------------------
The user is a member of the escape VO. I made sure the vomses and vomsdir information are accurate.

I also installed voms-proxy-init2 from the UMD4 repository. That one runs without any problems and creates a local vomsified proxy. 

What could be the problem here?

Ernst

Andrei Tsaregorodtsev

Dec 2, 2021, 4:39:42 AM12/2/21
to diracgrid-forum
Hi Ernst,
The dirac-proxy-init command -M/--VOMS option does not take an argument; the VOMS extension to be added is taken from the group
configuration (VOMSRole option in the Registry/Groups/<group> section). So, the command should look something like:

> dirac-proxy-init -g escape_user --VOMS

Having said that, I am not sure that this is the cause of the problem. Have you tried to use directly the voms-proxy-init2 command which is
shipped together with DIRAC?

  Cheers,
  Andrei

ernst pijper

Dec 2, 2021, 5:04:37 AM12/2/21
to diracgrid-forum
Hi Andrei,

Ah yes good point about the -M/--VOMS option!

That's actually what I did above. The error message shown is from directly running the voms-proxy-init2 command that ships with DIRAC.
When I use the voms-proxy-init2 command from UMD4 it works fine, even when I use the vomses and vomsdir directories from the dirac environment.

And this only occurs for the escape VO.

Ernst


On Thursday, 2 December 2021 at 10:39:42 UTC+1, Andrei Tsaregorodtsev wrote:

Andrei Tsaregorodtsev

Dec 2, 2021, 5:14:56 AM12/2/21
to diracgrid-forum
Does it happen for ALL the users in the escape VO? Are you sure that this is a problem of the escape VO and not of this particular user?

  Cheers,
  Andrei

Andrei Tsaregorodtsev

Dec 2, 2021, 7:24:53 AM12/2/21
to diracgrid-forum
I can reproduce the problem. DIRAC ships voms-proxy-init2 version 2.0.14. This one fails with the error that you have reported. If I use the later version
2.0.16, it works. The VOMS server certificate is indeed issued by a chain of CAs with the root CA Comodo. But the latter's certificate is not present.
This looks strange to me. Somehow 2.0.16 is more permissive than 2.0.14. This should be further investigated.

  Andrei

Andrei Tsaregorodtsev

Dec 2, 2021, 7:37:56 AM12/2/21
to diracgrid-forum
After some further investigation I have found out that the "standard" set of CA certificates does not contain the certificates of the CAs used to issue the
VOMS server certificate. If I add these CA certificates (picked up from the output of openssl s_client -showcerts -connect voms-escape.cloud.cnaf.infn.it:15000),
then dirac-proxy-init works as expected:

$ dirac-proxy-init -g escape_user --VOMS
Generating proxy...
Enter Certificate password: ********
Added VOMS attribute /escape
Uploading proxy..
Proxy generated:
subject      : /O=GRID-FR/C=FR/O=CNRS/OU=CPPM/CN=Andrei Tsaregorodtsev/CN=1646024061/CN=2243040696
issuer       : /O=GRID-FR/C=FR/O=CNRS/OU=CPPM/CN=Andrei Tsaregorodtsev/CN=1646024061
identity     : /O=GRID-FR/C=FR/O=CNRS/OU=CPPM/CN=Andrei Tsaregorodtsev
timeleft     : 23:53:59
DIRAC group  : escape_user
path         : /tmp/x509up_u1885
username     : atsareg
properties   : NormalUser
VOMS         : True
VOMS fqan    : ['/escape']

  So, CAs used on the client side in your installation are to be checked/updated.

  Cheers,
  Andrei
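Andrei's diagnosis above (the server sends a chain whose root CA is missing from the client's CA directory) reproduced offline, as an added example that is not part of this thread: it builds a throwaway root/intermediate/server chain with constructed names and checks the server certificate against a grid-style CA directory of <hash>.0 files, first without and then with the root installed. It assumes only an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce offline the "self signed certificate
# in certificate chain" failure that voms-proxy-init2 reported. All names below are
# constructed throwaway values.
set -e
WORK=$(mktemp -d)
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext

# Constructed root CA (self-signed), intermediate CA and server certificate.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -days 2 -subj "/CN=Example Root CA" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out inter.pem >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=voms.example.invalid" >/dev/null 2>&1
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 2 -out server.pem >/dev/null 2>&1

# What a server sends in the TLS handshake: intermediate plus (as here) the root itself.
# A root that is only in this "untrusted" material, not in the CA dir, is exactly the
# "self signed certificate in certificate chain" case from the error above.
cat inter.pem root.pem > sent_chain.pem

# Install a CA certificate the way grid CA directories are laid out: <subject hash>.0
install_ca() {  # $1 = CA dir, $2 = PEM file
  mkdir -p "$1"
  cp "$2" "$1/$(openssl x509 -noout -hash -in "$2").0"
}

# Verify the server certificate against a CA dir using the chain the server sent.
# Prints 0 if the chain verifies, 1 if it does not (a value, so it can be checked).
chain_ok() {  # $1 = CA dir
  if openssl verify -CApath "$1" -untrusted sent_chain.pem server.pem >/dev/null 2>&1; then
    echo 0
  else
    echo 1
  fi
}

mkdir -p empty_cas
install_ca full_cas root.pem
echo "root CA missing from CA dir: $(chain_ok empty_cas)"   # 1
echo "root CA installed in CA dir: $(chain_ok full_cas)"    # 0
```

The same check against a real VOMS server is `openssl verify -CApath "$X509_CERT_DIR" -untrusted <chain saved from s_client -showcerts> <server cert>`; if it fails where the UMD4 client succeeds, the CA directory (or the OpenSSL library loading it) is the place to look.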

ernst pijper

Dec 3, 2021, 3:29:31 AM12/3/21
to diracgrid-forum
Hi Andrei,

Found the problem.

Diracos is shipped with openssl-libs-1.0.1e, which has been out of support since 1st January 2017 (according to the openssl website).

If I link <some path>/diracos/usr/lib64/libcrypto.so.10 -> /usr/lib64/libcrypto.so.1.0.2k it works again.

Ernst

On Thursday, 2 December 2021 at 11:14:56 UTC+1, Andrei Tsaregorodtsev wrote:

ernst pijper

Dec 3, 2021, 3:39:27 AM12/3/21
to diracgrid-forum
I have also installed 2.0.14 from the UMD4 repo. That one works. But it uses openssl-1.0.2k because that's what's installed on my system.
I also discovered that on their git documentation page it says:

The latest supported VOMS clients are required (i.e., voms-proxy-init v. >=3 ). Also note that this VO is supported by IAM, i.e. there are no VOMS Admin endpoints that can be used to generate Gridmap files.

So maybe it's a combination of factors.

On Thursday, 2 December 2021 at 13:24:53 UTC+1, Andrei Tsaregorodtsev wrote:

Federico Stagni

Dec 9, 2021, 7:12:19 AM12/9/21
to diracgrid-forum
Hi Ernst,
it seems you are using the python2 version of DIRAC (you didn't mention it, but it seems clear). Which version of DIRAC are you running?

The python2 version comes with outdated "externals" (==DIRACOS), while the python3 one comes with the DIRACOS2 package, which also contains openssl 1.2.


Cheers,
Federico

ernst pijper

Dec 10, 2021, 4:13:58 AM12/10/21
to diracgrid-forum
Hi Federico,

Yes, I'm indeed using the python2 version. I will try not to forget to mention the versions I'm using next time.
I'm using DIRAC version v7r2p27. Does that one work with DIRACOS2?

In the manual I read that

An experimental support for python3 server installations is also offered from DIRAC version 7.3

Thanks,
Ernst

On Thursday, 9 December 2021 at 13:12:19 UTC+1, sta...@gmail.com wrote:

Federico Stagni

Dec 10, 2021, 5:59:40 AM12/10/21
to ernst pijper, diracgrid-forum
Hi Ernst,
basically:

v7r2: 
- server: py2
- client: py2 and py3

v7r3 (7.3): 
- server: py2 and py3
- client: (py2 and) py3

8.0 (in development): py3 only


ernst pijper

Dec 10, 2021, 9:12:18 AM12/10/21
to diracgrid-forum
Thanks Federico, I will try that.

On Friday, 10 December 2021 at 11:59:40 UTC+1, sta...@gmail.com wrote:

ernst pijper

Dec 21, 2021, 11:26:50 AM12/21/21
to diracgrid-forum
Hi Federico,

I have installed diracos2. For the pip install, I started with the latest version (7.3.14). I ran into an error when trying to get the status of my job:

WARN: Could not obtain job status information 
ERROR: Unknown method getJobsStates

Then I tried 7.2.27 and after that 7.2.38 (I'm running dirac 7.2.27). For both, the status command and output retrieval command worked.
I then tried the voms-proxy-init command. This failed with:

Your identity: <MY DN here>

error:08064066:object identifier routines:OBJ_create:oid exists:crypto/objects/obj_dat.c:698

oid exists

Function: OBJ_create


However, the dirac-proxy-init command with the -M or --VOMS options works just fine and gives me a proxy with both dirac and voms information. So I'm wondering if it's the intention that the voms-proxy-init command should be able to be run on its own.

Do you recommend always using the same version for the pip DIRAC install as the dirac server version?

Ernst

On Friday, 10 December 2021 at 11:59:40 UTC+1, sta...@gmail.com wrote:

Federico Stagni

Jan 6, 2022, 2:45:38 AM1/6/22
to ernst pijper, diracgrid-forum
Hi Ernst,
there should usually be no need to run `voms-proxy-init` but it should in any case be working fine.

Regarding the versioning: we do run a number of tests to try and assure compatibility between server/client versions, but we normally do it the other way around, so the client could be a 7.2 client for a 7.3 server installation.

Cheers,
Federico
