Mike: A suitable workaround for now would be to drop back to an earlier m2crypto version.
Chris: Have you isolated the problem to a particular m2crypto version?

Tom

On Jan 29, 2010, at 5:42 AM, Mike Weaver wrote:

> Thanks Chris! I've been working with Tom at Argonne and we've come to
> pretty much the same conclusion. Waiting to see if we're going to file a
> bug, or find a work-around.
>
> Thanks for your investigation,
>
> Mike
>
> -----Original Message-----
> From: Christoph Willing [mailto:[email protected]]
> Sent: Thursday, January 28, 2010 7:37 PM
> To: [email protected]
> Cc: [email protected]
> Subject: Re: [AG-TECH] Venue Server question
>
> Mike,
>
> We've been able to replicate the problem here. It's due to the
> inability to load the AG Dev CA. You can confirm it by running a
> certmgr session as below. In particular, notice the error when trying
> to import 45cc9e80.0 (the AG Dev CA).
>
> [ag@agn-display ~]$ cd /etc/AccessGrid3/Config/CAcertificates/
> [ag@agn-display CAcertificates]$ certmgr_agtk
> /usr/lib/python2.6/site-packages/AccessGrid3/AccessGrid/ClientProfile.py:22: DeprecationWarning: the md5 module is deprecated; use hashlib instead
>   import md5
> /usr/lib/python2.6/site-packages/AccessGrid3/AccessGrid/Security/ProxyGen.py:19: DeprecationWarning: The popen2 module is deprecated. Use the subprocess module.
>   import popen2
> (ID mode) > ca
> (CA mode) > import 45cc9e80.0
> Error importing certificate from 45cc9e80.0: long too large to convert to int
> (CA mode) > quit
>
> We believe the error is due to the newer m2crypto version being used
> in Fedora 12 (both 32 and 64 bit).
>
> For now, I think your only Fedora based option is to use an earlier
> release (F11 looks OK).
>
> chris
>
> On 28/01/2010, at 1:05 AM, Mike Weaver wrote:
>
>> total 32
>> -rw-r--r--. 1 root root 1436 2007-12-18 02:09 1c3f2ca8.0
>> -rw-r--r--. 1 root root 2276 2004-05-06 14:51 1c3f2ca8.signing_policy
>> -rw-r--r--. 1 root root  912 2007-05-02 18:03 45cc9e80.0
>> -rw-r--r--. 1 root root 1334 2004-03-25 09:25 45cc9e80.signing_policy
>> -rw-r--r--. 1 root root 1448 2004-04-19 18:00 d1b603c3.0
>> -rw-r--r--. 1 root root 2263 2004-03-25 09:25 d1b603c3.signing_policy
>> -rw-r--r--. 1 root root 1334 2004-09-06 01:26 f18fa857.0
>> -rw-r--r--. 1 root root  571 2004-09-06 01:26 f18fa857.signing_policy
>>
>> Interesting, Certificate Manager's not seeing one? This was from a fresh
>> installation on Fedora 12 using Jason's Install Guide and your packages.
>> I've exported my certificates. I'm going to try rebuilding.
>>
>> Mike
>>
>> -----Original Message-----
>> From: Christoph Willing [mailto:[email protected]]
>> Sent: Tuesday, January 26, 2010 3:17 PM
>> To: [email protected]
>> Cc: [email protected]
>> Subject: Re: [AG-TECH] Venue Server question
>>
>> On 27/01/2010, at 5:40 AM, Mike Weaver wrote:
>>
>>> I'm trying to set up & experiment with the AG 3 Venue Server. Got my
>>> service certificate approved & installed and the Venue Server started
>>> successfully, but can't connect with the Venue Manager. The relevant part
>>> of the VenueServer.log file looks like this:
>>>
>>> 01/26/10 14:26:52 -1260389520 Hosting ServiceContainer.py:187 ERROR None
>>> Traceback (most recent call last):
>>>   File "/usr/lib/python2.6/site-packages/M2Crypto/SSL/SSLServer.py", line 33, in handle_request
>>>     request, client_address = self.get_request()
>>>   File "/usr/lib/python2.6/SocketServer.py", line 444, in get_request
>>>     return self.socket.accept()
>>>   File "/usr/lib/python2.6/site-packages/AccessGrid3/AccessGrid/hosting/ZSI/ServiceContainer.py", line 156, in M2CryptoConnectionAccept
>>>     ret = ssl.accept_ssl()
>>>   File "/usr/lib/python2.6/site-packages/M2Crypto/SSL/Connection.py", line 152, in accept_ssl
>>>     return m2.ssl_accept(self.ssl, self._timeout)
>>> SSLError: tlsv1 alert unknown ca
>>>
>>> Seems to say that the CA for my certificate is unknown. Running the
>>> Certificate Manager shows 3 trusted CAs - "DOEGrids CA 1", "ESnet Root CA 1"
>>> & "Anonymous Certificate Authority" (issued by ANL Futures lab). The
>>> service certificate was issued by the "Access Grid Developers CA". Did I
>>> miss a step or do something wrong?
>>
>> Mike,
>>
>> There should be four CAs so one of them is either missing or expired.
>> Could you send a long listing (ls -l) of
>> /etc/AccessGrid3/Config/CAcertificates please?
>>
>> chris
>>
>> Christoph Willing +61 7 3365 8316
>> QCIF Access Grid Manager
>> University of Queensland
>
> Christoph Willing +61 7 3365 8316
> QCIF Access Grid Manager
> University of Queensland

