Actually, I did use -d:3 when testing, I just didn't mention it.

With these security directives:

  sec.protocol gsi -d:3 -crl:0 -ca:1
  xrootd.seclib /usr/lib64/libXrdSec.so

I get this result:

[root@vm08 ~]# sudo -u xrootd xrootd -c /etc/xrootd/xrootd-clustered.cfg
120706 18:07:16 1860 Scalla is starting. . .
Copr. 2010 Stanford University, xrd version v3.2.2
++++++ xrootd [log in to unmask] initialization started.
Config using configuration file /etc/xrootd/xrootd-clustered.cfg
=====> xrd.report vm08:3333,vm08:4444 every 5m all
=====> all.adminpath /var/spool/xrootd
Config maximum number of connections restricted to 65500
Copr. 2007 Stanford University, xrootd version 2.9.7 build v3.2.2
++++++ xrootd protocol initialization started.
=====> all.export /data
=====> all.pidpath /var/run/xrootd
=====> xrootd.seclib /usr/lib64/libXrdSec.so
Config exporting /data
++++++ Authentication system initialization started.
120706 18:07:16 1860 secgsi_InitOpts: *** ------------------------------------------------------------ ***
120706 18:07:16 1860 secgsi_InitOpts: Mode: server
120706 18:07:16 1860 secgsi_InitOpts: Debug: 3
120706 18:07:16 1860 secgsi_InitOpts: CA dir: /etc/grid-security/certificates/
120706 18:07:16 1860 secgsi_InitOpts: CA verification level: 1
120706 18:07:16 1860 secgsi_InitOpts: CRL dir: /etc/grid-security/certificates/
120706 18:07:16 1860 secgsi_InitOpts: CRL extension: .r0
120706 18:07:16 1860 secgsi_InitOpts: CRL check level: 0
120706 18:07:16 1860 secgsi_InitOpts: Certificate: /etc/grid-security/xrd/xrdcert.pem
120706 18:07:16 1860 secgsi_InitOpts: Key: /etc/grid-security/xrd/xrdkey.pem
120706 18:07:16 1860 secgsi_InitOpts: Proxy delegation option: 0
120706 18:07:16 1860 secgsi_InitOpts: GRIDmap file: /etc/grid-security/grid-mapfile
120706 18:07:16 1860 secgsi_InitOpts: GRIDmap option: 1
120706 18:07:16 1860 secgsi_InitOpts: GRIDmap cache entries expiration (secs): -1
120706 18:07:16 1860 secgsi_InitOpts: Client proxy availability in XrdSecEntity.endorsement: 0
120706 18:07:16 1860 secgsi_InitOpts: VOMS option: 1
120706 18:07:16 1860 secgsi_InitOpts: MonInfo option: 0
120706 18:07:16 1860 secgsi_InitOpts: Crypto modules: ssl
120706 18:07:16 1860 secgsi_InitOpts: Ciphers: aes-128-cbc:bf-cbc:des-ede3-cbc
120706 18:07:16 1860 secgsi_InitOpts: MDigests: sha1:md5
120706 18:07:16 1860 secgsi_InitOpts: *** ------------------------------------------------------------ ***
120706 18:07:16 1860 secgsi_Init: option CACheck: 1
120706 18:07:16 1860 secgsi_Init: using CA dir(s): /etc/grid-security/certificates/
120706 18:07:16 1860 secgsi_Init: option CRLCheck: 0 ('do-not-care'; download? no)
120706 18:07:16 1860 secgsi_Init: CRL information refreshed every 86400 secs
120706 18:07:16 1860 crypto_Factory::GetCryptoFactory: loading ssl crypto factory object from libXrdCrypto.so
120706 18:07:16 1860 crypto_Factory::GetCryptoFactory: loading ssl crypto factory object from libXrdCryptossl.so
120706 18:07:16 1860 sut_Rndm::GetBuffer: enter: len: 32
120706 18:07:16 1860 sut_Rndm::Init: taking seed from /dev/urandom
120706 18:07:16 1860 cryptossl_sslCipher::XrdCryptosslCipher: generate DH full key
120706 18:07:16 1860 sut_Cache::Init: cache allocated for 100 entries
120706 18:07:16 1860 sut_Cache::Rehash: Hash table updated (found 0 active entries)
120706 18:07:16 1860 sut_Cache::Init: cache allocated for 10 entries
120706 18:07:16 1860 sut_Cache::Rehash: Hash table updated (found 0 active entries)
120706 18:07:16 1860 sut_Cache::Get: locating entry for ID: ssl
120706 18:07:16 1860 sut_Cache::Rehash: hash table is up-to-date
120706 18:07:16 1860 cryptossl_X509::XrdCryptosslX509_file: certificate successfully loaded
120706 18:07:16 1860 cryptossl_X509::IsCA: certificate has 4 extensions
Enter PEM pass phrase:
120706 18:07:18 1860 cryptossl_X509::XrdCryptosslX509_file: RSA key completed
120706 18:07:18 1860 cryptossl_X509::Export: BIO data: 969 bytes at 0x0x1144d00
120706 18:07:18 1860 cryptossl_X509::Export: result of serialization: 969 bytes
120706 18:07:18 1860 secgsi_GetCA: Querying cache for tag: 1f83beb0.0:1 (timestamp:1341583638, refresh fq:86400)
120706 18:07:18 1860 sut_Cache::Get: locating entry for ID: 1f83beb0.0:1
120706 18:07:18 1860 sut_Cache::Rehash: hash table is up-to-date
120706 18:07:18 1860 secgsi_GetCA: trying to load CA certificate from /etc/grid-security/certificates/1f83beb0.0
120706 18:07:18 1860 cryptossl_X509::IsCA: certificate has 4 extensions
120706 18:07:18 1860 cryptossl_X509ParseFile: certificate for '/C=RU/ST=Moscow/O=JINR/OU=LIT/CN=TestCA'added to the chain - ord: 1
120706 18:07:18 1860 cryptossl_X509ParseFile: no RSA private key found in file /etc/grid-security/certificates/1f83beb0.0
120706 18:07:18 1860 secgsi_GetSrvCertEnt: failed to initialized CRL for issuing CA '1f83beb0.0'
120706 18:07:18 1860 secgsi_Init: problems loading srv cert
120706 18:07:18 1860 sut_Cache::Rehash: Hash table updated (found 0 active entries)
120706 18:07:18 1860 secgsi_ErrF: Secgsi: ErrError: no valid server certificate found
120706 18:07:18 1860 secgsi_Init: Secgsi: ErrError: no valid server certificate found
120706 18:07:18 1860 sec_Config: Secgsi: ErrError: no valid server certificate found
=====> sec.protocol gsi -d:3 -crl:0 -ca:1
Config 1 authentication directives processed in /etc/xrootd/xrootd-clustered.cfg
------ Authentication system initialization failed.
120706 18:07:18 1860 XrootdConfig: Unable to create security service object via /usr/lib64/libXrdSec.so
120706 18:07:18 1860 XrootdConfig: Unable to load security system.
------ xrootd protocol initialization failed.
120706 18:07:18 1860 XrdProtocol: Protocol xrootd could not be loaded
------ xrootd [log in to unmask]:-1 initialization failed.

2012/7/4 Gerardo Ganis <[log in to unmask]>:
>
> Hi,
>
> Thanks for reporting these issues.
> I am fixing the error reports and the obvious bug for ca:0, self-signed
> CA.
>
> However, even without these fixes, I was not able to reproduce your
> start-up failure with a self-signed CA.
> You should get some additional verbosity by adding '-d:3' in the
> 'sec.protocol' directive. Does that give any
> hint? Can you post the full log you get in such a case?
>
> G. Ganis
>
> On 6/28/12 2:35 PM, Иван Кадочников wrote:
>
> Hi all,
>
> I'm trying to use sec.protocol gsi with the server certificate signed by a
> self-signed CA for testing purposes; however, I'm having trouble getting the
> server to start.
> 3.1 hung on some operation with XrdSutCache while starting; updating to
> 3.2.2 fixed the issue.
>
> Now the server fails to start with the error "failed to initialized CRL for
> issuing CA" in XrdSecProtocolgsi::GetCA. Setting "crl:0" did not help. I did
> create an empty CRL to see if it resolved it, but it seems the problem lies
> elsewhere.
>
> I looked into the source and found the following.
> In XrdSecProtocolgsi::GetCA neither "CRL is expired" nor "CRL is missing"
> messages are displayed in my case, but the return value is obviously 2
> (because the CRL error is displayed). So the variable ok = 0. That probably
> means verified = 0.
> This brings me to the first problem: shouldn't the message when CA
> verification fails be different from when CRL fails to initialize?
>
> Looking into XrdSecProtocolgsi::VerifyCA, I found another problem: if CA is
> self-signed and CACheck = 0, CA is not checked, but the variable "verified"
> is never set either and remains 0. Which means when option ca:0 is used,
> self-signed CA is rejected outright. Is it the intended behavior?
>
> I set ca:1, but nothing changed in the server output. Third problem: the
> certificate chain verification functions don't seem to produce any debugging
> output so I don't know what the actual problem with my CA certificate is.
>
> I think I'll try using a certificate from a "real" CA instead. But I wanted
> to report these possible problems so that they can be resolved in the future
> versions.
>
> Thanks.
>
> Ivan Kadochnikov
>
> ________________________________
>
> Use REPLY-ALL to reply to list
>
> To unsubscribe from the XROOTD-L list, click the following link:
> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
>
>
>
> --
> +--------------------------------------------------------------------------+
> Gerardo GANIS CERN, PH Dept, SFT group, CH 1211 Geneve 23
> room: 32-RC-017, tel: +41 22 7676439
> email: [log in to unmask], fax: +41 22 7669133
> +--------------------------------------------------------------------------+
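The two defects described in the quoted report (a self-signed CA rejected under ca:0 because "verified" is never set, and a CA-verification failure surfacing as "failed to initialize CRL") can be seen side by side in a small control-flow model. This is an added illustration, not code from the thread or from xrootd: the CAInfo struct, the return codes and the message strings are assumptions chosen only to reproduce the reported symptom and its fix.

```cpp
#include <string>

// Model of the VerifyCA / GetCA control flow described in the report. Added
// example, not xrootd code: CAInfo, the codes and messages are assumptions.
struct CAInfo {
    bool selfSigned;     // the CA certificate is self-signed (test-CA case)
    bool signatureValid; // the CA signature verifies
    bool crlPresent;     // a <hash>.r0 file exists for this CA
    bool crlExpired;     // the CRL is past its next-update time
};

// Reported VerifyCA: with CACheck == 0 and a self-signed CA the check is
// skipped, but 'verified' is never set, so it stays 0 and the CA is rejected.
bool verifyCA_reported(const CAInfo& ca, int caCheck) {
    bool verified = false;
    if (caCheck == 0 && ca.selfSigned) {
        // "do not check": 'verified' should be set to true here, but is not
    } else {
        verified = (caCheck == 0) || ca.signatureValid;
    }
    return verified;
}

// Corrected VerifyCA: skipping the check means accepting the CA.
bool verifyCA_fixed(const CAInfo& ca, int caCheck) {
    return caCheck == 0 || ca.signatureValid;
}

// Reported GetCA: every failure collapses into return code 2, which the
// caller reports as a CRL problem even when it was the CA check that failed.
int getCA_reported(const CAInfo& ca, int caCheck, int crlCheck) {
    bool ok = verifyCA_reported(ca, caCheck);
    if (ok && crlCheck > 0)
        ok = ca.crlPresent && !ca.crlExpired;
    return ok ? 0 : 2;
}

// Corrected GetCA: CA-verification failure gets its own code (1).
int getCA_fixed(const CAInfo& ca, int caCheck, int crlCheck) {
    if (!verifyCA_fixed(ca, caCheck)) return 1;
    if (crlCheck > 0 && (!ca.crlPresent || ca.crlExpired)) return 2;
    return 0;
}

// What the caller would log for each code (modelled on the reported message).
std::string describe(int rc) {
    if (rc == 0) return "ok";
    if (rc == 1) return "CA verification failed";
    return "failed to initialize CRL for issuing CA";
}
```

With the reported flow, a self-signed test CA under ca:0 crl:0 yields code 2 and the misleading CRL message; with the corrected flow it is accepted, and a genuine CA failure is reported as such.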