I believe it is the certificate that is being presented by gfal-copy, that is the client certificate.

On Mon, 6 Mar 2023, Fabio Andrijauskas wrote:

> I can't find any expired certificates on the server.
>
> *--Fábio Andrijauskas*
>
> On Mon, Mar 6, 2023 at 7:35 PM Andrew Hanushevsky ***@***.***> wrote:
>
>> Well, according to the server log the error is "the certificate is not yet
>> valid: the notBefore date is after the current time." (at least that's
>> what is implied). The failure occurred at 230307 01:21:07 so, what was the
>> "notBefore" date/time? I suppose that information is gone as it's likely a
>> proxy cert but if this is a script running the gfal copy then dumping out
>> the cert when you get this error may tell us something.
>>
>> On Mon, 6 Mar 2023, Fabio Andrijauskas wrote:
>>
>>> Hi All,
>>>
>>> Another case:
>>>
>>> ```
>>> gfal-copy error: 13 (Permission denied) - Could not stat the source: Result (Neon): SSL handshake failed: sslv3 alert bad certificate after 1 attempts
>>> Mon Mar 6 18:21:12 PST 2023
>>> gfal-copy error: 13 (Permission denied) - Could not stat the source: Result (Neon): SSL handshake failed: sslv3 alert bad certificate after 1 attempts
>>> Mon Mar 6 18:21:12 PST 2023
>>> gfal-copy error: 13 (Permission denied) - Could not stat the source: Result (Neon): SSL handshake failed: sslv3 alert bad certificate after 1 attempts
>>> Mon Mar 6 18:21:14 PST 2023
>>> gfal-copy error: 13 (Permission denied) - Could not stat the source: Result (Neon): SSL handshake failed: sslv3 alert bad certificate after 1 attempts
>>> Mon Mar 6 18:21:14 PST 2023
>>> Copying https://cf-ac-uk-cache.nationalresearchplatform.org:8443/user/ligo/test_access/access_ligo [DONE] after 0s
>>> Mon Mar 6 18:21:16 PST 2023
>>> Copying https://cf-ac-uk-cache.nationalresearchplatform.org:8443/user/ligo/test_access/access_ligo [DONE] after 0s
>>> Mon Mar 6 18:21:16 PST 2023
>>> Copying https://cf-ac-uk-cache.nationalresearchplatform.org:8443/user/ligo/test_access/access_ligo [DONE] after 0s
>>> Mon Mar 6 18:21:18 PST 2023
>>> Copying https://cf-ac-uk-cache.nationalresearchplatform.org:8443/user/ligo/test_access/access_ligo [DONE] after 0s
>>> Mon Mar 6 18:21:18 PST 2023
>>> ```
>>>
>>>
>>> ```
>>> 230307 01:21:07 882 ***@***.*** http_Protocol: received dump: 22 03 01 02 00 01 00 01 -04 03 03 -02 -120 -99 83 00
>>> 230307 01:21:07 882 ***@***.*** http_Protocol: This does not look like http at pos 0
>>> 230307 01:21:07 882 ***@***.*** http_Protocol: This may look like https
>>> 230307 01:21:07 882 ***@***.*** http_Protocol: Protocol matched. https: True
>>> 230307 01:21:07 882 http_Protocol: Reset
>>> 230307 01:21:07 882 http_Req: XrdHttpReq request ended.
>>> 230307 01:21:07 882 Xrd_ProtLoad: matched port 8443 protocol http
>>> 230307 01:21:07 882 ***@***.*** Xrd_Poll: FD 43 attached to poller 0; num=1
>>> 230307 01:21:07 882 ***@***.*** http_Protocol: Process. lp:0x41ea260 reqstate: 0
>>> 230307 01:21:07 882 ***@***.*** http_Protocol: Setting host: [::ffff:131.215.113.168]
>>> 230307 01:21:07 882 ***@***.*** http_Protocol: Entering SSL_accept...
>>> 230307 01:21:07 863 Xrd_Inet: Accepted connection on port 8443 from ***@***.***
>>> 230307 01:21:07 863 ***@***.*** http_Protocol: received dlen: 16
>>> 230307 01:21:07 863 ***@***.*** http_Protocol: received dump: 22 03 01 02 00 01 00 01 -04 03 03 00 14 74 -37 00
>>> 230307 01:21:07 863 ***@***.*** http_Protocol: This does not look like http at pos 0
>>> 230307 01:21:07 863 ***@***.*** http_Protocol: This may look like https
>>> 230307 01:21:07 863 ***@***.*** http_Protocol: Protocol matched. https: True
>>> 230307 01:21:07 863 http_Protocol: Reset
>>> 230307 01:21:07 863 http_Req: XrdHttpReq request ended.
>>> 230307 01:21:07 863 Xrd_ProtLoad: matched port 8443 protocol http
>>> 230307 01:21:07 863 ***@***.*** Xrd_Poll: FD 39 attached to poller 1; num=1
>>> 230307 01:21:07 863 ***@***.*** http_Protocol: Process. lp:0x41e9640 reqstate: 0
>>> 230307 01:21:07 863 ***@***.*** http_Protocol: Setting host: [::ffff:131.215.113.168]
>>> 230307 01:21:07 863 ***@***.*** http_Protocol: Entering SSL_accept...
>>> 230307 01:21:07 884 Xrd_Inet: Accepted connection on port 8443 from ***@***.***
>>> 230307 01:21:07 884 ***@***.*** http_Protocol: received dlen: 16
>>> 230307 01:21:07 884 ***@***.*** http_Protocol: received dump: 22 03 01 02 00 01 00 01 -04 03 03 52 -90 -90 -82 00
>>> 230307 01:21:07 884 ***@***.*** http_Protocol: This does not look like http at pos 0
>>> 230307 01:21:07 884 ***@***.*** http_Protocol: This may look like https
>>> 230307 01:21:07 884 ***@***.*** http_Protocol: Protocol matched. https: True
>>> 230307 01:21:07 884 http_Protocol: Reset
>>> 230307 01:21:07 884 http_Req: XrdHttpReq request ended.
>>> 230307 01:21:07 884 Xrd_ProtLoad: matched port 8443 protocol http
>>> 230307 01:21:07 884 ***@***.*** Xrd_Poll: FD 47 attached to poller 2; num=1
>>> 230307 01:21:07 884 ***@***.*** http_Protocol: Process. lp:0x41eae80 reqstate: 0
>>> 230307 01:21:07 884 ***@***.*** http_Protocol: Setting host: [::ffff:131.215.113.168]
>>> 230307 01:21:07 884 ***@***.*** http_Protocol: Entering SSL_accept...
>>> 230307 01:21:07 883 Xrd_Inet: Accepted connection on port 8443 from ***@***.***
>>> 230307 01:21:07 883 ***@***.*** http_Protocol: received dlen: 16
>>> 230307 01:21:07 883 ***@***.*** http_Protocol: received dump: 22 03 01 02 00 01 00 01 -04 03 03 -117 14 -49 118 00
>>> 230307 01:21:07 883 ***@***.*** http_Protocol: This does not look like http at pos 0
>>> 230307 01:21:07 883 ***@***.*** http_Protocol: This may look like https
>>> 230307 01:21:07 883 ***@***.*** http_Protocol: Protocol matched. https: True
>>> 230307 01:21:07 883 http_Protocol: Reset
>>> 230307 01:21:07 883 http_Req: XrdHttpReq request ended.
>>> 230307 01:21:07 883 Xrd_ProtLoad: matched port 8443 protocol http
>>> 230307 01:21:07 883 ***@***.*** Xrd_Poll: FD 45 attached to poller 0; num=2
>>> 230307 01:21:07 883 ***@***.*** http_Protocol: Process. lp:0x41ea870 reqstate: 0
>>> 230307 01:21:07 883 ***@***.*** http_Protocol: Setting host: [::ffff:131.215.113.168]
>>> 230307 01:21:07 883 ***@***.*** http_Protocol: Entering SSL_accept...
>>> 230307 01:21:07 862 Xrd_Inet: Accepted connection on port 8443 from ***@***.***
>>> 230307 01:21:07 862 ***@***.*** http_Protocol: received dlen: 16
>>> 230307 01:21:07 862 ***@***.*** http_Protocol: received dump: 22 03 01 02 00 01 00 01 -04 03 03 -34 -76 -122 -69 00
>>> 230307 01:21:07 862 ***@***.*** http_Protocol: This does not look like http at pos 0
>>> 230307 01:21:07 862 ***@***.*** http_Protocol: This may look like https
>>> 230307 01:21:07 862 ***@***.*** http_Protocol: Protocol matched. https: True
>>> 230307 01:21:07 862 http_Protocol: Reset
>>> 230307 01:21:07 862 http_Req: XrdHttpReq request ended.
>>> 230307 01:21:07 862 Xrd_ProtLoad: matched port 8443 protocol http
>>> 230307 01:21:07 862 ***@***.*** Xrd_Poll: FD 37 attached to poller 1; num=2
>>> 230307 01:21:07 862 ***@***.*** http_Protocol: Process. lp:0x41e9030 reqstate: 0
>>> 230307 01:21:07 862 ***@***.*** http_Protocol: Setting host: [::ffff:131.215.113.168]
>>> 230307 01:21:07 862 ***@***.*** http_Protocol: Entering SSL_accept...
>>> 230307 01:21:07 882 XrdTLS: CertVerify: Cert verification failed for DN=/DC=org/DC=cilogon/C=US/O=LIGO/CN=Fabio Andrijauskas ***@***.***
>>> 230307 01:21:07 863 XrdTLS: CertVerify: Cert verification failed for DN=/DC=org/DC=cilogon/C=US/O=LIGO/CN=Fabio Andrijauskas ***@***.***
>>> 230307 01:21:07 882 XrdTLS: CertVerify: Failing cert issuer=/DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Silver CA 1
>>> 230307 01:21:07 863 XrdTLS: CertVerify: Failing cert issuer=/DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Silver CA 1
>>> 230307 01:21:07 882 XrdTLS: CertVerify: Error 9 at depth 0 [certificate is not yet valid]
>>> 230307 01:21:07 863 XrdTLS: CertVerify: Error 9 at depth 0 [certificate is not yet valid]
>>> 230307 01:21:07 863 XrdTLS: CertVerify: 140198909929216:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
>>>
>>> 230307 01:21:07 882 ***@***.*** http_Protocol: SSL_accept returned :-1
>>> 230307 01:21:07 863 ***@***.*** http_Protocol: SSL_accept returned :-1
>>> 140198776727296:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed:s3_srvr.c:3327:
>>> 140198909929216:error:0B06F009:x509 certificate routines:X509_load_cert_file:PEM lib:by_file.c:152:
>>> 140198909929216:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed:s3_srvr.c:3327:
>>> 230307 01:21:07 863 http_Protocol: Cleanup
>>> 230307 01:21:07 863 http_Protocol: Reset
>>> 230307 01:21:07 884 XrdTLS: CertVerify: Cert verification failed for DN=/DC=org/DC=cilogon/C=US/O=LIGO/CN=Fabio Andrijauskas ***@***.***
>>> 230307 01:21:07 863 http_Req: XrdHttpReq request ended.
>>> 230307 01:21:07 884 XrdTLS: CertVerify: Failing cert issuer=/DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Silver CA 1
>>> 230307 01:21:07 884 XrdTLS: CertVerify: Error 9 at depth 0 [certificate is not yet valid]
>>> 230307 01:21:07 882 http_Protocol: Cleanup
>>> 230307 01:21:07 863 ***@***.*** Xrd_Poll: Poller 1 removing FD 39
>>> 230307 01:21:07 882 http_Protocol: Reset
>>> 230307 01:21:07 863 ***@***.*** Xrd_Poll: FD 39 detached from poller 1; num=1
>>> 230307 01:21:07 882 http_Req: XrdHttpReq request ended.
>>> 230307 01:21:07 884 ***@***.*** http_Protocol: SSL_accept returned :-1
>>> 230307 01:21:07 882 ***@***.*** Xrd_Poll: Poller 0 removing FD 43
>>> 140198772524800:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed:s3_srvr.c:3327:
>>> 230307 01:21:07 882 ***@***.*** Xrd_Poll: FD 43 detached from poller 0; num=1
>>> 230307 01:21:07 884 http_Protocol: Cleanup
>>> 230307 01:21:07 884 http_Protocol: Reset
>>> 230307 01:21:07 884 http_Req: XrdHttpReq request ended.
>>> 230307 01:21:07 884 ***@***.*** Xrd_Poll: Poller 2 removing FD 47
>>> 230307 01:21:07 884 ***@***.*** Xrd_Poll: FD 47 detached from poller 2; num=0
>>> 230307 01:21:07 883 XrdTLS: CertVerify: Cert verification failed for DN=/DC=org/DC=cilogon/C=US/O=LIGO/CN=Fabio Andrijauskas ***@***.***
>>> 230307 01:21:07 883 XrdTLS: CertVerify: Failing cert issuer=/DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Silver CA 1
>>> 230307 01:21:07 883 XrdTLS: CertVerify: Error 9 at depth 0 [certificate is not yet valid]
>>> 230307 01:21:07 883 ***@***.*** http_Protocol: SSL_accept returned :-1
>>> 140198774626048:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed:s3_srvr.c:3327:
>>> 230307 01:21:07 883 http_Protocol: Cleanup
>>> 230307 01:21:07 883 http_Protocol: Reset
>>> 230307 01:21:07 883 http_Req: XrdHttpReq request ended.
>>> 230307 01:21:07 883 ***@***.*** Xrd_Poll: Poller 0 removing FD 45
>>> 230307 01:21:07 883 ***@***.*** Xrd_Poll: FD 45 detached from poller 0; num=0
>>> 230307 01:21:07 862 XrdTLS: CertVerify: Cert verification failed for DN=/DC=org/DC=cilogon/C=US/O=LIGO/CN=Fabio Andrijauskas ***@***.***
>>> 230307 01:21:07 862 XrdTLS: CertVerify: Failing cert issuer=/DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Silver CA 1
>>> 230307 01:21:07 862 XrdTLS: CertVerify: Error 9 at depth 0 [certificate is not yet valid]
>>> 230307 01:21:07 862 ***@***.*** http_Protocol: SSL_accept returned :-1
>>> 140198912030464:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed:s3_srvr.c:3327:
>>> 230307 01:21:07 862 http_Protocol: Cleanup
>>> 230307 01:21:07 862 http_Protocol: Reset
>>> 230307 01:21:07 862 http_Req: XrdHttpReq request ended.
>>> 230307 01:21:07 862 ***@***.*** Xrd_Poll: Poller 1 removing FD 37
>>> 230307 01:21:07 862 ***@***.*** Xrd_Poll: FD 37 detached from poller 1; num=0
>>> 230307 01:21:08 885 Xrd_Inet: Accepted connection on port 8443 from ***@***.***
>>> 230307 01:21:08 886 Xrd_Inet: Accepted connection on port 8443 from ***@***.***
>>> 230307 01:21:08 885 ***@***.*** http_Protocol: received dlen: 16
>>> 230307 01:21:08 885 ***@***.*** http_Protocol: received dump: 22 03 01 02 00 01 00 01 -04 03 03 61 -85 -115 -46 00
>>> 230307 01:21:08 885 ***@***.*** http_Protocol: This does not look like http at pos 0
>>> 230307 01:21:08 885 ***@***.*** http_Protocol: This may look like https
>>> 230307 01:21:08 885 ***@***.*** http_Protocol: Protocol matched. https: True
>>> 230307 01:21:08 885 Xrd_ProtLoad: matched port 8443 protocol http
>>> 230307 01:21:08 885 ***@***.*** Xrd_Poll: FD 49 attached to poller 0; num=1
>>> 230307 01:21:08 885 ***@***.*** http_Protocol: Process. lp:0x41eb490 reqstate: 0
>>> 230307 01:21:08 885 ***@***.*** http_Protocol: Setting host: [::ffff:131.215.113.168]
>>> 230307 01:21:08 885 ***@***.*** http_Protocol: Entering SSL_accept...
>>> 230307 01:21:08 886 ***@***.*** http_Protocol: received dlen: 16
>>> 230307 01:21:08 886 ***@***.*** http_Protocol: received dump: 22 03 01 02 00 01 00 01 -04 03 03 -81 -82 -27 95 00
>>> 230307 01:21:08 886 ***@***.*** http_Protocol: This does not look like http at pos 0
>>> 230307 01:21:08 886 ***@***.*** http_Protocol: This may look like https
>>> 230307 01:21:08 886 ***@***.*** http_Protocol: Protocol matched. https: True
>>> 230307 01:21:08 886 Xrd_ProtLoad: matched port 8443 protocol http
>>> 230307 01:21:08 886 ***@***.*** Xrd_Poll: FD 33 attached to poller 1; num=1
>>> 230307 01:21:08 886 ***@***.*** http_Protocol: Process. lp:0x41e8410 reqstate: 0
>>> 230307 01:21:08 886 ***@***.*** http_Protocol: Setting host: [::ffff:131.215.113.168]
>>> 230307 01:21:08 886 ***@***.*** http_Protocol: Entering SSL_accept...
>>> 230307 01:21:08 863 Xrd_Inet: Accepted connection on port 8443 from ***@***.***
>>> 230307 01:21:08 863 ***@***.*** http_Protocol: received dlen: 16
>>> 230307 01:21:08 863 ***@***.*** http_Protocol: received dump: 22 03 01 02 00 01 00 01 -04 03 03 22 82 10 28 00
>>> 230307 01:21:08 863 ***@***.*** http_Protocol: This does not look like http at pos 0
>>> 230307 01:21:08 863 ***@***.*** http_Protocol: This may look like https
>>> 230307 01:21:08 863 ***@***.*** http_Protocol: Protocol matched. https: True
>>> 230307 01:21:08 863 Xrd_ProtLoad: matched port 8443 protocol http
>>> 230307 01:21:08 863 ***@***.*** Xrd_Poll: FD 35 attached to poller 2; num=1
>>> 230307 01:21:08 863 ***@***.*** http_Protocol: Process. lp:0x41e8a20 reqstate: 0
>>> 230307 01:21:08 863 ***@***.*** http_Protocol: Setting host: [::ffff:131.215.113.168]
>>> 230307 01:21:08 863 ***@***.*** http_Protocol: Entering SSL_accept...
>>> 230307 01:21:08 882 Xrd_Inet: Accepted connection on port 8443 from ***@***.***
>>> 230307 01:21:08 882 ***@***.*** http_Protocol: received dlen: 16
>>> 230307 01:21:08 882 ***@***.*** http_Protocol: received dump: 22 03 01 02 00 01 00 01 -04 03 03 33 -110 -22 -104 00
>>> 230307 01:21:08 882 ***@***.*** http_Protocol: This does not look like http at pos 0
>>> 230307 01:21:08 882 ***@***.*** http_Protocol: This may look like https
>>> 230307 01:21:08 882 ***@***.*** http_Protocol: Protocol matched. https: True
>>> 230307 01:21:08 882 Xrd_ProtLoad: matched port 8443 protocol http
>>> 230307 01:21:08 882 ***@***.*** Xrd_Poll: FD 34 attached to poller 0; num=2
>>> 230307 01:21:08 882 ***@***.*** http_Protocol: Process. lp:0x41e8718 reqstate: 0
>>> 230307 01:21:08 882 ***@***.*** http_Protocol: Setting host: [::ffff:131.215.113.168]
>>>
>>> ```
>>>
>>> --
>>> Reply to this email directly or view it on GitHub:
>>> https://github.com/xrootd/xrootd/issues/1940#issuecomment-1457413663
>>
>> --
>> Reply to this email directly, view it on GitHub
>> <https://github.com/xrootd/xrootd/issues/1940#issuecomment-1457462040>
>
> --
> Reply to this email directly or view it on GitHub:
> https://github.com/xrootd/xrootd/issues/1940#issuecomment-1457465676

--
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/1940#issuecomment-1457505535
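The server log quoted in this thread interleaves `XrdTLS: CertVerify` lines from several threads. As an added example (not part of the original messages and not XRootD code), this sketch groups those lines by the numeric field after the timestamp, assumed here to be the thread id, and lists each "not yet valid" failure with its timestamp, DN and issuer. The sample log is constructed, with a placeholder DN and issuer.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the XrdTLS lines quoted in this thread
# (placeholder DN/issuer; two threads interleaved, one with a different error).
SAMPLE_LOG = """\
230307 01:21:07 882 XrdTLS: CertVerify: Cert verification failed for DN=/DC=org/DC=example/CN=Test User
230307 01:21:07 863 XrdTLS: CertVerify: Cert verification failed for DN=/DC=org/DC=example/CN=Test User
230307 01:21:07 882 XrdTLS: CertVerify: Failing cert issuer=/DC=org/DC=example/CN=Example CA
230307 01:21:07 863 XrdTLS: CertVerify: Failing cert issuer=/DC=org/DC=example/CN=Example CA
230307 01:21:07 882 XrdTLS: CertVerify: Error 9 at depth 0 [certificate is not yet valid]
230307 01:21:07 863 XrdTLS: CertVerify: Error 10 at depth 0 [certificate has expired]
230307 01:21:07 882 http_Protocol: Cleanup
"""

LINE = re.compile(r"^(\d{6} \d\d:\d\d:\d\d) (\d+) XrdTLS: CertVerify: (.*)$")
ERROR = re.compile(r"Error (\d+) at depth (\d+) \[(.*)\]")

def cert_failures(log_text):
    """Group interleaved CertVerify lines by thread id; one record per 'Error' line."""
    pending, out = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a CertVerify line
        stamp, tid, msg = m.groups()
        rec = pending.setdefault(tid, {})
        if msg.startswith("Cert verification failed for DN="):
            rec["dn"] = msg.split("DN=", 1)[1]
        elif msg.startswith("Failing cert issuer="):
            rec["issuer"] = msg.split("issuer=", 1)[1]
        elif (e := ERROR.match(msg)):
            # Timestamp format is yymmdd hh:mm:ss, as in "230307 01:21:07".
            rec.update(code=int(e[1]), depth=int(e[2]), reason=e[3], tid=int(tid),
                       when=datetime.strptime(stamp, "%y%m%d %H:%M:%S"))
            out.append(pending.pop(tid))
    return out

def not_yet_valid(failures):
    """Keep only OpenSSL verify error 9 (X509_V_ERR_CERT_NOT_YET_VALID)."""
    return [f for f in failures if f["code"] == 9]

if __name__ == "__main__":
    for f in not_yet_valid(cert_failures(SAMPLE_LOG)):
        print(f["when"], f["tid"], f["depth"], f.get("dn"), "->", f["reason"])
```

The `when` value of each record is the server-side time to compare against the `notBefore` of the certificate dumped on the client when the copy fails.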