LISTSERV 16.5 - XROOTD-DEV Archives

I believe it is the certificate that is being presented by gfal-copy, that 
is the client certificate.

On Mon, 6 Mar 2023, Fabio Andrijauskas wrote:

> I can't find any expired certificates on the server.
>
> *--Fábio Andrijauskas*
>
>
> On Mon, Mar 6, 2023 at 7:35?PM Andrew Hanushevsky ***@***.***>
> wrote:
>
>> Well, according to the server log the error is "the certificate is not yet
>> valid: the notBefore date is after the current time." (at least that'w
>> what is implied). The failure occured at 230307 01:21:07 so, what was the
>> "notBefore" date/time? I suppose that information is gone as its likely a
>> proxy cert but if this is a scipt running the gfal copy then dumping out
>> the cert when you get this error may tell us something.
>>
>> On Mon, 6 Mar 2023, Fabio Andrijauskas wrote:
>>
>>> Hi All,
>>>
>>> Anohter case:
>>>
>>> ```
>>> gfal-copy error: 13 (Permission denied) - Could not stat the source:
>> Result (Neon): SSL handshake failed: sslv3 alert bad certificate after 1
>> attempts
>>> Mon Mar 6 18:21:12 PST 2023
>>> gfal-copy error: 13 (Permission denied) - Could not stat the source:
>> Result (Neon): SSL handshake failed: sslv3 alert bad certificate after 1
>> attempts
>>> Mon Mar 6 18:21:12 PST 2023
>>> gfal-copy error: 13 (Permission denied) - Could not stat the source:
>> Result (Neon): SSL handshake failed: sslv3 alert bad certificate after 1
>> attempts
>>> Mon Mar 6 18:21:14 PST 2023
>>> gfal-copy error: 13 (Permission denied) - Could not stat the source:
>> Result (Neon): SSL handshake failed: sslv3 alert bad certificate after 1
>> attempts
>>> Mon Mar 6 18:21:14 PST 2023
>>> Copying
>> https://cf-ac-uk-cache.nationalresearchplatform.org:8443/user/ligo/test_access/access_ligo
>> [DONE] after 0s
>>> Mon Mar 6 18:21:16 PST 2023
>>> Copying
>> https://cf-ac-uk-cache.nationalresearchplatform.org:8443/user/ligo/test_access/access_ligo
>> [DONE] after 0s
>>> Mon Mar 6 18:21:16 PST 2023
>>> Copying
>> https://cf-ac-uk-cache.nationalresearchplatform.org:8443/user/ligo/test_access/access_ligo
>> [DONE] after 0s
>>> Mon Mar 6 18:21:18 PST 2023
>>> Copying
>> https://cf-ac-uk-cache.nationalresearchplatform.org:8443/user/ligo/test_access/access_ligo
>> [DONE] after 0s
>>> Mon Mar 6 18:21:18 PST 2023
>>> ```
>>>
>>>
>>> ```
>>> 230307 01:21:07 882 ***@***.*** http_Protocol: received dump: 22 03 01
>> 02 00 01 00 01 -04 03 03 -02 -120 -99 83 00
>>> 230307 01:21:07 882 ***@***.*** http_Protocol: This does not look like
>> http at pos 0
>>> 230307 01:21:07 882 ***@***.*** http_Protocol: This may look like https
>>> 230307 01:21:07 882 ***@***.*** http_Protocol: Protocol matched. https:
>> True
>>> 230307 01:21:07 882 http_Protocol: Reset
>>> 230307 01:21:07 882 http_Req: XrdHttpReq request ended.
>>> 230307 01:21:07 882 Xrd_ProtLoad: matched port 8443 protocol http
>>> 230307 01:21:07 882 ***@***.*** Xrd_Poll: FD 43 attached to poller 0;
>> num=1
>>> 230307 01:21:07 882 ***@***.*** http_Protocol: Process. lp:0x41ea260
>> reqstate: 0
>>> 230307 01:21:07 882 ***@***.*** http_Protocol: Setting host:
>> [::ffff:131.215.113.168]
>>> 230307 01:21:07 882 ***@***.*** http_Protocol: Entering SSL_accept...
>>> 230307 01:21:07 863 Xrd_Inet: Accepted connection on port 8443 from
>> ***@***.***
>>> 230307 01:21:07 863 ***@***.*** http_Protocol: received dlen: 16
>>> 230307 01:21:07 863 ***@***.*** http_Protocol: received dump: 22 03 01
>> 02 00 01 00 01 -04 03 03 00 14 74 -37 00
>>> 230307 01:21:07 863 ***@***.*** http_Protocol: This does not look like
>> http at pos 0
>>> 230307 01:21:07 863 ***@***.*** http_Protocol: This may look like https
>>> 230307 01:21:07 863 ***@***.*** http_Protocol: Protocol matched. https:
>> True
>>> 230307 01:21:07 863 http_Protocol: Reset
>>> 230307 01:21:07 863 http_Req: XrdHttpReq request ended.
>>> 230307 01:21:07 863 Xrd_ProtLoad: matched port 8443 protocol http
>>> 230307 01:21:07 863 ***@***.*** Xrd_Poll: FD 39 attached to poller 1;
>> num=1
>>> 230307 01:21:07 863 ***@***.*** http_Protocol: Process. lp:0x41e9640
>> reqstate: 0
>>> 230307 01:21:07 863 ***@***.*** http_Protocol: Setting host:
>> [::ffff:131.215.113.168]
>>> 230307 01:21:07 863 ***@***.*** http_Protocol: Entering SSL_accept...
>>> 230307 01:21:07 884 Xrd_Inet: Accepted connection on port 8443 from
>> ***@***.***
>>> 230307 01:21:07 884 ***@***.*** http_Protocol: received dlen: 16
>>> 230307 01:21:07 884 ***@***.*** http_Protocol: received dump: 22 03 01
>> 02 00 01 00 01 -04 03 03 52 -90 -90 -82 00
>>> 230307 01:21:07 884 ***@***.*** http_Protocol: This does not look like
>> http at pos 0
>>> 230307 01:21:07 884 ***@***.*** http_Protocol: This may look like https
>>> 230307 01:21:07 884 ***@***.*** http_Protocol: Protocol matched. https:
>> True
>>> 230307 01:21:07 884 http_Protocol: Reset
>>> 230307 01:21:07 884 http_Req: XrdHttpReq request ended.
>>> 230307 01:21:07 884 Xrd_ProtLoad: matched port 8443 protocol http
>>> 230307 01:21:07 884 ***@***.*** Xrd_Poll: FD 47 attached to poller 2;
>> num=1
>>> 230307 01:21:07 884 ***@***.*** http_Protocol: Process. lp:0x41eae80
>> reqstate: 0
>>> 230307 01:21:07 884 ***@***.*** http_Protocol: Setting host:
>> [::ffff:131.215.113.168]
>>> 230307 01:21:07 884 ***@***.*** http_Protocol: Entering SSL_accept...
>>> 230307 01:21:07 883 Xrd_Inet: Accepted connection on port 8443 from
>> ***@***.***
>>> 230307 01:21:07 883 ***@***.*** http_Protocol: received dlen: 16
>>> 230307 01:21:07 883 ***@***.*** http_Protocol: received dump: 22 03 01
>> 02 00 01 00 01 -04 03 03 -117 14 -49 118 00
>>> 230307 01:21:07 883 ***@***.*** http_Protocol: This does not look like
>> http at pos 0
>>> 230307 01:21:07 883 ***@***.*** http_Protocol: This may look like https
>>> 230307 01:21:07 883 ***@***.*** http_Protocol: Protocol matched. https:
>> True
>>> 230307 01:21:07 883 http_Protocol: Reset
>>> 230307 01:21:07 883 http_Req: XrdHttpReq request ended.
>>> 230307 01:21:07 883 Xrd_ProtLoad: matched port 8443 protocol http
>>> 230307 01:21:07 883 ***@***.*** Xrd_Poll: FD 45 attached to poller 0;
>> num=2
>>> 230307 01:21:07 883 ***@***.*** http_Protocol: Process. lp:0x41ea870
>> reqstate: 0
>>> 230307 01:21:07 883 ***@***.*** http_Protocol: Setting host:
>> [::ffff:131.215.113.168]
>>> 230307 01:21:07 883 ***@***.*** http_Protocol: Entering SSL_accept...
>>> 230307 01:21:07 862 Xrd_Inet: Accepted connection on port 8443 from
>> ***@***.***
>>> 230307 01:21:07 862 ***@***.*** http_Protocol: received dlen: 16
>>> 230307 01:21:07 862 ***@***.*** http_Protocol: received dump: 22 03 01
>> 02 00 01 00 01 -04 03 03 -34 -76 -122 -69 00
>>> 230307 01:21:07 862 ***@***.*** http_Protocol: This does not look like
>> http at pos 0
>>> 230307 01:21:07 862 ***@***.*** http_Protocol: This may look like https
>>> 230307 01:21:07 862 ***@***.*** http_Protocol: Protocol matched. https:
>> True
>>> 230307 01:21:07 862 http_Protocol: Reset
>>> 230307 01:21:07 862 http_Req: XrdHttpReq request ended.
>>> 230307 01:21:07 862 Xrd_ProtLoad: matched port 8443 protocol http
>>> 230307 01:21:07 862 ***@***.*** Xrd_Poll: FD 37 attached to poller 1;
>> num=2
>>> 230307 01:21:07 862 ***@***.*** http_Protocol: Process. lp:0x41e9030
>> reqstate: 0
>>> 230307 01:21:07 862 ***@***.*** http_Protocol: Setting host:
>> [::ffff:131.215.113.168]
>>> 230307 01:21:07 862 ***@***.*** http_Protocol: Entering SSL_accept...
>>> 230307 01:21:07 882 XrdTLS: CertVerify: Cert verification failed for
>> DN=/DC=org/DC=cilogon/C=US/O=LIGO/CN=Fabio Andrijauskas ***@***.***
>>> 230307 01:21:07 863 XrdTLS: CertVerify: Cert verification failed for
>> DN=/DC=org/DC=cilogon/C=US/O=LIGO/CN=Fabio Andrijauskas ***@***.***
>>> 230307 01:21:07 882 XrdTLS: CertVerify: Failing cert
>> issuer=/DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Silver CA 1
>>> 230307 01:21:07 863 XrdTLS: CertVerify: Failing cert
>> issuer=/DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Silver CA 1
>>> 230307 01:21:07 882 XrdTLS: CertVerify: Error 9 at depth 0 [certificate
>> is not yet valid]
>>> 230307 01:21:07 863 XrdTLS: CertVerify: Error 9 at depth 0 [certificate
>> is not yet valid]
>>> 230307 01:21:07 863 XrdTLS: CertVerify:
>> 140198909929216:error:0906D06C:PEM routines:PEM_read_bio:no start
>> line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
>>>
>>> 230307 01:21:07 882 ***@***.*** http_Protocol: SSL_accept returned :-1
>>> 230307 01:21:07 863 ***@***.*** http_Protocol: SSL_accept returned :-1
>>> 140198776727296:error:14089086:SSL
>> routines:ssl3_get_client_certificate:certificate verify
>> failed:s3_srvr.c:3327:
>>> 140198909929216:error:0B06F009:x509 certificate
>> routines:X509_load_cert_file:PEM lib:by_file.c:152:
>>> 140198909929216:error:14089086:SSL
>> routines:ssl3_get_client_certificate:certificate verify
>> failed:s3_srvr.c:3327:
>>> 230307 01:21:07 863 http_Protocol: Cleanup
>>> 230307 01:21:07 863 http_Protocol: Reset
>>> 230307 01:21:07 884 XrdTLS: CertVerify: Cert verification failed for
>> DN=/DC=org/DC=cilogon/C=US/O=LIGO/CN=Fabio Andrijauskas ***@***.***
>>> 230307 01:21:07 863 http_Req: XrdHttpReq request ended.
>>> 230307 01:21:07 884 XrdTLS: CertVerify: Failing cert
>> issuer=/DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Silver CA 1
>>> 230307 01:21:07 884 XrdTLS: CertVerify: Error 9 at depth 0 [certificate
>> is not yet valid]
>>> 230307 01:21:07 882 http_Protocol: Cleanup
>>> 230307 01:21:07 863 ***@***.*** Xrd_Poll: Poller 1 removing FD 39
>>> 230307 01:21:07 882 http_Protocol: Reset
>>> 230307 01:21:07 863 ***@***.*** Xrd_Poll: FD 39 detached from poller 1;
>> num=1
>>> 230307 01:21:07 882 http_Req: XrdHttpReq request ended.
>>> 230307 01:21:07 884 ***@***.*** http_Protocol: SSL_accept returned :-1
>>> 230307 01:21:07 882 ***@***.*** Xrd_Poll: Poller 0 removing FD 43
>>> 140198772524800:error:14089086:SSL
>> routines:ssl3_get_client_certificate:certificate verify
>> failed:s3_srvr.c:3327:
>>> 230307 01:21:07 882 ***@***.*** Xrd_Poll: FD 43 detached from poller 0;
>> num=1
>>> 230307 01:21:07 884 http_Protocol: Cleanup
>>> 230307 01:21:07 884 http_Protocol: Reset
>>> 230307 01:21:07 884 http_Req: XrdHttpReq request ended.
>>> 230307 01:21:07 884 ***@***.*** Xrd_Poll: Poller 2 removing FD 47
>>> 230307 01:21:07 884 ***@***.*** Xrd_Poll: FD 47 detached from poller 2;
>> num=0
>>> 230307 01:21:07 883 XrdTLS: CertVerify: Cert verification failed for
>> DN=/DC=org/DC=cilogon/C=US/O=LIGO/CN=Fabio Andrijauskas ***@***.***
>>> 230307 01:21:07 883 XrdTLS: CertVerify: Failing cert
>> issuer=/DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Silver CA 1
>>> 230307 01:21:07 883 XrdTLS: CertVerify: Error 9 at depth 0 [certificate
>> is not yet valid]
>>> 230307 01:21:07 883 ***@***.*** http_Protocol: SSL_accept returned :-1
>>> 140198774626048:error:14089086:SSL
>> routines:ssl3_get_client_certificate:certificate verify
>> failed:s3_srvr.c:3327:
>>> 230307 01:21:07 883 http_Protocol: Cleanup
>>> 230307 01:21:07 883 http_Protocol: Reset
>>> 230307 01:21:07 883 http_Req: XrdHttpReq request ended.
>>> 230307 01:21:07 883 ***@***.*** Xrd_Poll: Poller 0 removing FD 45
>>> 230307 01:21:07 883 ***@***.*** Xrd_Poll: FD 45 detached from poller 0;
>> num=0
>>> 230307 01:21:07 862 XrdTLS: CertVerify: Cert verification failed for
>> DN=/DC=org/DC=cilogon/C=US/O=LIGO/CN=Fabio Andrijauskas ***@***.***
>>> 230307 01:21:07 862 XrdTLS: CertVerify: Failing cert
>> issuer=/DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Silver CA 1
>>> 230307 01:21:07 862 XrdTLS: CertVerify: Error 9 at depth 0 [certificate
>> is not yet valid]
>>> 230307 01:21:07 862 ***@***.*** http_Protocol: SSL_accept returned :-1
>>> 140198912030464:error:14089086:SSL
>> routines:ssl3_get_client_certificate:certificate verify
>> failed:s3_srvr.c:3327:
>>> 230307 01:21:07 862 http_Protocol: Cleanup
>>> 230307 01:21:07 862 http_Protocol: Reset
>>> 230307 01:21:07 862 http_Req: XrdHttpReq request ended.
>>> 230307 01:21:07 862 ***@***.*** Xrd_Poll: Poller 1 removing FD 37
>>> 230307 01:21:07 862 ***@***.*** Xrd_Poll: FD 37 detached from poller 1;
>> num=0
>>> 230307 01:21:08 885 Xrd_Inet: Accepted connection on port 8443 from
>> ***@***.***
>>> 230307 01:21:08 886 Xrd_Inet: Accepted connection on port 8443 from
>> ***@***.***
>>> 230307 01:21:08 885 ***@***.*** http_Protocol: received dlen: 16
>>> 230307 01:21:08 885 ***@***.*** http_Protocol: received dump: 22 03 01
>> 02 00 01 00 01 -04 03 03 61 -85 -115 -46 00
>>> 230307 01:21:08 885 ***@***.*** http_Protocol: This does not look like
>> http at pos 0
>>> 230307 01:21:08 885 ***@***.*** http_Protocol: This may look like https
>>> 230307 01:21:08 885 ***@***.*** http_Protocol: Protocol matched. https:
>> True
>>> 230307 01:21:08 885 Xrd_ProtLoad: matched port 8443 protocol http
>>> 230307 01:21:08 885 ***@***.*** Xrd_Poll: FD 49 attached to poller 0;
>> num=1
>>> 230307 01:21:08 885 ***@***.*** http_Protocol: Process. lp:0x41eb490
>> reqstate: 0
>>> 230307 01:21:08 885 ***@***.*** http_Protocol: Setting host:
>> [::ffff:131.215.113.168]
>>> 230307 01:21:08 885 ***@***.*** http_Protocol: Entering SSL_accept...
>>> 230307 01:21:08 886 ***@***.*** http_Protocol: received dlen: 16
>>> 230307 01:21:08 886 ***@***.*** http_Protocol: received dump: 22 03 01
>> 02 00 01 00 01 -04 03 03 -81 -82 -27 95 00
>>> 230307 01:21:08 886 ***@***.*** http_Protocol: This does not look like
>> http at pos 0
>>> 230307 01:21:08 886 ***@***.*** http_Protocol: This may look like https
>>> 230307 01:21:08 886 ***@***.*** http_Protocol: Protocol matched. https:
>> True
>>> 230307 01:21:08 886 Xrd_ProtLoad: matched port 8443 protocol http
>>> 230307 01:21:08 886 ***@***.*** Xrd_Poll: FD 33 attached to poller 1;
>> num=1
>>> 230307 01:21:08 886 ***@***.*** http_Protocol: Process. lp:0x41e8410
>> reqstate: 0
>>> 230307 01:21:08 886 ***@***.*** http_Protocol: Setting host:
>> [::ffff:131.215.113.168]
>>> 230307 01:21:08 886 ***@***.*** http_Protocol: Entering SSL_accept...
>>> 230307 01:21:08 863 Xrd_Inet: Accepted connection on port 8443 from
>> ***@***.***
>>> 230307 01:21:08 863 ***@***.*** http_Protocol: received dlen: 16
>>> 230307 01:21:08 863 ***@***.*** http_Protocol: received dump: 22 03 01
>> 02 00 01 00 01 -04 03 03 22 82 10 28 00
>>> 230307 01:21:08 863 ***@***.*** http_Protocol: This does not look like
>> http at pos 0
>>> 230307 01:21:08 863 ***@***.*** http_Protocol: This may look like https
>>> 230307 01:21:08 863 ***@***.*** http_Protocol: Protocol matched. https:
>> True
>>> 230307 01:21:08 863 Xrd_ProtLoad: matched port 8443 protocol http
>>> 230307 01:21:08 863 ***@***.*** Xrd_Poll: FD 35 attached to poller 2;
>> num=1
>>> 230307 01:21:08 863 ***@***.*** http_Protocol: Process. lp:0x41e8a20
>> reqstate: 0
>>> 230307 01:21:08 863 ***@***.*** http_Protocol: Setting host:
>> [::ffff:131.215.113.168]
>>> 230307 01:21:08 863 ***@***.*** http_Protocol: Entering SSL_accept...
>>> 230307 01:21:08 882 Xrd_Inet: Accepted connection on port 8443 from
>> ***@***.***
>>> 230307 01:21:08 882 ***@***.*** http_Protocol: received dlen: 16
>>> 230307 01:21:08 882 ***@***.*** http_Protocol: received dump: 22 03 01
>> 02 00 01 00 01 -04 03 03 33 -110 -22 -104 00
>>> 230307 01:21:08 882 ***@***.*** http_Protocol: This does not look like
>> http at pos 0
>>> 230307 01:21:08 882 ***@***.*** http_Protocol: This may look like https
>>> 230307 01:21:08 882 ***@***.*** http_Protocol: Protocol matched. https:
>> True
>>> 230307 01:21:08 882 Xrd_ProtLoad: matched port 8443 protocol http
>>> 230307 01:21:08 882 ***@***.*** Xrd_Poll: FD 34 attached to poller 0;
>> num=2
>>> 230307 01:21:08 882 ***@***.*** http_Protocol: Process. lp:0x41e8718
>> reqstate: 0
>>> 230307 01:21:08 882 ***@***.*** http_Protocol: Setting host:
>> [::ffff:131.215.113.168]
>>>
>>> ```
>>>
>>> --
>>> Reply to this email directly or view it on GitHub:
>>> https://github.com/xrootd/xrootd/issues/1940#issuecomment-1457413663
>>> You are receiving this because you commented.
>>>
>>> Message ID: ***@***.***>
>>
>> ?
>> Reply to this email directly, view it on GitHub
>> <https://github.com/xrootd/xrootd/issues/1940#issuecomment-1457462040>,
>> or unsubscribe
>> <https://github.com/notifications/unsubscribe-auth/ACEEH77SAKPNQ5V272P3LBTW22UI3ANCNFSM6AAAAAAVO63WBY>
>> .
>> You are receiving this because you were mentioned.Message ID:
>> ***@***.***>
>>
>
>
> -- 
> Reply to this email directly or view it on GitHub:
> https://github.com/xrootd/xrootd/issues/1940#issuecomment-1457465676
> You are receiving this because you commented.
>
> Message ID: ***@***.***>

-- 
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/1940#issuecomment-1457505535
You are receiving this because you commented.

Message ID: <[log in to unmask]>
########################################################################
Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1