Document retrieved from a search-engine cache. Original document address: http://theory.sinp.msu.ru/pipermail/ru-ngi/2015q2/001567.html
Modified: Fri Jun 5 17:17:53 2015
Indexed: Sun Apr 10 18:19:39 2016
[RU-NGI] CA RDIG in ca-policy-egi-core-1.64-1


Valery Mitsyn vvm at mammoth.jinr.ru
Fri Jun 5 16:49:06 MSK 2015


On Fri, 5 Jun 2015, Eygene Ryabinkin wrote:

> Valery, good afternoon.
>
> Fri, Jun 05, 2015 at 11:33:47AM +0300, Valery Mitsyn wrote:
>> late last night I installed the new rpms from
>> ca-policy-egi-core-1.64-1; some time later
>> authorization broke.
>>   The announcement for this ca-policy contains the line:
>> {{{
>> Updated RDIG CA with extended validity self-signed root (RU)
>> }}}
>> I suspect the update caused the problems.
>> Since our certificates directory is shared, the
>> problem shows up on all services.
>
> Technically, only the validity period changed in the root certificate,
> so there should not be any major problems.  And this was even tested
> before such a CA root was made.
>
> As I understand from reading the rest of this thread, somewhere Tomcat
> did not pick up the new certificates.  It would be very interesting to
> know what exactly the problems were, since even the old CA root is valid
> until 7 August, so there should not have been any problems with it yet either.

"Pleasant" surprises from tomcat and co.:
it cannot authorize through argus pep.
I have attached a piece of glite-ce-cream.log.

>
>> P.S. In the logs of the regional argus - b4ng.jirn.ru,
>> I see this diagnostic:
>> {{{
>> 2015-06-05 08:27:25.364Z - ERROR [TrustStoreValidationErrorLogger] -
>> Validation error: error at position 0 in chain, problematic certificate subject:
>> CN=rnag-sb.t1.grid.kiae.ru,OU=grid.kiae.ru,OU=hosts,O=RDIG,C=RU (category: CRL):
>> CRL for an expired certificate was not resolved Cause: No CRLs
>> found for issuer "CN=Russian Data-Intensive Grid CA, O=RDIG, C=RU"
>> }}}
>> However 55994d72.r0 is quite fresh: Jun  5 10:47 55994d72.r0
>
> On rnag-sb (the test one) the host certificate in
> /etc/grid-security/certificates had not been updated, so it was using
> a certificate that expired long ago (in 2014).  I have fixed that now.
> What does Argus say?
>

Now it authorizes.

-- 
Best regards,
  Valery Mitsyn
-------------- next part --------------
05 Jun 2015 06:25:19,539 ERROR org.glite.authz.pep.client.PEPClient - No PEP Server [https://lcga4ge.jinr.ru:8154/authz] was able to process the request
05 Jun 2015 06:25:19,539 ERROR org.glite.ce.commonj.authz.argus.ArgusPEP - No PEP Server [https://lcga4ge.jinr.ru:8154/authz] was able to process the request
05 Jun 2015 06:25:19,539 ERROR org.glite.ce.commonj.authz.axis2.AuthorizationHandler - Authorization failure: No PEP Server [https://lcga4ge.jinr.ru:8154/authz] was able to process the request
05 Jun 2015 06:25:19,539 ERROR org.apache.axis2.engine.AxisEngine - Authorization error
org.apache.axis2.AxisFault: Authorization error
	at org.glite.ce.cream.authz.axis2.AuthorizationHandler.getAuthorizationFault(AuthorizationHandler.java:152)
	at org.glite.ce.commonj.authz.axis2.AuthorizationHandler.invoke(AuthorizationHandler.java:170)
	at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
	at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
	at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
	at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168)
	at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
	at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
	at java.lang.Thread.run(Thread.java:701)
05 Jun 2015 06:25:20,473 ERROR org.glite.authz.pep.client.PEPClient - Unable to read response from PEP Server https://lcga4ge.jinr.ru:8154/authz
javax.net.ssl.SSLException: java.lang.NullPointerException
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1824)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1787)
	at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1770)
	at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1696)
	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:124)
	at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
	at java.io.BufferedOutputStream.write(BufferedOutputStream.java:121)
	at java.io.FilterOutputStream.write(FilterOutputStream.java:97)
	at org.apache.commons.httpclient.methods.StringRequestEntity.writeRequest(StringRequestEntity.java:145)
	at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:499)
	at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
	at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
	at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
	at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
	at org.glite.authz.pep.client.PEPClient.performRequest(PEPClient.java:193)
	at org.glite.authz.pep.client.PEPClient.authorize(PEPClient.java:127)
	at org.glite.ce.commonj.authz.argus.ArgusPEP.isPermitted(ArgusPEP.java:201)
	at org.glite.ce.commonj.authz.axis2.AuthorizationHandler.invoke(AuthorizationHandler.java:148)
	at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
	at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
	at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
	at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168)
	at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
	at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
	at java.lang.Thread.run(Thread.java:701)
Caused by: java.lang.NullPointerException
	at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.processCRLF(RFC3280CertPathUtilities.java:487)
	at eu.emi.security.authn.x509.helpers.pkipath.bc.RFC3280CertPathUtilitiesHelper.processCRLF2(RFC3280CertPathUtilitiesHelper.java:540)
	at eu.emi.security.authn.x509.helpers.pkipath.bc.RFC3280CertPathUtilitiesHelper.checkCRL(RFC3280CertPathUtilitiesHelper.java:288)
	at eu.emi.security.authn.x509.helpers.pkipath.bc.RFC3280CertPathUtilitiesHelper.checkCRLs2(RFC3280CertPathUtilitiesHelper.java:135)
	at eu.emi.security.authn.x509.helpers.pkipath.bc.CRLRevocationChecker.checkRevocation(CRLRevocationChecker.java:49)
	at eu.emi.security.authn.x509.helpers.pkipath.bc.FixedBCPKIXCertPathReviewer.checkRevocation(FixedBCPKIXCertPathReviewer.java:1745)
	at eu.emi.security.authn.x509.helpers.pkipath.bc.FixedBCPKIXCertPathReviewer.checkSignatures(FixedBCPKIXCertPathReviewer.java:738)
	at eu.emi.security.authn.x509.helpers.pkipath.bc.FixedBCPKIXCertPathReviewer.doChecks(FixedBCPKIXCertPathReviewer.java:217)
	at org.bouncycastle.x509.PKIXCertPathReviewer.getErrors(PKIXCertPathReviewer.java:222)
	at eu.emi.security.authn.x509.helpers.pkipath.BCCertPathValidator.checkNonProxyChain(BCCertPathValidator.java:308)
	at eu.emi.security.authn.x509.helpers.pkipath.BCCertPathValidator.validate(BCCertPathValidator.java:131)
	at eu.emi.security.authn.x509.helpers.pkipath.AbstractValidator.validate(AbstractValidator.java:129)
	at eu.emi.security.authn.x509.impl.OpensslCertChainValidator.validate(OpensslCertChainValidator.java:227)
	at eu.emi.security.authn.x509.helpers.ssl.SSLTrustManager.checkIfTrusted(SSLTrustManager.java:66)
	at eu.emi.security.authn.x509.helpers.ssl.SSLTrustManager.checkServerTrusted(SSLTrustManager.java:61)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1247)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:200)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:848)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:784)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1000)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1308)
	at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:686)
	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:119)
	... 35 more
05 Jun 2015 06:25:20,473 ERROR org.glite.authz.pep.client.PEPClient - Request failed for PEP Server https://lcga4ge.jinr.ru:8154/authz
org.glite.authz.pep.client.PEPClientException: Unable to read response from PEP Server https://lcga4ge.jinr.ru:8154/authz
	at org.glite.authz.pep.client.PEPClient.performRequest(PEPClient.java:214)
	at org.glite.authz.pep.client.PEPClient.authorize(PEPClient.java:127)
	at org.glite.ce.commonj.authz.argus.ArgusPEP.isPermitted(ArgusPEP.java:201)
	at org.glite.ce.commonj.authz.axis2.AuthorizationHandler.invoke(AuthorizationHandler.java:148)
	at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
	at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
	at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
	at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168)
	at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
	at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
	at java.lang.Thread.run(Thread.java:701)
Caused by: javax.net.ssl.SSLException: java.lang.NullPointerException
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1824)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1787)
	at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1770)
	at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1696)
	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:124)
	at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
	at java.io.BufferedOutputStream.write(BufferedOutputStream.java:121)
	at java.io.FilterOutputStream.write(FilterOutputStream.java:97)
	at org.apache.commons.httpclient.methods.StringRequestEntity.writeRequest(StringRequestEntity.java:145)
	at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:499)
	at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
	at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
	at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
	at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
	at org.glite.authz.pep.client.PEPClient.performRequest(PEPClient.java:193)
	... 23 more
Caused by: java.lang.NullPointerException
	at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.processCRLF(RFC3280CertPathUtilities.java:487)
	at eu.emi.security.authn.x509.helpers.pkipath.bc.RFC3280CertPathUtilitiesHelper.processCRLF2(RFC3280CertPathUtilitiesHelper.java:540)
	at eu.emi.security.authn.x509.helpers.pkipath.bc.RFC3280CertPathUtilitiesHelper.checkCRL(RFC3280CertPathUtilitiesHelper.java:288)
	at eu.emi.security.authn.x509.helpers.pkipath.bc.RFC3280CertPathUtilitiesHelper.checkCRLs2(RFC3280CertPathUtilitiesHelper.java:135)
	at eu.emi.security.authn.x509.helpers.pkipath.bc.CRLRevocationChecker.checkRevocation(CRLRevocationChecker.java:49)
	at eu.emi.security.authn.x509.helpers.pkipath.bc.FixedBCPKIXCertPathReviewer.checkRevocation(FixedBCPKIXCertPathReviewer.java:1745)
	at eu.emi.security.authn.x509.helpers.pkipath.bc.FixedBCPKIXCertPathReviewer.checkSignatures(FixedBCPKIXCertPathReviewer.java:738)
	at eu.emi.security.authn.x509.helpers.pkipath.bc.FixedBCPKIXCertPathReviewer.doChecks(FixedBCPKIXCertPathReviewer.java:217)
	at org.bouncycastle.x509.PKIXCertPathReviewer.getErrors(PKIXCertPathReviewer.java:222)
	at eu.emi.security.authn.x509.helpers.pkipath.BCCertPathValidator.checkNonProxyChain(BCCertPathValidator.java:308)
	at eu.emi.security.authn.x509.helpers.pkipath.BCCertPathValidator.validate(BCCertPathValidator.java:131)
	at eu.emi.security.authn.x509.helpers.pkipath.AbstractValidator.validate(AbstractValidator.java:129)
	at eu.emi.security.authn.x509.impl.OpensslCertChainValidator.validate(OpensslCertChainValidator.java:227)
	at eu.emi.security.authn.x509.helpers.ssl.SSLTrustManager.checkIfTrusted(SSLTrustManager.java:66)
	at eu.emi.security.authn.x509.helpers.ssl.SSLTrustManager.checkServerTrusted(SSLTrustManager.java:61)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1247)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:200)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:848)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:784)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1000)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1308)
	at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:686)
	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:119)
	... 35 more
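The check a site admin would want to run after this thread, as an added example that is not part of the original post and is not code from the CREAM, Argus, canl-java or EGI projects: for one host certificate and a shared CA directory in the OpenSSL hash layout (<hash>.0 for CA certificates, <hash>.r0 for CRLs, as in /etc/grid-security/certificates), it reports, in the order the thread hit them, whether the certificate itself has expired, whether a CRL file for its issuer is present at all, and whether the full chain plus CRL check passes. The demo PKI it builds ("Demo Grid CA", host.demo.grid, old.demo.grid, the backdated 2014 certificate) is constructed for this example and is unrelated to RDIG or rnag-sb.

```shell
#!/bin/sh
# Added example (not from the thread or from the CREAM/Argus projects):
# audit one host certificate against a shared CA directory laid out the
# way /etc/grid-security/certificates is: <hash>.0 for CA certs,
# <hash>.r0 for CRLs.  The PKI built by make_demo_pki is constructed for
# this example; "Demo Grid CA", host.demo.grid and old.demo.grid are invented.

# check_host_cert CERT CERTDIR
# Returns 0 when CERT is unexpired, a CRL for its issuer exists in CERTDIR
# and the chain + CRL verification passes; otherwise prints the first
# problem found and returns 1.
check_host_cert() {
  cert="$1"; certdir="$2"
  # 1. the certificate itself: rnag-sb was presenting one that expired in 2014
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
    printf 'EXPIRED: %s (%s)\n' "$cert" "$(openssl x509 -in "$cert" -noout -enddate)"
    return 1
  fi
  # 2. a CRL file for the issuer, named by the hash of the issuer DN
  ihash=$(openssl x509 -in "$cert" -noout -issuer_hash)
  crl="$certdir/$ihash.r0"
  if [ ! -f "$crl" ]; then
    printf 'NO CRL: %s missing for %s\n' "$crl" "$(openssl x509 -in "$cert" -noout -issuer)"
    return 1
  fi
  # 3. chain, CRL signature, CRL freshness and revocation status in one go
  if ! out=$(openssl verify -crl_check -CApath "$certdir" "$cert" 2>&1); then
    printf 'VERIFY FAILED: %s\n' "$out"
    return 1
  fi
  printf 'OK: %s; CRL %s\n' "$(openssl x509 -in "$cert" -noout -subject)" \
    "$(openssl crl -in "$crl" -noout -nextupdate)"
  return 0
}

# make_demo_pki DIR
# Constructs a throwaway CA, a current CRL, one valid host cert (host.pem)
# and one that expired in 2014 (old.pem), and installs CA and CRL under
# DIR/certificates in hash layout.
make_demo_pki() {
  dir="$1"; ca="$dir/ca"
  mkdir -p "$ca/newcerts" "$dir/certificates"
  : > "$ca/index.txt"; echo 1000 > "$ca/serial"; echo 1000 > "$ca/crlnumber"
  cat > "$ca/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = $ca/index.txt
new_certs_dir = $ca/newcerts
serial = $ca/serial
crlnumber = $ca/crlnumber
certificate = $ca/ca.pem
private_key = $ca/ca.key
default_md = sha256
default_days = 365
default_crl_days = 7
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$ca/ca.key" -out "$ca/ca.pem" \
    -subj "/O=DemoGrid/CN=Demo Grid CA" >/dev/null 2>&1
  for name in host old; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
      -out "$dir/$name.csr" -subj "/CN=$name.demo.grid" >/dev/null 2>&1
  done
  openssl ca -batch -config "$ca/ca.cnf" -notext \
    -in "$dir/host.csr" -out "$dir/host.pem" >/dev/null 2>&1
  # openssl ca can backdate: this is the 2014-expired host certificate
  openssl ca -batch -config "$ca/ca.cnf" -notext \
    -startdate 140101000000Z -enddate 141231235959Z \
    -in "$dir/old.csr" -out "$dir/old.pem" >/dev/null 2>&1
  openssl ca -config "$ca/ca.cnf" -gencrl -out "$dir/crl.pem" >/dev/null 2>&1
  h=$(openssl x509 -in "$ca/ca.pem" -noout -subject_hash)
  cp "$ca/ca.pem" "$dir/certificates/$h.0"
  cp "$dir/crl.pem" "$dir/certificates/$h.r0"
}

# Run with "demo" as the first argument to see both outcomes.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_demo_pki "$d"
  check_host_cert "$d/host.pem" "$d/certificates"
  check_host_cert "$d/old.pem" "$d/certificates"
fi
```

Against a real site the function would be called once per service certificate with `/etc/grid-security/certificates` as the second argument, before and after a ca-policy-egi-core update; the first two checks pin down the two failure modes from the thread (a stale host certificate, and a missing or misnamed CRL file) without depending on the Java validator's error text, and the third is what `openssl verify -crl_check` does for the whole chain, which is the closest command-line equivalent to what the trust manager in the attached stack trace was attempting.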

