Document retrieved from a search engine cache. Original document address:
http://theory.sinp.msu.ru/pipermail/ru-ngi/2015q2/001567.html
Last modified: Fri Jun 5 17:17:53 2015. Indexed: Sun Apr 10 18:19:39 2016.
On Fri, 5 Jun 2015, Eygene Ryabinkin wrote:

> Valery, good afternoon.
>
> Fri, Jun 05, 2015 at 11:33:47AM +0300, Valery Mitsyn wrote:
>> Late last night I installed the new rpms from
>> ca-policy-egi-core-1.64-1; some time later
>> authorization broke.
>> The announcement for this ca-policy contains the line:
>> {{{
>> Updated RDIG CA with extended validity self-signed root (RU)
>> }}}
>> I suspect that the update caused the problems.
>> Since our certificates directory is shared,
>> the problems are on all services.
>
> Technically, only the validity period changed in the root certificate,
> so there should not be any big problems. And this was even tested
> before such a CA root was made.
>
> As far as I understand from reading the rest of this thread, somewhere Tomcat
> did not pick up the new certificates. It is very interesting exactly which problems
> there were, since even the old CA root is valid until 7 August, so
> there should not have been any problems with it yet either.

"Pleasant" surprises from Tomcat and co.: it cannot authorize via Argus PEP.
I have attached a piece of glite-ce-cream.log.

>
>> P.S. In the logs of the regional Argus, b4ng.jirn.ru,
>> I see this diagnostic:
>> {{{
>> 2015-06-05 08:27:25.364Z - ERROR [TrustStoreValidationErrorLogger] - Validation error: error at position 0 in chain, problematic certificate subject: CN=rnag-sb.t1.grid.kiae.ru,OU=grid.kiae.ru,OU=hosts,O=RDIG,C=RU (category: CRL): CRL for an expired certificate was not resolved Cause: No CRLs found for issuer "CN=Russian Data-Intensive Grid CA, O=RDIG, C=RU"
>> }}}
>> However, 55994d72.r0 is quite fresh: Jun 5 10:47 55994d72.r0
>
> On our rnag-sb (the test one) the host certificate in
> /etc/grid-security/certificates was not updated, so it was using a certificate
> that expired long ago (in 2014). I have fixed that now.
> What does Argus say?
>

Now it authorizes.
-- 
Best regards,
Valery Mitsyn
-------------- next part --------------
05 Jun 2015 06:25:19,539 ERROR org.glite.authz.pep.client.PEPClient - No PEP Server [https://lcga4ge.jinr.ru:8154/authz] was able to process the request
05 Jun 2015 06:25:19,539 ERROR org.glite.ce.commonj.authz.argus.ArgusPEP - No PEP Server [https://lcga4ge.jinr.ru:8154/authz] was able to process the request
05 Jun 2015 06:25:19,539 ERROR org.glite.ce.commonj.authz.axis2.AuthorizationHandler - Authorization failure: No PEP Server [https://lcga4ge.jinr.ru:8154/authz] was able to process the request
05 Jun 2015 06:25:19,539 ERROR org.apache.axis2.engine.AxisEngine - Authorization error
org.apache.axis2.AxisFault: Authorization error
    at org.glite.ce.cream.authz.axis2.AuthorizationHandler.getAuthorizationFault(AuthorizationHandler.java:152)
    at org.glite.ce.commonj.authz.axis2.AuthorizationHandler.invoke(AuthorizationHandler.java:170)
    at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168)
    at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
    at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Thread.java:701)
05 Jun 2015 06:25:20,473 ERROR org.glite.authz.pep.client.PEPClient - Unable to read response from PEP Server https://lcga4ge.jinr.ru:8154/authz
javax.net.ssl.SSLException: java.lang.NullPointerException
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1824)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1787)
    at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1770)
    at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1696)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:124)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
    at java.io.BufferedOutputStream.write(BufferedOutputStream.java:121)
    at java.io.FilterOutputStream.write(FilterOutputStream.java:97)
    at org.apache.commons.httpclient.methods.StringRequestEntity.writeRequest(StringRequestEntity.java:145)
    at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:499)
    at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
    at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
    at org.glite.authz.pep.client.PEPClient.performRequest(PEPClient.java:193)
    at org.glite.authz.pep.client.PEPClient.authorize(PEPClient.java:127)
    at org.glite.ce.commonj.authz.argus.ArgusPEP.isPermitted(ArgusPEP.java:201)
    at org.glite.ce.commonj.authz.axis2.AuthorizationHandler.invoke(AuthorizationHandler.java:148)
    at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168)
    at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
    at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Thread.java:701)
Caused by: java.lang.NullPointerException
    at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.processCRLF(RFC3280CertPathUtilities.java:487)
    at eu.emi.security.authn.x509.helpers.pkipath.bc.RFC3280CertPathUtilitiesHelper.processCRLF2(RFC3280CertPathUtilitiesHelper.java:540)
    at eu.emi.security.authn.x509.helpers.pkipath.bc.RFC3280CertPathUtilitiesHelper.checkCRL(RFC3280CertPathUtilitiesHelper.java:288)
    at eu.emi.security.authn.x509.helpers.pkipath.bc.RFC3280CertPathUtilitiesHelper.checkCRLs2(RFC3280CertPathUtilitiesHelper.java:135)
    at eu.emi.security.authn.x509.helpers.pkipath.bc.CRLRevocationChecker.checkRevocation(CRLRevocationChecker.java:49)
    at eu.emi.security.authn.x509.helpers.pkipath.bc.FixedBCPKIXCertPathReviewer.checkRevocation(FixedBCPKIXCertPathReviewer.java:1745)
    at eu.emi.security.authn.x509.helpers.pkipath.bc.FixedBCPKIXCertPathReviewer.checkSignatures(FixedBCPKIXCertPathReviewer.java:738)
    at eu.emi.security.authn.x509.helpers.pkipath.bc.FixedBCPKIXCertPathReviewer.doChecks(FixedBCPKIXCertPathReviewer.java:217)
    at org.bouncycastle.x509.PKIXCertPathReviewer.getErrors(PKIXCertPathReviewer.java:222)
    at eu.emi.security.authn.x509.helpers.pkipath.BCCertPathValidator.checkNonProxyChain(BCCertPathValidator.java:308)
    at eu.emi.security.authn.x509.helpers.pkipath.BCCertPathValidator.validate(BCCertPathValidator.java:131)
    at eu.emi.security.authn.x509.helpers.pkipath.AbstractValidator.validate(AbstractValidator.java:129)
    at eu.emi.security.authn.x509.impl.OpensslCertChainValidator.validate(OpensslCertChainValidator.java:227)
    at eu.emi.security.authn.x509.helpers.ssl.SSLTrustManager.checkIfTrusted(SSLTrustManager.java:66)
    at eu.emi.security.authn.x509.helpers.ssl.SSLTrustManager.checkServerTrusted(SSLTrustManager.java:61)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1247)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:200)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:848)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:784)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1000)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1308)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:686)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:119)
    ... 35 more
05 Jun 2015 06:25:20,473 ERROR org.glite.authz.pep.client.PEPClient - Request failed for PEP Server https://lcga4ge.jinr.ru:8154/authz
org.glite.authz.pep.client.PEPClientException: Unable to read response from PEP Server https://lcga4ge.jinr.ru:8154/authz
    at org.glite.authz.pep.client.PEPClient.performRequest(PEPClient.java:214)
    at org.glite.authz.pep.client.PEPClient.authorize(PEPClient.java:127)
    at org.glite.ce.commonj.authz.argus.ArgusPEP.isPermitted(ArgusPEP.java:201)
    at org.glite.ce.commonj.authz.axis2.AuthorizationHandler.invoke(AuthorizationHandler.java:148)
    at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168)
    at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
    at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Thread.java:701)
Caused by: javax.net.ssl.SSLException: java.lang.NullPointerException
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1824)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1787)
    at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1770)
    at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1696)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:124)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
    at java.io.BufferedOutputStream.write(BufferedOutputStream.java:121)
    at java.io.FilterOutputStream.write(FilterOutputStream.java:97)
    at org.apache.commons.httpclient.methods.StringRequestEntity.writeRequest(StringRequestEntity.java:145)
    at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:499)
    at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
    at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
    at org.glite.authz.pep.client.PEPClient.performRequest(PEPClient.java:193)
    ... 23 more
Caused by: java.lang.NullPointerException
    at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.processCRLF(RFC3280CertPathUtilities.java:487)
    at eu.emi.security.authn.x509.helpers.pkipath.bc.RFC3280CertPathUtilitiesHelper.processCRLF2(RFC3280CertPathUtilitiesHelper.java:540)
    at eu.emi.security.authn.x509.helpers.pkipath.bc.RFC3280CertPathUtilitiesHelper.checkCRL(RFC3280CertPathUtilitiesHelper.java:288)
    at eu.emi.security.authn.x509.helpers.pkipath.bc.RFC3280CertPathUtilitiesHelper.checkCRLs2(RFC3280CertPathUtilitiesHelper.java:135)
    at eu.emi.security.authn.x509.helpers.pkipath.bc.CRLRevocationChecker.checkRevocation(CRLRevocationChecker.java:49)
    at eu.emi.security.authn.x509.helpers.pkipath.bc.FixedBCPKIXCertPathReviewer.checkRevocation(FixedBCPKIXCertPathReviewer.java:1745)
    at eu.emi.security.authn.x509.helpers.pkipath.bc.FixedBCPKIXCertPathReviewer.checkSignatures(FixedBCPKIXCertPathReviewer.java:738)
    at eu.emi.security.authn.x509.helpers.pkipath.bc.FixedBCPKIXCertPathReviewer.doChecks(FixedBCPKIXCertPathReviewer.java:217)
    at org.bouncycastle.x509.PKIXCertPathReviewer.getErrors(PKIXCertPathReviewer.java:222)
    at eu.emi.security.authn.x509.helpers.pkipath.BCCertPathValidator.checkNonProxyChain(BCCertPathValidator.java:308)
    at eu.emi.security.authn.x509.helpers.pkipath.BCCertPathValidator.validate(BCCertPathValidator.java:131)
    at eu.emi.security.authn.x509.helpers.pkipath.AbstractValidator.validate(AbstractValidator.java:129)
    at eu.emi.security.authn.x509.impl.OpensslCertChainValidator.validate(OpensslCertChainValidator.java:227)
    at eu.emi.security.authn.x509.helpers.ssl.SSLTrustManager.checkIfTrusted(SSLTrustManager.java:66)
    at eu.emi.security.authn.x509.helpers.ssl.SSLTrustManager.checkServerTrusted(SSLTrustManager.java:61)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1247)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:200)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:848)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:784)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1000)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1308)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:686)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:119)
    ... 35 more
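Added example, not part of the mailing-list thread or of the Argus/CREAM code: a stdlib-only Python triage script for the two log formats quoted above. It parses the Argus TrustStoreValidationErrorLogger line (certificate subject, chain position, error category, CRL issuer) and the glite-ce-cream.log PEPClient errors with their Java traces (PEP server URL and the innermost "Caused by" frame), then turns "CRL for an expired certificate was not resolved" into the finding the thread ended on: the certificate itself has expired, and the missing CRL is a symptom. The sample input is constructed from the thread's excerpts (un-wrapped and trimmed); the function names and the ValidationError/PepFailure records are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input, modelled on the excerpts in the thread
# (the Argus line un-wrapped, and a trimmed glite-ce-cream.log trace).
ARGUS_LOG = (
    "2015-06-05 08:27:25.364Z - ERROR [TrustStoreValidationErrorLogger] - "
    "Validation error: error at position 0 in chain, problematic certificate subject: "
    "CN=rnag-sb.t1.grid.kiae.ru,OU=grid.kiae.ru,OU=hosts,O=RDIG,C=RU (category: CRL): "
    "CRL for an expired certificate was not resolved Cause: No CRLs found for issuer "
    '"CN=Russian Data-Intensive Grid CA, O=RDIG, C=RU"\n'
)
CREAM_LOG = """\
05 Jun 2015 06:25:19,539 ERROR org.glite.authz.pep.client.PEPClient - No PEP Server [https://lcga4ge.jinr.ru:8154/authz] was able to process the request
05 Jun 2015 06:25:19,539 ERROR org.apache.axis2.engine.AxisEngine - Authorization error
org.apache.axis2.AxisFault: Authorization error
    at org.glite.ce.cream.authz.axis2.AuthorizationHandler.getAuthorizationFault(AuthorizationHandler.java:152)
05 Jun 2015 06:25:20,473 ERROR org.glite.authz.pep.client.PEPClient - Unable to read response from PEP Server https://lcga4ge.jinr.ru:8154/authz
javax.net.ssl.SSLException: java.lang.NullPointerException
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
Caused by: java.lang.NullPointerException
    at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.processCRLF(RFC3280CertPathUtilities.java:487)
    at eu.emi.security.authn.x509.helpers.pkipath.bc.RFC3280CertPathUtilitiesHelper.processCRLF2(RFC3280CertPathUtilitiesHelper.java:540)
    ... 35 more
"""

ARGUS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \S+) - ERROR \[TrustStoreValidationErrorLogger\] - "
    r"Validation error: error at position (?P<pos>\d+) in chain, problematic certificate "
    r"subject: (?P<subject>.+?) \(category: (?P<category>\w+)\): (?P<message>.+?)"
    r"(?: Cause: (?P<cause>.+))?$"
)
ISSUER_RE = re.compile(r'issuer "(?P<issuer>[^"]+)"')
PEP_RE = re.compile(r"^(?P<ts>\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2},\d{3}) ERROR (?P<logger>\S+) - (?P<msg>.+)$")
URL_RE = re.compile(r"https?://[^\s\]]+")
CAUSED_BY_RE = re.compile(r"^Caused by: (?P<exc>[\w.$]+)")
FRAME_RE = re.compile(r"^\s+at (?P<frame>\S+)\(")


@dataclass
class ValidationError:
    timestamp: str
    position: int          # position in the chain; 0 is the end-entity (host) certificate
    subject: str
    category: str          # Argus/canl error category, e.g. CRL
    message: str
    issuer: Optional[str]  # issuer named in the "Cause:" part, if any


@dataclass
class PepFailure:
    timestamp: str
    logger: str
    message: str
    server: Optional[str]            # PEP endpoint named in the message, if any
    root_cause: Optional[str] = None  # innermost "Caused by" exception and its first frame


def parse_argus_log(text: str) -> List[ValidationError]:
    errors = []
    for line in text.splitlines():
        m = ARGUS_RE.match(line.strip())
        if not m:
            continue
        cause = m.group("cause")
        issuer_m = ISSUER_RE.search(cause) if cause else None
        errors.append(ValidationError(
            timestamp=m.group("ts"), position=int(m.group("pos")),
            subject=m.group("subject"), category=m.group("category"),
            message=m.group("message"),
            issuer=issuer_m.group("issuer") if issuer_m else None))
    return errors


def parse_cream_log(text: str) -> List[PepFailure]:
    failures: List[PepFailure] = []
    current: Optional[PepFailure] = None
    pending_exc: Optional[str] = None   # exception named by the last "Caused by:" line
    for line in text.splitlines():
        m = PEP_RE.match(line)
        if m:
            url = URL_RE.search(m.group("msg"))
            current = PepFailure(m.group("ts"), m.group("logger"), m.group("msg"),
                                 url.group(0) if url else None)
            failures.append(current)
            pending_exc = None
            continue
        c = CAUSED_BY_RE.match(line)
        if c:
            pending_exc = c.group("exc")
            continue
        f = FRAME_RE.match(line)
        if f and pending_exc and current is not None:
            # the last "Caused by" in a trace is the innermost one, so later ones overwrite
            current.root_cause = f"{pending_exc} at {f.group('frame')}"
            pending_exc = None
    return failures


def triage(errors: List[ValidationError], failures: List[PepFailure]) -> List[str]:
    findings = []
    for e in errors:
        if e.category == "CRL" and "expired certificate" in e.message:
            findings.append(f"{e.subject}: certificate at chain position {e.position} has expired; "
                            f"the missing CRL for issuer {e.issuer!r} is a symptom, renew the certificate first")
        else:
            findings.append(f"{e.subject}: {e.category}: {e.message}")
    seen = set()
    for f in failures:
        if f.server and (f.server, f.root_cause) not in seen:
            seen.add((f.server, f.root_cause))
            findings.append(f"PEP server {f.server} not usable: {f.root_cause or f.message}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_argus_log(ARGUS_LOG), parse_cream_log(CREAM_LOG)):
        print(finding)
```

Run against real files, the two parsers take the contents of the Argus PEP daemon log and glite-ce-cream.log respectively; the root-cause line makes the distinction the thread drew visible at a glance, since a NullPointerException inside RFC3280CertPathUtilities.processCRLF during the TLS handshake points at CRL processing for a certificate in the chain rather than at the new CA root.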