ESGF / esgf-installer

ESGF P2P Node Installer
https://esgf.llnl.gov/

Myproxy-logon failing post 3.x auto install #597

Closed nathanlcarlson closed 5 years ago

nathanlcarlson commented 5 years ago

myproxy-logon in verbose mode (using the -v flag) reports the following error after providing the correct passphrase.

Failed to receive credentials.
ERROR from myproxy-server:
Certificate generation failure.
Error accepting delegated credentials: server-side error: check server logs

Since the server logs were not specified, I read up on the documentation at http://grid.ncsa.illinois.edu/myproxy/man/myproxy-server.config.5.html and found that by default the system logger is used. I was not sure what this meant exactly, but looked in /var/log/messages and got lucky.

/var/log/messages reports the following error:

Oct  2 08:28:42 esgf-dev1 myproxy-server[25089]: Connection from {ip address}
Oct  2 08:28:42 esgf-dev1 myproxy-server[25089]: Authenticated client /O=ESGF/OU=ESGF.ORG/CN=esgf-dev1.llnl.gov
Oct  2 08:28:47 esgf-dev1 myproxy-server[25089]: Received GET request for username rootAdmin
Oct  2 08:28:47 esgf-dev1 PAM_pgsql[25089]: (myproxy) user rootAdmin authenticated.
Oct  2 08:28:47 esgf-dev1 myproxy-server[25089]: PAM authentication succeeded for rootAdmin
Oct  2 08:28:47 esgf-dev1 myproxy-server[25089]: Sending trust roots to /O=ESGF/OU=ESGF.ORG/CN=esgf-dev1.llnl.gov
Oct  2 08:28:48 esgf-dev1 myproxy-server[25089]: Got a cert request for user "rootAdmin", with pubkey hash "{hash}", and lifetime "259200"
Oct  2 08:28:48 esgf-dev1 myproxy-server[25089]: OpenSSL error parsing line 2 of of certificate_extapp call-out output. Internal cert generation failed CA failed to generate certificate 
Oct  2 08:28:48 esgf-dev1 myproxy-server[25089]: Client /O=ESGF/OU=ESGF.ORG/CN=esgf-dev1.llnl.gov disconnected

nathanlcarlson commented 5 years ago

The "certificate_extapp" is defined to be located at /esg/config/myproxy/esg_attribute_callout_app. It is of the same nature as the legacy "myproxy-certificate-mapapp" and is likely failing for the same reason as the legacy "myproxy-certificate-mapapp", as reported in #589. The incorrect database user is being used because of the failing sed command.

nathanlcarlson commented 5 years ago

The first solution that comes to mind is to rewrite it in Python, as was done with "myproxy-certificate-mapapp" in #482 and PR #590.

nathanlcarlson commented 5 years ago

@sashakames This is likely why there was a difference between the ~/.globus/certificate-file on esgf-dev1, which was a successful 2.x, and cwt-node, which was 3.x, that we were seeing yesterday.
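
A triage sketch for the /var/log/messages excerpt in the first comment, added here as an example and not part of the original thread or the esgf-installer code: it groups the syslog lines by PID and reports sessions where PAM authentication succeeded but certificate issuance failed, naming the call-out involved. The regular expressions, the function names and the one-PID-per-connection grouping are assumptions built from the wording of the excerpt.

```python
import re
from collections import defaultdict
# Constructed sample: the excerpt quoted in the issue, placeholders unchanged.
SAMPLE = """\
Oct  2 08:28:42 esgf-dev1 myproxy-server[25089]: Connection from {ip address}
Oct  2 08:28:42 esgf-dev1 myproxy-server[25089]: Authenticated client /O=ESGF/OU=ESGF.ORG/CN=esgf-dev1.llnl.gov
Oct  2 08:28:47 esgf-dev1 myproxy-server[25089]: Received GET request for username rootAdmin
Oct  2 08:28:47 esgf-dev1 PAM_pgsql[25089]: (myproxy) user rootAdmin authenticated.
Oct  2 08:28:47 esgf-dev1 myproxy-server[25089]: PAM authentication succeeded for rootAdmin
Oct  2 08:28:47 esgf-dev1 myproxy-server[25089]: Sending trust roots to /O=ESGF/OU=ESGF.ORG/CN=esgf-dev1.llnl.gov
Oct  2 08:28:48 esgf-dev1 myproxy-server[25089]: Got a cert request for user "rootAdmin", with pubkey hash "{hash}", and lifetime "259200"
Oct  2 08:28:48 esgf-dev1 myproxy-server[25089]: OpenSSL error parsing line 2 of of certificate_extapp call-out output. Internal cert generation failed CA failed to generate certificate
Oct  2 08:28:48 esgf-dev1 myproxy-server[25089]: Client /O=ESGF/OU=ESGF.ORG/CN=esgf-dev1.llnl.gov disconnected
"""
# Assumed traditional syslog layout: "Mon DD HH:MM:SS host prog[pid]: msg".
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ "
                  r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PROGS = {"myproxy-server", "PAM_pgsql"}  # PAM module logs under the same PID
# Patterns derived from the wording in the excerpt (assumption, not an API).
RULES = [
    ("client", re.compile(r"Authenticated client (.+)")),
    ("user", re.compile(r"Received GET request for username (\S+)")),
    ("pam_ok", re.compile(r"PAM authentication (succeeded) for")),
    ("callout", re.compile(r"error parsing line \d+ of(?: of)? (\S+) call-out")),
    ("failed", re.compile(r"(CA failed to generate certificate)")),
]

def sessions(text):
    """Collect per-connection facts, keyed by PID (assumes one PID per connection)."""
    out = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m or m["prog"] not in PROGS:
            continue
        s = out[m["pid"]]
        s.setdefault("first_seen", m["ts"])
        for key, rx in RULES:
            if (hit := rx.search(m["msg"])):
                s[key] = hit.group(1)
    return dict(out)

def issuance_failures(text):
    """Sessions where the login was accepted but no certificate was issued."""
    return [{"pid": pid, **s} for pid, s in sessions(text).items()
            if s.get("pam_ok") and s.get("failed")]

if __name__ == "__main__":
    for f in issuance_failures(SAMPLE):
        print(f["first_seen"], f["pid"], f.get("user"), f.get("callout"))
```

A session flagged this way points at the call-out configuration rather than at the user's credentials, which is the distinction the client-side "check server logs" message does not make.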