GENI-NSF / geni-tools

Omni, stitcher, GCF sample aggregate manager, and other GENI tools.

exit if an AM does not trust the user certificate #787

Open ahelsing opened 9 years ago

ahelsing commented 9 years ago

If a user's certificate is not trusted at an AM, stitcher does not notice and keeps retrying at the SCS.

Bail early

Imported from trac ticket #787, created by ahelsing on 03-05-2015 at 17:01, last modified: 05-15-2015 at 08:56

ahelsing commented 9 years ago

At an SFA AM doing createsliver it gives:

03/05 16:49:34 ERROR    amhandler.py:5949  {'output': ": CreateSliver: Insufficient rights: Access denied: <class 'sfa.util.faults.CertMissingParent'> -- u'[ OU: authority, CN: ff2b8e71-6c70-4c63-9c5b-e88d7010478f, SubjectAltName: email:portal-sandbox-admin@gpolab.bbn.com, URI:urn:publicid:IDN+ch1.gpolab.bbn.com+authority+sa, URI:uuid:ff2b8e71-6c70-4c63-9c5b-e88d7010478f ]: Issuer ch1.gpolab.bbn.com is not one of the 12 trusted roots, and cert has no parent.'", 'geni_api': 2, 'code': {'am_type': 'sfa', 'geni_code': 3, 'am_code': 3}, 'value': ''}

Trac comment by ahelsing on 03-05-2015 at 17:02

ahelsing commented 9 years ago

Another sample:

03/05 16:49:34 ERROR    dossl.py:123 Can't do Check AM properties at max-ig. Server does not trust the CA (4811d309-bc04-4726-b2e7-408d63848087) that signed your (urn:publicid:IDN+ch1.gpolab.bbn.com+user+sedwards) user certificate! Use an account at another clearinghouse or find another server.
03/05 16:49:34 DEBUG    dossl.py:126 Traceback (most recent call last):
  File "/usr/share/geni-ch/portal/gcf-2.8/src/gcf/omnilib/util/dossl.py", line 76, in _do_ssl
    result = fn(*args)
  File "/usr/lib/python2.6/xmlrpclib.py", line 1199, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib/python2.6/xmlrpclib.py", line 1489, in __request
    verbose=self.__verbose
  File "/usr/lib/python2.6/xmlrpclib.py", line 1235, in request
    self.send_content(h, request_body)
  File "/usr/lib/python2.6/xmlrpclib.py", line 1349, in send_content
    connection.endheaders()
  File "/usr/lib/python2.6/httplib.py", line 904, in endheaders
    self._send_output()
  File "/usr/lib/python2.6/httplib.py", line 776, in _send_output
    self.send(msg)
  File "/usr/lib/python2.6/httplib.py", line 735, in send
    self.connect()
  File "/usr/lib/python2.6/httplib.py", line 1112, in connect
    self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file)
  File "/usr/lib/python2.6/ssl.py", line 350, in wrap_socket
    suppress_ragged_eofs=suppress_ragged_eofs)
  File "/usr/lib/python2.6/ssl.py", line 118, in __init__
    self.do_handshake()
  File "/usr/lib/python2.6/ssl.py", line 293, in do_handshake
    self._sslobj.do_handshake()
SSLError: [Errno 1] _ssl.c:480: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

03/05 16:49:34 DEBUG    amhandler.py:549 Added GetVersion error output to cache for https://www.instageni.maxgigapop.net:12369/protogeni/xmlrpc/am: Server does not trust the CA (4811d309-bc04-4726-b2e7-408d63848087) that signed your (urn:publicid:IDN+ch1.gpolab.bbn.com+user+sedwards) user certificate! Use an account at another clearinghouse or find another server.
03/05 16:49:34 DEBUG    amhandler.py:488 Wrote GetVersionCache to /tmp/omni-invoke-sedwards-HfVQoT/omniVersionCache
03/05 16:49:34 DEBUG    amhandler.py:669 Couldn't get api version supported from GetVersion: AM max-ig failed getversion (empty): Server does not trust the CA (4811d309-bc04-4726-b2e7-408d63848087) that signed your (urn:publicid:IDN+ch1.gpolab.bbn.com+user+sedwards) user certificate! Use an account at another clearinghouse or find another server.
03/05 16:49:34 ERROR    amhandler.py:5949 Aggregate max-ig does not trust your certificate: Server does not trust the CA (4811d309-bc04-4726-b2e7-408d63848087) that signed your (urn:publicid:IDN+ch1.gpolab.bbn.com+user+sedwards) user certificate! Use an account at another clearinghouse or find another server.
03/05 16:49:34 ERROR    objects.py:4112 Failed to listresources at <Aggregate max-ig>: Aggregate max-ig does not trust your certificate: Server does not trust the CA (4811d309-bc04-4726-b2e7-408d63848087) that signed your (urn:publicid:IDN+ch1.gpolab.bbn.com+user+sedwards) user certificate! Use an account at another clearinghouse or find another server.
03/05 16:49:34 DEBUG    objects.py:3985 Failed to list avail resources: Aggregate max-ig does not trust your certificate: Server does not trust the CA (4811d309-bc04-4726-b2e7-408d63848087) that signed your (urn:publicid:IDN+ch1.gpolab.bbn.com+user+sedwards) user certificate! Use an account at another clearinghouse or find another server.

Trac comment by ahelsing on 03-05-2015 at 17:03

ahelsing commented 9 years ago

3/05 16:49:32 DEBUG    stitchhandler.py:2868 Getting extra AM info from Omni for AM <Aggregate urn:publicid:IDN+pks2.sdn.uky.edu+authority+cm>
.....
03/05 16:49:32 ERROR    dossl.py:123 Can't do Check AM properties at ukypks2-ig. Server does not trust the CA (4811d309-bc04-4726-b2e7-408d63848087) that signed your (urn:publicid:IDN+ch1.gpolab.bbn.com+user+sedwards) user certificate! Use an account at another clearinghouse or find another server.
03/05 16:49:32 DEBUG    dossl.py:126 Traceback (most recent call last):
  File "/usr/share/geni-ch/portal/gcf-2.8/src/gcf/omnilib/util/dossl.py", line 76, in _do_ssl
    result = fn(*args)
  File "/usr/lib/python2.6/xmlrpclib.py", line 1199, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib/python2.6/xmlrpclib.py", line 1489, in __request
    verbose=self.__verbose
  File "/usr/lib/python2.6/xmlrpclib.py", line 1235, in request
    self.send_content(h, request_body)
  File "/usr/lib/python2.6/xmlrpclib.py", line 1349, in send_content
    connection.endheaders()
  File "/usr/lib/python2.6/httplib.py", line 904, in endheaders
    self._send_output()
  File "/usr/lib/python2.6/httplib.py", line 776, in _send_output
    self.send(msg)
  File "/usr/lib/python2.6/httplib.py", line 735, in send
    self.connect()
  File "/usr/lib/python2.6/httplib.py", line 1112, in connect
    self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file)
  File "/usr/lib/python2.6/ssl.py", line 350, in wrap_socket
    suppress_ragged_eofs=suppress_ragged_eofs)
  File "/usr/lib/python2.6/ssl.py", line 118, in __init__
    self.do_handshake()
  File "/usr/lib/python2.6/ssl.py", line 293, in do_handshake
    self._sslobj.do_handshake()
SSLError: [Errno 1] _ssl.c:480: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

03/05 16:49:32 DEBUG    amhandler.py:549 Added GetVersion error output to cache for https://www.pks2.sdn.uky.edu:12369/protogeni/xmlrpc/am: Server does not trust the CA (4811d309-bc04-4726-b2e7-408d63848087) that signed your (urn:publicid:IDN+ch1.gpolab.bbn.com+user+sedwards) user certificate! Use an account at another clearinghouse or find another server.
03/05 16:49:32 DEBUG    amhandler.py:488 Wrote GetVersionCache to /tmp/omni-invoke-sedwards-HfVQoT/omniVersionCache
03/05 16:49:32 DEBUG    amhandler.py:669 Couldn't get api version supported from GetVersion: AM ukypks2-ig failed getversion (empty): Server does not trust the CA (4811d309-bc04-4726-b2e7-408d63848087) that signed your (urn:publicid:IDN+ch1.gpolab.bbn.com+user+sedwards) user certificate! Use an account at another clearinghouse or find another server.
03/05 16:49:32 ERROR    amhandler.py:5949 Aggregate ukypks2-ig does not trust your certificate: Server does not trust the CA (4811d309-bc04-4726-b2e7-408d63848087) that signed your (urn:publicid:IDN+ch1.gpolab.bbn.com+user+sedwards) user certificate! Use an account at another clearinghouse or find another server.
03/05 16:49:32 DEBUG    stitchhandler.py:2999 Got error extracting extra AM info: Aggregate ukypks2-ig does not trust your certificate: Server does not trust the CA (4811d309-bc04-4726-b2e7-408d63848087) that signed your (urn:publicid:IDN+ch1.gpolab.bbn.com+user+sedwards) user certificate! Use an account at another clearinghouse or find another server.
03/05 16:49:32 DEBUG    stitchhandler.py:3001 Traceback (most recent call last):
  File "/usr/share/geni-ch/portal/gcf-2.8/src/gcf/omnilib/stitchhandler.py", line 2869, in add_am_info
    (text, version) = omni.call(omniargs, options_copy)
  File "/usr/share/geni-ch/portal/gcf-2.8/src/gcf/oscript.py", line 765, in call
    return API_call( framework, config, args, opts, verbose=verbose )
  File "/usr/share/geni-ch/portal/gcf-2.8/src/gcf/oscript.py", line 839, in API_call
    result = handler._handle(args)
  File "/usr/share/geni-ch/portal/gcf-2.8/src/gcf/omnilib/handler.py", line 86, in _handle
    msg = self.amhandler._correctAPIVersion(args)
  File "/usr/share/geni-ch/portal/gcf-2.8/src/gcf/omnilib/amhandler.py", line 183, in _correctAPIVersion
    self._raise_omni_error(message)
  File "/usr/share/geni-ch/portal/gcf-2.8/src/gcf/omnilib/amhandler.py", line 5951, in _raise_omni_error
    raise err, msg
OmniError: Aggregate ukypks2-ig does not trust your certificate: Server does not trust the CA (4811d309-bc04-4726-b2e7-408d63848087) that signed your (urn:publicid:IDN+ch1.gpolab.bbn.com+user+sedwards) user certificate! Use an account at another clearinghouse or find another server.

Trac comment by ahelsing on 03-05-2015 at 17:05

ahelsing commented 9 years ago

At EG we'll get:

Unknown SSL error: [Errno 8] _ssl.c:510: EOF occurred in violation of protocol

At AL2S we get:

ProtocolError: <ProtocolError for geni-al2s.net.internet2.edu:3626/foam/gapi/2: 400 Bad Request>

At GRAM we get:

SSLError: [Errno 1] _ssl.c:510: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
...
09:13:19 ERROR   : Aggregate clemson-og does not trust your certificate: Server does not trust the CA (0b2c83d3-369b-4d4e-bb1d-6f5bd1affb4c) that signed your (urn:publicid:IDN+ch-ah.gpolab.bbn.com+user+ahelsing) user certificate! Use an account at another clearinghouse or find another server.

At IG we get:

SSLError: [Errno 1] _ssl.c:510: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
...
09:14:18 ERROR   : Aggregate illinois-ig does not trust your certificate: Server does not trust the CA (0b2c83d3-369b-4d4e-bb1d-6f5bd1affb4c) that signed your (urn:publicid:IDN+ch-ah.gpolab.bbn.com+user+ahelsing) user certificate! Use an account at another clearinghouse or find another server.

Trac comment by ahelsing on 03-06-2015 at 09:16
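The ticket asks stitcher to bail out as soon as an AM rejects the user certificate instead of looping back to the SCS. The sketch below is an added illustration (not geni-tools code): it classifies the error text quoted across the comments above into "certificate not trusted, do not retry" versus "anything else", and wraps a call so the first kind aborts on the first attempt. The sample messages are condensed from the ticket's own log excerpts; function names are my own.

```python
import re

# Message signatures for "this AM does not trust the user certificate", taken
# from the errors quoted in this ticket (added illustration, not stitcher's own
# code). EG's "EOF occurred in violation of protocol" and AL2S's "400 Bad
# Request" are left out on purpose: that text is too generic to prove a trust
# failure, so those still go down the normal retry path.
UNTRUSTED_CERT_PATTERNS = [
    re.compile(r"tlsv1 alert unknown ca"),                # TLS unknown_ca alert
    re.compile(r"CertMissingParent"),                     # SFA AM fault class
    re.compile(r"is not one of the \d+ trusted roots"),   # SFA AM fault text
    re.compile(r"does not trust the CA \([0-9a-f-]+\)"),  # omni dossl.py wording
    re.compile(r"does not trust your certificate"),       # omni amhandler.py wording
]


class UntrustedCertError(Exception):
    """The AM rejected our certificate; retrying cannot fix it."""


def is_untrusted_cert_error(message):
    return any(p.search(message) for p in UNTRUSTED_CERT_PATTERNS)


def call_with_retry(fn, max_attempts=3):
    """Call fn(), retrying transient errors up to max_attempts, but raise
    UntrustedCertError immediately on a trust rejection. Returns (result, attempts)."""
    last = None
    for attempt in range(1, max_attempts + 1):
        try:
            return fn(), attempt
        except Exception as e:
            if is_untrusted_cert_error(str(e)):
                raise UntrustedCertError("%s (not retrying)" % e)
            last = e
    raise last


# Constructed samples, condensed from the log excerpts in this ticket.
SAMPLE_ERRORS = {
    "sfa": "Access denied: <class 'sfa.util.faults.CertMissingParent'> -- Issuer "
           "ch1.gpolab.bbn.com is not one of the 12 trusted roots, and cert has no parent.",
    "ig": "SSLError: [Errno 1] _ssl.c:510: error:14094418:SSL routines:"
          "SSL3_READ_BYTES:tlsv1 alert unknown ca",
    "omni": "Aggregate max-ig does not trust your certificate: Server does not trust "
            "the CA (4811d309-bc04-4726-b2e7-408d63848087) that signed your user certificate!",
    "eg": "Unknown SSL error: [Errno 8] _ssl.c:510: EOF occurred in violation of protocol",
    "al2s": "ProtocolError: <ProtocolError for geni-al2s.net.internet2.edu:3626/foam/gapi/2: 400 Bad Request>",
}
```

The EG and AL2S cases show the limit of text matching: those messages also appear for unrelated outages, so a real fix would need the AM to return a distinguishable code (as the SFA AM does with its fault class) before stitcher can safely treat them as fatal.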