[HTCondor-users] SciTokens auth failing via private network



Hi all,
there is a grid site with a CE that works with SciTokens via the internet,
but fails when probed from a local client host via a private network,
while that same host can probe remote CEs OK with SciTokens.
It also can submit jobs to the CE using GSI.

The remarkable observation is that SciTokens first appears to work OK,
as the correct user mapping is determined, but then it finally fails on
another (?) certificate check:

$ _condor_TOOL_DEBUG=D_SECURITY:2 \
  _condor_SEC_CLIENT_AUTHENTICATION_METHODS=SCITOKENS \
  BEARER_TOKEN_FILE=the-token-file condor_ping -debug \
  -pool the-CE:9619 -name the_CE -type schedd write

[...]
04/11/23 18:04:32 SECMAN: received post-auth classad:
ReturnCode = "AUTHORIZED"
[...]
User = "the-expected-user@xxxxxxxxxxxxxxxxxx"
[...]
04/11/23 18:04:32 SECMAN: policy to be cached:
AuthMethods = "SCITOKENS"
[...]
MyRemoteUserName = "the-expected-user@xxxxxxxxxxxxxxxxxx"
[...]
04/11/23 18:04:32 SECMAN: new session, doing initial authentication.
04/11/23 18:04:32 SECMAN: authenticating RIGHT NOW.
04/11/23 18:04:32 SECMAN: AuthMethodsList: SCITOKENS
04/11/23 18:04:32 SECMAN: Auth methods: SCITOKENS
[...]
04/11/23 18:04:32 SSL Auth: post_connection_check.
04/11/23 18:04:32 SSL_get_peer_certificate returned data.
04/11/23 18:04:32 No SSL host name specified.
04/11/23 18:04:32 SSL Auth: Error on check of peer certificate
04/11/23 18:04:32 SSL Auth: application verification failure
04/11/23 18:04:32 Client performs one last exchange of messages.
04/11/23 18:04:32 SSL Auth: SSL Authentication failed
04/11/23 18:04:32 SSL Auth: Receive message.
04/11/23 18:04:32 Received message (4).
04/11/23 18:04:32 Send message (3).
04/11/23 18:04:32 AUTHENTICATE: method 4096 (SCITOKENS) failed.
[...]


What might be done about this matter?