
Re: [Condor-users] SSL help




I tried to generate SSL keys using OpenSSL, but I am still getting an error. I am including errors posted in the MasterLog (different than the previous errors) as well as how I am generating the SSL keys. Is it possible that the passwords are causing the problem? I thought I followed the Condor SSL example (http://pages.cs.wisc.edu/~zmiller/ca-howto/), but I am still obviously doing something wrong.

Thanks for the help.
Mike

# Single-level and multi-level
########################## Root key and certificate ##############################
# Store these on a CD and do not give these out to anyone
#Create private root key
genrsa -des3 -out root-ca.key 2048
PWD: test1

#Create private certificate and self-sign root key (5 year duration)
req -new -x509 -days 1825 -key root-ca.key -out root-ca.crt -config OpenSSL_FORTcondor.cnf
PWD: test1
Default to settings if correct
Common Name: IGSKBACB-condoradmin
Email address: email here

#Create key, request, and self-signed certificate for signing (5 year duration)
# Duration must be same for some reason
genrsa -des3 -out signing-ca-1.key 2048
PWD: test2
req -new -days 1825 -key signing-ca-1.key -out signing-ca-1.csr -config OpenSSL_FORTcondor.cnf
PWD: test2
Default to settings if correct
Common Name: IGSKBACB-condoradmin
Email address: email here

#
ca -config OpenSSL_FORTcondor.cnf -name CA_root -extensions v3_ca -out signing-ca-1.crt -infiles signing-ca-1.csr
PWD: test1
Y
Y

req -newkey rsa:2048 -keyout IGSKBACBLT214.key -nodes -config OpenSSL_FORTcondor.cnf -out IGSKBACBLT214.req
Common Name: IGSKBACBLT214.gs.doi.net
Email address: email here
ca -config OpenSSL_FORTcondor.cnf -out IGSKBACBLT214.crt -infiles IGSKBACBLT214.req
PWD: test2
Y
Y

#Generated keys using openssl
MasterLog
01/27 08:11:13 ******************************************************
01/27 08:11:13 ** Condor (CONDOR_MASTER) STARTING UP
01/27 08:11:13 ** C:\Condor\bin\condor_master.exe
01/27 08:11:13 ** SubsystemInfo: name=MASTER type=MASTER(2) class=DAEMON(1)
01/27 08:11:13 ** Configuration: subsystem:MASTER local:<NONE> class:DAEMON
01/27 08:11:13 ** $CondorVersion: 7.4.0 Oct 31 2009 BuildID: 193173 $
01/27 08:11:13 ** $CondorPlatform: INTEL-WINNT50 $
01/27 08:11:13 ** PID = 1812
01/27 08:11:13 ** Log last touched 1/27 08:04:15
01/27 08:11:13 ******************************************************
01/27 08:11:13 Using config source: \\igskbacbfs001\condor$\Secured\Condor_Config\Global\FORTcondor_config
01/27 08:11:13 Using local config sources:
01/27 08:11:13    \\igskbacbfs001\condor$\Secured\Condor_Config\Local\condor_config_IGSKBACBLT214.local
01/27 08:11:13 DaemonCore: Command Socket at <159.189.162.73:1131>
01/27 08:11:13 Started DaemonCore process "C:\Condor/bin/condor_collector.exe", pid and pgroup = 3312
01/27 08:11:17 Started DaemonCore process "C:\Condor/bin/condor_negotiator.exe", pid and pgroup = 3044
01/27 08:11:17 Trying to accept.
01/27 08:11:18 SSL: trying to continue reading.
01/27 08:11:18 Receive message.
01/27 08:11:18 Trying to accept.
01/27 08:11:18 SSL: trying to continue reading.
01/27 08:11:18 Trying to accept.
01/27 08:11:18 SSL: trying to continue reading.
01/27 08:11:18 Receive message.
01/27 08:11:18 SSL Authentication failed
01/27 08:11:18 AUTHENTICATE: no available authentication methods succeeded, failing!
01/27 08:11:18 DC_AUTHENTICATE: authenticate failed: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using SSL
01/27 08:11:18 Trying to accept.
01/27 08:11:18 SSL: trying to continue reading.
01/27 08:11:18 Receive message.
01/27 08:11:18 Trying to accept.
01/27 08:11:18 SSL: trying to continue reading.
01/27 08:11:18 Trying to accept.
01/27 08:11:18 SSL: trying to continue reading.
01/27 08:11:18 Receive message.
01/27 08:11:18 SSL Authentication failed
01/27 08:11:18 AUTHENTICATE: no available authentication methods succeeded, failing!
01/27 08:11:18 DC_AUTHENTICATE: authenticate failed: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using SSL
01/27 08:11:23 Trying to accept.
01/27 08:11:23 SSL: trying to continue reading.
01/27 08:11:23 Receive message.
01/27 08:11:23 Trying to accept.
01/27 08:11:23 SSL: trying to continue reading.
01/27 08:11:23 Trying to accept.
01/27 08:11:23 SSL: trying to continue reading.
01/27 08:11:23 Receive message.
01/27 08:11:23 SSL Authentication failed
01/27 08:11:23 AUTHENTICATE: no available authentication methods succeeded, failing!
01/27 08:11:23 DC_AUTHENTICATE: authenticate failed: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using SSL
01/27 08:11:23 Trying to accept.
01/27 08:11:23 SSL: trying to continue reading.
01/27 08:11:23 Receive message.
01/27 08:11:23 Trying to accept.
01/27 08:11:24 SSL: trying to continue reading.
01/27 08:11:24 Trying to accept.
01/27 08:11:24 SSL: trying to continue reading.
01/27 08:11:24 Receive message.
01/27 08:11:24 SSL Authentication failed
01/27 08:11:24 AUTHENTICATE: no available authentication methods succeeded, failing!
01/27 08:11:24 DC_AUTHENTICATE: authenticate failed: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using SSL
01/27 08:11:28 Trying to accept.
01/27 08:11:28 SSL: trying to continue reading.
01/27 08:11:28 Receive message.
01/27 08:11:28 Trying to accept.
01/27 08:11:28 SSL: trying to continue reading.
01/27 08:11:28 Trying to accept.
01/27 08:11:28 SSL: trying to continue reading.
01/27 08:11:28 Receive message.
01/27 08:11:28 SSL Authentication failed
01/27 08:11:28 AUTHENTICATE: no available authentication methods succeeded, failing!
01/27 08:11:28 DC_AUTHENTICATE: authenticate failed: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using SSL
01/27 08:11:28 condor_read() failed: recv() returned -1, errno = 10054 , reading 5 bytes from <159.189.162.73:9618>.
01/27 08:11:28 IO: Failed to read packet header
01/27 08:11:28 SECMAN: no classad from server, failing
01/27 08:11:28 ERROR: SECMAN:2004:Failed to create security session to <159.189.162.73:9618> with TCP.|SECMAN:2007:Failed to end classad message.
01/27 08:11:28 Failed to start non-blocking update to <159.189.162.73:9618>.
01/27 08:11:29 Trying to accept.
01/27 08:11:29 SSL: trying to continue reading.
01/27 08:11:29 Receive message.
01/27 08:11:29 Trying to accept.
01/27 08:11:29 SSL: trying to continue reading.
01/27 08:11:29 Trying to accept.
01/27 08:11:29 SSL: trying to continue reading.
01/27 08:11:29 Receive message.
01/27 08:11:29 SSL Authentication failed
01/27 08:11:29 AUTHENTICATE: no available authentication methods succeeded, failing!
01/27 08:11:29 DC_AUTHENTICATE: authenticate failed: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using SSL
01/27 08:11:30 The NEGOTIATOR (pid 3044) exited with status 4
01/27 08:11:30 Sending obituary for "C:\Condor/bin/condor_negotiator.exe"
01/27 08:11:37 restarting C:\Condor/bin/condor_negotiator.exe in 10 seconds
01/27 08:11:38 attempt to connect to <159.189.162.73:9618> failed: connect errno = 10061 connection refused.
01/27 08:11:38 ERROR: SECMAN:2004:Failed to create security session to <159.189.162.73:9618> with TCP.|SECMAN:2003:TCP connection to <159.189.162.73:9618> failed.
01/27 08:11:38 Failed to start non-blocking update to <159.189.162.73:9618>.
01/27 08:11:38 The COLLECTOR (pid 3312) exited with status 4
01/27 08:11:38 Sending obituary for "C:\Condor/bin/condor_collector.exe"
01/27 08:11:41 restarting C:\Condor/bin/condor_collector.exe in 10 seconds
01/27 08:11:41 attempt to connect to <159.189.162.73:9618> failed: connect errno = 10061 connection refused.
01/27 08:11:41 ERROR: SECMAN:2004:Failed to create security session to <159.189.162.73:9618> with TCP.|SECMAN:2003:TCP connection to <159.189.162.73:9618> failed.
01/27 08:11:41 Failed to start non-blocking update to <159.189.162.73:9618>.
01/27 08:11:47 Started DaemonCore process "C:\Condor/bin/condor_negotiator.exe", pid and pgroup = 2576
01/27 08:11:47 attempt to connect to <159.189.162.73:9618> failed: connect errno = 10061 connection refused.
01/27 08:11:47 ERROR: SECMAN:2004:Failed to create security session to <159.189.162.73:9618> with TCP.|SECMAN:2003:TCP connection to <159.189.162.73:9618> failed.
01/27 08:11:47 Failed to start non-blocking update to <159.189.162.73:9618>.
01/27 08:11:47 Trying to accept.
01/27 08:11:47 SSL: trying to continue reading.
01/27 08:11:47 Receive message.
01/27 08:11:47 Trying to accept.
01/27 08:11:47 SSL: trying to continue reading.
01/27 08:11:47 Trying to accept.
01/27 08:11:47 SSL: trying to continue reading.
01/27 08:11:47 Receive message.
01/27 08:11:47 SSL Authentication failed
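
Added example, not part of the original message or of Condor: a self-contained check of a two-level chain shaped like the one above (root signs a signing CA, the signing CA signs the host certificate), confirming that the host certificate verifies only when the intermediate is supplied, that an intermediate issued without CA:TRUE is rejected, and that the host key matches its certificate. It uses `openssl x509 -req` with a small constructed config instead of `openssl ca` and OpenSSL_FORTcondor.cnf; all subjects, file names and the temp directory are placeholders.

```shell
# Added example: throwaway chain with constructed names (root -> signing -> host).
work=$(mktemp -d)
cat > "$work/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_host]
basicConstraints = CA:FALSE
EOF
# new_req NAME CN: unencrypted 2048-bit RSA key plus a CSR
new_req() {
  openssl req -new -newkey rsa:2048 -nodes -config "$work/ca.cnf" \
    -subj "/CN=$2" -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null
}
# sign NAME ISSUER EXT: issue NAME.crt from NAME.csr using extension section EXT
sign() {
  openssl x509 -req -in "$work/$1.csr" -days 1 -CA "$work/$2.crt" \
    -CAkey "$work/$2.key" -CAcreateserial -extfile "$work/ca.cnf" \
    -extensions "$3" -out "$work/$1.crt" 2>/dev/null
}
build_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$work/ca.cnf" \
    -extensions v3_ca -subj "/CN=Example Root CA" \
    -keyout "$work/root.key" -out "$work/root.crt" 2>/dev/null || return 1
  new_req signing "Example Signing CA" && sign signing root v3_ca || return 1
  new_req host "host.example.test" && sign host signing v3_host || return 1
  # Control case: an intermediate issued without CA:TRUE, and a host under it
  new_req badca "Example Non-CA" && sign badca root v3_host || return 1
  new_req host2 "host2.example.test" && sign host2 badca v3_host
}
# chain_ok HOST [INTERMEDIATE]: trust only the root, optionally add an intermediate
chain_ok() {
  openssl verify -CAfile "$work/root.crt" \
    ${2:+-untrusted "$work/$2.crt"} "$work/$1.crt" 2>&1 | grep -q ': OK$'
}
# key_matches NAME: private key and certificate carry the same public key
key_matches() {
  [ "$(openssl x509 -in "$work/$1.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$work/$1.key" -pubout)" ]
}
build_chain || { echo "chain generation failed" >&2; exit 1; }
chain_ok host signing && echo "host verifies with signing CA supplied"
chain_ok host || echo "host does not verify against the root alone"
chain_ok host2 badca || echo "host2 rejected: its issuer is not a CA"
key_matches host && echo "host key matches host certificate"
```

The same `chain_ok` and `key_matches` checks can be pointed at real files by copying them into the working directory under the names the functions expect.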




From: "Michael O'Donnell" <odonnellm@xxxxxxxx>
To: Condor-Users Mail List <condor-users@xxxxxxxxxxx>
Date: 01/27/2010 06:17 AM
Subject: Re: [Condor-users] SSL help
Sent by: condor-users-bounces@xxxxxxxxxxx






Thanks Zack. I used a different method (openssl commands) to generate the SSL files last night and will be testing these this morning. I thought this may be the source of error because generating SSL keys in python is not that well established yet. I did not find a one-one protocol for generating RSA keys with md5 digest and des3 encryption and because I have had no experience with SSL before, I think at this point it is simpler to start with the basics. Thank you for your suggestions and I will let you know how it turns out or if I have additional problems.


Mike



From: Zachary Miller <zmiller@xxxxxxxxxxx>
To: Condor-Users Mail List <condor-users@xxxxxxxxxxx>
Date: 01/27/2010 05:52 AM
Subject: Re: [Condor-users] SSL help
Sent by: condor-users-bounces@xxxxxxxxxxx






> 01/26 15:40:11 SSL: trying to continue reading.
> 01/26 15:40:11 Receive message.
> 01/26 15:40:11 Trying to connect.
> 01/26 15:40:11 SSL: library failure.  see error queue?
> 01/26 15:40:11 SSL Authentication failed

hmm.  i didn't see anything blatantly wrong with your configuration so i think
the problem must somehow be in the format of your certificate files.  if you
like, feel free to send me the public cert off-list and i can take a look.  or
perhaps just the exact commands you used to create the files.


cheers,
-zach

_______________________________________________
Condor-users mailing list
To unsubscribe, send a message to condor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting

https://lists.cs.wisc.edu/mailman/listinfo/condor-users

The archives can be found at:

https://lists.cs.wisc.edu/archive/condor-users/
