
Re: [Condor-users] SSL help




After additional testing of SSL Auth on Windows platforms for Condor, I am still unable to get this to work. I have now tried a single-level self-signed CA / host-level authentication, a multi-level approach, and I also excluded the email address from the CA and signing key, which I did not do before. I am following the instructions provided in the link below and I have modified the configuration file and so forth as outlined. I have to add that I would have been completely lost without this document, so I have to thank Zach and the Condor team for providing this example.

I am not sure whether this is related to my network or if I am still doing something incorrect. Does anyone have any ideas? Thank you for the help; I greatly appreciate it.

The master log output looks like this:
01/27 12:05:13 AUTHENTICATE: no available authentication methods succeeded, failing!
01/27 12:05:13 DC_AUTHENTICATE: authenticate failed: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using SSL
01/27 12:05:13 condor_read() failed: recv() returned -1, errno = 10054 , reading 5 bytes from <159.189.162.73:9618>.
01/27 12:05:13 IO: Failed to read packet header
01/27 12:05:13 SECMAN: no classad from server, failing
01/27 12:05:13 ERROR: SECMAN:2004:Was waiting for TCP auth session to <159.189.162.73:9618>, but it failed.
01/27 12:05:13 Failed to start non-blocking update to <159.189.162.73:9618>.
01/27 12:05:13 ERROR: SECMAN:2004:Failed to create security session to <159.189.162.73:9618> with TCP.|SECMAN:2007:Failed to end classad message.
01/27 12:05:13 Failed to start non-blocking update to <159.189.162.73:9618>.
01/27 12:05:13 The COLLECTOR (pid 2552) exited with status 4
01/27 12:05:13 restarting C:\Condor/bin/condor_collector.exe in 41 seconds
01/27 12:05:13 attempt to connect to <159.189.162.73:9618> failed: connect errno = 10061 connection refused.
01/27 12:05:13 ERROR: SECMAN:2004:Failed to create security session to <159.189.162.73:9618> with TCP.|SECMAN:2003:TCP connection to <159.189.162.73:9618> failed.
01/27 12:05:13 Failed to start non-blocking update to <159.189.162.73:9618>.
01/27 12:05:15 Trying to accept.
01/27 12:05:15 SSL: trying to continue reading.
01/27 12:05:15 Receive message.
01/27 12:05:15 Trying to accept.
01/27 12:05:15 SSL: trying to continue reading.
01/27 12:05:15 Trying to accept.
01/27 12:05:15 SSL: trying to continue reading.
01/27 12:05:15 Receive message.
01/27 12:05:15 SSL Authentication failed
01/27 12:05:15 AUTHENTICATE: no available authentication methods succeeded, failing!
01/27 12:05:15 DC_AUTHENTICATE: authenticate failed: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using SSL
01/27 12:05:15 The NEGOTIATOR (pid 3024) exited with status 4
01/27 12:05:15 restarting C:\Condor/bin/condor_negotiator.exe in 41 seconds
01/27 12:05:15 attempt to connect to <159.189.162.73:9618> failed: connect errno = 10061 connection refused.
01/27 12:05:15 ERROR: SECMAN:2004:Failed to create security session to <159.189.162.73:9618> with TCP.|SECMAN:2003:TCP connection to <159.189.162.73:9618> failed.
01/27 12:05:15 Failed to start non-blocking update to <159.189.162.73:9618>.




From: "Michael O'Donnell" <odonnellm@xxxxxxxx>
To: Condor-Users Mail List <condor-users@xxxxxxxxxxx>
Date: 01/27/2010 08:59 AM
Subject: Re: [Condor-users] SSL help
Sent by: condor-users-bounces@xxxxxxxxxxx

Could the error be a result of using a multi-level CA versus a single-level CA? I am not using GSI and although the documentation does not say I can't do this, it also does not say I can do it.

From: "Michael O'Donnell" <odonnellm@xxxxxxxx>
To: Condor-Users Mail List <condor-users@xxxxxxxxxxx>
Date: 01/27/2010 08:44 AM
Subject: Re: [Condor-users] SSL help
Sent by: condor-users-bounces@xxxxxxxxxxx

I tried to generate SSL keys using OpenSSL, but I am still getting an error. I am including errors posted in the MasterLog (different than the previous errors) as well as how I am generating the SSL keys. Is it possible that the passwords are causing the problem? I thought I followed the Condor SSL example (http://pages.cs.wisc.edu/~zmiller/ca-howto/), but I am still obviously doing something wrong.

Thanks for the help.

Mike


# Single-level and multi-level
# Shown with the openssl prefix so each line runs from a shell (the originals omit it, as at the OpenSSL> prompt).

########################## Root key and certificate ##############################
# Store these on a CD and do not give these out to anyone

# Create private root key (passphrase entered at the prompt: test1)
openssl genrsa -des3 -out root-ca.key 2048

# Create certificate and self-sign root key (5 year duration); passphrase: test1
# Accept the defaults from the config if correct:
#   Common Name: IGSKBACB-condoradmin
#   Email address: email here
openssl req -new -x509 -days 1825 -key root-ca.key -out root-ca.crt -config OpenSSL_FORTcondor.cnf

########################## Signing key and certificate ###########################
# Create key and request for the signing CA (5 year duration; duration must be the same for some reason)
# passphrase entered at the prompt: test2
openssl genrsa -des3 -out signing-ca-1.key 2048
openssl req -new -days 1825 -key signing-ca-1.key -out signing-ca-1.csr -config OpenSSL_FORTcondor.cnf
# Accept the defaults from the config if correct:
#   Common Name: IGSKBACB-condoradmin
#   Email address: email here

# Sign the signing-CA request with the root CA (root passphrase: test1; answer Y to sign and Y to commit)
openssl ca -config OpenSSL_FORTcondor.cnf -name CA_root -extensions v3_ca -out signing-ca-1.crt -infiles signing-ca-1.csr

########################## Host key and certificate ##############################
# Host key (unencrypted, -nodes) and request
openssl req -newkey rsa:2048 -keyout IGSKBACBLT214.key -nodes -config OpenSSL_FORTcondor.cnf -out IGSKBACBLT214.req
#   Common Name: IGSKBACBLT214.gs.doi.net
#   Email address: email here

# Sign the host request (passphrase entered at the prompt: test2; answer Y to sign and Y to commit)
openssl ca -config OpenSSL_FORTcondor.cnf -out IGSKBACBLT214.crt -infiles IGSKBACBLT214.req


#Generated keys using openssl
MasterLog
01/27 08:11:13 ******************************************************
01/27 08:11:13 ** Condor (CONDOR_MASTER) STARTING UP
01/27 08:11:13 ** C:\Condor\bin\condor_master.exe
01/27 08:11:13 ** SubsystemInfo: name=MASTER type=MASTER(2) class=DAEMON(1)
01/27 08:11:13 ** Configuration: subsystem:MASTER local:<NONE> class:DAEMON
01/27 08:11:13 ** $CondorVersion: 7.4.0 Oct 31 2009 BuildID: 193173 $
01/27 08:11:13 ** $CondorPlatform: INTEL-WINNT50 $
01/27 08:11:13 ** PID = 1812
01/27 08:11:13 ** Log last touched 1/27 08:04:15
01/27 08:11:13 ******************************************************
01/27 08:11:13 Using config source: \\igskbacbfs001\condor$\Secured\Condor_Config\Global\FORTcondor_config
01/27 08:11:13 Using local config sources:
01/27 08:11:13    \\igskbacbfs001\condor$\Secured\Condor_Config\Local\condor_config_IGSKBACBLT214.local
01/27 08:11:13 DaemonCore: Command Socket at <159.189.162.73:1131>
01/27 08:11:13 Started DaemonCore process "C:\Condor/bin/condor_collector.exe", pid and pgroup = 3312
01/27 08:11:17 Started DaemonCore process "C:\Condor/bin/condor_negotiator.exe", pid and pgroup = 3044
01/27 08:11:17 Trying to accept.
01/27 08:11:18 SSL: trying to continue reading.
01/27 08:11:18 Receive message.
01/27 08:11:18 Trying to accept.
01/27 08:11:18 SSL: trying to continue reading.
01/27 08:11:18 Trying to accept.
01/27 08:11:18 SSL: trying to continue reading.
01/27 08:11:18 Receive message.
01/27 08:11:18 SSL Authentication failed
01/27 08:11:18 AUTHENTICATE: no available authentication methods succeeded, failing!
01/27 08:11:18 DC_AUTHENTICATE: authenticate failed: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using SSL
01/27 08:11:18 Trying to accept.
01/27 08:11:18 SSL: trying to continue reading.
01/27 08:11:18 Receive message.
01/27 08:11:18 Trying to accept.
01/27 08:11:18 SSL: trying to continue reading.
01/27 08:11:18 Trying to accept.
01/27 08:11:18 SSL: trying to continue reading.
01/27 08:11:18 Receive message.
01/27 08:11:18 SSL Authentication failed
01/27 08:11:18 AUTHENTICATE: no available authentication methods succeeded, failing!
01/27 08:11:18 DC_AUTHENTICATE: authenticate failed: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using SSL
01/27 08:11:23 Trying to accept.
01/27 08:11:23 SSL: trying to continue reading.
01/27 08:11:23 Receive message.
01/27 08:11:23 Trying to accept.
01/27 08:11:23 SSL: trying to continue reading.
01/27 08:11:23 Trying to accept.
01/27 08:11:23 SSL: trying to continue reading.
01/27 08:11:23 Receive message.
01/27 08:11:23 SSL Authentication failed
01/27 08:11:23 AUTHENTICATE: no available authentication methods succeeded, failing!
01/27 08:11:23 DC_AUTHENTICATE: authenticate failed: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using SSL
01/27 08:11:23 Trying to accept.
01/27 08:11:23 SSL: trying to continue reading.
01/27 08:11:23 Receive message.
01/27 08:11:23 Trying to accept.
01/27 08:11:24 SSL: trying to continue reading.
01/27 08:11:24 Trying to accept.
01/27 08:11:24 SSL: trying to continue reading.
01/27 08:11:24 Receive message.
01/27 08:11:24 SSL Authentication failed
01/27 08:11:24 AUTHENTICATE: no available authentication methods succeeded, failing!
01/27 08:11:24 DC_AUTHENTICATE: authenticate failed: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using SSL
01/27 08:11:28 Trying to accept.
01/27 08:11:28 SSL: trying to continue reading.
01/27 08:11:28 Receive message.
01/27 08:11:28 Trying to accept.
01/27 08:11:28 SSL: trying to continue reading.
01/27 08:11:28 Trying to accept.
01/27 08:11:28 SSL: trying to continue reading.
01/27 08:11:28 Receive message.
01/27 08:11:28 SSL Authentication failed
01/27 08:11:28 AUTHENTICATE: no available authentication methods succeeded, failing!
01/27 08:11:28 DC_AUTHENTICATE: authenticate failed: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using SSL
01/27 08:11:28 condor_read() failed: recv() returned -1, errno = 10054 , reading 5 bytes from <159.189.162.73:9618>.
01/27 08:11:28 IO: Failed to read packet header
01/27 08:11:28 SECMAN: no classad from server, failing
01/27 08:11:28 ERROR: SECMAN:2004:Failed to create security session to <159.189.162.73:9618> with TCP.|SECMAN:2007:Failed to end classad message.
01/27 08:11:28 Failed to start non-blocking update to <159.189.162.73:9618>.
01/27 08:11:29 Trying to accept.
01/27 08:11:29 SSL: trying to continue reading.
01/27 08:11:29 Receive message.
01/27 08:11:29 Trying to accept.
01/27 08:11:29 SSL: trying to continue reading.
01/27 08:11:29 Trying to accept.
01/27 08:11:29 SSL: trying to continue reading.
01/27 08:11:29 Receive message.
01/27 08:11:29 SSL Authentication failed
01/27 08:11:29 AUTHENTICATE: no available authentication methods succeeded, failing!
01/27 08:11:29 DC_AUTHENTICATE: authenticate failed: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using SSL
01/27 08:11:30 The NEGOTIATOR (pid 3044) exited with status 4
01/27 08:11:30 Sending obituary for "C:\Condor/bin/condor_negotiator.exe"
01/27 08:11:37 restarting C:\Condor/bin/condor_negotiator.exe in 10 seconds
01/27 08:11:38 attempt to connect to <159.189.162.73:9618> failed: connect errno = 10061 connection refused.
01/27 08:11:38 ERROR: SECMAN:2004:Failed to create security session to <159.189.162.73:9618> with TCP.|SECMAN:2003:TCP connection to <159.189.162.73:9618> failed.
01/27 08:11:38 Failed to start non-blocking update to <159.189.162.73:9618>.
01/27 08:11:38 The COLLECTOR (pid 3312) exited with status 4
01/27 08:11:38 Sending obituary for "C:\Condor/bin/condor_collector.exe"
01/27 08:11:41 restarting C:\Condor/bin/condor_collector.exe in 10 seconds
01/27 08:11:41 attempt to connect to <159.189.162.73:9618> failed: connect errno = 10061 connection refused.
01/27 08:11:41 ERROR: SECMAN:2004:Failed to create security session to <159.189.162.73:9618> with TCP.|SECMAN:2003:TCP connection to <159.189.162.73:9618> failed.
01/27 08:11:41 Failed to start non-blocking update to <159.189.162.73:9618>.
01/27 08:11:47 Started DaemonCore process "C:\Condor/bin/condor_negotiator.exe", pid and pgroup = 2576
01/27 08:11:47 attempt to connect to <159.189.162.73:9618> failed: connect errno = 10061 connection refused.
01/27 08:11:47 ERROR: SECMAN:2004:Failed to create security session to <159.189.162.73:9618> with TCP.|SECMAN:2003:TCP connection to <159.189.162.73:9618> failed.
01/27 08:11:47 Failed to start non-blocking update to <159.189.162.73:9618>.
01/27 08:11:47 Trying to accept.
01/27 08:11:47 SSL: trying to continue reading.
01/27 08:11:47 Receive message.
01/27 08:11:47 Trying to accept.
01/27 08:11:47 SSL: trying to continue reading.
01/27 08:11:47 Trying to accept.
01/27 08:11:47 SSL: trying to continue reading.
01/27 08:11:47 Receive message.
01/27 08:11:47 SSL Authentication failed
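The two questions raised in this thread, whether a multi-level CA (root -> signing CA -> host) behaves differently from a single-level one, and whether the key passphrases matter, can both be checked offline with plain openssl before touching the Condor configuration. The script below is an added example, not code from the thread or from the Condor project: it builds a throwaway two-level chain with constructed names (root-ca, signing-ca-1, host.example.invalid are assumptions) and then defines three checks that can be pointed at the real files.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway two-level chain like the one
# on the page (root-ca -> signing-ca-1 -> host) and define the checks to run against
# the real files. "openssl x509 -req" stands in for "openssl ca" so no config/db is needed.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\n' > host.ext
# newreq NAME CN: unencrypted (-nodes) key NAME.key and request NAME.csr for CN.
newreq() { openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null; }

# Root: self-signed, with explicit CA extensions so verification treats it as a CA.
newreq root-ca root-ca
openssl x509 -req -days 1825 -in root-ca.csr -signkey root-ca.key -extfile ca.ext -out root-ca.crt 2>/dev/null
# Signing CA: issued by the root; without CA:TRUE it could not issue the host cert.
newreq signing-ca-1 signing-ca-1
openssl x509 -req -days 1825 -in signing-ca-1.csr -CA root-ca.crt -CAkey root-ca.key \
    -CAcreateserial -extfile ca.ext -out signing-ca-1.crt 2>/dev/null
# Host cert (hypothetical name): issued by the signing CA, not by the root.
newreq host host.example.invalid
openssl x509 -req -days 1825 -in host.csr -CA signing-ca-1.crt -CAkey signing-ca-1.key \
    -CAcreateserial -extfile host.ext -out host.crt 2>/dev/null

# verify_chain CERT TRUSTFILE [INTERMEDIATE]: 0 only if CERT chains to TRUSTFILE.
# A two-level chain needs the signing CA either here or appended to TRUSTFILE.
verify_chain() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# key_matches_cert KEY CERT: 0 if the private key's public half is the one in CERT.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_is_encrypted KEY: 0 if the PEM key is passphrase-protected (e.g. genrsa -des3).
# A daemon started as a service cannot type a passphrase, so the key it loads must be plain.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}
```

Against the real files, run verify_chain with the CA file the Condor daemons are configured to trust as TRUSTFILE: a host cert issued by signing-ca-1 verifies only if that trust file (or the -untrusted argument) can reach the signing CA, whereas a cert issued directly by the root needs nothing extra.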



From: "Michael O'Donnell" <odonnellm@xxxxxxxx>
To: Condor-Users Mail List <condor-users@xxxxxxxxxxx>
Date: 01/27/2010 06:17 AM
Subject: Re: [Condor-users] SSL help
Sent by: condor-users-bounces@xxxxxxxxxxx

Thanks Zach. I used a different method (openssl commands) to generate the SSL files last night and will be testing these this morning. I thought this may be the source of error because generating SSL keys in Python is not that well established yet. I did not find a one-to-one protocol for generating RSA keys with MD5 digest and DES3 encryption, and because I have had no experience with SSL before, I think at this point it is simpler to start with the basics. Thank you for your suggestions and I will let you know how it turns out or if I have additional problems.


Mike


From: Zachary Miller <zmiller@xxxxxxxxxxx>
To: Condor-Users Mail List <condor-users@xxxxxxxxxxx>
Date: 01/27/2010 05:52 AM
Subject: Re: [Condor-users] SSL help
Sent by: condor-users-bounces@xxxxxxxxxxx

> 01/26 15:40:11 SSL: trying to continue reading.
> 01/26 15:40:11 Receive message.
> 01/26 15:40:11 Trying to connect.
> 01/26 15:40:11 SSL: library failure.  see error queue?
> 01/26 15:40:11 SSL Authentication failed

hmm.  i didn't see anything blatantly wrong with your configuration so i think
the problem must somehow be in the format of your certificate files.  if you
like, feel free to send me the public cert off-list and i can take a look.  or
perhaps just the exact commands you used to create the files.


cheers,
-zach

_______________________________________________
Condor-users mailing list
To unsubscribe, send a message to condor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting

https://lists.cs.wisc.edu/mailman/listinfo/condor-users

The archives can be found at:

https://lists.cs.wisc.edu/archive/condor-users/
