Hide Forgot
Description of problem: I've got 2 certificates(client.cert, server.cert) signed by one self-signed certificate(ca.crt). I've set them to aviary, but scheduler plugin didn't load them nor query server did. I see this error in SchedLog: 2/16/12 07:42:40 (fd:11) (pid:25733) AXIS2_READ_TIMEOUT is undefined, using default value of 60000 02/16/12 07:42:40 (fd:18) (pid:25733) axis2_ssl_utils_initialize_ctx failed 02/16/12 07:42:40 (fd:17) (pid:25733) SSL/TLS requested but configuration failed 02/16/12 07:42:40 (fd:2) (pid:25733) ERROR "Unable to configure AviaryProvider. Exiting..." at line 57 in file /builddir/build/BUILD/condor-7.6.4/src/condor_contrib/aviary/src/AviaryScheddPlugin.cpp Stack dump for process 25733 at timestamp 1329396160 (11 frames) condor_schedd(dprintf_dump_stack+0x4a)[0x81cd9ca] condor_schedd[0x81afb56] [0x868420] /lib/libc.so.6(abort+0x221)[0x445831] condor_schedd(_EXCEPT_+0xa6)[0x81e6db6] /usr/lib/condor/plugins/AviaryScheddPlugin-plugin.so(_ZN6aviary3job18AviaryScheddPlugin15earlyInitializeEv+0x25f)[0x3b464f] condor_schedd(_ZN19ScheddPluginManager15EarlyInitializeEv+0x33)[0x811cef3] condor_schedd(_Z9main_initiPPc+0xb5)[0x811a625] condor_schedd(main+0x11e1)[0x8146a51] /lib/libc.so.6(__libc_start_main+0xdc)[0x430eac] condor_schedd[0x80bde01] Certificates are in valid form and verification is OK too. $ openssl verify -CAfile ca.crt ca.crt ca.crt: OK $ openssl verify -CAfile ca.crt server.crt server.crt: OK $ openssl verify -CAfile ca.crt client.crt client.crt: OK Every certificate has this form: $ cat client.crt Certificate: Data: Version: 1 (0x0) Serial Number: ... Signature Algorithm: NULL Issuer: CN=... Validity Not Before: Feb 15 10:26:27 2012 GMT Not After : Mar 16 10:26:27 2012 GMT Subject: CN=.... Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): ... Exponent: ... (...) Signature Algorithm: NULL -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- So they are in valid OpenSSL form. I've found similar issue in https://bugzilla.redhat.com/show_bug.cgi?id=752414 I think nobody will edit ssl certificates. Version-Release number of selected component (if applicable): condor-aviary-7.6.5-0.12 python-ssl-1.15-3.el5 openssl-0.9.8e-20.el5_7.1 How reproducible: 100% Steps to Reproduce: 1. install condor 2. setup aviary(scheduler plugin+queryserver) with ssl with valid OpenSSL certifactes 3. start condor and watch SchedLog and QueryServerLog Actual results: Aviary doesn't work with valid certificates. Expected results: Aviary will work with every type of valid OpenSSL certificate in PEM format. Additional info: Another type of verification: $ for i in sslclient sslserver nssslserver smimesign smimeencrypt crlsign any ocsphelper; do openssl verify -CAfile ca.crt -purpose $i server.crt; done server.crt: OK server.crt: OK server.crt: OK server.crt: OK server.crt: OK server.crt: OK server.crt: OK server.crt: OK $ for i in sslclient sslserver nssslserver smimesign smimeencrypt crlsign any ocsphelper; do openssl verify -CAfile ca.crt -purpose $i client.crt; done client.crt: OK client.crt: OK client.crt: OK client.crt: OK client.crt: OK client.crt: OK client.crt: OK client.crt: OK $ for i in sslclient sslserver nssslserver smimesign smimeencrypt crlsign any ocsphelper; do openssl verify -CAfile ca.crt -purpose $i ca.crt; done ca.crt: OK ca.crt: OK ca.crt: OK ca.crt: OK ca.crt: OK ca.crt: OK ca.crt: OK ca.crt: OK