Problem with certificate and alien

coppedis · December 19, 2023, 4:05pm

Dear all,
I have the following problem: the CERN certificate that I am using grants me access on Monalisa (I can access files on the grid via web interface) but it doesn’t work when I try to run alien.py on my mac (Ventura 13.6). It complains like this:

Enter PEM pass phrase:
Could NOT establish connection (WebSocket) to 128.142.249.52:8097
SSLCertVerificationError(1, ‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)’)
Check the logfile: /Users/chiara/alien_py.log

alien.py cert-info gives me this output
DN >>> DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=coppedis/CN=510092/CN=Chiara Oppedisano
ISSUER >>> DC=ch/DC=cern/CN=CERN Grid Certification Authority
BEGIN >>> 2023-11-30 09:18:09
EXPIRE >>> 2025-01-03 09:18:09

but alien.py cert-verify gives me the following error:
SSL Verification failed for /Users/chiara/.globus/usercert.pem

Does anybody know what I am missing and/or doing wrong?
Thanks a lot in advance, chiara

asevcenc · December 20, 2023, 8:42pm

Hi! Check that in your environment you have the following:

[O2Physics/daily-20231219-0100-1] ~ > openssl x509 -text -in $X509_CERT_DIR/CERN-GridCA.pem | grep 'Not Before\|Not After'
            Not Before: Mar 29 08:24:22 2022 GMT
            Not After : Mar 29 08:34:22 2032 GMT

if not, you need a full clean up and build to have a refreshed CAs certificate collection

coppedis · December 21, 2023, 10:35am

Dear @asevcenc
this is the output I get:

[O2Physics/latest-master-o2] ~/alirun/QC %> openssl x509 -text -in $X509_CERT_DIR/CERN-GridCA.pem | grep ‘Not Before|Not After’
Not Before: Mar 29 08:24:22 2022 GMT
Not After : Mar 29 08:34:22 2032 GMT

SO I am not sure how to proceed

asevcenc · December 21, 2023, 11:25am

weird … can you also try this:

openssl verify -CApath $X509_CERT_DIR $HOME/.globus/usercert.pem

coppedis · December 21, 2023, 11:27am

Here I have an error!

[O2Physics/latest-master-o2] ~/alirun/QC %> openssl verify -CApath $X509_CERT_DIR $HOME/.globus/usercert.pem
DC=ch, DC=cern, OU=Organic Units, OU=Users, CN=coppedis, CN=510092, CN=Chiara Oppedisano
error 20 at 0 depth lookup: unable to get local issuer certificate
error /Users/chiara/.globus/usercert.pem: verification failed
8027D155F87F0000:error:0480006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:773:Expecting: TRUSTED CERTIFICATE
8027D155F87F0000:error:05800087:x509 certificate routines:X509_load_cert_file_ex:no certificate found:crypto/x509/by_file.c:118:

asevcenc · December 21, 2023, 11:27am

and also send me please the log.txt of
ALIENPY_DEBUG=1 ALIENPY_DEBUG_FILE=log.txt alien.py pwd

asevcenc · December 21, 2023, 11:29am

this seems to indicate that your usercert.pem either is missing or is corrupted and not recognized

coppedis · December 21, 2023, 11:32am

In my .globus dir I run the usual commands:
openssl pkcs12 -in certs.p12 -clcerts -nokeys -out $HOME/.globus/usercert.pem
openssl pkcs12 -in certs.p12 -nocerts -out $HOME/.globus/userkey.pem
chmod 600 $HOME/.globus/userkey.pem
chmod 600 $HOME/.globus/usercert.pem

I am also attaching the log.txt
Thanks a lot for helping me!!!

coppedis · December 21, 2023, 11:33am

ERROR:2023-12-19 14:29:09,833 IsValidCert:: Unable to open certificate file /var/folders/t6/y5br_bxd1tn2jt50c0nbrt5c0000gn/T/tokencert_501.pem
DEBUG:2023-12-19 14:29:09,838 Using selector: KqueueSelector
DEBUG:2023-12-19 14:29:09,877 alien.py version: 1.5.6
alien.py version date: 20231128_105044
alien.py version hash: dcf57d6
alien.py location: /Users/chiara/alice/sw/osx_x86-64/xjalienfs/1.5.6-local1/lib/python/site-packages/alienpy/alien.py
script location: /Users/chiara/alice/sw/osx_x86-64/xjalienfs/1.5.6-local1/bin/alien.py
Interpreter: /usr/local/Cellar/python@3.11/3.11.6_1/Frameworks/Python.framework/Versions/3.11/bin/python3.11
Python version: 3.11.6 (main, Nov 2 2023, 04:51:19) [Clang 14.0.0 (clang-1400.0.29.202)]
XRootD version: 5.6.0
XRootD path: /Users/chiara/alice/sw/osx_x86-64/XRootD/v5.6.0-local1/lib/python/site-packages/XRootD/client/init.py

ERROR:2023-12-19 14:29:09,878 IsValidCert:: Unable to open certificate file /var/folders/t6/y5br_bxd1tn2jt50c0nbrt5c0000gn/T/tokencert_501.pem
DEBUG:2023-12-19 14:29:09,878
Cert = /Users/chiara/.globus/usercert.pem
Key = /Users/chiara/.globus/userkey.pem
Creating SSL context …
DEBUG:2023-12-19 14:29:09,890 CApath::X509_CERT_DIR:: requested and set to /Users/chiara/alice/sw/osx_x86-64/AliEn-Runtime/v2-19-le-local1/globus/share/certificates
DEBUG:2023-12-19 14:29:09,890
X509_CERT_DIR = /Users/chiara/alice/sw/osx_x86-64/AliEn-Runtime/v2-19-le-local1/globus/share/certificates
CApath = /Users/chiara/alice/sw/osx_x86-64/AliEn-Runtime/v2-19-le-local1/globus/share/certificates
DEBUG:2023-12-19 14:29:09,890 SSL context:: Loading verify location:
/Users/chiara/alice/sw/osx_x86-64/AliEn-Runtime/v2-19-le-local1/globus/share/certificates
DEBUG:2023-12-19 14:29:09,890 SSL context:: Loading cert,key pair:
/Users/chiara/.globus/usercert.pem
/Users/chiara/.globus/userkey.pem
DEBUG:2023-12-19 14:29:13,382
… SSL context done.
INFO:2023-12-19 14:29:13,382 Request connection to: alice-jcentral.cern.ch:8097/websocket/json
DEBUG:2023-12-19 14:29:13,382 TRY ENDPOINT: alice-jcentral.cern.ch:8097
DEBUG:2023-12-19 14:29:13,401 TCP SOCKET DELTA: 18.368 ms
INFO:2023-12-19 14:29:13,401 GOT SOCKET TO: 128.142.249.34:8097
DEBUG:2023-12-19 14:29:13,401 = connection is CONNECTING
ERROR:2023-12-19 14:29:13,430 Could NOT establish connection (WebSocket) to 128.142.249.34:8097
SSLCertVerificationError(1, ‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)’)
ERROR:2023-12-19 14:29:13,936 IsValidCert:: Unable to open certificate file /var/folders/t6/y5br_bxd1tn2jt50c0nbrt5c0000gn/T/tokencert_501.pem
DEBUG:2023-12-19 14:29:13,937
Cert = /Users/chiara/.globus/usercert.pem
Key = /Users/chiara/.globus/userkey.pem
Creating SSL context …
DEBUG:2023-12-19 14:29:13,948 CApath::X509_CERT_DIR:: requested and set to /Users/chiara/alice/sw/osx_x86-64/AliEn-Runtime/v2-19-le-local1/globus/share/certificates
DEBUG:2023-12-19 14:29:13,948
X509_CERT_DIR = /Users/chiara/alice/sw/osx_x86-64/AliEn-Runtime/v2-19-le-local1/globus/share/certificates
CApath = /Users/chiara/alice/sw/osx_x86-64/AliEn-Runtime/v2-19-le-local1/globus/share/certificates
DEBUG:2023-12-19 14:29:13,948 SSL context:: Loading verify location:
/Users/chiara/alice/sw/osx_x86-64/AliEn-Runtime/v2-19-le-local1/globus/share/certificates
DEBUG:2023-12-19 14:29:13,948 SSL context:: Loading cert,key pair:
/Users/chiara/.globus/usercert.pem
/Users/chiara/.globus/userkey.pem
DEBUG:2023-12-19 14:29:17,083
… SSL context done.
INFO:2023-12-19 14:29:17,083 Request connection to: alice-jcentral.cern.ch:8097/websocket/json
DEBUG:2023-12-19 14:29:17,083 TRY ENDPOINT: alice-jcentral.cern.ch:8097
DEBUG:2023-12-19 14:29:17,099 TCP SOCKET DELTA: 15.896 ms
INFO:2023-12-19 14:29:17,099 GOT SOCKET TO: ::ffff:128.142.249.76:8097
DEBUG:2023-12-19 14:29:17,099 = connection is CONNECTING
ERROR:2023-12-19 14:29:17,128 Could NOT establish connection (WebSocket) to ::ffff:128.142.249.76:8097
SSLCertVerificationError(1, ‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)’)
ERROR:2023-12-19 14:29:17,633 IsValidCert:: Unable to open certificate file /var/folders/t6/y5br_bxd1tn2jt50c0nbrt5c0000gn/T/tokencert_501.pem
DEBUG:2023-12-19 14:29:17,633
Cert = /Users/chiara/.globus/usercert.pem
Key = /Users/chiara/.globus/userkey.pem
Creating SSL context …
DEBUG:2023-12-19 14:29:17,645 CApath::X509_CERT_DIR:: requested and set to /Users/chiara/alice/sw/osx_x86-64/AliEn-Runtime/v2-19-le-local1/globus/share/certificates
DEBUG:2023-12-19 14:29:17,645
X509_CERT_DIR = /Users/chiara/alice/sw/osx_x86-64/AliEn-Runtime/v2-19-le-local1/globus/share/certificates
CApath = /Users/chiara/alice/sw/osx_x86-64/AliEn-Runtime/v2-19-le-local1/globus/share/certificates
DEBUG:2023-12-19 14:29:17,645 SSL context:: Loading verify location:
/Users/chiara/alice/sw/osx_x86-64/AliEn-Runtime/v2-19-le-local1/globus/share/certificates
DEBUG:2023-12-19 14:29:17,645 SSL context:: Loading cert,key pair:
/Users/chiara/.globus/usercert.pem
/Users/chiara/.globus/userkey.pem
DEBUG:2023-12-19 14:29:20,309
… SSL context done.
INFO:2023-12-19 14:29:20,309 Request connection to: alice-jcentral.cern.ch:8097/websocket/json
DEBUG:2023-12-19 14:29:20,309 TRY ENDPOINT: alice-jcentral.cern.ch:8097
DEBUG:2023-12-19 14:29:20,324 TCP SOCKET DELTA: 15.510 ms
INFO:2023-12-19 14:29:20,324 GOT SOCKET TO: ::ffff:128.142.249.34:8097
DEBUG:2023-12-19 14:29:20,325 = connection is CONNECTING
ERROR:2023-12-19 14:29:20,353 Could NOT establish connection (WebSocket) to ::ffff:128.142.249.34:8097
SSLCertVerificationError(1, ‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)’)
ERROR:2023-12-19 14:29:20,353 We tried on alice-jcentral.cern.ch:8097/websocket/json 3 times
DEBUG:2023-12-19 14:29:20,353 >>> Websocket trials connecting time: 10475.644 ms
DEBUG:2023-12-19 14:29:20,353 >>> AlienConnect::Time for connection: 10475.765 ms
ERROR:2023-12-19 14:29:20,353 Check the logfile: log.txt
Could not get a websocket connection to alice-jcentral.cern.ch:8097

asevcenc · December 21, 2023, 11:38am

so… i do not know what to say in this moment … the crux of the problem (and verification) is that you need
openssl verify -CApath $X509_CERT_DIR $HOME/.globus/usercert.pem
to work… (something that is independent of anything else)

try to download again the p12 file and create again the pem files …

coppedis · December 21, 2023, 11:42am

ok, I’ll try

coppedis · December 21, 2023, 1:58pm

Dear @asevcenc I tried on a ubuntu machine and there it works perfectly!
So I guess it is some mismatch on my mac…
I will try to fix it.
Thanks a lot for your super useful support!

ppillot · December 21, 2023, 2:22pm

Dear @coppedis , I am just reading this thread and I am not it is related, but on my Mac I had to add the option -legacy to the openssl command when producing the usercert.pem and userkey.pem.

coppedis · December 21, 2023, 2:31pm

Thanks a lot @ppillot
Now I am reinstalling O2Physics from scratch, but I will definitely try your suggestion and let you know!

coppedis · December 26, 2023, 7:50pm

Unfortunately neither reinstalling from scratch nor adding the -legacy option solved the issue with the certificate and osx ventura. It still complains telling:

Enter PEM pass phrase:
Could NOT establish connection (WebSocket) to ::ffff:128.142.249.54:8097
SSLCertVerificationError(1, ‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)’)
Check the logfile: /Users/chiara/alien_py.log

I really don’t know what else to try…

bhsingh · June 13, 2024, 4:33pm

Hi Chiara, I was wondering how you eventually managed to solve the problem. I have the same issue with my Mac. I tried all the possible suggestions, and now, after reading this thread, I was wondering if there was any follow-up to this.

coppedis · September 11, 2024, 1:12pm

Unfortunately we were not able to figure out a way out…
I am still struggling with my mac and can’t access alien in any way from it…
Did you by chance find a solution though?

asevcenc · September 12, 2024, 6:44pm

So, it seems that you still have a problem with CA certificates that should have been provided by the installation. There is a work-around in the form of alien.py command getCAcerts
see the output of alien.py getCAcerts -h