
Re: [pcp] qa/713 certificate issue

To: Ken McDonell <kenj@xxxxxxxxxxxxxxxx>
Subject: Re: [pcp] qa/713 certificate issue
From: Nathan Scott <nathans@xxxxxxxxxx>
Date: Sun, 14 Apr 2013 23:26:47 -0400 (EDT)
Cc: pcp@xxxxxxxxxxx
Delivered-to: pcp@xxxxxxxxxxx
In-reply-to: <5167E247.7030901@xxxxxxxxxxxxxxxx>
References: <5154CA71.3080200@xxxxxxxxxxxxxxxx> <5154CE91.1070506@xxxxxxxxxxxxxxxx> <516631560.605811.1364865050360.JavaMail.root@xxxxxxxxxx> <515B6533.9040405@xxxxxxxxxxxxxxxx> <2118509281.3098105.1365112490747.JavaMail.root@xxxxxxxxxx> <5165CA54.20204@xxxxxxxxxxxxxxxx> <5167E247.7030901@xxxxxxxxxxxxxxxx>
Reply-to: Nathan Scott <nathans@xxxxxxxxxx>
Thread-index: nA4RhclE9do/PcDEqi5+/FoaasKSSQ==
Thread-topic: qa/713 certificate issue

----- Original Message -----
> On 11/04/13 06:23, Ken McDonell wrote:
> > ...
> > Here's the transcript in the hope that someone can suggest what to try next
> > ...
> 
> No suggestions so far.
> 
> Some more info.  On another system I did the tutorial thing again, with
> similar results, except
> 
> 
> kenj@bozo-laptop:~$ PCP_SECURE_SOCKETS=enforce pmprobe sample.long.one
> WARNING: issuer of certificate received from host bozo-laptop is not trusted.
> SHA1 fingerprint is
> 2B:C6:AF:F2:7C:3A:B4:55:67:24:C2:6B:03:47:E3:C9:33:EC:FB:D9
> Do you want to accept and save this certificate locally anyway (y/n)?
> WARNING: Failed to save certificate locally: The operation failed because the
> PKCS#11 token is not logged in.
> sample.long.one -12366 IPC protocol failure
> 
> No clue what the PKCS#11 message is about (this is the different bit).


Hmm, FWIW, I've not come across that error before.

> And from pmcd.log ...
> 
> root@bozo-laptop:~/src/pcp/qa# grep -i certificate /var/log/pcp/pmcd/pmcd.log
> Certificate: PCP Collector certificate  Not Valid Before: Fri Apr 12 10:01:29
> 2013 UTC  Not Valid After: Wed Apr 12 10:01:29 2023 UTC
> [Fri Apr 12 20:12:37] pmcd(27432) Error: Unable to force secure handshake:
> SSL peer cannot verify your certificate.
> ...
> So far I have been unable to make secure sockets work on _any_ of the 20+ QA
> hosts I have, so I believe either it is totally broken, or there is
> something really critical missing from lab.secure.html _and_ the QA tests
> (712 and 713).
> 
> I would really appreciate some assistance on this one from the secure socket
> pixies.

I'm wondering if it's a host / dns name related problem - from your earlier mail
looks like these hosts have no dns domainname at all or use .localdomain.  That
part is quite different to my setup (and I guess to expectations that NSS might
have).  I use a (just for QA) domainname setup via setdomainname(2).

Beyond this guess, next step will have to be building debug versions of the NSS
and NSPR libs and stepping through to find the certificate rejection point.  I
find it handy to keep the code close by, anyway, as it can be quite tricky to
decipher some of the error messages / codes (and to see how tools like certutil
are coded, in general).

cheers.

--
Nathan

Attachment: domain.c
Description: Text Data
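As an added diagnostic, not part of this thread or its domain.c attachment: a small C program that prints the names a collector host reports about itself (hostname, NIS/DNS domainname, resolver canonical name), so the "no domain at all / .localdomain" case guessed at above can be checked directly. It assumes a Linux/glibc host where getdomainname(2) returns "(none)" when nothing has been set; the "localdomain" stand-in and the sample names used in the checks are assumptions.

```c
#define _GNU_SOURCE
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* getdomainname(2) reports "(none)" on Linux when no domain has been set;
 * "localdomain" is the other common stand-in for "no real domain". */
int domain_is_unset(const char *dom)
{
    return dom[0] == '\0' || strcmp(dom, "(none)") == 0
        || strcmp(dom, "localdomain") == 0;
}

/* Join host and domain into the fully qualified name a peer would expect,
 * or just the bare host when there is no usable domain (assumed rule). */
const char *fqdn_of(const char *host, const char *dom)
{
    static char buf[512];
    if (domain_is_unset(dom))
        snprintf(buf, sizeof buf, "%s", host);
    else
        snprintf(buf, sizeof buf, "%s.%s", host, dom);
    return buf;
}

int main(void)
{
    char host[256], dom[256];
    struct addrinfo hints, *res;

    if (gethostname(host, sizeof host) || getdomainname(dom, sizeof dom)) {
        perror("gethostname/getdomainname");
        return 1;
    }
    printf("hostname:   %s\ndomainname: %s\n", host, dom);
    if (domain_is_unset(dom))
        printf("no domain set; the host is only '%s'\n", fqdn_of(host, dom));
    else
        printf("fqdn:       %s\n", fqdn_of(host, dom));
    /* The resolver's canonical name is a third answer worth comparing. */
    memset(&hints, 0, sizeof hints);
    hints.ai_flags = AI_CANONNAME;
    if (getaddrinfo(host, NULL, &hints, &res) == 0) {
        printf("canonical:  %s\n", res->ai_canonname ? res->ai_canonname : "(none)");
        freeaddrinfo(res);
    }
    return 0;
}
```

Run it on both the pmcd host and the client host; if the three names disagree, or the host only ever calls itself by a bare name, that is the mismatch to line up against the certificate before building debug NSS.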
