Skip to content

VOMS plugin fails with some user certificate

Created by: Pansanel

Hi,

I have a strange issue. Some user in the fedcloud.egi.eu cannot access my OpenStack infrastructure: https://ggus.eu/?mode=ticket_info&ticket_id=123581

I can reproduced the issue with my own certificate. Here is an output of the keystone logfile:

2016-08-25 21:28:45.397 18738 INFO keystone.middleware.core [req-560ec548-d3a2-41f9-a80f-7eb5b74aa54a - - - - -] No trusted_issuer
2016-08-25 21:28:45.398 18738 DEBUG keystone.middleware.core [req-560ec548-d3a2-41f9-a80f-7eb5b74aa54a - - - - -] There is either no auth token in the request or the certificate issuer is not trusted. No auth co
ntext will be set. process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:311
2016-08-25 21:28:45.432 18738 ERROR keystone.common.wsgi [req-560ec548-d3a2-41f9-a80f-7eb5b74aa54a - - - - -] Cannot verify certificate with DN '<X509Name object '/O=GRID-FR/C=FR/O=CNRS/OU=IPHC/CN=Jerome Pansanel'>': [2, 2, 'unable to get issuer certificate']
2016-08-25 21:28:45.432 18738 ERROR keystone.common.wsgi Traceback (most recent call last):
2016-08-25 21:28:45.432 18738 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 452, in __call__
2016-08-25 21:28:45.432 18738 ERROR keystone.common.wsgi     response = self.process_request(request)
2016-08-25 21:28:45.432 18738 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone_voms/core.py", line 264, in process_request
2016-08-25 21:28:45.432 18738 ERROR keystone.common.wsgi     return self._process_request(request)
2016-08-25 21:28:45.432 18738 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone_voms/core.py", line 252, in _process_request
2016-08-25 21:28:45.432 18738 ERROR keystone.common.wsgi     ca_path=CONF.voms.ca_path)
2016-08-25 21:28:45.432 18738 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone_voms/voms.py", line 68, in __init__
2016-08-25 21:28:45.432 18738 ERROR keystone.common.wsgi     self._verify()
2016-08-25 21:28:45.432 18738 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone_voms/voms.py", line 137, in _verify
2016-08-25 21:28:45.432 18738 ERROR keystone.common.wsgi     reason=e)
2016-08-25 21:28:45.432 18738 ERROR keystone.common.wsgi VerifyCertificateError: Cannot verify certificate with DN '<X509Name object '/O=GRID-FR/C=FR/O=CNRS/OU=IPHC/CN=Jerome Pansanel'>': [2, 2, 'unable to get issuer certificate']
2016-08-25 21:28:45.432 18738 ERROR keystone.common.wsgi

This happen since the upgrade to the last version of keystone-voms (stable/liberty)