Infrastructure

To test the SSL connection, I used:

sudo curl -v -o - -capath /etc/ssl/certs \
--cert /etc/dataone/client/certs/cn-unm-1.dataone.org.pem \
--key /etc/dataone/client/private/cn-unm-1.dataone.org.key \
"https://cn-ucsb-1.dataone.org/knb/servlet/replication?server=cn-unm-1.dataone.org/knb/servlet/replication&action=test"

which gives a successful SSL response of 200:

< HTTP/1.1 200 OK
< Date: Wed, 13 Mar 2013 23:14:36 GMT
< Server: Apache/2.2.14 (Ubuntu)
< Content-Length: 45
< Vary: Accept-Encoding
< Content-Type: text/html
<
Test successfully

This also works using:

openssl s_client \
-connect cn-ucsb-1.dataone.org:443 \
-showcerts -CApath /etc/ssl/certs \
-cert /etc/dataone/client/certs/cn-unm-1.dataone.org.pem \
-key /etc/dataone/client/private/cn-unm-1.dataone.org.key

I'm now looking at the java cacerts angle at this point.

ALthough I haven't directly connected via Java SSL, the cacerts file contains both the D1 Root and Production CA certificates, and we are configured to use the correct cacerts file. The cert and key properties in metacat.properties are set correctly, pointing to the FQDN-based certs in /etc/dataone/client/{certs|private} on all three CNs. I'll connect via Java SSL directly now, but am also seeing the following error in th replication.log file:

knb 2013-03-02T04:10:32: [ERROR]: ReplicationService.handleGetLockRequest - error requesting file lock from MetacatReplication.handleGetLockRequest: the requested docid 'OBJECT_FORMAT_LIST' does not exist

I'm not sure why the docid isn't 'OBJECT_FORMAT_LIST.1', and will also look into this next.