Task #7709
Story #7605: MemberNodes not authorizing CN to harvest log records
IOE does not trust the CN certificate for log harvesting
100%
Description
Receiving this error from IOE when attempting to harvest logs:
died: org.dataone.service.exceptions.NotAuthorized: Only the CN or admin is allowed to harvest logs from this node
History
#1 Updated by Mark Servilla over 8 years ago
Still receiving this error when using curl from cn-ucsb-1.dataone.org to access log content:
curl -s -E ./urn_node_CNUCSB1.pem -X GET https://data.rcg.montana.edu/catalog/d1/mn/v1/log
<?xml version="1.0" encoding="UTF-8"?>
Only the CN or admin is allowed to harvest logs from this node
#2 Updated by Mark Servilla over 8 years ago
Note to self (and anyone else who cares to know): this is a Metacat deployment - https://data.rcg.montana.edu/catalog/admin
#3 Updated by Chris Jones over 8 years ago
Can we confirm with IOE that Apache is configured correctly to trust the DataONE Production CA cert?
SSLCACertificateFile /etc/ssl/certs/DataONECAChain.crt
and that Apache is verifying client certs:
SSLVerifyClient optional
#4 Updated by Robert Waltz over 8 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
The problem was this:
SSLVerifyClient optional
SSLVerifyDepth 10
The SSLVerifyClient directive was only applied to metacat-metacat replication. Thomas Heetderks removed the Location directives, restarted Apache, and the problem is now solved.
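
An added example, not part of the ticket or of IOE's actual configuration: a small audit that reports which SSLVerifyClient setting applies to a request path, run against a constructed "before" config (directive scoped to a Location block) and a constructed "after" config (directive at server scope). The replication Location path is a placeholder; the log path is the one from the curl test above.

```shell
#!/bin/sh
# Report which SSLVerifyClient setting applies to a request path.
# Simplified model (assumption): one vhost per file, plain <Location>
# prefix blocks only; no <LocationMatch>, <Directory> or Include handling.
verify_scope() {  # usage: verify_scope CONF_FILE URL_PATH
  awk -v req="$2" '
    { sub(/#.*/, "") }                        # drop comments
    tolower($1) == "<location" {              # entering a <Location> block
      loc = $2; sub(/>$/, "", loc); gsub(/"/, "", loc); next
    }
    tolower($1) == "</location>" { loc = ""; next }
    tolower($1) == "sslverifyclient" {
      if (loc == "") srv = tolower($2)        # server/vhost scope
      else if (index(req, loc) == 1) { lv = tolower($2); lp = loc }
    }
    END {
      if (lv != "")       print lv " location:" lp   # Location overrides server
      else if (srv != "") print srv " server"
      else                print "none unset"         # Apache default is none
    }' "$1"
}

tmp=$(mktemp -d)

# Constructed sample: client-cert verification only inside a Location block.
# /catalog/REPLICATION_PLACEHOLDER is a placeholder, not a path from the ticket.
cat > "$tmp/before.conf" <<'EOF'
SSLCACertificateFile /etc/ssl/certs/DataONECAChain.crt
<Location /catalog/REPLICATION_PLACEHOLDER>
    SSLVerifyClient optional
    SSLVerifyDepth 10
</Location>
EOF

# Constructed sample: the same directives at server scope, as in the fix.
cat > "$tmp/after.conf" <<'EOF'
SSLCACertificateFile /etc/ssl/certs/DataONECAChain.crt
SSLVerifyClient optional
SSLVerifyDepth 10
EOF

LOG_PATH=/catalog/d1/mn/v1/log   # path from the curl command in the ticket
echo "before: $(verify_scope "$tmp/before.conf" "$LOG_PATH")"
echo "after:  $(verify_scope "$tmp/after.conf" "$LOG_PATH")"
```

With the "before" config the log path reports `none unset`, so Apache never requests the CN's client certificate for that URL and the application cannot see the CN subject; with the "after" config it reports `optional server`.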