Support #3573
Updated by Robert Waltz over 11 years ago
When attempting to retrieve log records on Ornithology Avian Knowledge Network MN from cn-unm-1.dataone.org, I receive the following response:
<error detailCode="1460" errorCode="401" name="NotAuthorized">
<description>Only the CN or admin is allowed to harvest logs from this node</description>
</error>
The initial problem is documented above. I have since attempted
curl --trace curl.out --cert /etc/dataone/client/private/urn_node_CNUCSB1.pem --capath /home/waltz/cloakn "https://dataone.ornith.cornell.edu/knb/d1/mn/v1/log?count=10"
>curl: (35) error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
waltz@cn-ucsb-1:~$ sudo openssl s_client -connect dataone.ornith.cornell.edu:443 -cert /etc/dataone/client/private/urn_node_CNUCSB1.pem -CApath /home/waltz/cloakn -showcerts -state -verify 3
(note that the openssl command is passing a client certificate)
verify depth is 3
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=3 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
verify return:1
depth=2 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify return:1
depth=1 /C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
verify return:1
depth=0 /C=US/postalCode=14853/ST=NY/L=Ithaca/streetAddress=no street/O=Cornell University/OU=Lab of Ornithology/CN=dataone.ornith.cornell.edu
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:unknown CA
SSL_connect:failed in SSLv3 read finished A
14203:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1099:SSL alert number 48
14203:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
Below is what I can gather is the certificate chain:
-----------------------------------------------------
1) openssl s_client -CApath /home/waltz/cloakn -verify 3 -msg -debug -connect dataone.ornith.cornell.edu:443
(note that the openssl command is not passing a client certificate)
...
depth=3 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
verify return:1
depth=2 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify return:1
depth=1 /C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
verify return:1
depth=0 /C=US/postalCode=14853/ST=NY/L=Ithaca/streetAddress=no street/O=Cornell University/OU=Lab of Ornithology/CN=dataone.ornith.cornell.edu
...
Verify return code: 0 (ok)
2) The certificate chain:
From CLOAKN Server Certificate PEM
Subject: C=US/postalCode=14853, ST=NY, L=Ithaca/streetAddress=no street, O=Cornell University, OU=Lab of Ornithology, CN=dataone.ornith.cornell.edu
Issuer: C=US, O=Internet2, OU=InCommon, CN=InCommon Server CA
X509v3 Authority Key Identifier:
keyid:48:4F:5A:FA:2F:4A:9A:5E:E0:50:F3:6B:7B:55:A5:DE:F5:BE:34:5D
From InCommon Server Certificate Authority PEM
Subject: C=US, O=Internet2, OU=InCommon, CN=InCommon Server CA
Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
X509v3 Authority Key Identifier:
keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
X509v3 Subject Key Identifier:
48:4F:5A:FA:2F:4A:9A:5E:E0:50:F3:6B:7B:55:A5:DE:F5:BE:34:5D
From AddTrust External CA Root PEM
Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
Issuer: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN - DATACorp SGC
X509v3 Authority Key Identifier:
keyid:53:32:D1:B3:CF:7F:FA:E0:F1:A0:5D:85:4E:92:D2:9E:45:1D:B4:4F
X509v3 Subject Key Identifier:
AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
From The USERTRUST Network PEM
Subject: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN - DATACorp SGC
Issuer: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN - DATACorp SGC
X509v3 Subject Key Identifier:
53:32:D1:B3:CF:7F:FA:E0:F1:A0:5D:85:4E:92:D2:9E:45:1D:B4:4F
-----------------------------------------------------
The certificates are attached in the zipfile cloakn.tar.gz; tar xvfz cloakn.tar.gz should provide the cloakn directory I have been using to test with.
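Added worked example (editor's addition; this is not code from the issue, from DataONE or from the Metacat/CN software): two small diagnostics for exactly the situation traced above. The first reads an `openssl s_client -state` trace and decides who sent the fatal alert: `SSL3 alert read:` means s_client received it, so the server aborted, and since it arrives after `write client certificate` and after every `verify return:1`, the server is rejecting the issuer of the client certificate, not the client rejecting the server chain (which the separate run with `-verify 3` already confirmed with `Verify return code: 0`). The second does the Subject/Issuer and AKI/SKI cross-check the post does by hand. The trace and the chain entries are constructed from the text above (subjects abbreviated to their CN; the keyid values are the ones listed in the post).

```python
import re

# Constructed sample: the handshake-state lines from the trace in the issue,
# with the depth=N lines abridged.
TRACE = """\
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /C=US/O=Cornell University/CN=dataone.ornith.cornell.edu
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL3 alert read:fatal:unknown CA
SSL_connect:failed in SSLv3 read finished A
"""

ALERT_RE = re.compile(r"^SSL3 alert (read|write):fatal:(.+)$")


def classify_alert(trace):
    """Say which side sent the fatal alert and what that implies.

    'read' = s_client received the alert (the server sent it);
    'write' = s_client itself aborted. Note that the 'write client
    certificate' state also appears when an empty Certificate message is
    sent, so only trust the client-cert branch when -cert was passed.
    """
    info = {"alert": None, "sent_by": None, "cert_requested": False,
            "client_cert_sent": False, "local_verify_error": False,
            "diagnosis": "no fatal alert seen"}
    for line in trace.splitlines():
        line = line.strip()
        if line.startswith("verify error"):
            info["local_verify_error"] = True
        elif "read server certificate request" in line:
            info["cert_requested"] = True
        elif "write client certificate" in line:
            info["client_cert_sent"] = True
        m = ALERT_RE.match(line)
        if m:
            direction, desc = m.groups()
            info["alert"] = desc
            info["sent_by"] = "server" if direction == "read" else "client"
            break
    if info["alert"] is None:
        return info
    if info["sent_by"] == "client" or info["local_verify_error"]:
        info["diagnosis"] = ("client rejected the server chain: fix the "
                             "-CApath/-CAfile given to the client")
    elif info["client_cert_sent"] and info["alert"].lower() == "unknown ca":
        info["diagnosis"] = ("server rejected the client certificate's issuer: "
                             "the server's trust store lacks the client CA; "
                             "the client-side CA path is not the problem")
    else:
        info["diagnosis"] = "server aborted: %s" % info["alert"]
    return info


# Constructed from the chain listed in the issue, leaf first.
CHAIN = [
    {"subject": "CN=dataone.ornith.cornell.edu", "issuer": "CN=InCommon Server CA",
     "ski": None,
     "aki": "48:4F:5A:FA:2F:4A:9A:5E:E0:50:F3:6B:7B:55:A5:DE:F5:BE:34:5D"},
    {"subject": "CN=InCommon Server CA", "issuer": "CN=AddTrust External CA Root",
     "ski": "48:4F:5A:FA:2F:4A:9A:5E:E0:50:F3:6B:7B:55:A5:DE:F5:BE:34:5D",
     "aki": "AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A"},
    {"subject": "CN=AddTrust External CA Root", "issuer": "CN=UTN - DATACorp SGC",
     "ski": "AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A",
     "aki": "53:32:D1:B3:CF:7F:FA:E0:F1:A0:5D:85:4E:92:D2:9E:45:1D:B4:4F"},
    {"subject": "CN=UTN - DATACorp SGC", "issuer": "CN=UTN - DATACorp SGC",
     "ski": "53:32:D1:B3:CF:7F:FA:E0:F1:A0:5D:85:4E:92:D2:9E:45:1D:B4:4F",
     "aki": None},
]


def check_chain(chain):
    """Walk leaf -> root and return [(subject, problem-or-None), ...].

    Each cert's Issuer must equal the next cert's Subject and its AKI keyid
    must equal the next cert's SKI; the last cert must be self-signed.
    """
    report = []
    for i, cert in enumerate(chain):
        problems = []
        parent = chain[i + 1] if i + 1 < len(chain) else cert
        if cert["issuer"] != parent["subject"]:
            problems.append("issuer %r != %r" % (cert["issuer"], parent["subject"]))
        if cert["aki"] and parent["ski"] and cert["aki"] != parent["ski"]:
            problems.append("AKI keyid does not match SKI of %r" % parent["subject"])
        if parent is cert and cert["issuer"] != cert["subject"]:
            problems.append("chain does not end in a self-signed root")
        report.append((cert["subject"], "; ".join(problems) or None))
    return report


if __name__ == "__main__":
    print(classify_alert(TRACE)["diagnosis"])
    for subject, problem in check_chain(CHAIN):
        print("%-32s %s" % (subject, problem or "ok"))
```

Run against the real thing with `openssl s_client -state ... 2>&1 | python3 diag.py` after swapping `TRACE` for `sys.stdin.read()`; for the server side, the "Acceptable client certificate CA names" list that s_client prints after the CertificateRequest is the authoritative statement of which client CAs the MN will accept.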