National Center for Supercomputing Applications MyProxy Credential Management Service University of Illinois at Urbana-Champaign

When troubleshooting a MyProxy problem, it is important to consult the myproxy-server logs. If you don't have access to the myproxy-server logs, please contact your myproxy-server administrator for help. The myproxy-server logs to the system logger (syslog) LOG_DAEMON facility. Alternatively, run

myproxy-server -d

from a terminal. In that mode, the myproxy-server will write debugging messages to the terminal and exit after servicing a single request.

Also, all the MyProxy client commands provide verbose output when run with the -v option. This output can be helpful when debugging. Please include verbose/debug output from the MyProxy clients and server in bug reports or posts to the myproxy-user@globus.org list.

The most common cause of MyProxy authentication problems is incorrect system clocks. GSI authentication is very sensitive to clock skew. Make sure your system clock is accurate (for example, by running an ntpd) and your timezone is set correctly.

To debug GSI authentication problems, run

grid-proxy-init -debug -verify

from the terminal where you run the MyProxy clients, and run

grid-proxy-init -debug -verify \
  -cert /etc/grid-security/hostcert.pem \
  -key /etc/grid-security/hostkey.pem

as root on the myproxy-server machine (assuming you run the myproxy-server as root).

Visit the support page for info on mailing lists and issue reporting.

The following common problems are documented below:

  1. MyProxy server name does not match expected name.
  2. Error in bind(): Address already in use
  3. grid-proxy-init failed
  4. User not authorized
  5. Unable to verify remote side's credentials
  6. Certificate will expire within the requested lifetime of the proxy

  1. MyProxy server name does not match expected name.

    This error appears as a mutual authentication failure or a server authentication failure, and the error message should list two names: the expected name of the MyProxy server and the actual authenticated name. By default, the MyProxy clients expect the MyProxy server to be running with a host certificate that matches the target hostname. This error can occur when running the MyProxy server under a non-host certificate or if the server is running on a machine with multiple hostnames. The MyProxy clients authenticate the identity of the MyProxy server to avoid sending passphrases and credentials to rogue servers.

    If the expected name contains an IP address, your system is unable to do a reverse lookup on that address to get the canonical hostname of the server, indicating either a problem with that machine's DNS record or a problem with the resolver on your system.

    If the server name shown in the error message is acceptable, set the MYPROXY_SERVER_DN environment variable to that name to resolve the problem.

  2. Error in bind(): Address already in use

    This error indicates that the myproxy-server port (default: 7512) is in use by another process, probably another myproxy-server instance. You cannot run multiple instances of the myproxy-server on the same network port. If you want to run multiple instances of the myproxy-server on a machine, you can specify different ports with the -p option, and then give the same -p option to the MyProxy commands to tell them to use the myproxy-server on that port.

  3. grid-proxy-init failed

    This error indicates that the grid-proxy-init command failed when myproxy-init attempted to run it, which implies a problem with the underlying Globus installation. Run

    grid-proxy-init -debug -verify

    for more information.

  4. User not authorized

    An error from the myproxy-server saying you are "not authorized" to complete an operation typically indicates that the myproxy-server.config file settings are restricting your access to the myproxy-server. It is possible that the myproxy-server is running with the default myproxy-server.config file, which does not authorize any operations. See the "Configuring the MyProxy Server Installation" section of the Administrator's Guide for more information.

  5. Unable to verify remote side's credentials

    An error saying "Unable to verify remote side's credentials," "Couldn't verify the remote certificate," or "alert bad certificate" often indicates that the client or server's certificate is signed by an untrusted Certification Authority (CA). The client must have a CA certificate and signing policy file installed in /etc/grid-security/certificates for the CA that signed the server's certificate. Likewise, the server must have a CA certificate and signing policy file installed in /etc/grid-security/certificates for the CA that signed the client's certificate.

  6. Certificate will expire within the requested lifetime of the proxy

    myproxy-init may report that grid-proxy-init failed because of the following "warning":

    Warning: your certificate and proxy will expire
    which is within the requested lifetime of the proxy
    grid-proxy-init failed

    Unfortunately, grid-proxy-init may exit with an error status on this "warning" (see Bug 4505). In this case, simply re-run myproxy-init with the -c 0 command-line option to request a proxy valid for the maximum available lifetime of your certificate.
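
For problem 5, the check below (an added example, not part of the MyProxy distribution) looks in /etc/grid-security/certificates for the CA certificate and signing policy file of the CA that issued a given certificate. It assumes the usual hash-named layout of that directory (<hash>.0 and <hash>.signing_policy) and an openssl binary on the PATH; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not MyProxy code). Assumes the usual GSI trust-directory
# layout: <hash>.0 is the CA certificate, <hash>.signing_policy its policy.
CERT_DIR_DEFAULT=/etc/grid-security/certificates

# Print candidate issuer hashes for a PEM certificate, one per line.
# OpenSSL 1.0 changed the hash algorithm, so both forms are tried; which
# one the directory uses depends on the OpenSSL the grid software links to.
issuer_hashes() {
    openssl x509 -noout -issuer_hash -in "$1" 2>/dev/null
    openssl x509 -noout -issuer_hash_old -in "$1" 2>/dev/null
}

# check_ca_files HASH [DIR]
# 0 = certificate and policy present, 1 = CA certificate missing,
# 2 = certificate present but signing policy missing.
check_ca_files() {
    ca_hash=$1
    ca_dir=${2:-$CERT_DIR_DEFAULT}
    [ -s "$ca_dir/$ca_hash.0" ] || return 1
    [ -s "$ca_dir/$ca_hash.signing_policy" ] || return 2
    return 0
}

# check_issuer_trusted CERT [DIR]
# Reports whether the CA that signed CERT is installed in DIR.
check_issuer_trusted() {
    cert=$1
    trust_dir=${2:-$CERT_DIR_DEFAULT}
    rc=1
    for h in $(issuer_hashes "$cert" | sort -u); do
        check_ca_files "$h" "$trust_dir" && st=0 || st=$?
        case $st in
            0) echo "ok: $h.0 and $h.signing_policy found in $trust_dir"
               return 0 ;;
            2) echo "missing: $trust_dir/$h.signing_policy"; rc=2 ;;
        esac
    done
    [ "$rc" -eq 1 ] && echo "missing: no CA certificate for the issuer of $cert in $trust_dir"
    return "$rc"
}

# Run the check when given arguments, e.g. a copy of the peer's certificate.
if [ "$#" -gt 0 ]; then
    check_issuer_trusted "$@"
fi
```

Run it on the client with a copy of the server's certificate and on the server with a copy of the client's certificate, since each side needs the other's CA installed.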

Last modified 11/24/14.
©2000-2016 Board of Trustees of the University of Illinois.