
Common problems

Some common problems when authenticating, together with possible solutions. The causes listed here are the ones we observed; the same problems may have other causes, in which case these solutions may not work.

MacOS curl

Problem

* Trying x.x.x.x...
* TCP_NODELAY set
* Connected to epic3.storage.surfsara.nl (x.x.x.x) port 8007 (#0)
* WARNING: SSL: CURLOPT_SSLKEY is ignored by Secure Transport. The private key must be in the Keychain.
* WARNING: SSL: Certificate type not set, assuming PKCS#12 format.
* SSL: Can't load the certificate "/<path>/<cert>.pem" and its private key: OSStatus -25299
* Closing connection 0
curl: (58) SSL: Can't load the certificate "/<path>/<cert>.pem" and its private key: OSStatus -25299

Possible Solution

The problem is that the default curl on macOS is not built with OpenSSL. Use Homebrew to install a precompiled curl with OpenSSL enabled:

brew install curl-openssl

Note that this does not replace the default macOS curl command; you have to point explicitly to the path of the newly installed version:

$ brew info curl-openssl
curl-openssl: stable 7.69.1 (bottled), HEAD [keg-only]
...
/usr/local/Cellar/curl-openssl/7.69.0_1 (457 files, 3.4MB)
...

Using the provided path:

$ /usr/local/Cellar/curl-openssl/7.69.0_1/bin/curl --version
curl 7.69.0 (x86_64-apple-darwin18.7.0) libcurl/7.69.0 OpenSSL/1.1.1d zlib/1.2.11 brotli/1.0.7 c-ares/1.15.0 libssh2/1.9.0 nghttp2/1.40.0 librtmp/2.3
Release-Date: 2020-03-04
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz Metalink NTLM NTLM_WB SPNEGO SSL TLS-SRP UnixSockets

Add it to your path to use the new version by default:

export PATH="/usr/local/Cellar/curl-openssl/7.69.0_1/bin:$PATH"

HTTP 401

Problem

  • The handle server returns a JSON object that looks like this: {"responseCode":402,"handle":"myprefix/123456"}
  • Handle Server responseCode 402 (Authentication needed)
  • HTTP status code 401 (Unauthorized)

Possible solution 1

This error occurs if the username does not have admin permissions yet. Make sure the username is referred to in an HS_ADMIN or HS_VLIST entry that has admin permissions.

Possible solution 2

This error also occurs if the username was not given permissions for this specific handle in its HS_ADMIN entry. A user can only modify handles whose HS_ADMIN entry (or one of its HS_ADMIN entries) gives that user write permissions, either directly or by pointing to an HS_VLIST that has admin permissions and contains the username.

Handshake Failure

Problem

SSL routines:SSL3_READ_BYTES:ssl handshake failure

Possible Solution 1

This error can occur if the private key was encrypted. Please try with an unencrypted private key.

Possible Solution 2

Make sure that OpenSSL version 1.0.1 or higher is used. OpenSSL 0.98 gives handshake errors.

SSL Error

Problem

requests.exceptions.SSLError: [SSL] PEM lib (_ssl.c:2525)

Possible Solution

This error occurs if the private key was not provided, for example when a single file was passed instead of two and that file did not contain the private key. For this reason, we only recommend and describe passing the certificate and private key in two separate files.
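
The two key-file causes above (an encrypted private key under "Handshake Failure", a missing private key under this "SSL Error") can be checked before connecting by looking at the PEM armor lines. This is an added example, not code from the handle library; the function names and the sample PEM strings are constructed for illustration.

```python
import re

# PEM armor line, e.g. "-----BEGIN RSA PRIVATE KEY-----"
PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")
KEY_KINDS = {"plain_key", "encrypted_key"}

def pem_contents(text):
    """Return the kinds of PEM objects found in text."""
    found = set()
    for match in PEM_BEGIN.finditer(text):
        label = match.group(1)
        if label == "CERTIFICATE":
            found.add("certificate")
        elif label == "ENCRYPTED PRIVATE KEY":  # PKCS#8, always encrypted
            found.add("encrypted_key")
        elif label.endswith("PRIVATE KEY"):
            # Traditional RSA/EC keys flag encryption in a header line.
            body = text[match.end():].split("-----END", 1)[0]
            encrypted = "Proc-Type: 4,ENCRYPTED" in body
            found.add("encrypted_key" if encrypted else "plain_key")
    return found

def preflight(cert_text, key_text):
    """List the problems from this page that the two files would trigger."""
    cert, key = pem_contents(cert_text), pem_contents(key_text)
    problems = []
    if "certificate" not in cert:
        problems.append("certificate file contains no certificate")
    if not key & KEY_KINDS:
        problems.append("key file contains no private key (PEM lib error)")
    if "encrypted_key" in key:
        problems.append("private key is encrypted (handshake failure)")
    return problems

# Constructed samples: real armor lines, placeholder bodies.
CERT = "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
PLAIN_KEY = "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n"
ENC_PKCS8 = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF...\n"
             "-----END ENCRYPTED PRIVATE KEY-----\n")
ENC_TRAD = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
            "DEK-Info: AES-256-CBC,00\n\nAAAA...\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, key in [("plain", PLAIN_KEY), ("pkcs8-enc", ENC_PKCS8),
                      ("trad-enc", ENC_TRAD), ("cert-as-key", CERT)]:
        print(name, preflight(CERT, key) or "ok")
```

To check real files, read the certificate and key files as text and pass their contents to preflight().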

SSL Error

Problem

SSLError: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Possible Solution

This error occurs if the handle server's certificate cannot be verified on the client side. By default, the library verifies the certificate, normally against a certificate from a certificate authority (CA). The credentials file accepts an optional parameter HTTPS_verify to change this behaviour. The problem can be solved in several ways:

  • By adding the correct CA certificate to the bundle on the system.
  • By setting a path to the correct CA certificate as follows: "HTTPS_verify": "/path_to_ca_certificate/ca_certificate".
  • By disabling the checking of the certificate: "HTTPS_verify": "False".

The last option is the least desirable, because the client then no longer verifies the identity of the server. The required CA file is included:

GEANT_OV_RSA_CA_4.pem

This file contains a chain of three CAs (three CA certificates in the following order):

  • subject= /C=NL/O=GEANT Vereniging/CN=GEANT OV RSA CA 4
  • subject= /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
  • subject= /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services