netcdf-c icon indicating copy to clipboard operation
netcdf-c copied to clipboard
verified publisher icon Unidata

cdump on protected esgf files

Open doutriaux1 opened this issue 10 years ago • 9 comments

we are trying to update or .dodsrc to reflect the new format, but we are unable to get it working.

first the .dodsrc

USE_CACHE=0
HTTP.VERBOSE=0
HTTP.COOKIEJAR=/export/ames4/.esg/.dods_cookies
HTTP.SSL.VALIDATE=0
HTTP.SSL.CERTIFICATE=/export/ames4/.esg/credentials.pem
HTTP.SSL.KEY=/export/ames4/.esg/credentials.pem
HTTP.SSL.CAPATH=/export/ames4/.esg/certificates

now the ncdump command

ncdump -h  http://aims3.llnl.gov/thredds/dodsC/cmip5_css02_data/cmip5/output2/INM/inmcm4/1pctCO2/mon/land/Lmon/r1i1p1/cProduct/1/cProduct_Lmon_inmcm4_1pctCO2_r1i1p1_209001-222912.nc

error is:

CURL Error: SSL connect error
curl error details: 
ncdump: http://aims3.llnl.gov/thredds/dodsC/cmip5_css02_data/cmip5/output2/INM/inmcm4/1pctCO2/mon/land/Lmon/r1i1p1/cProduct/1/cProduct_Lmon_inmcm4_1pctCO2_r1i1p1_209001-222912.nc: NetCDF: I/O failure

@sashakames says that if you register on pcmdi9 and ask for CMIP5 group you should be able to reproduce this.

@dnadeau4 feel free to take a look if you want

@DennisHeimbigner I think this one is probably for you, any hint appreciated

doutriaux1 avatar Oct 22 '15 21:10 doutriaux1

You also need to fetch your client side cert from esgf. The easiest way to do this is to generate and run a wget script (but stop it once you start downloading). Myproxy password is your esgf openid password.

You need to agree to the CMIP5 licence agreement. There is a link on pcmdi9.llnl.gov to do this.

sashakames avatar Oct 22 '15 22:10 sashakames

At some point, the curl library appears to have changed how it handles some kinds of authorization. I have been slowly working to fix these as people report them. I will move this up the stack since you are in a position to help me fix it.

DennisHeimbigner avatar Oct 22 '15 22:10 DennisHeimbigner

@dmh is this something we should target for the 4.4.0 release or should I tag it 'future' ?

WardF avatar Oct 23 '15 18:10 WardF

Let me see if we can fix it fast.

DennisHeimbigner avatar Oct 23 '15 20:10 DennisHeimbigner

My immediate guess is that you are not using .netrc, which apparently is now required by libcurl. Have you seen the attached document? auth.txt

DennisHeimbigner avatar Oct 23 '15 20:10 DennisHeimbigner

Let me try this!

dnadeau4 avatar Oct 23 '15 21:10 dnadeau4

So it turns out that we were using a very old version of libcurl.

RedHat 6.7 has libcurl-7.19.7-46.el6.i686 which does not have the same SSL connection especially the TLS connection. Ubuntu is using libcurl-7.38

From Redhat 6.7:

  • NSS: client certificate from file
  •   subject: CN=https://pcmdi9.llnl.gov/esgf-idp/openid/nadeau1,OU=ESGF.ORG,O=ESGF

  •   start date: Oct 23 21:59:05 2015 GMT

  •   expire date: Oct 26 22:04:05 2015 GMT

  •   common name: https://pcmdi9.llnl.gov/esgf-idp/openid/nadeau1

  •   issuer: CN=pcmdi9.llnl.gov-CA,OU=ESGF.ORG,O=ESGF
  • NSS error -12195

When running using Ubuntu, we got the right answer from ncdump.

  • SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
  • Server certificate:
  • subject: O=ESGF; OU=ESGF.ORG; CN=aims3.llnl.gov
  • start date: 2015-09-09 22:04:12 GMT
  • expire date: 2016-09-08 22:04:12 GMT
  • issuer: O=ESGF; OU=ESGF.ORG; OU=simpleca.nsc.liu.se; CN=NSC Simple CA
  • SSL certificate verify ok.
  • Server auth using Basic with user ''

Denis

dnadeau4 avatar Oct 23 '15 23:10 dnadeau4

@sashakames that might be something you need to bring up with esgf. @DennisHeimbigner I'll investigate some more, but is your wild guess is that there is no way to make this work again with older curl?

doutriaux1 avatar Oct 26 '15 05:10 doutriaux1

I think this issue can be closed.

captainkirk99 avatar Dec 06 '25 16:12 captainkirk99