1579378 : Alex Thielen desy proxy issue¶
Created: 2026-02-24T16:37:31Z - current status: open¶
Here is the anonymized and summarized version of the reported issue:
Summary of the Issue¶
A user is experiencing difficulties generating a VOMS proxy using the command:
voms-proxy-init --rfc --voms cms -valid 192:00
Despite confirming that their grid certificate is up-to-date and even replacing it, the command fails (exact error not provided, but likely related to authentication or AFS/Kerberos token issues).
Possible Causes & Solution¶
- Missing Kerberos Ticket or AFS Token
- The issue may stem from an expired or missing Kerberos (KRB) ticket or AFS token, which are required for authentication in the DESY environment.
- Check and renew credentials:
bash klist # Check Kerberos ticket kinit # Renew Kerberos ticket (enter password when prompted) tokens # Check AFS token aklog # Renew AFS token -
If the ticket/token is missing or expired, renewing it may resolve the proxy generation issue.
-
Certificate Permissions or Path Issues
- Ensure the grid certificate (
usercert.pemanduserkey.pem) is in the correct location (~/.globus/) and has the right permissions (e.g.,chmod 600 ~/.globus/userkey.pem). -
Verify the certificate is valid using:
bash openssl x509 -in ~/.globus/usercert.pem -noout -dates -
VOMS Server Unreachable
- The VOMS server for the CMS VO might be temporarily unavailable. Test connectivity with:
bash voms-proxy-init --debug --rfc --voms cms -
If the server is unreachable, retry later or check CMS VOMS status.
-
AFS Path Symlink Issues (if applicable)
- If the error involves AFS paths (e.g.,
/afs/desy.de/user/a/athielen), try running the command from a non-symlinked directory (e.g.,/tmp) or use the--no-homeflag if working with containers.
Next Steps¶
- Renew Kerberos/AFS credentials and retry the
voms-proxy-initcommand. - Check certificate permissions and validity.
- If the issue persists, provide the exact error message for further debugging.