Hi all,
We failed a SAM test in our creamCE:
Cannot move ISB (${globus_transfer_cmd} gsiftp://wms206.cern.ch:2811/v [...]
https://lcg-sam.cern.ch:8443/sam/sam.py?funct=TestResult&nodename=ce08.pic.es&vo=ops&testname=CREAMCE-sft-job&testtimestamp=1266586515
So we forced new one from SAM admin page.
Now we have a critical in ca test, and the error shown is something
like:
---------------------------------------------------------------------
Installed CA RPMs version
Checking the list of all CAs
Configuration Details :
X509_CERT_DIR is : /etc/grid-security/certificates
Configuration timestamp : Thu, 29 Oct 2009 09:41:11 +0000
Allowed delay for update : 8 day(s), 0 hour(s), 0 min
Delay of warning : 1 day(s), 0 hour(s), 0 min
Test Results :
No time is left for sites to upgrade. Any of the following will throw a critical error :
- CA is missing.
- CA has dissapeared from the lates release but certificate is still on the site.
ca_NIIF : OK - CA is newer than what's in the datafile : 1.33
ca_IUCC : OK - CA is newer than what's in the datafile : 1.33
ca_PolishGrid : OK - CA is newer than what's in the datafile : 1.33
ca_SDG : OK - CA is newer than what's in the datafile : 1.33
ca_CNRS-Projets : ERROR !
Could not find any valid CA file.
CA file that was checked : /etc/grid-security/certificates/34a509c3.0
CA version it is found in : 1.32
[...]
--------------------------------------------------------------------
https://lcg-sam.cern.ch:8443/sam/sam.py?funct=TestResult&nodename=ce08.pic.es&vo=ops&testname=CREAMCE-sft-caver&testtimestamp=1266592501
*Notice the timestamps (29 Oct 2009).
WMS used were glite-rb-01.cnaf.infn.it and wms208.cern.ch
lcg-CE and creamCE share WNs. lcg-CE CA test show OK as we have
upgraded lcg-CA in all our WNs.
Appart from that, regular creamCE SAM test show a warning in ca, too:
Installed CA RPMs version
Checking the list of all CAs
Configuration Details :
X509_CERT_DIR is : /etc/grid-security/certificates
Configuration timestamp : Tue, 16 Feb 2010 14:27:03 +0000
Allowed delay for update : 8 day(s), 0 hour(s), 0 min
Delay of warning : 1 day(s), 0 hour(s), 0 min
Test Results :
Remaining time for sites to upgrade is : 5 day(s), 3 hour(s), 53 min
ca_NIIF : WARNING !
It seems you have an old version of CA ca_NIIF installed.
Highest detected is : 1.33
Latest known version : 1.34
File was : /etc/grid-security/certificates/cc800af0.0
ca_IUCC : WARNING !
It seems you have an old version of CA ca_IUCC installed.
Highest detected is : 1.33
Latest known version : 1.34
[...]
https://lcg-sam.cern.ch:8443/sam/sam.py?funct=TestResult&nodename=ce08.pic.es&vo=ops&testname=CREAMCE-sft-caver&testtimestamp=1266575645
Latest Known version is 1.34?
lcg-CA version and dates in hosts:
creamCE:
$ ssh root@ce08 "rpm -qa|grep lcg-CA"
Scientific Linux CERN SLC release 4.8 (Beryllium)
lcg-CA-1.33-1
Fri Feb 19 17:15:55 CET 2010
lcg-CE:
$ ssh root@ce05 "rpm -qa|grep lcg-CA"
Scientific Linux CERN SLC release 4.8 (Beryllium)
lcg-CA-1.33-1
Fri Feb 19 17:16:05 CET 2010
one of our WNs:
$ ssh root@td155 "rpm -qa|grep lcg-CA"
lcg-CA-1.33-1.noarch
Fri Feb 19 17:16:13 CET 2010
*This mess in CA could be causing ISB error
So, I have a couple of questions here. Where does the wrong timestamp
comes from?
What does the "latest known version 1.34" mean? Isn't 1.33 latest
version? why do we have a copule of days for upgrading? (see below).
Why creamCE is failing/warning and lcg-CE not?
Oh, we have passed last SAM test fine:
Configuration Details :
X509_CERT_DIR is : /etc/grid-security/certificates
Configuration timestamp : Fri, 19 Feb 2010 11:02:45 +0000
Allowed delay for update : 10 day(s), 0 hour(s), 0 min
Delay of warning : 3 day(s), 0 hour(s), 0 min
Test Results :
Remaining time for sites to upgrade is : 9 day(s), 18 hour(s), 47 min
ca_NIIF : NOTIFICATION !
2 days, 18 hours, 47 min delay left before warning for the site will be switched on!
It seems you have an old version of CA ca_NIIF installed.
Highest detected is : 1.33
Latest known version : 1.34
File was : /etc/grid-security/certificates/cc800af0.0
from lcg-CA update announcment:
http://grid-deployment.web.cern.ch/grid-deployment/lcg2CAlist.html
LCG-2 CAs
The current tag of the CA rpm list is LCG_CA-1.33 (based on IGTF 1.33) valid since 15.02.2009.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
is it an errata?
Cheers,
Arnau
|