Hello,
I have made this link on the CRL web server:
ln -s 13eab55e.r0 datagrid-es-crl.pem
so now the new CRL will be provided by both URLs.
Could you check if it has solved the problem?
Anyway, I think the old CA should be removed to avoid problems.
I do not understand well why this problem has affected only
the Spanish CRL and not all the CAs (I mean, I think the
old Spanish CA and the new one should be considered by the script
to be as different as any two other CAs, shouldn't they?). I am having a look
at the scripts now...
Rafa
----- Original Message -----
From: Roberto SANTINELLI
Date: Monday, February 7, 2005 11:26 am
Subject: [LCG-ROLLOUT] Wrong Spanish CAs
> Hi,
> LHCb is experiencing a lot of failures due to an authentication
> problem with many LCG resources.
>
> Once the problem did appear also at CERN we had a look in more detail and
> we discovered that the following RPM is installed:
>
> ca_Spain-old-0.25-1
>
> which includes a certificate with a revocation URL:
>
> http://grid.ifca.unican.es/ca/datagrid-es/datagrid-es-crl.pem
>
> The CRL at that address actually corresponds to an out of date CRL for the
> _new_ CA, as found in the newer RPM:
>
> ca_Spain-0.25-1
> or ca_Spain-0.26-1
>
> The result was that the out of date CRL, from the URL contained in the old
> CA, was overwriting the newer one.
>
> To fix this we can either have the older CA removed from all the CEs, or
> (quicker in my opinion) ask the Spanish CA managers to remove the out of
> date CRL from the above URL.
>
> I think that many sites should check this problem just by doing a
> simple rpm -qa | grep Spain and verify if there is more than one rpm!
>
>
>
>
> R.
>
>
> --
> EUROPEAN LABORATORY FOR PARTICLE PHYSICS -- CERN
> Roberto Santinelli
> IT/GD Division
> Building: 28 Office: R-019
> Phone: +41 22 767 1925
> Fax: +41 22 767 4900
>