Hi Frederic, Hi Judit,
Thanks for your suggestions, but... unfortunately it still does not work...
Some facts:
I'm using two web browsers: KDE Konqueror and Mozilla Firefox.
In both of them I've just reloaded my client certificate and Polish CA
certificate - it did not help anyway...
Both certificates are proper and valid - I've checked this twice :)
I used those certificates in both web browsers before the problems with polish
CA CRL list - and it worked until now.
Could anyone help me with this problem....?
My suggestions:
When I'm using Mozilla Firefox there is a message (maybe Firefox is just more
verbose in this issue then Konqueror which just stays silent):
"You have attempted to establish a connection with "lcg-sft.cern.ch". However,
the security certificate presented belongs to "host/lxb2089.cern.ch". It is
possible, though unlikely, that someone may be trying to intercept your
communication with this web site."
As I remember, few days ago Piotr Nyczyk (main developer of SFT-2) sent a post
about unified SFT-2 results host address "lcg-sft.cern.ch:9443". He also
mentioned that this domain is related with several machines...
Is it possible that polish CA CRL has not been updated on one of the machines
(which I'm trying to negotiate a connection) which is related with this
domain?
Regards
Rafal
On Tuesday 13 September 2005 15:54, Frederic Schaer wrote:
> Indeed...
> Then, the truth is elsewhere ;)
>
> Rafal, I suggest you check your browser stroed CA and CRL for the polish
> CA : maybe those are expired on your side (if you loaded the CA
> certificate or CA CRL in you browser...)
> (Not only your own certificate is important in the browser, but also
> those CA things)
>
> Cheers,
> Frederic
>
> NOVAK Judit wrote:
> >nextUpdate=Oct 12 08:13:50 2005 GMT
> >
> >Is this a good answer?
> >
> >
> >Judit
> >
> >On k, sze 13, Frederic Schaer wrote:
> >>Hi Judith,
> >>
> >>Can you check on the sft machine that the Polish CA is up-to-date and
> >>that the CRL (if any) is up-to-date ?
> >>Is this machine using CAs version 0.32 ?
> >>I think the CA files are 8a661490.[0 | r0 | crl_url | signing_policy]
> >>
> >>to check the crl :
> >>>openssl crl -in /etc/grid-security/certificates/8a661490.r0 -noout
> >>
> >>-nextupdate
> >>
> >>Thanks :)
> >>Fred
> >>
> >>Rafal Lichwala wrote:
> >>>Dear All,
> >>>
> >>>Yesterday there was a problem with CRL of polish CA (CRL for polish CA
> >>> has expired). We fixed it immediately and after cron jobs on other
> >>> machines updating this CRL list, everything should work fine now.
> >>>
> >>>Unfortunately we (I mean people using certificate signed by polish CA)
> >>>still have problem with connection to
> >>>"https://lcg-sft.cern.ch:9443/sft/lastreport.cgi" (published SFT
> >>> reports):
> >>>
> >>>We've got just:
> >>>
> >>>Could not connect to host lcg-sft.cern.ch (port 9443).
> >>>
> >>>or browser message that our certificate has expired (but I checked it's
> >>>valid until January 2006).
> >>>
> >>>Does anyone know what is going on and how to fix this?
> >>>
> >>>Best regards
> >>>
> >>>Rafal
--
* * *
* R a f a l L i c h w a l a
* Poznan Supercomputing and Networking Center
* EGEE Project Participant
*
* Address : Poznan Supercomputing and Networking Center
* 60-814 Poznan, Zwierzyniecka 20
* Phone : (+48 61) 858 21 82
* E-mail : mailto:[log in to unmask]
*
* * *
|