One more thing:
I have no problem with connection to GOC DB web site
(https://goc.grid-support.ac.uk/gridsite/gocdb2/) which also requires valid
client certificate, so I suppose my web browser settings (certificates) are
OK....
Regards
Rafal
On Wednesday 14 September 2005 09:33, Rafal Lichwala wrote:
> Hi Frederic, Hi Judit,
>
> Thanks for your suggestions, but... unfortunately it still does not work...
>
> Some facts:
>
> I'm using two web browsers: KDE Konqueror and Mozilla Firefox.
> In both of them I've just reloaded my client certificate and Polish CA
> certificate - it did not help anyway...
> Both certificates are proper and valid - I've checked this twice :)
> I used those certificates in both web browsers before the problems with
> polish CA CRL list - and it worked until now.
>
> Could anyone help me with this problem....?
>
> My suggestions:
>
> When I'm using Mozilla Firefox there is a message (maybe Firefox is just
> more verbose in this issue then Konqueror which just stays silent):
>
> "You have attempted to establish a connection with "lcg-sft.cern.ch".
> However, the security certificate presented belongs to
> "host/lxb2089.cern.ch". It is possible, though unlikely, that someone may
> be trying to intercept your communication with this web site."
>
> As I remember, few days ago Piotr Nyczyk (main developer of SFT-2) sent a
> post about unified SFT-2 results host address "lcg-sft.cern.ch:9443". He
> also mentioned that this domain is related with several machines...
> Is it possible that polish CA CRL has not been updated on one of the
> machines (which I'm trying to negotiate a connection) which is related with
> this domain?
>
> Regards
>
> Rafal
>
> On Tuesday 13 September 2005 15:54, Frederic Schaer wrote:
> > Indeed...
> > Then, the truth is elsewhere ;)
> >
> > Rafal, I suggest you check your browser stroed CA and CRL for the polish
> > CA : maybe those are expired on your side (if you loaded the CA
> > certificate or CA CRL in you browser...)
> > (Not only your own certificate is important in the browser, but also
> > those CA things)
> >
> > Cheers,
> > Frederic
> >
> > NOVAK Judit wrote:
> > >nextUpdate=Oct 12 08:13:50 2005 GMT
> > >
> > >Is this a good answer?
> > >
> > >
> > >Judit
> > >
> > >On k, sze 13, Frederic Schaer wrote:
> > >>Hi Judith,
> > >>
> > >>Can you check on the sft machine that the Polish CA is up-to-date and
> > >>that the CRL (if any) is up-to-date ?
> > >>Is this machine using CAs version 0.32 ?
> > >>I think the CA files are 8a661490.[0 | r0 | crl_url | signing_policy]
> > >>
> > >>to check the crl :
> > >>>openssl crl -in /etc/grid-security/certificates/8a661490.r0 -noout
> > >>
> > >>-nextupdate
> > >>
> > >>Thanks :)
> > >>Fred
> > >>
> > >>Rafal Lichwala wrote:
> > >>>Dear All,
> > >>>
> > >>>Yesterday there was a problem with CRL of polish CA (CRL for polish CA
> > >>> has expired). We fixed it immediately and after cron jobs on other
> > >>> machines updating this CRL list, everything should work fine now.
> > >>>
> > >>>Unfortunately we (I mean people using certificate signed by polish CA)
> > >>>still have problem with connection to
> > >>>"https://lcg-sft.cern.ch:9443/sft/lastreport.cgi" (published SFT
> > >>> reports):
> > >>>
> > >>>We've got just:
> > >>>
> > >>>Could not connect to host lcg-sft.cern.ch (port 9443).
> > >>>
> > >>>or browser message that our certificate has expired (but I checked
> > >>> it's valid until January 2006).
> > >>>
> > >>>Does anyone know what is going on and how to fix this?
> > >>>
> > >>>Best regards
> > >>>
> > >>>Rafal
--
* * *
* R a f a l L i c h w a l a
* Poznan Supercomputing and Networking Center
* EGEE Project Participant
*
* Address : Poznan Supercomputing and Networking Center
* 60-814 Poznan, Zwierzyniecka 20
* Phone : (+48 61) 858 21 82
* E-mail : mailto:[log in to unmask]
*
* * *
|