Hello,

I am having trouble with the UK e-Science CA. The web site does not
work (http://ca.grid-support.ac.uk/), and CRL updates time out. Also,
other CRL updates fail with the edg-fetch-crl command.

Since the website is dead I have emailed lcg-support at RAL and
TB-SUPPORT in hopes someone can (if appropriate) redirect this message
to the CA staff -- I do not have an email address for them.

I am trying to use edg-fetch-crl (version details below). It is failing
for the list of entries listed below. The command either hangs (in
which case a CTRL-C after a few minutes moves on to the next in the
list), or returns an error message (listed below). It appears that
without a "recent" CRL, validation of a user certificate is impossible
(this seems reasonable!). The CRL for UK e-Science CA states:

    Next Update: Dec 23 09:08:14 2004 GMT

And since this has passed, the node (grid.physics.ox.ac.uk) will no longer
validate UK e-Science certificates.

Is there any way I can temporarily disable CRL checking? I *really*
need to have this node accept my certificate on the basis that it is
still valid alone. Moving 16da7552.r0 to DISABLE_CRL_01621954.r0 and
restarting Apache seems to work for HTTPS access, but will this work for
LCG tools?

Is there something wrong with the e-Science CA website?

Cheers,

Ian.

ERROR MESSAGES
--------------
verify failed for CRL issued by 'DataGrid' (verify failure)
verify failed for CA certificate issued by 'Certification' (/C=ES/O=DATAGRID-ES/CN=DATAGRID-ES 10)
could not download a valid file from 'http://www.cs.ucy.ac.cy/crossgrid/cygrid/cygrid-ca/crl.pem'
verify failed for CA certificate issued by 'HEP' (/O=Grid/O=UKHEP/CN=UK 10)

FAILED CRL FILES
----------------
[root@grid certificates]# cat /etc/grid-security/certificates/01621954.crl_url
http://ca.grid-support.ac.uk/cgi-bin/importCRLpem
[root@grid certificates]# cat /etc/grid-security/certificates/34a509c3.crl_url
http://igc.services.cnrs.fr/cgi-bin/loadcrl?CA=CNRS-Projets&format=PEM
[root@grid certificates]# cat /etc/grid-security/certificates/0ed6468a.crl_url
http://www.gridpp.ac.uk/ca/ca-crl.pem
[root@grid certificates]# cat /etc/grid-security/certificates/84c1f123.crl_url
http://www.cs.ucy.ac.cy/crossgrid/cygrid/cygrid-ca/crl.pem
[root@grid certificates]# cat /etc/grid-security/certificates/90e2484f.crl_url
http://www.ifca.unican.es/datagrid/ca/datagrid-es-crl.pem
SCRIPT VERSION NUMBER
---------------------
# File: edg-fetch-crl
# Version: 1.7
# $Name: v1_6_1 $
# $Id: edg-fetch-crl.in,v 1.7 2003/04/11 08:10:39 fabio Exp $
--
Ian Stokes-Rees
Particle Physics, Oxford http://www-pnp.physics.ox.ac.uk/~stokes
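
Added example, not part of the original message and not code from edg-fetch-crl: a Python check that reports which CRLs in the trust directory are past or close to their Next Update, the condition the message describes. It assumes CRLs are PEM files named `<hash>.r0` under /etc/grid-security/certificates and that the `openssl` command is installed; the function names and the 24-hour warning window are this example's own.

```python
"""Report CRLs in a grid trust directory whose nextUpdate has passed."""
import glob
import os
import subprocess
import sys
from datetime import datetime, timezone

# Assumption: CRLs live here as PEM files named <hash>.r0, as in the message.
CRL_DIR = "/etc/grid-security/certificates"

def parse_next_update(openssl_line):
    """Parse 'nextUpdate=Dec 23 09:08:14 2004 GMT' into an aware datetime."""
    key, _, value = openssl_line.strip().partition("=")
    if key != "nextUpdate" or not value or value == "NONE":
        raise ValueError("no nextUpdate field: %r" % openssl_line)
    # split/join collapses the double space openssl prints for days 1-9
    stamp = " ".join(value.split())
    parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)

def crl_state(next_update, now, warn_hours=24):
    """Classify a CRL as EXPIRED, EXPIRING (within warn_hours) or OK."""
    remaining = (next_update - now).total_seconds() / 3600.0
    if remaining <= 0:
        return "EXPIRED"
    return "EXPIRING" if remaining <= warn_hours else "OK"

def scan(crl_dir=CRL_DIR, now=None):
    """Return [(path, state)] for each *.r0 file; bad files are UNREADABLE."""
    now = now or datetime.now(timezone.utc)
    results = []
    for path in sorted(glob.glob(os.path.join(crl_dir, "*.r0"))):
        try:
            out = subprocess.run(
                ["openssl", "crl", "-in", path, "-noout", "-nextupdate"],
                capture_output=True, text=True, check=True).stdout
            results.append((path, crl_state(parse_next_update(out), now)))
        except (OSError, subprocess.CalledProcessError, ValueError):
            results.append((path, "UNREADABLE"))
    return results

if __name__ == "__main__":
    rows = scan(sys.argv[1] if len(sys.argv) > 1 else CRL_DIR)
    for path, state in rows:
        print("%-10s %s" % (state, path))
    # Non-zero exit lets cron or a monitoring wrapper raise an alert.
    sys.exit(1 if any(state != "OK" for _, state in rows) else 0)
```

Run from cron after each CRL fetch, the EXPIRING state gives notice of a failing download before relying parties start rejecting certificates.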