Hi Sophie,
It is clear from the documentation that you don't _have_ to restart the
service when changing the host certificate, and that it is enough to put the
certificate files in some weird place (in addition to their default
location).
However, this was not the question here - we don't mind restarting the
service; actually we would be _very happy_ if restarting this particular
service would do the magic for new host certificates, without manual steps.
That way you don't have to worry when replacing host certificates, or look
at the different troubleshooting pages for all node types you may have when
old certificates expire... Of course, the same applies to other node types
that require a host certificate.
Regards, Antun
-----
Antun Balaz
Research Assistant
E-mail: [log in to unmask]
Web: http://scl.phy.bg.ac.yu/
Phone: +381 11 3160260, Ext. 152
Fax: +381 11 3162190
Scientific Computing Laboratory
Institute of Physics, Belgrade, Serbia
-----
---------- Original Message -----------
From: Sophie Lemaitre <[log in to unmask]>
To: [log in to unmask]
Sent: Thu, 12 Oct 2006 10:34:59 +0200
Subject: Re: [LCG-ROLLOUT] LFC problem
> Hello Antun & Rod,
>
> For the LFC and DPM, you don't have to restart the daemons after
> changing the host certificate.
>
> That's why modifying the init.d scripts will not help...
>
> The procedure to follow when changing the host certificate is
> already described in the FAQ:
> https://uimon.cern.ch/twiki/bin/view/LCG/LfcTroubleshooting
>
> (see third bullet).
>
> Cheers, Sophie.
>
> >Hi Sophie,
> >
> >Is it possible to apply the following approach: each service using a host
> >certificate can cp the needed files from their default location in
> >/etc/grid-security when started? This way the problem Torsten encountered
> >would be much easier to solve - just restart the service and it would pick
> >up the new certificate automatically? The same applies to e.g. the MON box...
> >
> >I believe that problems with the permissions of hostkey.pem "r--------"
> >can be easily avoided.
> >
> >Thanks, Antun
> >
> >-----
> >Antun Balaz
> >Research Assistant
> >E-mail: [log in to unmask]
> >Web: http://scl.phy.bg.ac.yu/
> >
> >Phone: +381 11 3160260, Ext. 152
> >Fax: +381 11 3162190
> >
> >Scientific Computing Laboratory
> >Institute of Physics, Belgrade, Serbia
> >-----
> >
> >---------- Original Message -----------
> >From: Sophie Lemaitre <[log in to unmask]>
> >To: [log in to unmask]
> >Sent: Wed, 11 Oct 2006 15:45:34 +0200
> >Subject: Re: [LCG-ROLLOUT] LFC problem
> >
> >>Hi Torsten,
> >>
> >>Have you copied and renamed the host certificate under
> >>/etc/grid-security/lfcmgr/ as well?
> >>
> >>$ ll /etc/grid-security/lfcmgr | grep lfc
> >>-rw-r--r-- 1 lfcmgr lfcmgr 5423 May 30 13:58 lfccert.pem
> >>-r-------- 1 lfcmgr lfcmgr 1675 May 30 13:58 lfckey.pem
> >>
> >>Did you check the LFC troubleshooting page?
> >>https://uimon.cern.ch/twiki/bin/view/LCG/LfcTroubleshooting
> >>
> >>Cheers, Sophie.
> >>
> >>
> >>
> >>>Hi Stephen,
> >>>
> >>>thanks for the quick reply:
> >>>
> >>>Burke, S (Stephen) wrote:
> >>>
> >>>>LHC Computer Grid - Rollout
> >>>>
> >>>>>[mailto:[log in to unmask]] On Behalf Of Torsten
> >>>>>Harenberg said:
> >>>>>Cns_serv: Could not establish security context:
> >>>>>server_establish_context_ext: Could not acquire the local server
> >>>>>credentials !
> >>>>>
> >>>>>No other log entries are written anymore.
> >>>>>
> >>>>>Does anybody know what it should tell me?
> >>>>>
> >>>>Host certificate expired?
> >>>>
> >>>unfortunately not - it's brand new:
> >>>
> >>>Certificate:
> >>>    Data:
> >>>        Version: 3 (0x2)
> >>>        Serial Number: 2649 (0xa59)
> >>>        Signature Algorithm: sha1WithRSAEncryption
> >>>        Issuer: C=DE, O=GermanGrid, CN=GridKa-CA
> >>>        Validity
> >>>            Not Before: Oct 6 09:21:39 2006 GMT
> >>>            Not After : Nov 5 09:21:39 2007 GMT
> >>>        Subject: O=GermanGrid, OU=UniWuppertal, CN=host/grid-lfc.physik.uni-wuppertal.de
> >>>
> >>>But I had to replace the host certificate (explanation below) and
> >>>since approx. then it happened. I re-used the old one (which was still
> >>>valid), but the error stays.
> >>>
> >>>Hope that the problem is not again deep in SSL; we had trouble with
> >>>the FNAL VOMS server and it turned out that the German host
> >>>certificates missed the "SSL client" option. This was the reason why I
> >>>replaced the certificate by a new one, although the old one is still
> >>>valid.
> >>>
> >>>Cheers,
> >>>
> >>> Torsten
> >>>
> >------- End of Original Message -------
> >
> >
------- End of Original Message -------