Hi Sophie,
the script would help, thanks! But a systematic approach would be even more
appreciated :))
Regards, Antun
-----
Antun Balaz
Research Assistant
E-mail: [log in to unmask]
Web: http://scl.phy.bg.ac.yu/
Phone: +381 11 3160260, Ext. 152
Fax: +381 11 3162190
Scientific Computing Laboratory
Institute of Physics, Belgrade, Serbia
-----
---------- Original Message -----------
From: Sophie Lemaitre <[log in to unmask]>
To: [log in to unmask]
Sent: Thu, 12 Oct 2006 12:00:39 +0200
Subject: Re: [LCG-ROLLOUT] LFC problem
> The LFC daemon is not running as root, that's why the host
> certificate and key need to be put somewhere else as well. The same
> is true for other services not running as root, like the FTS for instance.
>
> Maybe you don't mind restarting the service, but *you should not* do
> it, unless it is necessary. (It is not necessary here). If you
> restart the service, *the LFC users will lose their open sessions.*
>
> If you really need it, I can write a script that does the host cert
> copy under /etc/grid-security/lfcmgr, and include it in the RPM.
>
> Let me know.
> Thanks, Sophie.
>
> >Hi Sophie,
> >
> >It is clear from the documentation that you don't _have_ to restart the
> >service when changing the host certificate, and that it is enough to put the
> >certificate files to some weird place (in addition to their default
> >location).
> >
> >However, this was not the question here - we don't mind restarting the
> >service, actually we would be _very happy_ if restarting this particular
> >service will do the magic for new host certificates, without manual steps.
> >
> >That way you don't have to worry when replacing host certificates and look
> >at the different troubleshooting pages for all node types you may have when
> >old certificates expire... Of course, the same applies to other node types
> >that require host certificate.
> >
> >Regards, Antun
> >
> >
> >---------- Original Message -----------
> >From: Sophie Lemaitre <[log in to unmask]>
> >To: [log in to unmask]
> >Sent: Thu, 12 Oct 2006 10:34:59 +0200
> >Subject: Re: [LCG-ROLLOUT] LFC problem
> >
> >
> >
> >>Hello Antun & Rod,
> >>
> >>For the LFC and DPM, you don't have to restart the daemons after
> >>changing the host certificate.
> >>
> >>That's why modifying the init.d scripts will not help...
> >>
> >>The procedure to follow when changing the host certificate is
> >>already described in the FAQ :
> >>
> >>https://uimon.cern.ch/twiki/bin/view/LCG/LfcTroubleshooting
> >>(see third bullet).
> >>
> >>Cheers, Sophie.
> >>
> >>
> >>
> >>>Hi Sophie,
> >>>
> >>>Is it possible to apply the following approach: each service using host
> >>>certificate can cp the needed files from their default location in
> >>>/etc/grid-security when started? This way the problem Torsten encountered
> >>>would be much easier to solve - just restart the service and it would pick
> >>>new certificate automatically? The same applies to e.g. MON box...
> >>>
> >>>I believe that problems with the permissions of hostkey.pem "r--------"
> >>>can be easily avoided.
> >>>
> >>>Thanks, Antun
> >>>
> >>>
> >>>---------- Original Message -----------
> >>>From: Sophie Lemaitre <[log in to unmask]>
> >>>To: [log in to unmask]
> >>>Sent: Wed, 11 Oct 2006 15:45:34 +0200
> >>>Subject: Re: [LCG-ROLLOUT] LFC problem
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>>Hi Torsten,
> >>>>
> >>>>Have you copied and renamed the host certificate under
> >>>>/etc/grid-security/lfcmgr/ as well ?
> >>>>
> >>>>$ ll /etc/grid-security/lfcmgr | grep lfc
> >>>>-rw-r--r-- 1 lfcmgr lfcmgr 5423 May 30 13:58 lfccert.pem
> >>>>-r-------- 1 lfcmgr lfcmgr 1675 May 30 13:58 lfckey.pem
> >>>>
> >>>>Did you check the LFC troubleshooting page ?
> >>>>https://uimon.cern.ch/twiki/bin/view/LCG/LfcTroubleshooting
> >>>>
> >>>>Cheers, Sophie.
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>>Hi Stephen,
> >>>>>
> >>>>>thanks for the quick reply:
> >>>>>
> >>>>>Burke, S (Stephen) wrote:
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>>LHC Computer Grid - Rollout
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>>[mailto:[log in to unmask]] On Behalf Of Torsten
> >>>>>>>Harenberg said:
> >>>>>>>Cns_serv: Could not establish security context:
> >>>>>>>server_establish_context_ext: Could not acquire the local server
> >>>>>>>credentials !
> >>>>>>>
> >>>>>>>No other log entries are written anymore.
> >>>>>>>
> >>>>>>>Does anybody know what it should tell me?
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>Host certificate expired?
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>unfortunately not - it's brand new:
> >>>>>
> >>>>>Certificate:
> >>>>> Data:
> >>>>> Version: 3 (0x2)
> >>>>> Serial Number: 2649 (0xa59)
> >>>>> Signature Algorithm: sha1WithRSAEncryption
> >>>>> Issuer: C=DE, O=GermanGrid, CN=GridKa-CA
> >>>>> Validity
> >>>>> Not Before: Oct 6 09:21:39 2006 GMT
> >>>>> Not After : Nov 5 09:21:39 2007 GMT
> >>>>> Subject: O=GermanGrid, OU=UniWuppertal,
> >>>>>CN=host/grid-lfc.physik.uni-wuppertal.de
> >>>>>
> >>>>>But I had to replace the host certificate (explanation below) and
> >>>>>since approx. then it happened. I re-used the old one (which was still
> >>>>>valid), but the error stays.
> >>>>>
> >>>>>Hope that the problem is not again deep in SSL, we had trouble with
> >>>>>the FNAL VOMS server and it turned out that the German host
> >>>>>certificates missed the "SSL client" option. This was the reason why I
> >>>>>replaced the certificate by a new one, although the old one is still
> >>>>>valid.
> >>>>>
> >>>>>Cheers,
> >>>>>
> >>>>> Torsten
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>------- End of Original Message -------
> >>>
> >>>
> >>>
> >>>
> >------- End of Original Message -------
> >
> >
------- End of Original Message -------
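
Added example, not part of the thread and not the script offered in it: one way to copy a renewed host credential into the directory of a daemon that does not run as root, producing the owner and modes shown in the listing for /etc/grid-security/lfcmgr. The function names and arguments are hypothetical, and hostcert.pem is assumed to be the certificate file that sits beside hostkey.pem in the default location.

```sh
#!/bin/sh
# Added example, not the script offered in the thread. Function names and
# arguments are hypothetical; paths and modes follow the listing above.

# mode_of FILE: print the permission string as "ls -l" shows it.
mode_of() { ls -ld "$1" | cut -c1-10; }

# install_one SRC DST MODE OWNER: copy SRC to DST through a private temp
# file and an atomic rename, so DST never exists half-written or with
# looser permissions than MODE while the daemon keeps running.
install_one() {
    src=$1; dst=$2; mode=$3; owner=$4
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    tmp=$(mktemp "$dst.XXXXXX") || return 1     # mktemp creates it 0600
    if cat "$src" > "$tmp" && chmod "$mode" "$tmp" &&
       { [ "$(id -u)" -ne 0 ] || chown "$owner" "$tmp"; } &&  # chown needs root
       mv -f "$tmp" "$dst"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# sync_host_cred SRC_DIR DST_DIR PREFIX OWNER
# e.g. sync_host_cred /etc/grid-security /etc/grid-security/lfcmgr lfc lfcmgr:lfcmgr
sync_host_cred() {
    s=$1; d=$2; p=$3; o=$4
    [ -d "$d" ] || { echo "missing directory $d" >&2; return 1; }
    # Refuse to install half a pair: both source files must be readable.
    for f in hostcert.pem hostkey.pem; do
        [ -r "$s/$f" ] || { echo "cannot read $s/$f" >&2; return 1; }
    done
    install_one "$s/hostkey.pem"  "$d/${p}key.pem"  0400 "$o" || return 1
    install_one "$s/hostcert.pem" "$d/${p}cert.pem" 0644 "$o" || return 1
    # Confirm the result matches the modes in the listing from the thread.
    [ "$(mode_of "$d/${p}key.pem")"  = "-r--------" ] &&
    [ "$(mode_of "$d/${p}cert.pem")" = "-rw-r--r--" ]
}

# Runs only when the script is given its four arguments.
if [ "$#" -eq 4 ]; then sync_host_cred "$@"; fi
```

On a real node this has to run as root, since hostkey.pem is readable by root only and the copies must end up owned by the service account.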