The LFC daemon is not running as root, that's why the host certificate
and key need to be put somewhere else as well.
The same is true for other services not running as root, like the FTS
for instance.
Maybe you don't mind restarting the service, but *you should not* do it,
unless it is necessary. (It is not necessary here).
If you restart the service, *the LFC users will lose their open sessions.*
If you really need it, I can write a script that does the host cert copy
under /etc/grid-security/lfcmgr, and include it in the RPM.
Let me know.
Thanks, Sophie.
>Hi Sophie,
>
>It is clear from the documentation that you don't _have_ to restart the
>service when changing the host certificate, and that it is enough to put the
>certificate files in some weird place (in addition to their default
>location).
>
>However, this was not the question here - we don't mind restarting the
>service, actually we would be _very happy_ if restarting this particular
>service will do the magic for new host certificates, without manual steps.
>
>That way you don't have to worry when replacing host certificates and look
>at the different troubleshooting pages for all node types you may have when
>old certificates expire... Of course, the same applies to other node types
>that require a host certificate.
>
>Regards, Antun
>
>-----
>Antun Balaz
>Research Assistant
>E-mail: [log in to unmask]
>Web: http://scl.phy.bg.ac.yu/
>
>Phone: +381 11 3160260, Ext. 152
>Fax: +381 11 3162190
>
>Scientific Computing Laboratory
>Institute of Physics, Belgrade, Serbia
>-----
>
>---------- Original Message -----------
>From: Sophie Lemaitre <[log in to unmask]>
>To: [log in to unmask]
>Sent: Thu, 12 Oct 2006 10:34:59 +0200
>Subject: Re: [LCG-ROLLOUT] LFC problem
>
>>Hello Antun & Rod,
>>
>>For the LFC and DPM, you don't have to restart the daemons after
>>changing the host certificate.
>>
>>That's why modifying the init.d scripts will not help...
>>
>>The procedure to follow when changing the host certificate is
>>already described in the FAQ :
>>
>>https://uimon.cern.ch/twiki/bin/view/LCG/LfcTroubleshooting
>>
>>(see third bullet).
>>
>>Cheers, Sophie.
>>
>>>Hi Sophie,
>>>
>>>Is it possible to apply the following approach: each service using host
>>>certificate can cp the needed files from their default location in
>>>/etc/grid-security when started? This way the problem Torsten encountered
>>>would be much easier to solve - just restart the service and it would pick
>>>new certificate automatically? The same applies to e.g. MON box...
>>>
>>>I believe that problems with the permissions of hostkey.pem "r--------" can
>>>be easily avoided.
>>>
>>>Thanks, Antun
>>>
>>>---------- Original Message -----------
>>>From: Sophie Lemaitre <[log in to unmask]>
>>>To: [log in to unmask]
>>>Sent: Wed, 11 Oct 2006 15:45:34 +0200
>>>Subject: Re: [LCG-ROLLOUT] LFC problem
>>>
>>>>Hi Torsten,
>>>>
>>>>Have you copied and renamed the host certificate under
>>>>/etc/grid-security/lfcmgr/ as well?
>>>>
>>>>$ ll /etc/grid-security/lfcmgr | grep lfc
>>>>-rw-r--r-- 1 lfcmgr lfcmgr 5423 May 30 13:58 lfccert.pem
>>>>-r-------- 1 lfcmgr lfcmgr 1675 May 30 13:58 lfckey.pem
>>>>
>>>>Did you check the LFC troubleshooting page ?
>>>>https://uimon.cern.ch/twiki/bin/view/LCG/LfcTroubleshooting
>>>>
>>>>Cheers, Sophie.
>>>>
>>>>>Hi Stephen,
>>>>>
>>>>>thanks for the quick reply:
>>>>>
>>>>>Burke, S (Stephen) wrote:
>>>>>
>>>>>>LHC Computer Grid - Rollout [mailto:[log in to unmask]] On Behalf Of Torsten
>>>>>>Harenberg said:
>>>>>>
>>>>>>>Cns_serv: Could not establish security context:
>>>>>>>server_establish_context_ext: Could not acquire the local server
>>>>>>>credentials !
>>>>>>>
>>>>>>>No other log entries are written anymore.
>>>>>>>
>>>>>>>Does anybody know what it should tell me?
>>>>>>>
>>>>>>Host certificate expired?
>>>>>>
>>>>>unfortunately not - it's brand new:
>>>>>
>>>>>Certificate:
>>>>>    Data:
>>>>>        Version: 3 (0x2)
>>>>>        Serial Number: 2649 (0xa59)
>>>>>        Signature Algorithm: sha1WithRSAEncryption
>>>>>        Issuer: C=DE, O=GermanGrid, CN=GridKa-CA
>>>>>        Validity
>>>>>            Not Before: Oct 6 09:21:39 2006 GMT
>>>>>            Not After : Nov 5 09:21:39 2007 GMT
>>>>>        Subject: O=GermanGrid, OU=UniWuppertal, CN=host/grid-lfc.physik.uni-wuppertal.de
>>>>>
>>>>>But I had to replace the host certificate (explanation below) and
>>>>>since approx. then it happened. I re-used the old one (which was still
>>>>>valid), but the error stays.
>>>>>
>>>>>Hope that the problem is not again deep in SSL, we had trouble with
>>>>>the FNAL VOMS server and it turned out that the German host
>>>>>certificates missed the "SSL client" option. This was the reason why I
>>>>>replaced the certificate by a new one, although the old one is still
>>>>>valid.
>>>>>
>>>>>Cheers,
>>>>>
>>>>> Torsten
>>>>>
>>>------- End of Original Message -------
>>>
>------- End of Original Message -------
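The copy step the thread describes (host certificate and key placed under /etc/grid-security/lfcmgr as lfccert.pem and lfckey.pem, owned by lfcmgr, key mode r--------, no daemon restart), written out as an added example script that is not part of the thread or of the LFC distribution. The directory, user and file names come from the thread; the temp-file rename, umask handling and the optional openssl key-match/expiry check are assumptions of mine, and the script assumes a POSIX sh.

```shell
#!/bin/sh
# Install the host certificate and key for a service that does not run as
# root (layout from the thread: /etc/grid-security/lfcmgr/lfc{cert,key}.pem,
# owned by lfcmgr, key readable only by its owner). Copying is enough; the
# daemon is not restarted. Defaults can be overridden via the environment.
set -eu

SRC_DIR=${SRC_DIR:-/etc/grid-security}
SVC_DIR=${SVC_DIR:-/etc/grid-security/lfcmgr}
SVC_USER=${SVC_USER:-lfcmgr}
SVC_PREFIX=${SVC_PREFIX:-lfc}

# install_service_cert SRC DST USER PREFIX
# Copies SRC/hostcert.pem and SRC/hostkey.pem to DST/PREFIXcert.pem and
# DST/PREFIXkey.pem. Returns 1 if a source file is missing or unreadable.
install_service_cert() {
    src=$1; dst=$2; user=$3; prefix=$4
    [ -r "$src/hostcert.pem" ] && [ -r "$src/hostkey.pem" ] || return 1
    mkdir -p "$dst"
    # Restrictive umask so the key is never group/world readable, not even briefly.
    umask 077
    cp "$src/hostcert.pem" "$dst/${prefix}cert.pem.new"
    cp "$src/hostkey.pem"  "$dst/${prefix}key.pem.new"
    chmod 644 "$dst/${prefix}cert.pem.new"   # -rw-r--r--
    chmod 400 "$dst/${prefix}key.pem.new"    # -r--------
    # chown needs root; when run unprivileged (e.g. a dry run) the caller keeps ownership.
    if [ "$(id -u)" -eq 0 ]; then
        chown "$user:$user" "$dst/${prefix}cert.pem.new" "$dst/${prefix}key.pem.new"
    fi
    # Rename last, so the daemon never opens a half-written certificate or key.
    mv -f "$dst/${prefix}cert.pem.new" "$dst/${prefix}cert.pem"
    mv -f "$dst/${prefix}key.pem.new"  "$dst/${prefix}key.pem"
}

# key_mode FILE: octal permission bits (GNU stat, with BSD stat as fallback).
key_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# cert_matches_key CERT KEY: succeeds if the RSA modulus of both agrees and the
# certificate is still valid for at least one more day; skipped without openssl.
cert_matches_key() {
    command -v openssl >/dev/null 2>&1 || return 0
    [ "$(openssl x509 -noout -modulus -in "$1")" = "$(openssl rsa -noout -modulus -in "$2")" ] \
        && openssl x509 -noout -checkend 86400 -in "$1"
}

if [ "${1:-}" = "install" ]; then
    install_service_cert "$SRC_DIR" "$SVC_DIR" "$SVC_USER" "$SVC_PREFIX"
    cert_matches_key "$SVC_DIR/${SVC_PREFIX}cert.pem" "$SVC_DIR/${SVC_PREFIX}key.pem" \
        || { echo "WARNING: cert/key mismatch or certificate expiring within a day" >&2; exit 2; }
fi
```

Run it as root with `install` after replacing hostcert.pem/hostkey.pem; the FTS or other non-root services from the thread would use the same script with SVC_DIR, SVC_USER and SVC_PREFIX set for them.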