On Oct 12, 2006, at 12:00 PM, Sophie Lemaitre wrote:

> The LFC daemon is not running as root, that's why the host  
> certificate and key need to be put somewhere else as well.
> The same is true for other services not running as root, like the  
> FTS for instance.
>
> Maybe you don't mind restarting the service, but *you should not*  
> do it, unless it is necessary. (It is not necessary here).
> If you restart the service, *the LFC users will loose their open  
> sessions.*

Copying the certifcates over to the new location could be added to  
both the start method and
also the reload method. So a reload can be done updating the services  
without actually restarting
the service.

  Steve
>
> If you really need it, I can write a script that does the host cert  
> copy under /etc/grid-security/lfcmgr, and include it in the RPM.
>
> Let me know.
> Thanks, Sophie.
>
>
>
>> Hi Sophie,
>>
>> It is clear from the documentation that you don't _have_ to  
>> restart the service when changing the host certificate, and that  
>> it is enough to put the certificate files to some weird place (in  
>> addition to their default location).
>>
>> However, this was not the question here - we don't mind restarting  
>> the service, actually we would be _very happy_ if restarting this  
>> particular service will do the magic for new host certificates,  
>> without manual steps.
>> That way you don't have to worry when replacing host certificates  
>> and look at the different troubleshooting pages for all node types  
>> you may have when old certificates expire... Of course, the same  
>> applies to other node types that require host certificate.
>>
>> Regards, Antun
>>
>> -----
>> Antun Balaz
>> Research Assistant
>> E-mail: [log in to unmask]
>> Web: http://scl.phy.bg.ac.yu/
>>
>> Phone: +381 11 3160260, Ext. 152
>> Fax: +381 11 3162190
>>
>> Scientific Computing Laboratory
>> Institute of Physics, Belgrade, Serbia
>> -----
>>
>> ---------- Original Message -----------
>> From: Sophie Lemaitre <[log in to unmask]>
>> To: [log in to unmask]
>> Sent: Thu, 12 Oct 2006 10:34:59 +0200
>> Subject: Re: [LCG-ROLLOUT] LFC problem
>>
>>
>>> Hello Antun & Rod,
>>>
>>> For the LFC and DPM, you don't have to restart the daemons after  
>>> changing the host certificate.
>>>
>>> That's why modifying the init.d scripts will not help...
>>>
>>> The procedure to follow when changing the host certificate is  
>>> already described in the FAQ :
>> https://uimon.cern.ch/twiki/bin/view/LCG/LfcTroubleshooting
>>
>>> (see third bullet).
>>>
>>> Cheers, Sophie.
>>>
>>>
>>>> Hi Sophie,
>>>>
>>>> Is it possible to apply the following approach: each service  
>>>> using host certificate can cp the needed files from their  
>>>> default location
>> in /etc/grid-
>>
>>>> security when started? This way the problem Torsten encountered  
>>>> would be much easier to solve - just restart the service and it  
>>>> would pick new certificate automatically? The same applies to  
>>>> e.g. MON box...
>>>>
>>>> I believe that problems with the permissions of hostkey.pem  
>>>> "r--------"
>> can
>>>> be easily avoided.
>>>>
>>>> Thanks, Antun
>>>>
>>>> -----
>>>> Antun Balaz
>>>> Research Assistant
>>>> E-mail: [log in to unmask]
>>>> Web: http://scl.phy.bg.ac.yu/
>>>>
>>>> Phone: +381 11 3160260, Ext. 152
>>>> Fax: +381 11 3162190
>>>>
>>>> Scientific Computing Laboratory
>>>> Institute of Physics, Belgrade, Serbia
>>>> -----
>>>>
>>>> ---------- Original Message -----------
>>>> From: Sophie Lemaitre <[log in to unmask]>
>>>> To: [log in to unmask]
>>>> Sent: Wed, 11 Oct 2006 15:45:34 +0200
>>>> Subject: Re: [LCG-ROLLOUT] LFC problem
>>>>
>>>>
>>>>
>>>>> Hi Torsten,
>>>>>
>>>>> Do you have copied and renamed the host certificate under /etc/ 
>>>>> grid-security/lfcmgr/ as well ?
>>>>>
>>>>> $ ll /etc/grid-security/lfcmgr | grep lfc
>>>>> -rw-r--r--    1 lfcmgr   lfcmgr       5423 May 30 13:58  
>>>>> lfccert.pem
>>>>> -r--------    1 lfcmgr   lfcmgr       1675 May 30 13:58 lfckey.pem
>>>>>
>>>>> Did you check the LFC troubleshooting page ?
>>>>> https://uimon.cern.ch/twiki/bin/view/LCG/LfcTroubleshooting
>>>>>
>>>>> Cheers, Sophie.
>>>>>
>>>>>
>>>>>
>>>>>> Hi Stephen,
>>>>>>
>>>>>> thanks for the quick reply:
>>>>>>
>>>>>> Burke, S (Stephen) wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> LHC Computer Grid - Rollout
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> [mailto:[log in to unmask]] On Behalf Of  
>>>>>>>> Torsten Harenberg said:
>>>>>>>> Cns_serv: Could not establish security context:  
>>>>>>>> server_establish_context_ext: Could not acquire the local  
>>>>>>>> server credentials !
>>>>>>>>
>>>>>>>> No other log entries are written anymore.
>>>>>>>>
>>>>>>>> Does anybody know what it should tell me?
>>>>>>>>
>>>>>>>>
>>>>>>> Host certificate expired?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> unfortunately not - it's brand new:
>>>>>>
>>>>>> Certificate:
>>>>>>   Data:
>>>>>>       Version: 3 (0x2)
>>>>>>       Serial Number: 2649 (0xa59)
>>>>>>       Signature Algorithm: sha1WithRSAEncryption
>>>>>>       Issuer: C=DE, O=GermanGrid, CN=GridKa-CA
>>>>>>       Validity
>>>>>>           Not Before: Oct  6 09:21:39 2006 GMT
>>>>>>           Not After : Nov  5 09:21:39 2007 GMT
>>>>>>       Subject: O=GermanGrid, OU=UniWuppertal, CN=host/grid- 
>>>>>> lfc.physik.uni-wuppertal.de
>>>>>>
>>>>>> But I had to replace the host certificate (explaination below)  
>>>>>> and since approx. then it happened. I re-used the old-one  
>>>>>> (which was still valid), but the errors stays.
>>>>>>
>>>>>> Hope that the problem is not again deep in SSL, we had trouble  
>>>>>> with the FNAL VOMS server and it turned out that the German  
>>>>>> host certificates missed the "SSL client" option. This was the  
>>>>>> reason why I replaced the certificate by a new one, allthough  
>>>>>> the old one is still valid.
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Torsten
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>> ------- End of Original Message -------
>>>>
>>>>
>> ------- End of Original Message -------
>>

-- 
Steve Traylen
[log in to unmask]
CERN, IT-GD-OPS.