Hi Maarten, all,
So the "local" problem is not limited to CNAF but also CERN. But:
I have no problems whatsoever from Nikhef, and also not now from REUNA (Chile).
I can happily use wget from both Nikhef an my laptop here in Chile and
get the CRL.
So, is there a DNS problem somewhere at both CERN and CNAF?
Who else has this problem?
Does your local desktop have a different DNS server than the one where you
tried the wget?
Cheers,
DavidG.
------------------------------------------------------------------------------
ribble:~:2162$ hostname -f
ribble.nikhef.nl
ribble:~:2163$ wget http://gridca.hpcc.nectec.or.th/pub/crl/cacrl.crl
--19:33:13-- http://gridca.hpcc.nectec.or.th/pub/crl/cacrl.crl
=> `cacrl.crl.1'
Resolving gridca.hpcc.nectec.or.th... 203.185.132.199
Connecting to gridca.hpcc.nectec.or.th|203.185.132.199|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 606 [application/x-pkcs7-crl]
100%[====================================>] 606 --.--K/s
19:33:13 (48.16 MB/s) - `cacrl.crl.1' saved [606/606]
------------------------------------------------------------------------------
and from Santiago de Chile:
------------------------------------------------------------------------------
$ wget http://gridca.hpcc.nectec.or.th/pub/crl/cacrl.crl
--15:31:45-- http://gridca.hpcc.nectec.or.th/pub/crl/cacrl.crl
=> `cacrl.crl'
Resolving gridca.hpcc.nectec.or.th... 203.185.132.199
Connecting to gridca.hpcc.nectec.or.th|203.185.132.199|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 606 [application/x-pkcs7-crl]
100%[====================================>] 606 --.--K/s
15:31:46 (1.99 MB/s) - `cacrl.crl' saved [606/606]
davidg@xpsdavidg ~
$ tracert gridca.hpcc.nectec.or.th
Tracing route to www.hpcc.nectec.or.th [203.185.132.199]
over a maximum of 30 hops:
1 1 ms 1 ms 1 ms 192.168.0.1
2 28 ms 7 ms 62 ms MyViNE.local.lan [192.168.123.1]
3 10 ms 10 ms * ar6sentel.cnt.entelchile.net [200.72.3.103]
4 10 ms 8 ms 8 ms gr1s.cnt.entelchile.net [200.72.5.1]
5 8 ms 9 ms 9 ms san1-entel-chile-1-cl.san.seabone.net [195.22.22
1.37]
6 248 ms 248 ms 248 ms mil14-mil50-racc1.mil.seabone.net [195.22.196.16
9]
...
------------------------------------------------------------------------------
[log in to unmask] wrote:
> On Tue, 6 Nov 2007, David Groep wrote:
>
>> Hi Alessandro,
>>
>> This message is not critical in itself (it just indicates that you run
>> fetch-crl without the default warning suppress option "-a 24"). The
>> failure to download the NECTEC CRL does not in itself result in a
>> critical condition -- until the CRL expires.
>> And then your problems will be limited to interactions with users and
>> services associated with the NECTEC CA (i.e. those being in or originating
>> from Thailand).
>>
>> BTW: at the moment I can happily retrieve this CRL from the URL mentioned.
>
> Hi David,
> at CERN we have not been able to get a successful download of that CRL
> since Jun 25:
>
> -------------------------------------------------------------------------------
> [root@ce101 certificates]# ll 8a047de1.*
> -rw-r--r-- 1 root root 1367 Oct 9 10:25 8a047de1.0
> -rw-r--r-- 1 root root 50 Oct 9 10:25 8a047de1.crl_url
> -rw-r--r-- 1 root root 264 Oct 9 10:25 8a047de1.info
> -rw-r--r-- 1 root root 435 Oct 9 10:25 8a047de1.namespaces
> -rw-r--r-- 1 root root 2509 Jun 25 14:00 8a047de1.r0
> -rw-r--r-- 1 root root 1259 Oct 9 10:25 8a047de1.signing_policy
> -------------------------------------------------------------------------------
>
> I did not investigate it further, since nobody complained and various CAs
> have had such instabilities in the past...
> I can get the CRL in my _browser_, but wget fails:
>
> -------------------------------------------------------------------------------
> $ wget http://gridca.hpcc.nectec.or.th/pub/crl/cacrl.crl
> --19:23:53-- http://gridca.hpcc.nectec.or.th/pub/crl/cacrl.crl
> => `cacrl.crl'
> Resolving gridca.hpcc.nectec.or.th... failed: Temporary failure in name resolution.
> -------------------------------------------------------------------------------
>
>> Are you sure there are no other local network issues? The error messages
>> mentioned and the inability to run jobs are (should be) unrelated.
>>
>> Cheers,
>> DavidG.
>>
>> Italiano Alessandro wrote:
>>> we are encountering the following problem
>>>
>>> fetch-crl[9108]: 20071106T182248+0100 processing
>>> '/etc/grid-security/certificates/8a047de1.crl_url'
>>> fetch-crl[9108]: 20071106T182318+0100 RetrieveFileByURL: download no
>>> data from http://gridca.hpcc.nectec.or.th/pub/crl/cacrl.crl
>>> fetch-crl[9108]: 20071106T182318+0100 downloaded file from
>>> http://gridca.hpcc.nectec.or.th/pub/crl/cacrl.crl is not a valid CRL file
>>> fetch-crl[9108]: 20071106T182318+0100 Could not download any CRL from
>>> /etc/grid-security/certificates/8a047de1.crl_url:
>>> fetch-crl[9108]: 20071106T182318+0100 download failed from
>>> 'http://gridca.hpcc.nectec.or.th/pub/crl/cacrl.crl'
>>> fetch-crl[9108]: 20071106T182318+0100 download for
>>> http://gridca.hpcc.nectec.or.th/pub/crl/cacrl.crl is not valid and none
>>> of the URLs in '/etc/grid-security/certificates/8a047de1.crl_url' is
>>> operational
>>>
>>>
>>> All the jobs via GRID are failing
>>>
>>> is it a common problem ???
>>>
>>> Alessandro Italiano
>>
>>
--
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
|