Hi Chris,
We've seen this. My hypothesis is that the UK CA DN associated to all
UK certificate holders was changed on CERN vomses.
If you haven't renewed your certificate recently, voms-proxy-init will
complain.
If you look at:
https://voms.cern.ch:8443/voms/dteam/PreEditUser.do?id=4011
you'll see for you:
User's DN & CA:
/C=UK/O=eScience/OU=CLRC/L=RAL/CN=chris dteam brew
/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA
and I bet if you issue an:
openssl x509 -in .globus/youddteamcert.pem -noout -issuer
you'll get:
issuer= /C=UK/O=eScienceCA/OU=Authority/CN=CA
I guess many will need to renew their certificate until voms stops doing
this check?
Yves
On Thu, 7 Feb 2008, Brew, CAJ (Chris) wrote:
> Hi,
>
> Today I seem to be unable to get voms proxies for any of the 'CERN' VOs
> (CMS and dteam for me) and my Atlas office mate cannot get a atlas VOMS
> proxy either.
>
> It complains that "User unknown to this VO."
>
> This seems to be independent of location since it even fails on lxplus:
>
> [lxplus208] /afs/cern.ch/user/b/brew > voms-proxy-init --voms cms --key
> ~/.my_certs/cms-userkey.pem --cert ~/.my_certs/cms-usercert.pem
> Enter GRID pass phrase:
> Your identity: /C=UK/O=eScience/OU=CLRC/L=RAL/CN=chris cms brew
> Cannot find file or dir: /afs/cern.ch/user/b/brew/.glite/vomses
> Creating temporary proxy
> .............................................................. Done
> Contacting voms.cern.ch:15002
> [/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch] "cms" Failed
>
> Error: cms: User unknown to this VO.
>
> Trying next server for cms.
> Creating temporary proxy ................................. Done
> Contacting lcg-voms.cern.ch:15002
> [/DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch] "cms" Failed
>
> Error: cms: User unknown to this VO.
>
> None of the contacted servers for cms were capable
> of returning a valid AC for the user.
>
> Is anyone else seeing this problem? Is it something to do with the CA
> upgrade?
>
> Thanks,
> Chris.
>
|