Hi Nagaraj,
> > This seems to happen just after I updated to lcg-CA-1.22-1.noarch on our UI
> > and other site nodes.
> > When I try a simple command (dpns-ls) I get this error. Here is the tail of
> > the output when I set CSEC_TRACE=1
> >
> > send2nsd: NS002 - send error : Bad credentials
> > Csec_clearContext: Clearing context
> > Csec_unload_shlib: Entering
> >
> > DPNS_HOST points to our SE on which I updated lcg-CA, too.
> > Which logs should I check to trace this problem?
>
> Do you have X509_CERT_DIR defined on your UI?
> If so, does that directory contain the (latest) CAs?
> (The default for X509_CERT_DIR is /etc/grid-security/certificates.)
This is the same problem we found with old users' or hosts' certificates
that still have a valid lifetime (quoting from the hostcert content, it will
expire on Jun 18 next week, while the CA root of ASGC will expire at Jun
16 08:31:54 2008 GMT). But if you have upgraded to CA release tag 1.22, it
will force removal of the old tag, including ca_ASGC-1.21. The tag is
needed for the SSL handshake, as your hostcert complies with the old CA root.
I have just installed the old tag on the SE, and you can download and install
the old tag on your UI from our mirror:
ftp://slc.grid.sinica.edu.tw/pub/apt/LCG_CA/en/i386/RPMS.lcg/1.21-1/ca_ASGCCA-1.21-1.noarch.rpm
Not Before: Oct 12 09:09:43 2007 GMT
Not After : Jun 18 09:09:43 2008 GMT
Subject: C=TW, O=AP, OU=GRID, CN=se01.indiacms.res.in
However, the problem could be resolved simply by rekeying the hostcert
issued by the new CA root, and you should have already done that by now, as I
can read your new hostcert published on the CA web site at
http://ca.grid.sinica.edu.tw/publication/newCRT/newcerts/01B6.crt
I am closing the ticket from GGUS later.
Br,
J
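
The condition described in the reply above (a host certificate whose issuing CA root is no longer installed, or is about to expire, in the trust directory) can be checked before and after a CA package update. This is an added example, not part of the original message; the function name `check_issuer_ca`, its exit codes and the 30-day warning window are illustrative choices, and it assumes CA files are stored as `<subject-hash>.0` in the trust directory.

```shell
#!/bin/sh
# Added example: names, exit codes and the 30-day window are illustrative.

# check_issuer_ca CERT [CA_DIR] [WARN_DAYS]
#   0  issuing CA is installed and stays valid beyond the warning window
#   1  issuing CA is not installed in CA_DIR
#   2  issuing CA is expired or expires within WARN_DAYS
#   3  CERT could not be read
check_issuer_ca() {
    cert=$1
    ca_dir=${2:-${X509_CERT_DIR:-/etc/grid-security/certificates}}
    warn_days=${3:-30}

    # CA files in the trust directory are named <subject-hash>.0, so the
    # certificate's issuer hash is the file name to look for.
    ihash=$(openssl x509 -noout -issuer_hash -in "$cert" 2>/dev/null) || return 3
    ca_file="$ca_dir/$ihash.0"

    if [ ! -f "$ca_file" ]; then
        echo "MISSING  issuer CA $ihash.0 is not in $ca_dir"
        openssl x509 -noout -issuer -in "$cert"
        return 1
    fi

    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -noout -checkend $((warn_days * 86400)) \
            -in "$ca_file" >/dev/null; then
        echo "EXPIRING $ca_file expires within $warn_days days"
        openssl x509 -noout -enddate -in "$ca_file"
        openssl x509 -noout -enddate -in "$cert"
        return 2
    fi

    echo "OK       $ca_file is installed and valid"
    return 0
}

# Run directly as: script.sh /path/to/hostcert.pem [CA_DIR] [WARN_DAYS]
if [ "$#" -gt 0 ]; then
    check_issuer_ca "$@"
fi
```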