Mingchao, you are right about some VOMS checking the issuer's DN, but
both dteam and atlas are managed at CERN and I thought that CERN applied
this policy to all VOs. Looks like this might not be the case.
> -----Original Message-----
> From: Testbed Support for GridPP member institutes
> [mailto:[log in to unmask]] On Behalf Of Ma, M (Mingchao)
> Sent: 04 August 2008 16:12
> To: [log in to unmask]
> Subject: Re: Certificate problem
>
> Hi Ewan,
>
> It seems that there is still some confusion about the VOMS email
> notification.
> You can simply ignore the email if you can use your
> new/re-signed certificate as normal. The email basically told
> you that your old certificate (signed by the old eScience CA) is
> not valid any more, and therefore it will not be recognised by the
> VOMS service either.
>
> If you can initialise voms proxy with dteam vo, but not with
> atlas, that means there is no problem with your certificate.
> What you need to do is to re-register with atlas vo. You have
> to ask atlas vo manager to remove your old entry (yes, your
> DN/issuer's DN pair) from atlas vo first, then you can
> re-register with atlas vo.
>
> The problem you experienced is a very old issue. The reason
> is that some VOMS servers identify a user by the combination
> of the user's DN and the issuer's DN.
>
> Cheers,
>
> Mingchao
>
>
> > -----Original Message-----
> > From: Testbed Support for GridPP member institutes
> > [mailto:[log in to unmask]] On Behalf Of Ewan MacMahon
> > Sent: 04 August 2008 15:57
> > To: [log in to unmask]
> > Subject: Certificate problem
> >
> > Hi all,
> >
> > I'm having an odd problem with my personal certificate, I don't think
> > it's a direct consequence of the CA rollover, but I'm not at all sure.
> > I've had a pair of emails this morning from the CERN VOMS server (one
> > for my dteam membership, one for atlas) saying that my certificate:
> >
> > "has been changed from Approved to Expired due to following
> > reason: Certificate signed by /C=UK/O=eScienceCA/OU=Authority/CN=CA
> > is not longer valid."
> >
> > Somewhat oddly I can still happily voms-proxy-init as a member of
> > dteam, but not of atlas (using my new certificate which was signed
> > with the new CA). Similarly the VOMS web interface for dteam seems to
> > recognise my certificate, and the atlas one doesn't. However, if I try
> > to re-register for the atlas VO I can't since my DN is already in the
> > list.
> >
> > At this point I'm not sure where to go next, so I'd be grateful for
> > suggestions on:
> > - What's causing this?
> > - Is it just me, or a more widespread problem?
> > - How do I fix it?
> >
> > Ewan
> >
>
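
The behaviour described in the thread (a VOMS server identifying a user by the subject DN and the issuer DN together) can be modelled with a toy registry. This is an added illustration, not part of the original thread and not VOMS code; the `Registry` class, the subject DN, the new-CA DN and the subject-only duplicate check are assumptions made for the example.

```python
"""Toy model of a VO membership registry across a CA rollover (not VOMS code)."""
from dataclasses import dataclass, field

OLD_CA = "/C=UK/O=eScienceCA/OU=Authority/CN=CA"           # issuer quoted in the thread
NEW_CA = "/C=XX/O=ExampleCA/OU=Authority/CN=Example CA 2"  # constructed placeholder
USER = "/C=XX/O=Example/OU=Site/CN=example user"           # constructed subject DN


@dataclass
class Registry:
    match_issuer: bool                       # True: identity is the (subject, issuer) pair
    members: set = field(default_factory=set)

    def register(self, subject, issuer):
        # Assumption: the duplicate check looks at the subject DN alone,
        # which reproduces the "DN is already in the list" symptom.
        if any(s == subject for s, _ in self.members):
            return "rejected: DN already registered"
        self.members.add((subject, issuer))
        return "registered"

    def remove(self, subject, issuer):
        self.members.discard((subject, issuer))

    def is_member(self, subject, issuer):
        if self.match_issuer:
            return (subject, issuer) in self.members
        return any(s == subject for s, _ in self.members)


def rollover(match_issuer):
    """Register under the old CA, then present a certificate re-signed by the new CA."""
    reg = Registry(match_issuer)
    reg.register(USER, OLD_CA)
    steps = {"proxy_with_new_cert": reg.is_member(USER, NEW_CA),
             "re_register": reg.register(USER, NEW_CA)}
    reg.remove(USER, OLD_CA)                 # the VO manager removes the stale pair
    steps["re_register_after_removal"] = reg.register(USER, NEW_CA)
    steps["proxy_after_fix"] = reg.is_member(USER, NEW_CA)
    return steps


if __name__ == "__main__":
    for label, strict in (("subject DN only", False), ("subject + issuer DN", True)):
        print(label, rollover(strict))
```

In the pair-matching case the new certificate is refused and re-registration is blocked until the stale entry is removed, which is the sequence of steps given in the reply above.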