Maybe Ewan updated his certificate (and therefore the issuer DN) with
dteam but not with atlas.
cheers
alessandra
Gordon, JC (John) wrote:
> Mingchao, you are right about some VOMS checking the issuer's DN but
> both dteam and atlas are managed at CERN and I thought that CERN applied
> this policy to all VOs. Looks like this might not be the case.
>
>
>> -----Original Message-----
>> From: Testbed Support for GridPP member institutes
>> [mailto:[log in to unmask]] On Behalf Of Ma, M (Mingchao)
>> Sent: 04 August 2008 16:12
>> To: [log in to unmask]
>> Subject: Re: Certifcate problem
>>
>> Hi Ewan,
>>
>> It seems that there is still some confusion on the VOMS email
>> notification.
>> You can simply ignore the email if you can use your
>> new/re-signed certificate as normal. The email basically told
>> you that your old certificate (signed by old eScience CA) is
>> not valid any more therefore it will not be recognised by the
>> voms service either.
>>
>> If you can initialise voms proxy with dteam vo, but not with
>> atlas, that means there is no problem with your certificate.
>> What you need to do is to re-register with atlas vo. You have
>> to ask atlas vo manager to remove your old entry (yes, your
>> DN/issuer's DN pair) from atlas vo first, then you can
>> re-register with atlas vo.
>>
>> The problem you experienced is a very old issue. The reason
>> is that some VOMS servers identify user with the combination
>> of user's DN and issuer's DN.
>>
>> Cheers,
>>
>> Mingchao
>>
>>
>>
>>> -----Original Message-----
>>> From: Testbed Support for GridPP member institutes
>>> [mailto:[log in to unmask]] On Behalf Of Ewan MacMahon
>>> Sent: 04 August 2008 15:57
>>> To: [log in to unmask]
>>> Subject: Certifcate problem
>>>
>>> Hi all,
>>>
>>> I'm having an odd problem with my personal certificate, I don't think
>>> it's a direct consequence of the CA rollover, but I'm not at all sure.
>>> I've had a pair of emails this morning from the CERN VOMS server (one
>>> for my dteam membership, one for atlas) saying that my certificate:
>>>
>>> "has been changed from Approved to Expired due to following
>>> reason: Certificate signed by /C=UK/O=eScienceCA/OU=Authority/CN=CA
>>> is not longer valid."
>>>
>>> Somewhat oddly I can still happily voms-proxy-init as a member of
>>> dteam, but not of atlas (using my new certificate which was signed
>>> with the new CA). Similarly the VOMS web interface for dteam seems to
>>> recognise my certificate, and the atlas one doesn't. However, if I try
>>> to re-register for the atlas VO I can't since my DN is already in the
>>> list.
>>>
>>> At this point I'm not sure where to go next, so I'd be grateful for
>>> suggestions on:
>>> - What's causing this?
>>> - Is it just me, or a more widespread problem?
>>> - How do I fix it?
>>>
>>> Ewan
>>>
>>>
--
Well you'll still need a tray
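
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not VOMS code: a simplified membership registry that records the issuer DN at registration and can either match on the subject DN alone or on the subject/issuer pair. The class, the function names, the subject DN and the new CA's DN are assumptions made for illustration; only the old CA's DN comes from the thread.

```python
"""Simplified model of a VO membership registry (illustrative, not VOMS code)."""

OLD_CA = "/C=UK/O=eScienceCA/OU=Authority/CN=CA"  # issuer DN quoted in the thread
NEW_CA = "/C=XX/O=Example/CN=New CA"              # placeholder: the thread does not give it
USER = "/C=XX/O=Example/CN=example user"          # constructed subject DN


class VoRegistry:
    def __init__(self, match_issuer):
        self.match_issuer = match_issuer
        self.members = {}  # subject DN -> issuer DN recorded at registration

    def register(self, subject, issuer):
        # Registration is keyed on the subject DN only, so a stale entry blocks it.
        if subject in self.members:
            raise ValueError("DN already registered")
        self.members[subject] = issuer

    def remove(self, subject):
        self.members.pop(subject, None)

    def authorize(self, subject, issuer):
        if subject not in self.members:
            return False
        # With match_issuer set, the recorded issuer must equal the presented one.
        return not self.match_issuer or self.members[subject] == issuer


def rollover_scenario(match_issuer):
    """Register under the old CA, then present a certificate from the new CA."""
    vo = VoRegistry(match_issuer)
    vo.register(USER, OLD_CA)
    result = {"proxy_with_new_cert": vo.authorize(USER, NEW_CA)}
    try:
        vo.register(USER, NEW_CA)
        result["re_register"] = "ok"
    except ValueError as exc:
        result["re_register"] = str(exc)
    # The fix described in the thread: remove the old entry, then re-register.
    vo.remove(USER)
    vo.register(USER, NEW_CA)
    result["after_remove_and_re_register"] = vo.authorize(USER, NEW_CA)
    return result


if __name__ == "__main__":
    for policy in (True, False):
        print("match_issuer =", policy, rollover_scenario(policy))
```
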