Dunno if its related to your problem, but 1.33 CAs contain a buggy one.
1.34 fixes that but it has not been officially announced yet. Probably a
broadcast should have been made...
στις 19/2/2010 6:20 μμ, O/H Arnau Bria έγραψε:
> Hi all,
>
> We failed a SAM test in our creamCE:
>
> Cannot move ISB (${globus_transfer_cmd} gsiftp://wms206.cern.ch:2811/v [...]
>
> https://lcg-sam.cern.ch:8443/sam/sam.py?funct=TestResult&nodename=ce08.pic.es&vo=ops&testname=CREAMCE-sft-job&testtimestamp=1266586515
>
>
> So we forced new one from SAM admin page.
> Now we have a critical in ca test, and the error shown is something
> like:
>
> ---------------------------------------------------------------------
> Installed CA RPMs version
> Checking the list of all CAs
> Configuration Details :
>
> X509_CERT_DIR is : /etc/grid-security/certificates
> Configuration timestamp : Thu, 29 Oct 2009 09:41:11 +0000
> Allowed delay for update : 8 day(s), 0 hour(s), 0 min
> Delay of warning : 1 day(s), 0 hour(s), 0 min
>
> Test Results :
>
> No time is left for sites to upgrade. Any of the following will throw a critical error :
> - CA is missing.
> - CA has dissapeared from the lates release but certificate is still on the site.
> ca_NIIF : OK - CA is newer than what's in the datafile : 1.33
> ca_IUCC : OK - CA is newer than what's in the datafile : 1.33
> ca_PolishGrid : OK - CA is newer than what's in the datafile : 1.33
> ca_SDG : OK - CA is newer than what's in the datafile : 1.33
> ca_CNRS-Projets : ERROR !
> Could not find any valid CA file.
> CA file that was checked : /etc/grid-security/certificates/34a509c3.0
> CA version it is found in : 1.32
>
> [...]
> --------------------------------------------------------------------
>
> https://lcg-sam.cern.ch:8443/sam/sam.py?funct=TestResult&nodename=ce08.pic.es&vo=ops&testname=CREAMCE-sft-caver&testtimestamp=1266592501
>
> *Notice the timestamps (29 Oct 2009).
> WMS used were glite-rb-01.cnaf.infn.it and wms208.cern.ch
>
>
> lcg-CE and creamCE share WNs. lcg-CE CA test show OK as we have
> upgraded lcg-CA in all our WNs.
>
>
> Appart from that, regular creamCE SAM test show a warning in ca, too:
>
> Installed CA RPMs version
> Checking the list of all CAs
> Configuration Details :
>
> X509_CERT_DIR is : /etc/grid-security/certificates
> Configuration timestamp : Tue, 16 Feb 2010 14:27:03 +0000
> Allowed delay for update : 8 day(s), 0 hour(s), 0 min
> Delay of warning : 1 day(s), 0 hour(s), 0 min
>
> Test Results :
>
> Remaining time for sites to upgrade is : 5 day(s), 3 hour(s), 53 min
> ca_NIIF : WARNING !
> It seems you have an old version of CA ca_NIIF installed.
> Highest detected is : 1.33
> Latest known version : 1.34
> File was : /etc/grid-security/certificates/cc800af0.0
> ca_IUCC : WARNING !
> It seems you have an old version of CA ca_IUCC installed.
> Highest detected is : 1.33
> Latest known version : 1.34
>
> [...]
>
> https://lcg-sam.cern.ch:8443/sam/sam.py?funct=TestResult&nodename=ce08.pic.es&vo=ops&testname=CREAMCE-sft-caver&testtimestamp=1266575645
>
>
> Latest Known version is 1.34?
>
>
> lcg-CA version and dates in hosts:
>
> creamCE:
> $ ssh root@ce08 "rpm -qa|grep lcg-CA"
> Scientific Linux CERN SLC release 4.8 (Beryllium)
> lcg-CA-1.33-1
> Fri Feb 19 17:15:55 CET 2010
>
>
> lcg-CE:
> $ ssh root@ce05 "rpm -qa|grep lcg-CA"
> Scientific Linux CERN SLC release 4.8 (Beryllium)
> lcg-CA-1.33-1
> Fri Feb 19 17:16:05 CET 2010
>
>
> one of our WNs:
> $ ssh root@td155 "rpm -qa|grep lcg-CA"
> lcg-CA-1.33-1.noarch
> Fri Feb 19 17:16:13 CET 2010
>
>
> *This mess in CA could be causing ISB error
>
> So, I have a couple of questions here. Where does the wrong timestamp
> comes from?
> What does the "latest known version 1.34" mean? Isn't 1.33 latest
> version? why do we have a copule of days for upgrading? (see below).
>
> Why creamCE is failing/warning and lcg-CE not?
>
>
> Oh, we have passed last SAM test fine:
> Configuration Details :
>
> X509_CERT_DIR is : /etc/grid-security/certificates
> Configuration timestamp : Fri, 19 Feb 2010 11:02:45 +0000
> Allowed delay for update : 10 day(s), 0 hour(s), 0 min
> Delay of warning : 3 day(s), 0 hour(s), 0 min
>
> Test Results :
>
> Remaining time for sites to upgrade is : 9 day(s), 18 hour(s), 47 min
> ca_NIIF : NOTIFICATION !
> 2 days, 18 hours, 47 min delay left before warning for the site will be switched on!
> It seems you have an old version of CA ca_NIIF installed.
> Highest detected is : 1.33
> Latest known version : 1.34
> File was : /etc/grid-security/certificates/cc800af0.0
>
>
> from lcg-CA update announcment:
> http://grid-deployment.web.cern.ch/grid-deployment/lcg2CAlist.html
>
> LCG-2 CAs
> The current tag of the CA rpm list is LCG_CA-1.33 (based on IGTF 1.33) valid since 15.02.2009.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> is it an errata?
>
>
> Cheers,
> Arnau
>
--
=============================================================================
Dimitris Zilaskos
GridAUTH Operations Centre @ Aristotle University of Thessaloniki , Greece
Tel: +302310998988 Fax: +302310994309
http://www.grid.auth.gr
=============================================================================
|