Ewan MacMahon wrote:
>> -----Original Message-----
>> From: Testbed Support for GridPP member institutes [mailto:TB-
>> Testbed Support for GridPP member institutes
>>> [mailto:[log in to unmask]] On Behalf Of Ewan MacMahon said:
>>> Identical as far as I can see. I've attached the text dumps of the
>>> old and new certificates for t2ce02.physics.ox.ac.uk, and looking
>>> at them with diff it appears that only the dates and the actual
>>> certificate data differ, but the old one works and the new one
>>> doesn't.
>> Weird ... clutching at straws a bit, but some services need extra
>> copies of the host cert, did you check that there aren't any old ones
>> lurking around? Or if they have been updated, that the permissions
>> are OK? (and the same for the private key)
>>
> Essentially, yes. We've now noticed this on a Cream CE as well, but
> I've mostly been playing with it on a would-be Argus server. Not only
> does it not require any other copies of the certificate, it's a brand
> new system so there's no old cruft lying around at all.
How does it access the key then? Does it run as root? suid? acls? or is
there a signing oracle[1]?

[1] A computer scientist implied to me that this is what one should do
in order to avoid the proliferation of copies of certificates.