[ ... ]
>> For those following at home, it looks like the admins at Manchester
>> have updated the host certificate for the voms server, and
>> our quattor generated systems don't have lsc files to cope
>> with this (yes, we know)
> To be fair to the Manchester admin for VOMS (and in case anyone
> missed it) he did announce that there would be a change:
> https://operations-portal.egi.eu/broadcast/archive?oldid=48455.
I don't think anyone was blaming the UoM admin or a lack of notice; certificates have to be renewed after all. The issue is why this had adverse consequences.
My wild guess is that somehow the DN of the certificate changed upon renewal, or perhaps the certificate on the client and the server must be somehow exactly identical (same serial number, not just same DN).
Which is perhaps why there is a 'lcg-vomscerts' package, and that for some types of node is unavoidable:
https://twiki.cern.ch/twiki/bin/view/LCG/VomsFAQforServiceManagers#How_to_get_rid_of_the_whole_host
I just had a look at the current (6.2.0?) 'lcg-vomscerts' and there is no UoM node name in it, so ensuring that all WMS/FTS/FTA sites for UoM VOs have matching certs is a bit fragile, I think, unless they definitely are in 'lcg-vomscerts' and that gets refreshed promptly.