The certificates for the disk servers I put in place just a couple of months ago have host/ in their name.
Probably I shouldn't have been given the option when I requested them if it is indeed deprecated.
Wahid
On 6 Nov 2012, at 11:42, John Gordon <[log in to unmask]> wrote:
> From memory we deprecated /host some time ago but allowed sites to request a renewal if they wanted. Since CertWizard was developed long after this it doesn't surprise me that it wasn't part of its spec.
>
> What I can't remember is whether there was a time limit of support. Hence I cc Jens.
>
> John
>
> -----Original Message-----
> From: Testbed Support for GridPP member institutes [mailto:[log in to unmask]] On Behalf Of John Kewley
> Sent: 06 November 2012 11:23
> To: [log in to unmask]
> Subject: Re: "host/" prefix in server certs.
>
> Since unadorned host certs are considered host certs then use of "host/" hasn't
> been prevalent for a long time, although there are a smattering of host certificates with
> the "host/" prefix still hanging around, presumably for historical reasons.
>
> What is perhaps a better question is whether there is a use case for any of the other
> service prefixes which were supported on the old web interface. These were typically used
> when there were multiple services on the same machine, but I understand there are better
> ways of doing that now.
>
> Use cases could include the fact that your DN is embedded "all over the place"
> and it would be a real pain getting all your users/references to change. This may be
> the case for a VOMS or myproxy server for instance. I am not saying it'd be a compelling
> use case, but it would be a reasonable point all the same.
>
> I don't have any documentary evidence "to hand" about service prefixes being deprecated,
> but maybe Jens or Mike Jones has that information.
>
> Cheers
>
> JK
>
>> -----Original Message-----
>> From: Testbed Support for GridPP member institutes [mailto:TB-
>> [log in to unmask]] On Behalf Of John Hill
>> Sent: Tuesday, November 06, 2012 11:05 AM
>> To: [log in to unmask]
>> Subject: Re: "host/" prefix in server certs.
>>
>> None of our host certificates have the "host/".
>>
>> John
>>
>> On 06/11/2012 10:46, Wahid Bhimji wrote:
>>> Hi
>>>
>>> So when I tried to use the "Cert wizard" to renew my disk server
>>> certificates I hit an error apparently due to the "host/"
>>> Does anyone know if that is in fact needed or it is ok to use a cert
>>> without that bit?
>>>
>>> The salient parts of my discussion with the helpdesk are below.
>>>
>>> Wahid
>>>
>>> Begin forwarded message:
>>>
>>>> *From: *UK Grid Operations Support Centre <[log in to unmask]
>>>> <mailto:[log in to unmask]>>
>>>> *Subject: **sec_error_unknown_issuer error using firefox to renew host
>>>> certificate ISSUE=15075 PROJ=1*
>>>> *Date: *6 November 2012 10:41:00 GMT
>>>> *To: *<[log in to unmask] <mailto:[log in to unmask]>>
>>>> *Reply-To: *<[log in to unmask]
>>>> <mailto:[log in to unmask]>>
>>>>
>>>> When replying, type your text above this line.
>>>> ------------------------------------------------------------------------
>>>> *Notification of Query Change*
>>>>
>>>> The following reply has been supplied for query [GOSC
>>>> 15075].
>>>>
>>>>
>>>> *Status: * Agent Replied *Creation Date: * 05/11/2012
>>>>
>>>>
>>>> *Query Content:*
>>>> /Entered on 06/11/2012 at 10:41:29 GMT (GMT+0000) by John Kewley:/
>>>> OK thanks
>>>>
>>>> I agree it would be better if it worked on OS/X, but we have spent our
>>>> development on CertWizard so we don't have to support every browser on
>>>> every OS.
>>>>
>>>> Are you sure you need the "host/" prefix? If you have a use-case we'd
>>>> be pleased to hear it - that browser interface won't be around for
>>>> that long
>>>> so we do need to find out if anyone does indeed have any requirements
>>>> for a service certificate.
>>>>
>>>> Cheers
>>>>
>>>> JK
>>>>
>>>>
>>>> On 6 Nov 2012, at 09:41, UK Grid Operations Support Centre
>>>> <[log in to unmask] <mailto:[log in to unmask]>> wrote:
>>>>
>>>>> [Duplicate message snipped]
>>>>
>>>> /Entered on 06/11/2012 at 09:41:26 GMT (GMT+0000) by John Kewley:/
>>>> The use of a service prefix (especially the host/ prefix) has been
>>>> pretty much deprecated by the community some time ago so we haven't
>>>> added support for it in CertWizard.
>>>>
>>>> Your error message doesn't look too friendly though, sorry about that.
>>>>
>>>> If you don't still require that exact DN then you can request a new
>>>> certificate without the prefix using CertWizard - this is likely your
>>>> easiest option ... unless you need that prefix for something.
>>>>
>>>> ... or you should be able to still use Firefox to renew it. Can you
>>>> detail the steps you are doing in FF?
>>>>
>>>> cheers
>>>>
>>>> JK
>>>>
>>>> /Entered on 06/11/2012 at 09:20:26 GMT (GMT+0000) by
>>>> [log in to unmask] <mailto:[log in to unmask]>:/
>>>> Subject: Re: sec_error_unknown_issuer error using firefox to renew
>>>> host certificate ISSUE=15075 PROJ=1
>>>> To: <[log in to unmask] <mailto:[log in to unmask]>>
>>>> From: Wahid Bhimji <[log in to unmask]
>>>> <mailto:[log in to unmask]>>
>>>>
>>>> Right I tried the cert wizard and I got this message
>>>> "Server responded an error: For user cert requests, the CN should be
>>>> lowercase of the form 'firstname surname' (single space separator).
>>>> For hostcert requests, the CN should be a valid lowercase DNS domain
>>>> name. [Accepted (202) - The request has been accepted for processing,
>>>> but the processing has not been completed]"
>>>>
>>>> Is it possible to use the cert wizard or not - what does that message
>>>> mean?
>>>> The DN is
>>>> [log in to unmask]
>>>> <mailto:[log in to unmask]>,
>>>> CN=host/pool3.glite.ecdf.ed.ac.uk, L=NeSC, OU=Edinburgh, O=eScience, C=UK
>>>> CN=UK e-Science CA 2B, OU=Authority, O=eScienceCA, C=UK
>>>>
>>>> I need to get this resolved very soon as the cert will expire next week
>>>>
>>>> Wahid
>>>>
>>>
>>>
>>>
>>> The University of Edinburgh is a charitable body, registered in
>>> Scotland, with registration number SC005336.
>>>
> --
> Scanned by iCritical.
>
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
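
Added example, not part of the thread and not CertWizard's own code: a Python check that applies the rule quoted in the error message above ("the CN should be a valid lowercase DNS domain name") to host certificate DNs and flags any that still carry a service prefix such as "host/", so they can be found before renewal. The reading of "valid DNS name" (two or more lowercase labels), the function names and the second and third sample DNs are assumptions made for illustration.

```python
import re

# One DNS label: lowercase letters, digits, inner hyphens, 1-63 characters.
LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")
# "service/hostname" shape; only "host/" appears in the thread, others are assumed.
PREFIXED = re.compile(r"(?P<service>[A-Za-z][A-Za-z0-9_-]*)/(?P<host>.+)")


def is_lowercase_dns_name(name):
    """Assumed reading of 'valid lowercase DNS domain name': 2+ valid labels."""
    labels = name.split(".")
    return (len(name) <= 253 and len(labels) >= 2
            and all(LABEL.fullmatch(label) for label in labels))


def common_name(dn):
    """Return the first CN value from a comma-separated DN string, or None."""
    for rdn in re.split(r"(?<!\\),\s*", dn.strip()):
        key, _, value = rdn.partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None


def check_host_dn(dn):
    """Classify a host certificate DN as (status, cn, suggested_cn)."""
    cn = common_name(dn)
    if cn is None:
        return ("no-cn", None, None)
    if is_lowercase_dns_name(cn):
        return ("ok", cn, cn)
    match = PREFIXED.fullmatch(cn)
    # Strip the service prefix if present, then see whether the rest would pass.
    host = match.group("host") if match else cn
    suggestion = host.lower() if is_lowercase_dns_name(host.lower()) else None
    status = "service-prefix" if match else "invalid"
    return (status, cn, suggestion)


# The first DN is the one quoted in the thread; the others are constructed samples.
SAMPLE_DNS = [
    "CN=host/pool3.glite.ecdf.ed.ac.uk, L=NeSC, OU=Edinburgh, O=eScience, C=UK",
    "CN=se01.example.ac.uk, L=Site, OU=Example, O=eScience, C=UK",
    "CN=SE02.Example.ac.uk, L=Site, OU=Example, O=eScience, C=UK",
]

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(check_host_dn(dn))
```

A "service-prefix" result means the certificate's DN will change if it is re-requested without the prefix, so any place that embeds the old DN needs updating at the same time.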