Indeed, the machine I tested this on (a decommissioned WN) has openssl
0.9.8e-22 installed. I get the same output as below from the "openssl
crl" command. I'll remove the .r0 files as I do the update.
John
On 29/01/2013 13:41, John Kewley wrote:
> I suspect you are on a 0.9.8 openssl machine. 53729190 would be the hash for a 1.0.0 openssl setup.
>
> I don't see any point in keeping either of the .r0 files for the old UK eScience CA.
>
> Before removing them you can see/check what they are by something like the following:
>
> ----
> [jmk27@puck ~]$ openssl crl -in 367b75c3.r0 -inform pem -noout -issuer -lastupdate -nextupdate
> issuer=/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA
> lastUpdate=Jan 28 15:41:43 2013 GMT
> nextUpdate=Feb 27 15:41:43 2013 GMT
> ----
>
> Ditto for 53729190.r0
>
> JK
>
>> -----Original Message-----
>> From: Testbed Support for GridPP member institutes [mailto:TB-
>> [log in to unmask]] On Behalf Of John Hill
>> Sent: Tuesday, January 29, 2013 12:40 PM
>> To: [log in to unmask]
>> Subject: Re: Changes in IGTF 1.52
>>
>> Curious - I only have 367b75c3.r0
>>
>> John
>>
>> On 29/01/2013 12:36, Alessandra Forti wrote:
>>> I have both
>>>
>>> /etc/grid-security/certificates/367b75c3.r0
>>> /etc/grid-security/certificates/53729190.r0
>>>
>>> which should I eliminate and which should I keep?
>>>
>>> thanks
>>>
>>> cheers
>>> alessandra
>>>
>>> On 29/01/2013 11:54, John Hill wrote:
>>>> /etc/grid-security/certificates/367b75c3.r0 is also still there after
>>>> upgrading to 1.52.
>>>>
>>>> John
>>>>
>>>> On 29/01/2013 11:38, Alessandra Forti wrote:
>>>>> Hi Jens,
>>>>>
>>>>> I've just upgraded and this is what's left behind in the
>>>>> /etc/grid-security/certificates/ directory
>>>>>
>>>>> #> rpm -qa ca-policy-egi-core
>>>>> ca-policy-egi-core-1.52-1.noarch
>>>>>
>>>>> #> ls /etc/grid-security/certificates/UKeScience*2007*
>>>>> /etc/grid-security/certificates/UKeScienceRoot-2007.crl_url
>>>>> /etc/grid-security/certificates/UKeScienceRoot-2007.pem
>>>>> /etc/grid-security/certificates/UKeScienceRoot-2007.info
>>>>> /etc/grid-security/certificates/UKeScienceRoot-2007.signing_policy
>>>>> /etc/grid-security/certificates/UKeScienceRoot-2007.namespaces
>>>>>
>>>>> cheers
>>>>> alessandra
>>>>>
>>>>>
>>>>> On 29/01/2013 11:34, Jens Jensen wrote:
>>>>>> Dropping old CA certificate (no valid certs, valid CRL)
>>>>>> These files should go when you upgrade to 1.52:
>>>>>> /etc/grid-security/certificates/{UKeScienceCA-2007.*,367b75c3.*,53729190.*}
>>>>>>
>>>>>>
>>>>>> It is most important to get rid of *.pem, *.0, and *.r0
>>>>>>
>>>>>> We can watch the CRLs for downloads, see which IP addresses they
>>>>>> come from.
>>>>>>
>>>>>> The main (small) risk is that sites don't remove it (for some reason)
>>>>>> and get hit by the silly test for "expired" at the end of March (at
>>>>>> 23:59:59 UTC).
>>>>>>
>>>>>> There are associated changes in UKeScienceRoot-2007.namespaces and
>>>>>> UKeScienceRoot-2007.signing_policy. In addition, we changed the CRL
>>>>>> download point in UKeScienceRoot-2007.crl_url. There is a slight risk
>>>>>> that a bug has slipped through here, despite checking, due to some
>>>>>> undocumented or non-testable "feature" in the code that uses these
>>>>>> files.
>>>>>>
>>>>>> That's it. Any Qs or Cs?
>>>>>>
>>>>>> Cheers
>>>>>> --jens
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Facts aren't facts if they come from the wrong people. (Paul Krugman)
>>>>>
>>>
>>>
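
The leftover-CRL check discussed in this thread can be scripted. The following is an added example, not part of the original messages or of the IGTF distribution: it lists `<hash>.rN` CRL files in a hashed trust directory that no longer have a `<hash>.N` CA certificate beside them, then inspects each with the `openssl crl` command quoted above. The function names `orphaned_crls`, `describe_crl` and `report_orphans` are hypothetical.

```sh
#!/bin/sh
# Added example: find CRLs left behind after their CA certificate was removed.
# In an OpenSSL hashed directory a CA certificate is <hash>.N and its CRL is
# <hash>.rN, so a CRL with no <hash>.N file next to it is a leftover.

# orphaned_crls DIR: print one path per line for each CRL without a CA cert.
orphaned_crls() {
    dir=$1
    for crl in "$dir"/*.r[0-9]*; do
        if [ ! -e "$crl" ]; then continue; fi    # glob matched nothing
        base=${crl##*/}
        hash=${base%%.*}
        found=no
        # <hash>.[0-9]* matches certificate links only; 'r' is not a digit.
        for cert in "$dir/$hash".[0-9]*; do
            if [ -e "$cert" ]; then found=yes; break; fi
        done
        if [ "$found" = no ]; then printf '%s\n' "$crl"; fi
    done
    return 0
}

# describe_crl FILE: show issuer and validity window before deleting anything.
describe_crl() {
    openssl crl -in "$1" -inform pem -noout -issuer -lastupdate -nextupdate \
        2>/dev/null || echo "unreadable CRL: $1"
}

# report_orphans DIR: list each leftover CRL together with its details.
report_orphans() {
    orphaned_crls "$1" | while IFS= read -r f; do
        echo "== $f"
        describe_crl "$f"
    done
}

# Run only when a directory is given, e.g.:
#   sh check_crls.sh /etc/grid-security/certificates
if [ "$#" -gt 0 ]; then
    report_orphans "$1"
fi
```

The script only reports; removal is left to the administrator after checking the issuer line.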