> -----Original Message-----
> From: Testbed Support for GridPP member institutes [mailto:TB-
> [log in to unmask]] On Behalf Of Simon Fayer
>
> On Fri, Oct 18, 2013 at 04:13:27PM +0000, Ewan MacMahon wrote:
> > and neither CertWizard, nor indeed CertSorcerer seem to be at all
> > happy about renewing them.
>
> I've had a go at fixing this[*] in the trunk version of CertSorcerer if
> you do decide you want to renew it.
>
I finally got around to giving this a go, and it did this:
-----
# ./CS.py --sys
Processing HOST cert with "CN=t2se08.physics.ox.ac.uk" (OU=Oxford,L=OeSC,O=eScience,C=UK).
This certificate has been previously signed, start a renewal [y/N]? y
Generating renewal request...
writing RSA key
Sending renewal CSR to CA...
Starting PPPK authentication...
An error occured. Undoing renewal operations...
Traceback (most recent call last):
  File "./CS.py", line 803, in ?
    CS_UI.renew_cert(store, cn, hostcert)
  File "./CS.py", line 697, in renew_cert
    renewal_key = store.get_path(CS_Const.OKEY_FILE))
  File "./CS.py", line 540, in post_csr
    raise Exception("CA returned error code %d (%s) while sending CSR." %
Exception: CA returned error code 202 (<?xml version="1.0" encoding="UTF-8" standalone="no"?><error><request><method>POST</method><location>/CSR</location><time>2013-10-28 14:11:49</time></request><status><major><code>3</code><text>Certificate error</text></major><minor><code>3.6</code><text>The CSR renewal DN does not match the authenticating certificate DN</text></minor></status></error>) while sending CSR.
-----
It's sort-of got a point; the renewal request doesn't match the DN of the
cert that it's authenticating to the CA with, because the one it's
authenticating with has the extra 'host/' bit. If I'm understanding the
process correctly[1] then the client's doing the right thing, but the
CA shouldn't raise that objection for DN changes if the change is only
to remove a service prefix or an email address.
However, at this stage, I've got a week left on a whole bunch of SE node
host certificates, so unless anyone thinks it's particularly worth pursuing
this further, I'm just going to apply for fresh new certs and move on.
Ewan
[1] Big if.
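The DN-matching rule Ewan argues the CA should apply (accept a renewal whose DN differs from the authenticating certificate's only by a service prefix or an e-mail address), plus a parser for the CA's XML error body, as an added example that is not part of this thread and is not CertSorcerer's or the UK eScience CA's code. It assumes DNs are comma-separated `attr=value` strings with no escaped commas (the form shown in the traceback), treats only `host/` as a service prefix (a hypothetical choice; the real list is site policy), and reuses the XML from the traceback as a constructed sample.

```python
import xml.etree.ElementTree as ET

# Hypothetical: service prefixes a renewal is allowed to drop from the CN.
SERVICE_PREFIXES = ("host/",)

# Attribute types treated as an e-mail address RDN and ignored when comparing.
EMAIL_ATTRS = ("EMAILADDRESS", "E")


def parse_dn(dn):
    """Split 'CN=foo,OU=bar' into [('CN', 'foo'), ('OU', 'bar')].

    Assumes no escaped commas inside values (true for the DNs on this page).
    """
    rdns = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % rdn)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def normalise_dn(dn):
    """Canonical form used for the renewal comparison.

    Drops e-mail address RDNs, strips a known service prefix from the CN,
    and lower-cases values so the comparison is case-insensitive.
    """
    out = []
    for attr, value in parse_dn(dn):
        if attr in EMAIL_ATTRS:
            continue
        if attr == "CN":
            for prefix in SERVICE_PREFIXES:
                if value.lower().startswith(prefix):
                    value = value[len(prefix):]
                    break
        out.append((attr, value.lower()))
    return out


def renewal_dn_acceptable(auth_dn, csr_dn):
    """True if the CSR DN equals the authenticating cert's DN once a service
    prefix and any e-mail address are disregarded; False for any other change."""
    return normalise_dn(auth_dn) == normalise_dn(csr_dn)


def parse_ca_error(xml_text):
    """Extract major/minor status codes and texts from the CA's XML error body."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    status = root.find("status")
    if status is None:
        raise ValueError("no <status> element in CA error")
    result = {}
    for level in ("major", "minor"):
        node = status.find(level)
        result[level + "_code"] = node.findtext("code", "").strip()
        result[level + "_text"] = node.findtext("text", "").strip()
    return result


# Constructed sample: the error body from the traceback above.
SAMPLE_ERROR = (
    '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    '<error><request><method>POST</method><location>/CSR</location>'
    '<time>2013-10-28 14:11:49</time></request><status>'
    '<major><code>3</code><text>Certificate error</text></major>'
    '<minor><code>3.6</code><text>The CSR renewal DN does not match the '
    'authenticating certificate DN</text></minor></status></error>'
)

# Hypothetical DN pair matching the situation described in the mail.
AUTH_DN = "CN=host/t2se08.physics.ox.ac.uk,OU=Oxford,L=OeSC,O=eScience,C=UK"
CSR_DN = "CN=t2se08.physics.ox.ac.uk,OU=Oxford,L=OeSC,O=eScience,C=UK"

if __name__ == "__main__":
    err = parse_ca_error(SAMPLE_ERROR)
    print("CA said %s/%s: %s" % (err["major_code"], err["minor_code"], err["minor_text"]))
    print("renewal acceptable under prefix/email rule:", renewal_dn_acceptable(AUTH_DN, CSR_DN))
```

The check is deliberately strict in the other direction: adding a prefix, or changing any other RDN (a different O or OU, or a different host name), still fails, which is the property a CA would need before relaxing the DN comparison.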