Thanks John; I've noted that in the workaround document.
Steve
On 11/05/2015 01:49 PM, John Kewley wrote:
> From the evidence presented I think that CertWizard creates the certificates sub-directory.
>
> The simplest solution if you want to run grid stuff on the same filestore (whether remotely mounted or whatever) as you request certificates using CertWizard (not tested since I don't run grid stuff anymore but maybe someone could try) is to set the X509_CERT_DIR environment variable to point to /etc/grid-security/certificates. That is what I always used to do so I hope it still works.
>
> Cheers
>
> JK
>
>> -----Original Message-----
>> From: Testbed Support for GridPP member institutes [mailto:TB-
>> [log in to unmask]] On Behalf Of Stephen Jones
>> Sent: Thursday, November 05, 2015 12:27 PM
>> To: [log in to unmask]
>> Subject: Re: Weird user error when reading LFC
>>
>> Hi all,
>>
>> It would be helpful to _know_ whether the files that stopped the system
>> definitely came from CertWizard, and to identify the actual files. If
>> they did, then we only have two choices: make CertWizard work with the
>> system, or make the system work with CertWizard. Meanwhile, I'm aware of
>> only one workaround - get rid of everything in .globus except
>> usercert.* and userkey.*. But I'm concerned that this will fall through
>> the gaps, again, so I've added this to the wiki.
>>
>> https://www.gridpp.ac.uk/wiki/Security_system_errors_and_workarounds
>>
>> I know wiki entries/FAQs etc. are barely adequate but we should consider
>> this a temporary matter until we can get one side or the other fixed.
>>
>> Cheers,
>>
>> Steve
>>
>>
>> On 11/05/2015 11:19 AM, Sam Skipsey wrote:
>>>
>>> On Thu, Nov 5, 2015 at 10:36 AM John Kewley <[log in to unmask]> wrote:
>>>
>>> > (The previous email from Winnie debugging a similar problem back
>>> in May, indicates that certwizard *does* put those
>>> > certs there, and this does cause this issue, so I'm not sure I'd
>>> call it a "wild" accusation.
>>>
>>> If something has been putting files there for donkey's years and
>>> then suddenly another bit of s/w barfs because
>>> of it then although it might be *because* of the original s/w, but
>>> I don't think you should be assigning blame. After all
>>> the s/w in question hasn't been touched for some time due to lack
>>> of funding.
>>>
>>>
>>> Sure, I'm not assigning blame, I'm just noting that it's not a "wild
>>> accusation" if the commenter is basing their particular comment on
>>> evidence presented in the thread already.
>>> I actually think the core issue is a bug in globus_gsi_callback's
>>> legacy signing policy parser, so it's not "certwizard's fault".
>>>
>>> > There's a question of if certwizard is precisely doing something
>>> wrong, or if the other tools should be able to cope with things,
>>> but it's certainly likely that those files are due to certwizard.
>>> See:
>>> https://www.jiscmail.ac.uk/cgi-bin/webadmin?A2=LCG-ROLLOUT;566f81f5.1505
>>> )
>>>
>>> This "issue" wasn't raised on our helpdesk so I haven't seen it
>>> before.
>>>
>>> As I recall in days gone by if you had both a local
>>> .globus/certificates and a /etc/grid-security/certificates
>>> directory then globus would always locate the latter first (this
>>> was a bit of a gotcha for us for a while) - maybe this has changed
>>> in recent months to be the other way round?
>>>
>>>
>>> That's certainly possible - it's clear that something is getting
>>> confused by those signing policies (and it's probably a bug that it is).
>>>
>>> Sam
>>>
>>> Cheers
>>>
>>> JK
>>>
>>
>> --
>> Steve Jones [log in to unmask]
>> Grid System Administrator office: 220
>> High Energy Physics Division tel (int): 43396
>> Oliver Lodge Laboratory tel (ext): +44 (0)151 794 3396
>> University of Liverpool http://www.liv.ac.uk/physics/hep/
--
Steve Jones [log in to unmask]
Grid System Administrator office: 220
High Energy Physics Division tel (int): 43396
Oliver Lodge Laboratory tel (ext): +44 (0)151 794 3396
University of Liverpool http://www.liv.ac.uk/physics/hep/
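
The two workarounds mentioned in this thread (keeping only usercert.* and userkey.* in .globus, and pointing X509_CERT_DIR at /etc/grid-security/certificates) can be checked without deleting anything. The script below is an added example, not part of the original messages or of any grid tool; the function names and the default of $HOME/.globus are assumptions.

```shell
#!/bin/sh
# Added example: report-only audit of a .globus directory against the
# workarounds discussed in this thread. Nothing is deleted or modified.

SYSTEM_CA_DIR=/etc/grid-security/certificates   # path named in the thread

# Print each entry in the given directory that is not usercert.* or userkey.*
# (one name per line, dot-files included). Prints nothing if the directory
# is clean or does not exist.
globus_extras() {
    dir=$1
    [ -d "$dir" ] || return 0
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # skip unmatched globs
        name=${entry##*/}
        case $name in
            usercert.*|userkey.*) ;;          # the only files the workaround keeps
            *) printf '%s\n' "$name" ;;       # e.g. a "certificates" sub-directory
        esac
    done
}

# Classify the current X509_CERT_DIR setting:
#   system - points at /etc/grid-security/certificates
#   custom - set to some other directory
#   unset  - not set or empty
cert_dir_setting() {
    if [ -z "${X509_CERT_DIR:-}" ]; then echo unset
    elif [ "${X509_CERT_DIR%/}" = "$SYSTEM_CA_DIR" ]; then echo system
    else echo custom
    fi
}

# Human-readable report for one .globus directory (default: $HOME/.globus).
audit_globus() {
    dir=${1:-$HOME/.globus}
    extras=$(globus_extras "$dir")
    if [ -n "$extras" ]; then
        echo "Entries in $dir other than usercert.*/userkey.*:"
        printf '%s\n' "$extras" | sed 's/^/  /'
    else
        echo "$dir holds only usercert.*/userkey.* (or does not exist)"
    fi
    echo "X509_CERT_DIR: $(cert_dir_setting)"
}

audit_globus "$@"
```
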