Just to let you know that I'm aware of the issue; I wasn't involved in this release so wasn't involved in any testing, but I'll see if I can work out the issue.
My understanding is that Jens is out of the office, but I'm hoping he'll be online at some point this afternoon.
FYI, I haven't yet updated the CA repository, so the "old" 2B certificate should still be downloadable from there:
http://www.ngs.ac.uk/ukca/certificates/cacerts
Cheers
JK
> -----Original Message-----
> From: Testbed Support for GridPP member institutes [mailto:TB-
> [log in to unmask]] On Behalf Of Robert Frank
> Sent: 28 November 2017 13:45
> To: [log in to unmask]
> Subject: Re: We think trust anchors 1.88-1 breaks on SL6
>
> Have a look here:
>
> http://mirror.tier2.hep.manchester.ac.uk/Repositories/EMI/CA/
>
> Robert
>
> On 28/11/17 13:36, Stephen Jones wrote:
> > On 28/11/17 13:32, Daniela Bauer wrote:
> >> How did you roll back to 1.87 ?
> >
> >
> > They've taken it away.
> >
> > (note to self: always download and KEEP the last good CAs)
> >
> > Ste
> >
> >
> >>
> >> Cheers,
> >> Daniela
> >>
> >> On 28 November 2017 at 13:30, Robert Frank <[log in to unmask]> wrote:
> >>
> >> I've seen it as well in Manchester when I tried to update this
> >> morning. I've rolled everything back to 1.87 for now.
> >> I got the impression that it works when both the server and the
> >> client use the same version, but more testing is needed to confirm
> >> this.
> >>
> >> Cheers,
> >> Robert
> >>
> >> On 28/11/17 13:21, Stephen Jones wrote:
> >>
> >> Don't update to 1.88-1
> >>
> >> We have same problems too!
> >>
> >> Working on it; site is down because ARGUS (SL6) is clobbered
> >> by this...
> >>
> >> Cheers,
> >>
> >>
> >> Ste
> >>
> >>
> >> On 28/11/17 13:17, Daniela Bauer wrote:
> >>
> >> Hi All,
> >>
> >> the latest trust anchor release contains this change:
> >>
> >> * updated UKeScience 2B ICA based on a SHA-2 family digest
> >> (UK)
> >>
> >> When I try and run the cvmfs UI on SL6 I get the following
> >> error:
> >>
> >> lx01:~ > voms-proxy-init --voms gridpp
> >> Enter GRID pass phrase for this identity:
> >> Contacting voms03.gridpp.ac.uk:15000
> >> [/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk]
> >> "gridpp"...
> >> Certificate validation error: Can not verify the CRL as
> >> its issuer's public key is unknown or can not be validated
> >> Cause: Certification path could not be validated. Cause:
> >> NullPointerException
> >> Error contacting voms03.gridpp.ac.uk:15000 for VO gridpp:
> >> java.security.cert.CertificateException: The peer's
> >> certificate with subject's DN
> >> CN=voms03.gridpp.ac.uk,L=Physics,OU=Imperial,O=eScience,C=UK
> >> was rejected. The peer's certificate status is: FAILED The
> >> following validation errors were found:
> >> error at position 0 in chain, problematic certificate
> >> subject: CN=voms03.gridpp.ac.uk,L=Physics,OU=Imperial,O=eScience,C=UK
> >> (category: CRL): Can not verify the CRL as its issuer's
> >> public key is unknown or can not be validated Cause:
> >> Certification path could not be validated. Cause:
> >> NullPointerException
> >> Certificate validation error: Can not verify the CRL as
> >> its issuer's public key is unknown or can not be validated
> >> Cause: Certification path could not be validated. Cause:
> >> NullPointerException
> >> Error contacting voms03.gridpp.ac.uk:15000 for VO gridpp: peer
> >> not authenticated
> >> Error contacting voms03.gridpp.ac.uk:15000 for VO gridpp: REST
> >> and legacy VOMS endpoints failed.
> >> Contacting voms02.gridpp.ac.uk:15000
> >> [/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk]
> >> "gridpp"...
> >> Certificate validation error: Can not verify the CRL as
> >> its issuer's public key is unknown or can not be validated
> >> Cause: Certification path could not be validated. Cause:
> >> NullPointerException
> >> Error contacting voms02.gridpp.ac.uk:15000 for VO gridpp:
> >> java.security.cert.CertificateException: The peer's
> >> certificate with subject's DN
> >> CN=voms02.gridpp.ac.uk,L=OeSC,OU=Oxford,O=eScience,C=UK
> >> was rejected. The peer's certificate status is: FAILED The
> >> following validation errors were found:
> >> error at position 0 in chain, problematic certificate
> >> subject: CN=voms02.gridpp.ac.uk,L=OeSC,OU=Oxford,O=eScience,C=UK
> >> (category: CRL): Can not verify the CRL as its issuer's
> >> public key is unknown or can not be validated Cause:
> >> Certification path could not be validated. Cause:
> >> NullPointerException
> >> Certificate validation error: Can not verify the CRL as
> >> its issuer's public key is unknown or can not be validated
> >> Cause: Certification path could not be validated. Cause:
> >> NullPointerException
> >> Error contacting voms02.gridpp.ac.uk:15000 for VO gridpp: peer
> >> not authenticated
> >> Error contacting voms02.gridpp.ac.uk:15000 for VO gridpp: REST
> >> and legacy VOMS endpoints failed.
> >> Contacting voms.gridpp.ac.uk:15000
> >> [/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk]
> >> "gridpp"...
> >> Certificate validation error: Can not verify the CRL as
> >> its issuer's public key is unknown or can not be validated
> >> Cause: Certification path could not be validated. Cause:
> >> NullPointerException
> >> Error contacting voms.gridpp.ac.uk:15000 for VO gridpp:
> >> java.security.cert.CertificateException: The peer's
> >> certificate with subject's DN
> >> CN=voms.gridpp.ac.uk,L=HEP,OU=Manchester,O=eScience,C=UK
> >> was rejected. The peer's certificate status is: FAILED The
> >> following validation errors were found:
> >> error at position 0 in chain, problematic certificate
> >> subject: CN=voms.gridpp.ac.uk,L=HEP,OU=Manchester,O=eScience,C=UK
> >> (category: CRL): Can not verify the CRL as its issuer's
> >> public key is unknown or can not be validated Cause:
> >> Certification path could not be validated. Cause:
> >> NullPointerException
> >> Certificate validation error: Can not verify the CRL as
> >> its issuer's public key is unknown or can not be validated
> >> Cause: Certification path could not be validated. Cause:
> >> NullPointerException
> >> Error contacting voms.gridpp.ac.uk:15000 for VO gridpp: peer not
> >> authenticated
> >> Error contacting voms.gridpp.ac.uk:15000 for VO gridpp: REST and
> >> legacy VOMS endpoints failed.
> >> None of the contacted servers for gridpp were capable of
> >> returning a valid AC for the user.
> >> User's request for VOMS attributes could not be fulfilled.
> >>
> >>
> >> It works on SL7.
> >>
> >> This error is fairly deadly for a lot of stuff we are
> >> doing here.
> >>
> >> Any ideas ?
> >>
> >> Regards,
> >> Daniela
> >>
> >>
> >> -- Sent from the pit of despair
> >>
> >> -----------------------------------------------------------
> >> [log in to unmask]
> >> HEP Group/Physics Dep
> >> Imperial College
> >> London, SW7 2BW
> >> Tel: +44-(0)20-75947810
> >> http://www.hep.ph.ic.ac.uk/~dbauer/
> >>
> >>
> >>
> >>
> >>
> >>
> >> --
> >> Sent from the pit of despair
> >>
> >> -----------------------------------------------------------
> >> [log in to unmask]
> >> HEP Group/Physics Dep
> >> Imperial College
> >> London, SW7 2BW
> >> Tel: +44-(0)20-75947810
> >> http://www.hep.ph.ic.ac.uk/~dbauer/
> >
> >