[log in to unmask]" type="cite">

Hello,
i have done this link in the crl web server
ln -s 13eab55e.r0 datagrid-es-crl.pem
so now the new CRL will be provided by both urls,

could you check if it has solved the problem ?

anyway i think the old CA should be removed to avoid problems,

i do not understand well why this problem has affected only
to the Spanish CRL and not to all the CAs (i mean, i think the
old Spanish CA and the new should be considered by the script
as different as any two other CAs, isn't it? ), i am having a look
to the scripts now...

Rafa

----- Original Message -----
From: Roberto SANTINELLI <[log in to unmask]>
Date: Monday, February 7, 2005 11:26 am
Subject: [LCG-ROLLOUT] Wrong Spanish CAs

  

Hi,
LHCb is experiencing a lot of failures due to an authentication
problemwith many LCG resources.

Once the problem did appear also at CERN we had a look in more
detail and
we discovered that the following RPM is installed:

ca_Spain-old-0.25-1

which includes a certificate with a revocation URL:

http://grid.ifca.unican.es/ca/datagrid-es/datagrid-es-crl.pem

The CRL at that address actually corresponds to an out of date CRL
for the
_new_ CA, as found in the newer RPM:

ca_Spain-0.25-1
or ca_Spain-0.26-1

The result was that the out of date CRL, from the URL contained in
the old
CA, was overwriting the newer one.

To fix this we can either have the older CA removed from all the
CEs, or
(quicker in my opinion) ask the Spanish CA managers to remove the
out of
date CRL from the above URL.

I think that many site should check this problem just by doing a
simplerpm -qa |grep Spain and verify if there are more than one rpm!




R.


--
EUROPEAN LABORATORY FOR PARTICLE PHYSICS -- CERN
Roberto Santinelli
IT/GD Division
Building: 28   Office: R-019
Phone: +41 22 767 1925
Fax:   +41 22 767 4900
Email: [log in to unmask]