
Hi Gonçalo,

Yes, you need to replace it, as the certificate on the VOMS server has 
been replaced.
So the one provided by lcg-vomscerts-4.4.0-1 is no longer valid.

About your problem, do you know if your biomed user has a full voms-proxy?
If the UI he used to generate his proxy still refers to the old VOMS 
certificate, his proxy will not be a full voms-proxy, and the VOMS 
authentication will fail.

Cheers,
David.

Gonçalo Borges wrote:
> Hi Maarten,
>
> Yes, I replaced it because in the mail I refer to, it is explicitly 
> said that we should substitute it...
> So, I'm a little bit confused now. Was the EGEE BROADCAST incorrect 
> and I have to go back to the one distributed by lcg-vomscerts?
> I forward here the EGEE message I refer to:
>
> ------------------------------------------------------------------------------------ 
>
> Publication from : David Bouvet <[log in to unmask]> (IN2P3-CC)
> This mail has been sent using the broadcasting tool available at 
> http://cic.gridops.org
> ------------------------------------------------------------------------------------ 
>
>
> Dear all,
>
> Yesterday the new host certificate of VOMS server
>
>    cclcgvomsli01.in2p3.fr
>
> was changed.
>
> Unfortunately, this certificate is not the same as the one provided by 
> RPM lcg-vomscerts-4.4.0-1.
> It has been renewed by mistake after the RPM creation.
>
> The following VOs are affected:
>
>    biomed
>    auvergrid
>    embrace
>    egeode
>    vo.ipnl.in2p3.fr
>
> To all sites supporting these VOs, please update the host certificate 
> of VOMS server cclcgvomsli01.in2p3.fr.
> The new one is available on the CIC portal at:  
> https://cic.gridops.org/common/all/documents/VOMS/biomed-VOMSPublicKey-20070328-143040.txt 
>
>
> or using the following command:
> openssl s_client -CApath /etc/grid-security/certificates -prexit \
>   -connect cclcgvomsli01.in2p3.fr:8443 2>/dev/null | openssl x509
>
>
> Sorry for the inconvenience,
> Regards,
>
>
> David.
>
>
> Cheers
> Goncalo Borges
>
>> Gonçalo Borges wrote:
>>
>>> Hi All,
>>>
>>> As you probably know (mail sent on 28/03/2007 by EGEE BROADCAST) the 
>>> cclcgvomsli01.in2p3.fr VOMS certificate has been renewed.
>>> I have updated it on our CE and I just sent you the beginning of the 
>>> certificate info:
>>>
>>> [root@ce02 vomsdir]#  openssl x509 -text -noout -in 
>>> cclcgvomsli01.in2p3.fr.1864
>>> Certificate:
>>>    Data:
>>>        Version: 3 (0x2)
>>>        Serial Number: 1881 (0x759)
>>>        Signature Algorithm: sha1WithRSAEncryption
>>>        Issuer: C=FR, O=CNRS, CN=GRID-FR
>>>        Validity
>>>            Not Before: Mar  1 14:01:52 2007 GMT
>>>            Not After : Mar  1 14:01:52 2008 GMT
>>>        Subject: O=GRID-FR, C=FR, O=CNRS, OU=CC-LYON, 
>>> CN=cclcgvomsli01.in2p3.fr
>>> (...)
>>
>> That is the wrong cert!  It should be like this:
>>
>>         Validity
>>             Not Before: Feb 28 10:22:35 2007 GMT
>>             Not After : Feb 28 10:22:35 2008 GMT
>>         Subject: O=GRID-FR, C=FR, O=CNRS, OU=CC-LYON, 
>> CN=cclcgvomsli01.in2p3.fr
>>
>> That is the cert provided by lcg-vomscerts-4.4.0-1.
>> I suppose you replaced it after the accidental extra renewal on the 
>> server?
>> Please put the original cert back and retry.
>>
>>> After this update, I have a biomed user who, although starting 
>>> his proxy as biomed, is always mapped as cmsprd in our local 
>>> cluster.
>>> This is happening because the VOMS authentication fails, and since 
>>> he also belongs to cms, the gridmapfile is used instead. Here is 
>>> part of the /var/log/globus-gatekeeper.log:
>>>
>>> (...)
>>> LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 : 
>>> lcmaps.mod-runPlugin(): running plugin 
>>> /opt/edg/lib/lcmaps/modules/lcmaps_voms.mod
>>> LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 :    
>>> lcmaps_plugin_voms-plugin_run(): Generic verification error for VOMS 
>>> (failure)!
>>> LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 :    
>>> lcmaps_plugin_voms-plugin_run(): voms plugin failed
>>> LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 : 
>>> lcmaps.mod-runPlugin(): found plugin 
>>> /opt/edg/lib/lcmaps/modules/lcmaps_localaccount.mod
>>> LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 : 
>>> lcmaps.mod-runPlugin(): running plugin 
>>> /opt/edg/lib/lcmaps/modules/lcmaps_localaccount.mod
>>> LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 :    
>>> lcmaps_plugin_localaccount-plugin_run(): localaccount plugin succeeded
>>> LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 : 
>>> lcmaps.mod-runPlugin(): found plugin 
>>> /opt/edg/lib/lcmaps/modules/lcmaps_posix_enf.mod
>>> (...)
>>>
>>> Any suggestion as to where I should look further?
>>>
>>> Thanks in advance
>>> Best Regards
>>> Goncalo Borges
>

-- 
*David BOUVET*
/EGEE Project team/
IN2P3/CNRS Computing Centre - Lyon (FRANCE)
http://grid.in2p3.fr
Tel. : +33 4 72 69 41 62 | Fax. : +33 4 72 69 41 70 | e-mail : 
[log in to unmask]
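
The failure mode discussed in this thread (VOMS verification fails and LCMAPS then maps the user through a later plugin, here to cmsprd) can be detected from the gatekeeper log. The following is an added example, not part of the original messages: the function name, the grouping of entries by the timestamp/ID token, and the second sample request (including its "voms plugin succeeded" wording) are assumptions.

```python
import re

# Constructed sample: the first request reproduces the excerpt quoted in the
# thread with the mail line-wrapping undone; the second request is invented
# by analogy and its "succeeded" wording is an assumption.
SAMPLE_LOG = """\
LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 : lcmaps.mod-runPlugin(): running plugin /opt/edg/lib/lcmaps/modules/lcmaps_voms.mod
LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 :    lcmaps_plugin_voms-plugin_run(): Generic verification error for VOMS (failure)!
LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 :    lcmaps_plugin_voms-plugin_run(): voms plugin failed
LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 : lcmaps.mod-runPlugin(): running plugin /opt/edg/lib/lcmaps/modules/lcmaps_localaccount.mod
LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 :    lcmaps_plugin_localaccount-plugin_run(): localaccount plugin succeeded
LCMAPS 0: 2007-04-02.14:25:10.000000.0000022001.0000065340 : lcmaps.mod-runPlugin(): running plugin /opt/edg/lib/lcmaps/modules/lcmaps_voms.mod
LCMAPS 0: 2007-04-02.14:25:10.000000.0000022001.0000065340 :    lcmaps_plugin_voms-plugin_run(): voms plugin succeeded
"""

# "LCMAPS <level>: <request tag> : <function>(): <message>"
ENTRY = re.compile(r"^LCMAPS \d+: (?P<req>\S+) :\s+(?P<func>\S+)\(\): (?P<msg>.*)$")
RESULT = re.compile(r"^(?P<plugin>\w+) plugin (?P<outcome>failed|succeeded)$")


def find_voms_fallbacks(log_text):
    """Report requests where the VOMS plugin failed and a later plugin
    still mapped the user, i.e. the mapping ignored the VOMS attributes."""
    state = {}      # request tag -> per-request tracking
    findings = []
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue
        req = state.setdefault(
            entry["req"], {"reason": None, "voms_failed": False, "reported": False})
        msg = entry["msg"].strip()
        if "error for VOMS" in msg:
            req["reason"] = msg            # keep the verification error text
        result = RESULT.match(msg)
        if not result:
            continue
        if result["plugin"] == "voms":
            req["voms_failed"] = result["outcome"] == "failed"
        elif (result["outcome"] == "succeeded"
              and req["voms_failed"] and not req["reported"]):
            req["reported"] = True         # one finding per request
            findings.append({"request": entry["req"],
                             "fallback_plugin": result["plugin"],
                             "reason": req["reason"]})
    return findings


if __name__ == "__main__":
    for finding in find_voms_fallbacks(SAMPLE_LOG):
        print(finding)
```

A finding on a CE right after a vomsdir certificate change is a prompt to compare the installed certificate's validity dates with the one the VOMS server currently presents.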