Hello Antun & Rod,
For the LFC and DPM, you don't have to restart the daemons after
changing the host certificate.
That's why modifying the init.d scripts will not help...
The procedure to follow when changing the host certificate is already
described in the FAQ:
https://uimon.cern.ch/twiki/bin/view/LCG/LfcTroubleshooting
(see third bullet).
Cheers, Sophie.
>Hi Sophie,
>
>Is it possible to apply the following approach: each service using the host
>certificate can cp the needed files from their default location in
>/etc/grid-security when started? This way the problem Torsten encountered would be
>much easier to solve - just restart the service and it would pick up the new
>certificate automatically? The same applies to e.g. MON box...
>
>I believe that problems with the permissions of hostkey.pem "r--------" can
>be easily avoided.
>
>Thanks, Antun
>
>-----
>Antun Balaz
>Research Assistant
>E-mail: [log in to unmask]
>Web: http://scl.phy.bg.ac.yu/
>
>Phone: +381 11 3160260, Ext. 152
>Fax: +381 11 3162190
>
>Scientific Computing Laboratory
>Institute of Physics, Belgrade, Serbia
>-----
>
>---------- Original Message -----------
>From: Sophie Lemaitre <[log in to unmask]>
>To: [log in to unmask]
>Sent: Wed, 11 Oct 2006 15:45:34 +0200
>Subject: Re: [LCG-ROLLOUT] LFC problem
>
>
>
>>Hi Torsten,
>>
>>Have you copied and renamed the host certificate under
>>/etc/grid-security/lfcmgr/ as well?
>>
>>$ ll /etc/grid-security/lfcmgr | grep lfc
>>-rw-r--r-- 1 lfcmgr lfcmgr 5423 May 30 13:58 lfccert.pem
>>-r-------- 1 lfcmgr lfcmgr 1675 May 30 13:58 lfckey.pem
>>
>>Did you check the LFC troubleshooting page?
>>https://uimon.cern.ch/twiki/bin/view/LCG/LfcTroubleshooting
>>
>>Cheers, Sophie.
>>
>>
>>
>>>Hi Stephen,
>>>
>>>thanks for the quick reply:
>>>
>>>Burke, S (Stephen) wrote:
>>>
>>>>>[mailto:[log in to unmask]] On Behalf Of Torsten
>>>>>Harenberg said:
>>>>>Cns_serv: Could not establish security context:
>>>>>server_establish_context_ext: Could not acquire the local server
>>>>>credentials !
>>>>>
>>>>>No other log entries are written anymore.
>>>>>
>>>>>Does anybody know what it should tell me?
>>>>>
>>>>>
>>>>Host certificate expired?
>>>>
>>>>
>>>>
>>>unfortunately not - it's brand new:
>>>
>>>Certificate:
>>> Data:
>>> Version: 3 (0x2)
>>> Serial Number: 2649 (0xa59)
>>> Signature Algorithm: sha1WithRSAEncryption
>>> Issuer: C=DE, O=GermanGrid, CN=GridKa-CA
>>> Validity
>>> Not Before: Oct 6 09:21:39 2006 GMT
>>> Not After : Nov 5 09:21:39 2007 GMT
>>> Subject: O=GermanGrid, OU=UniWuppertal,
>>>CN=host/grid-lfc.physik.uni-wuppertal.de
>>>
>>>But I had to replace the host certificate (explanation below) and
>>>since approx. then it happened. I re-used the old one (which was still
>>>valid), but the error stays.
>>>
>>>Hope that the problem is not again deep in SSL, we had trouble with
>>>the FNAL VOMS server and it turned out that the German host
>>>certificates missed the "SSL client" option. This was the reason why I
>>>replaced the certificate by a new one, although the old one is still
>>>valid.
>>>
>>>Cheers,
>>>
>>> Torsten
>>>
>>>
>>>
>>>
>>>
>------- End of Original Message -------
>
>
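An added example, not part of the original thread: a shell check that a service's private copy of the host credential (here `lfccert.pem`/`lfckey.pem` under `/etc/grid-security/lfcmgr`, owner `lfcmgr`, modes as in the listing above) is still identical to the host certificate and key after a renewal. The source file name `hostcert.pem` and the function names are assumptions; run it as a user that can read the host key.

```shell
#!/bin/sh
# Added example: detect a stale or badly protected service copy of the
# host credential after the host certificate has been replaced.
# Assumption: the host files are hostcert.pem / hostkey.pem in HOST_DIR.

# _check_copy SRC DST MODE OWNER -> 0 if DST is an identical copy of SRC
# with the expected octal mode and owner, 1 otherwise.
_check_copy() {
    src=$1 dst=$2 mode=$3 owner=$4
    if [ ! -f "$dst" ]; then
        echo "MISSING $dst"
        return 1
    fi
    st=0
    # A renewed host certificate leaves the old service copy in place.
    cmp -s "$src" "$dst" || { echo "STALE   $dst differs from $src"; st=1; }
    [ "$(stat -c %a "$dst")" = "$mode" ] ||
        { echo "MODE    $dst is $(stat -c %a "$dst"), expected $mode"; st=1; }
    [ "$(stat -c %U "$dst")" = "$owner" ] ||
        { echo "OWNER   $dst is $(stat -c %U "$dst"), expected $owner"; st=1; }
    return $st
}

# check_service_cert SVC_DIR CERT_NAME KEY_NAME OWNER [HOST_DIR]
# Certificate copy must be 644, key copy must be 400 (owner-read only).
check_service_cert() {
    svc_dir=$1 cert=$2 key=$3 svc_owner=$4
    host_dir=${5:-/etc/grid-security}
    rc=0
    _check_copy "$host_dir/hostcert.pem" "$svc_dir/$cert" 644 "$svc_owner" || rc=1
    _check_copy "$host_dir/hostkey.pem"  "$svc_dir/$key"  400 "$svc_owner" || rc=1
    return $rc
}

# Example for the LFC case discussed in the thread:
#   sh check.sh /etc/grid-security/lfcmgr lfccert.pem lfckey.pem lfcmgr
if [ $# -ge 4 ]; then
    check_service_cert "$@"
fi
```

A non-zero exit status means the service copy has to be refreshed from the host certificate and key before the daemon can acquire its credentials.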