Hi Maarten,
Yes, I replaced it because in the mail I refer to, it is explicitly said
that we should substitute it...
So, I'm a little bit confused now. Was the EGEE BROADCAST incorrect, and
do I have to go back to the one distributed by lcg-vomscerts?
I forward here the EGEE message I refer to:
------------------------------------------------------------------------------------
Publication from : David Bouvet (IN2P3-CC)
This mail has been sent using the broadcasting tool available at http://cic.gridops.org
------------------------------------------------------------------------------------
Dear all,
Yesterday the new host certificate of VOMS server
cclcgvomsli01.in2p3.fr
was changed.
Unfortunately, this certificate is not the same as the one provided by RPM lcg-vomscerts-4.4.0-1.
It has been renewed by mistake after the RPM creation.
The following VOs are affected:
biomed
auvergrid
embrace
egeode
vo.ipnl.in2p3.fr
To all sites supporting these VOs, please update the host certificate of VOMS server cclcgvomsli01.in2p3.fr.
The new one is available on the CIC portal at: https://cic.gridops.org/common/all/documents/VOMS/biomed-VOMSPublicKey-20070328-143040.txt
or using the following command:
openssl s_client -CApath /etc/grid-security/certificates -prexit -connect cclcgvomsli01.in2p3.fr:8443 2>/dev/null | openssl x509
Sorry for the inconvenience,
Regards,
David.
Cheers
Goncalo Borges
> Gonçalo Borges wrote:
>
>> Hi All,
>>
>> As you probably know (mail sent on 28/03/2007 by EGEE BROADCAST) the
>> cclcgvomsli01.in2p3.fr VOMS certificate has been renewed.
>> I have updated it on our CE and I just sent you the beginning of the
>> certificate info:
>>
>> [root@ce02 vomsdir]# openssl x509 -text -noout -in
>> cclcgvomsli01.in2p3.fr.1864
>> Certificate:
>> Data:
>> Version: 3 (0x2)
>> Serial Number: 1881 (0x759)
>> Signature Algorithm: sha1WithRSAEncryption
>> Issuer: C=FR, O=CNRS, CN=GRID-FR
>> Validity
>> Not Before: Mar 1 14:01:52 2007 GMT
>> Not After : Mar 1 14:01:52 2008 GMT
>> Subject: O=GRID-FR, C=FR, O=CNRS, OU=CC-LYON,
>> CN=cclcgvomsli01.in2p3.fr
>> (...)
>
> That is the wrong cert! It should be like this:
>
> Validity
> Not Before: Feb 28 10:22:35 2007 GMT
> Not After : Feb 28 10:22:35 2008 GMT
> Subject: O=GRID-FR, C=FR, O=CNRS, OU=CC-LYON,
> CN=cclcgvomsli01.in2p3.fr
>
> That is the cert provided by lcg-vomscerts-4.4.0-1.
> I suppose you replaced it after the accidental extra renewal on the
> server?
> Please put the original cert back and retry.
>
>> After this update, I have a biomed user, which although starting its
>> proxy as biomed, he is always mapped as cmsprd in our local cluster.
>> This is happening because the VOMS authentication fails, and since he
>> also belongs to cms, the gridmapfile is used instead. Here is part of
>> the /var/log/globus-gatekeper.log:
>>
>> (...)
>> LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 :
>> lcmaps.mod-runPlugin(): running plugin
>> /opt/edg/lib/lcmaps/modules/lcmaps_voms.mod
>> LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 :
>> lcmaps_plugin_voms-plugin_run(): Generic verification error for VOMS
>> (failure)!
>> LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 :
>> lcmaps_plugin_voms-plugin_run(): voms plugin failed
>> LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 :
>> lcmaps.mod-runPlugin(): found plugin
>> /opt/edg/lib/lcmaps/modules/lcmaps_localaccount.mod
>> LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 :
>> lcmaps.mod-runPlugin(): running plugin
>> /opt/edg/lib/lcmaps/modules/lcmaps_localaccount.mod
>> LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 :
>> lcmaps_plugin_localaccount-plugin_run(): localaccount plugin succeeded
>> LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 :
>> lcmaps.mod-runPlugin(): found plugin
>> /opt/edg/lib/lcmaps/modules/lcmaps_posix_enf.mod
>> (...)
>>
>> Any suggestion as to where I should look further?
>>
>> Thanks in advance
>> Best Regards
>> Goncalo Borges
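Added example, not part of the original thread: a small Python check that flags the situation described above, where the voms plugin fails and a later plugin (here localaccount) maps the user anyway. It assumes the token after "LCMAPS 0:" identifies one mapping request, as in the quoted excerpt; the sample log is constructed, and its "voms plugin succeeded" line is written by analogy with the localaccount line.

```python
import re

# Constructed sample: the first request is modelled on the excerpt quoted in the
# thread (one entry left wrapped, as mail clients do); the second is invented.
SAMPLE_LOG = """\
LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 :
lcmaps_plugin_voms-plugin_run(): Generic verification error for VOMS
(failure)!
LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 : lcmaps_plugin_voms-plugin_run(): voms plugin failed
LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 : lcmaps_plugin_localaccount-plugin_run(): localaccount plugin succeeded
LCMAPS 0: 2007-04-02.15:01:10.000001.0000022001.0000065400 : lcmaps_plugin_voms-plugin_run(): voms plugin succeeded
"""

ENTRY = re.compile(r"^LCMAPS \d+: (\S+) : (\S+\(\)): (.*)$")
RESULT = re.compile(r"^(\w+) plugin (failed|succeeded)$")

def unwrap(text):
    """Join continuation lines back onto the 'LCMAPS' entry they belong to."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("LCMAPS "):
            entries.append(line)
        elif line and line != "(...)" and entries:
            entries[-1] += " " + line
    return entries

def find_voms_fallbacks(text):
    """Return (request, plugin, reason) where voms failed and a later plugin mapped the user."""
    state = {}      # request token -> last voms error text and failure flag
    findings = []
    for m in filter(None, map(ENTRY.match, unwrap(text))):
        token, func, msg = m.groups()
        req = state.setdefault(token, {"reason": None, "failed": False})
        r = RESULT.match(msg)
        if r is None:
            if func == "lcmaps_plugin_voms-plugin_run()":
                req["reason"] = msg     # e.g. the verification error text
            continue
        plugin, outcome = r.groups()
        if plugin == "voms":
            req["failed"] = outcome == "failed"
        elif outcome == "succeeded" and req["failed"]:
            findings.append((token, plugin, req["reason"]))
            req["failed"] = False       # report each fallback once per request
    return findings

if __name__ == "__main__":
    print(find_voms_fallbacks(SAMPLE_LOG))
```

A hit means the account was chosen from the grid-mapfile rather than from the VOMS attributes in the proxy, so the VOMS server certificate installed in vomsdir is the first thing to check.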