Hi Gonçalo,
Yes, you need to replace it, as the certificate on the VOMS server has
been replaced.
So the one provided by lcg-vomscerts-4.4.0-1 is no longer valid.
About your problem, do you know if your biomed user has a full voms-proxy?
If the UI he used to generate his proxy still refers to the old VOMS
certificate, his proxy will not be a full voms-proxy, and the VOMS
authentication will fail.
Cheers,
David.
Gonçalo Borges wrote:
> Hi Maarten,
>
> Yes, I replaced it because in the mail I refer to, it is explicitly
> said that we should substitute it...
> So, I'm a little bit confused now. Was the EGEE BROADCAST incorrect
> and I have to go back to the one distributed by lcg-vomscerts?
> I forward here the EGEE message I refer to:
>
> ------------------------------------------------------------------------------------
>
> Publication from : David Bouvet <[log in to unmask]> (IN2P3-CC)
> This mail has been sent using the broadcasting tool available at
> http://cic.gridops.org
> ------------------------------------------------------------------------------------
>
>
> Dear all,
>
> Yesterday the new host certificate of VOMS server
>
> cclcgvomsli01.in2p3.fr
>
> was changed.
>
> Unfortunately, this certificate is not the same as the one provided by
> RPM lcg-vomscerts-4.4.0-1.
> It has been renewed by mistake after the RPM creation.
>
> The following VOs are affected:
>
> biomed
> auvergrid
> embrace
> egeode
> vo.ipnl.in2p3.fr
>
> To all sites supporting these VOs, please update the host certificate
> of VOMS server cclcgvomsli01.in2p3.fr.
> The new one is available on the CIC portal at:
> https://cic.gridops.org/common/all/documents/VOMS/biomed-VOMSPublicKey-20070328-143040.txt
>
>
> or using the following command:
> openssl s_client -CApath /etc/grid-security/certificates -prexit -connect cclcgvomsli01.in2p3.fr:8443 2>/dev/null | openssl x509
>
>
> Sorry for the inconvenience,
> Regards,
>
>
> David.
>
>
> Cheers
> Goncalo Borges
>
>> Gonçalo Borges wrote:
>>
>>> Hi All,
>>>
>>> As you probably know (mail sent on 28/03/2007 by EGEE BROADCAST) the
>>> cclcgvomsli01.in2p3.fr VOMS certificate has been renewed.
>>> I have updated it on our CE and I just sent you the beginning of the
>>> certificate info:
>>>
>>> [root@ce02 vomsdir]# openssl x509 -text -noout -in cclcgvomsli01.in2p3.fr.1864
>>> Certificate:
>>> Data:
>>> Version: 3 (0x2)
>>> Serial Number: 1881 (0x759)
>>> Signature Algorithm: sha1WithRSAEncryption
>>> Issuer: C=FR, O=CNRS, CN=GRID-FR
>>> Validity
>>> Not Before: Mar 1 14:01:52 2007 GMT
>>> Not After : Mar 1 14:01:52 2008 GMT
>>> Subject: O=GRID-FR, C=FR, O=CNRS, OU=CC-LYON,
>>> CN=cclcgvomsli01.in2p3.fr
>>> (...)
>>
>> That is the wrong cert! It should be like this:
>>
>> Validity
>> Not Before: Feb 28 10:22:35 2007 GMT
>> Not After : Feb 28 10:22:35 2008 GMT
>> Subject: O=GRID-FR, C=FR, O=CNRS, OU=CC-LYON,
>> CN=cclcgvomsli01.in2p3.fr
>>
>> That is the cert provided by lcg-vomscerts-4.4.0-1.
>> I suppose you replaced it after the accidental extra renewal on the
>> server?
>> Please put the original cert back and retry.
>>
>>> After this update, I have a biomed user who, although starting
>>> his proxy as biomed, is always mapped as cmsprd in our local
>>> cluster.
>>> This is happening because the VOMS authentication fails, and since
>>> he also belongs to cms, the gridmapfile is used instead. Here is
>>> part of the /var/log/globus-gatekeper.log:
>>>
>>> (...)
>>> LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 :
>>> lcmaps.mod-runPlugin(): running plugin
>>> /opt/edg/lib/lcmaps/modules/lcmaps_voms.mod
>>> LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 :
>>> lcmaps_plugin_voms-plugin_run(): Generic verification error for VOMS
>>> (failure)!
>>> LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 :
>>> lcmaps_plugin_voms-plugin_run(): voms plugin failed
>>> LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 :
>>> lcmaps.mod-runPlugin(): found plugin
>>> /opt/edg/lib/lcmaps/modules/lcmaps_localaccount.mod
>>> LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 :
>>> lcmaps.mod-runPlugin(): running plugin
>>> /opt/edg/lib/lcmaps/modules/lcmaps_localaccount.mod
>>> LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 :
>>> lcmaps_plugin_localaccount-plugin_run(): localaccount plugin succeeded
>>> LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 :
>>> lcmaps.mod-runPlugin(): found plugin
>>> /opt/edg/lib/lcmaps/modules/lcmaps_posix_enf.mod
>>> (...)
>>>
>>> Any suggestion as to where I should look further?
>>>
>>> Thanks in advance
>>> Best Regards
>>> Goncalo Borges
>
--
*David BOUVET*
/EGEE Project team/
IN2P3/CNRS Computing Centre - Lyon (FRANCE)
http://grid.in2p3.fr
Tel. : +33 4 72 69 41 62 | Fax. : +33 4 72 69 41 70 | e-mail :
[log in to unmask]
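
The fallback described in this thread (the voms plugin fails, then the localaccount plugin maps the user from the grid-mapfile) can be flagged from the gatekeeper log. The following is an added example, not part of the original messages: the sample lines are constructed from the quoted excerpt, the function name is hypothetical, and treating the token after `LCMAPS 0:` as a per-request identifier is an assumption.

```python
import re

# Constructed sample modelled on the gatekeeper log excerpt quoted in the
# thread, with wrapped entries joined to one per line. The second and third
# requests are invented for contrast (their wording is an assumption).
SAMPLE_LOG = """\
LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 : lcmaps.mod-runPlugin(): running plugin /opt/edg/lib/lcmaps/modules/lcmaps_voms.mod
LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 : lcmaps_plugin_voms-plugin_run(): Generic verification error for VOMS (failure)!
LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 : lcmaps_plugin_voms-plugin_run(): voms plugin failed
LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 : lcmaps_plugin_localaccount-plugin_run(): localaccount plugin succeeded
LCMAPS 0: 2007-04-02.14:25:10.000001.0000022001.0000065400 : lcmaps_plugin_voms-plugin_run(): voms plugin succeeded
LCMAPS 0: 2007-04-02.14:26:30.000002.0000022002.0000065401 : lcmaps_plugin_voms-plugin_run(): voms plugin failed
"""

# Assumption: the token after "LCMAPS <n>:" is constant for one request,
# as it is in the quoted excerpt, so it is used to group entries.
ENTRY = re.compile(r"^LCMAPS \d+: (?P<request>\S+) : (?P<msg>.+)$")


def find_voms_fallbacks(log_text):
    """Return (request, reason) for each request where the voms plugin
    failed and the localaccount plugin then succeeded anyway."""
    last_error = {}  # request -> most recent VOMS error text
    failed = {}      # request -> reason recorded when the voms plugin failed
    hits = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        req, msg = m.group("request"), m.group("msg")
        source, _, text = msg.partition("(): ")
        if source.startswith("lcmaps_plugin_voms"):
            if "error" in text.lower():
                last_error[req] = text
            elif text == "voms plugin failed":
                failed[req] = last_error.get(req)
        elif text == "localaccount plugin succeeded" and req in failed:
            # VOMS attributes were rejected, yet a local account was mapped.
            hits.append((req, failed.pop(req)))
    return hits


if __name__ == "__main__":
    for req, reason in find_voms_fallbacks(SAMPLE_LOG):
        print(f"{req}: VOMS failed ({reason}); mapped via localaccount")
```

A hit means the job ran under whatever account the grid-mapfile gives the user's DN rather than the VO named in the proxy, which is the biomed-to-cmsprd mapping reported above.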