No, people will not have to renew because of this. VOMS should support
the old CA until its certificate expires. I am sure this lifetime is
longer than the lifetime of any certificate which it has signed. If not,
I will expect Jens to commit hara-kiri :-) voms shouldn't know about 'The
UK CA'. It knows about lots of CAs; the fact that two of them are in the
UK shouldn't matter.
I do know that Jens raised a ticket against CERN about the way their
VOMS tied users' DNs to the certificate that signed them. This is why
you've all had to load your new certificate explicitly when you renewed
it even though your DN did not change. I suspect they have broken
something in trying to fix this lesser problem.
I suggest you raise a very high priority ticket.
John
> -----Original Message-----
> From: Testbed Support for GridPP member institutes
> [mailto:[log in to unmask]] On Behalf Of Yves Coppens
> Sent: 07 February 2008 18:35
> To: [log in to unmask]
> Subject: Re: Cannot get voms proxies
>
> Hi Chris,
>
> We've seen this. My hypothesis is that the UK CA DN
> associated with all UK certificate holders was changed on CERN vomses.
>
> If you haven't renewed your certificate recently,
> voms-proxy-init will complain.
>
> If you look at:
>
> https://voms.cern.ch:8443/voms/dteam/PreEditUser.do?id=4011
>
> you'll see for you:
>
> User's DN & CA:
> /C=UK/O=eScience/OU=CLRC/L=RAL/CN=chris dteam brew
> /C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA
>
> and I bet if you issue an:
>
> openssl x509 -in .globus/youddteamcert.pem -noout -issuer
>
> you'll get:
>
> issuer= /C=UK/O=eScienceCA/OU=Authority/CN=CA
>
> I guess many will need to renew their certificate until voms
> stops doing this check?
>
> Yves
>
> On Thu, 7 Feb 2008, Brew, CAJ (Chris) wrote:
>
> > Hi,
> >
> > Today I seem to be unable to get voms proxies for any of the 'CERN'
> > VOs (CMS and dteam for me) and my Atlas office mate cannot get an atlas
> > VOMS proxy either.
> >
> > It complains that "User unknown to this VO."
> >
> > This seems to be independent of location since it even fails on lxplus:
> >
> > [lxplus208] /afs/cern.ch/user/b/brew > voms-proxy-init --voms cms
> >   --key ~/.my_certs/cms-userkey.pem --cert ~/.my_certs/cms-usercert.pem
> > Enter GRID pass phrase:
> > Your identity: /C=UK/O=eScience/OU=CLRC/L=RAL/CN=chris cms brew
> > Cannot find file or dir: /afs/cern.ch/user/b/brew/.glite/vomses
> > Creating temporary proxy
> > .............................................................. Done
> > Contacting voms.cern.ch:15002
> > [/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch] "cms" Failed
> >
> > Error: cms: User unknown to this VO.
> >
> > Trying next server for cms.
> > Creating temporary proxy ................................. Done
> > Contacting lcg-voms.cern.ch:15002
> > [/DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch] "cms" Failed
> >
> > Error: cms: User unknown to this VO.
> >
> > None of the contacted servers for cms were capable of returning a
> > valid AC for the user.
> >
> > Is anyone else seeing this problem? Is it something to do with the CA
> > upgrade?
> >
> > Thanks,
> > Chris.
> >
>
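As an added example (not part of the thread above), a short Python script that performs the check Yves describes: it parses the issuer DN printed by `openssl x509 -noout -issuer` (both the legacy one-line form and the newer `C = UK, O = ...` form) and compares it, attribute by attribute, with the CA DN the VOMS server lists for the user. The sample DNs are the two quoted in the thread; `issuer_of` is a hypothetical helper that wraps the same openssl call.

```python
"""Check whether the issuer of a local grid certificate matches the CA DN
that a VOMS server has on record for the user (constructed sample values)."""
import re
import subprocess
from itertools import zip_longest

# Constructed from the values quoted in the thread: the CA DN the CERN VOMS
# server lists for the user, and the issuer line openssl prints for the
# certificate actually on disk.
VOMS_REGISTERED_CA = "/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA"
CERT_ISSUER_OUTPUT = "issuer= /C=UK/O=eScienceCA/OU=Authority/CN=CA"


def parse_dn(text):
    """Parse a DN as printed by `openssl x509 -noout -issuer` into a list of
    (attribute, value) pairs, accepting both the legacy one-line form
    ('issuer= /C=UK/O=...') and the OpenSSL 1.1+ form ('issuer=C = UK, O = ...').
    Values containing '/' or ',' are not handled (rare in CA DNs)."""
    s = re.sub(r"^(issuer|subject)\s*=\s*", "", text.strip())
    parts = s[1:].split("/") if s.startswith("/") else re.split(r",\s*", s)
    rdns = []
    for part in parts:
        if part.strip():
            attr, _, value = part.partition("=")
            rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def check_voms_ca(voms_ca_dn, cert_issuer):
    """Compare the VOMS-registered CA DN with the certificate's issuer DN.
    Returns (ok, mismatches); each mismatch is (attribute, expected, actual)."""
    expected, actual = parse_dn(voms_ca_dn), parse_dn(cert_issuer)
    mismatches = []
    for exp, act in zip_longest(expected, actual, fillvalue=("", "")):
        if exp != act:
            mismatches.append((exp[0] or act[0], exp[1], act[1]))
    return not mismatches, mismatches


def issuer_of(cert_path):
    """Issuer line of a PEM certificate, via the same openssl call as in the thread."""
    return subprocess.check_output(
        ["openssl", "x509", "-in", cert_path, "-noout", "-issuer"], text=True)


if __name__ == "__main__":
    ok, diffs = check_voms_ca(VOMS_REGISTERED_CA, CERT_ISSUER_OUTPUT)
    if ok:
        print("certificate issuer matches the CA DN VOMS has on record")
    for attr, exp, act in diffs:
        print(f"{attr}: VOMS record has {exp!r}, certificate issuer has {act!r}")
```

Run against a real certificate with `check_voms_ca(voms_dn, issuer_of("~/.globus/usercert.pem"))`; a CN mismatch like the one above is exactly what makes voms-proxy-init report "User unknown to this VO".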