On Mon, May 19, 2008 at 8:54 PM, Jensen, J (Jens) <[log in to unmask]> wrote:
> Hi Graeme,
>
> I know for the Moz NSS bug, it is because as part of the SSL negotiation, the server
> (or client, doesn't matter) sends its trusted certificates to the peer saying "look
> this is my cert" and the peer says "wot? I thought it looked like this?"
>
> But OpenSSL and stuff derived from OpenSSL does not work like this; they may
> or may not send intermediate certificates in the negotiation but all that matters
> is that the trust chain can be built, which of course they can be either way.
>
> Maybe it's something more obvious. Like CRLs that haven't been refreshed when
> you install the 1.21 release. You folk in Glasgow have probably been Good Eggs(tm)
> as usual and refreshed your CRLs.

I upgraded one UI first (not our main one) and checked that fetch-crl
worked - so that there was nothing basically wrong with the CA
release. Then, after I had upgraded the CE I refreshed the CRLs by
hand. Because of the way our site infrastructure works all the other
machines then copy their CRLs from the CE (via a simple mirror - no
complicated SSL thingamybobs...).

I can actually tell when Durham broke from the ATLAS pilot submission logs:

http://svr017.gla.scotgrid.ac.uk/factory/logs/2008-05-19/ce01.dur.scotgrid.ac.uk_2119_jobmanager-lcgpbs-q3d/SubmissionLog

I should say they broke for my submission before I had touched
anything at Glasgow re. the update.

I now see a very weird effect. I can globus job run from one Glasgow
UI to Durham ok, but not from the other...

g