Hi Elena,
On 04/12/2014 11:04, Elena Korolkova wrote:
> most of the hr.srce.CADist-Check nagios tests are failing in UKI-NORTHGRID-SHEF-HEP since Dec 1 and I have a ggus opened on Tuesday.
> (https://ggus.eu/index.php?mode=ticket_info&ticket_id=110498)
>
> The error message is
> wn030.hep: CA DIST CRITICAL - The official version is 1.61. Using AAACertificateServices to get CA distribution version. The following CAs have incorrect SHA1 fingerprint: cilogon-openid.
>
> on wn030 i can see that version 1.61 is installed:
>
> [root@wn030 ~]# rpm -qa |grep ca-policy-egi-
> ca-policy-egi-core-1.61-1.noarch
>
> All wn’s are on automatic update and new version of ca-policy 1.61 has been installed on Nov24:
Can you please check /where/ you get the updates from? The 1.61 version was
only released on December 1st, and you ought not have been able to get it
on November 24th!
Also, cilogin-openid is not part of the EGI core (nor the wLCG) trust
anchor distribution, so I wonder what your package source is. Are you
by chance taking it directly from IGTF preview releases?
cilogon-openid is an experimental CA that should not be installed unless
you really know what you're doing, and have put local controls in place
to assure there are no RPDNC namespace clashes and you feel happy letting any
Gmail or Facebook users authenticate.
You really sure you want that experimental CA installed? What does your
yum repos file say?
Cheers,
DavidG.
>
> Nov 24 05:16:19 Updated: ca_AddTrust-External-CA-Root-1.61-1.noarch
> Nov 24 05:16:20 Updated: ca_UTN-USERTrust-RSA-CA-1.61-1.noarch
> Nov 24 05:16:21 Updated: ca_DigiCertGridRootCA-Root-1.61-1.noarch
> Nov 24 05:16:22 Updated: ca_DigiCertAssuredIDRootCA-Root-1.61-1.noarch
> Nov 24 05:16:22 Updated: ca_UKeScienceRoot-2007-1.61-1.noarch
> Nov 24 05:16:23 Updated: ca_UTN-USERFirst-Hardware-1.61-1.noarch
> Nov 24 05:16:24 Updated: ca_COMODO-RSA-CA-1.61-1.noarch
> Nov 24 05:16:24 Updated: ca_CNRS2-1.61-1.noarch
> Nov 24 05:16:25 Updated: ca_CNRS2-Projets-1.61-1.noarch
> Nov 24 05:16:25 Updated: ca_QuoVadis-Root-CA1-1.61-1.noarch
> ……….
>
>
> Some wn’s are passing the tests, but most of the wn;s are not despite all of them have the same ca-policy-egi-core-1.61-1.noarch.
>
> I can’t find what exactly this nagios test is doing.
>
>
> Any thoughts/help are greatly appreciated.
>
> Elena
>
--
David Groep
** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group **
** Room: H1.50 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
|