Just an FYI that I've had great success rolling back thanks to the link
Steve shared.

Just in case it's useful, the dummy yum repo snippet I used was:

[egi-igtf-187]
name=egi-igtf-187
baseurl=https://egi-igtf.ndpf.info/distribution/egi-1.87-1/ca-policy-egi-core-1.87-1/
enabled=0
gpgcheck=1
gpgkey=https://egi-igtf.ndpf.info/distribution/egi-1.87-1/GPG-KEY-EUGridPMA-RPM-3

Cheers,
Matt

On 28/11/17 13:50, John Kewley wrote:
> Just to let you know that I'm aware of the issue; I wasn't involved in this release so wasn't involved in any testing, but I'll see if I can work out the issue.
>
> My understanding is that Jens is out of the office, but I'm hoping he'll be online at some point this afternoon.
>
> FYI, I haven't yet updated the CA repository, so the "old" 2B certificate should still be downloadable from there:
> http://www.ngs.ac.uk/ukca/certificates/cacerts
>
> Cheers
>
> JK
>
>> -----Original Message-----
>> From: Testbed Support for GridPP member institutes [mailto:TB-[log in to unmask]] On Behalf Of Robert Frank
>> Sent: 28 November 2017 13:45
>> To: [log in to unmask]
>> Subject: Re: We think trust anchors 1.88-1 breaks on SL6
>>
>> Have a look here:
>>
>> http://mirror.tier2.hep.manchester.ac.uk/Repositories/EMI/CA/
>>
>> Robert
>>
>> On 28/11/17 13:36, Stephen Jones wrote:
>>> On 28/11/17 13:32, Daniela Bauer wrote:
>>>> How did you roll back to 1.87 ?
>>>
>>>
>>> They've taken it away.
>>>
>>> (note to self: always download and KEEP the last good CAs)
>>>
>>> Ste
>>>
>>>
>>>>
>>>> Cheers,
>>>> Daniela
>>>>
>>>> On 28 November 2017 at 13:30, Robert Frank <[log in to unmask]> wrote:
>>>>
>>>> I've seen it as well in Manchester when I tried to update this
>>>> morning. I've rolled everything back to 1.87 for now.
>>>> I got the impression that it works when both the server and the
>>>> client use the same version, but more testing is needed to confirm
>>>> this.
>>>>
>>>> Cheers,
>>>> Robert
>>>>
>>>> On 28/11/17 13:21, Stephen Jones wrote:
>>>>
>>>> Don't update to 1.88-1
>>>>
>>>> We have the same problems too!
>>>>
>>>> Working on it; site is down because ARGUS (SL6) is clobbered
>>>> by this...
>>>>
>>>> Cheers,
>>>>
>>>>
>>>> Ste
>>>>
>>>>
>>>> On 28/11/17 13:17, Daniela Bauer wrote:
>>>>
>>>> Hi All,
>>>>
>>>> the latest trust anchor release contains this change:
>>>>
>>>> * updated UKeScience 2B ICA based on a SHA-2 family digest
>>>> (UK)
>>>>
>>>> When I try and run the cvmfs UI on SL6 I get the following
>>>> error:
>>>>
>>>> lx01:~ > voms-proxy-init --voms gridpp
>>>> Enter GRID pass phrase for this identity:
>>>> Contacting voms03.gridpp.ac.uk:15000
>>>> [/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk]
>>>> "gridpp"...
>>>> Certificate validation error: Can not verify the CRL as
>>>> its issuer's public key is unknown or can not be validated
>>>> Cause: Certification path could not be validated. Cause:
>>>> NullPointerException
>>>> Error contacting voms03.gridpp.ac.uk:15000 for VO gridpp:
>>>> java.security.cert.CertificateException: The peer's
>>>> certificate with subject's DN
>>>> CN=voms03.gridpp.ac.uk,L=Physics,OU=Imperial,O=eScience,C=UK
>>>> was rejected. The peer's certificate status is: FAILED The
>>>> following validation errors were found:
>>>> error at position 0 in chain, problematic certificate
>>>> subject: CN=voms03.gridpp.ac.uk,L=Physics,OU=Imperial,O=eScience,C=UK
>>>> (category: CRL): Can not verify the CRL as its issuer's
>>>> public key is unknown or can not be validated Cause:
>>>> Certification path could not be validated. Cause:
>>>> NullPointerException
>>>> Certificate validation error: Can not verify the CRL as
>>>> its issuer's public key is unknown or can not be validated
>>>> Cause: Certification path could not be validated. Cause:
>>>> NullPointerException
>>>> Error contacting voms03.gridpp.ac.uk:15000 for VO gridpp: peer
>>>> not authenticated
>>>> Error contacting voms03.gridpp.ac.uk:15000 for VO gridpp: REST
>>>> and legacy VOMS endpoints failed.
>>>> Contacting voms02.gridpp.ac.uk:15000
>>>> [/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk]
>>>> "gridpp"...
>>>> Certificate validation error: Can not verify the CRL as
>>>> its issuer's public key is unknown or can not be validated
>>>> Cause: Certification path could not be validated. Cause:
>>>> NullPointerException
>>>> Error contacting voms02.gridpp.ac.uk:15000 for VO gridpp:
>>>> java.security.cert.CertificateException: The peer's
>>>> certificate with subject's DN
>>>> CN=voms02.gridpp.ac.uk,L=OeSC,OU=Oxford,O=eScience,C=UK
>>>> was rejected. The peer's certificate status is: FAILED The
>>>> following validation errors were found:
>>>> error at position 0 in chain, problematic certificate
>>>> subject: CN=voms02.gridpp.ac.uk,L=OeSC,OU=Oxford,O=eScience,C=UK
>>>> (category: CRL): Can not verify the CRL as its issuer's
>>>> public key is unknown or can not be validated Cause:
>>>> Certification path could not be validated. Cause:
>>>> NullPointerException
>>>> Certificate validation error: Can not verify the CRL as
>>>> its issuer's public key is unknown or can not be validated
>>>> Cause: Certification path could not be validated. Cause:
>>>> NullPointerException
>>>> Error contacting voms02.gridpp.ac.uk:15000 for VO gridpp: peer
>>>> not authenticated
>>>> Error contacting voms02.gridpp.ac.uk:15000 for VO gridpp: REST
>>>> and legacy VOMS endpoints failed.
>>>> Contacting voms.gridpp.ac.uk:15000
>>>> [/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk]
>>>> "gridpp"...
>>>> Certificate validation error: Can not verify the CRL as
>>>> its issuer's public key is unknown or can not be validated
>>>> Cause: Certification path could not be validated. Cause:
>>>> NullPointerException
>>>> Error contacting voms.gridpp.ac.uk:15000 for VO gridpp:
>>>> java.security.cert.CertificateException: The peer's
>>>> certificate with subject's DN
>>>> CN=voms.gridpp.ac.uk,L=HEP,OU=Manchester,O=eScience,C=UK
>>>> was rejected. The peer's certificate status is: FAILED The
>>>> following validation errors were found:
>>>> error at position 0 in chain, problematic certificate
>>>> subject: CN=voms.gridpp.ac.uk,L=HEP,OU=Manchester,O=eScience,C=UK
>>>> (category: CRL): Can not verify the CRL as its issuer's
>>>> public key is unknown or can not be validated Cause:
>>>> Certification path could not be validated. Cause:
>>>> NullPointerException
>>>> Certificate validation error: Can not verify the CRL as
>>>> its issuer's public key is unknown or can not be validated
>>>> Cause: Certification path could not be validated. Cause:
>>>> NullPointerException
>>>> Error contacting voms.gridpp.ac.uk:15000 for VO gridpp: peer not
>>>> authenticated
>>>> Error contacting voms.gridpp.ac.uk:15000 for VO gridpp: REST and
>>>> legacy VOMS endpoints failed.
>>>> None of the contacted servers for gridpp were capable of
>>>> returning a valid AC for the user.
>>>> User's request for VOMS attributes could not be fulfilled.
>>>>
>>>>
>>>> It works on SL7.
>>>>
>>>> This error is fairly deadly for a lot of stuff we are
>>>> doing here.
>>>>
>>>> Any ideas ?
>>>>
>>>> Regards,
>>>> Daniela
>>>>
>>>>
>>>> -- Sent from the pit of despair
>>>>
>>>> -----------------------------------------------------------
>>>> [log in to unmask]
>>>> HEP Group/Physics Dep
>>>> Imperial College
>>>> London, SW7 2BW
>>>> Tel: +44-(0)20-75947810
>>>> http://www.hep.ph.ic.ac.uk/~dbauer/