[caops-wg] Fwd: useful information about bestman2 and SHA2 host certificates
Sill, Alan
alan.sill at ttu.edu
Sat Sep 13 02:11:00 EDT 2014
Hmm, more in the SHA2 and jglobus story below.
Any other related experience out there?
Alan
Begin forwarded message:
From: Horst Severini <hs at nhn.ou.edu>
Subject: useful information about bestman2 and SHA2 host certificates
Date: September 13, 2014 at 2:56:49 AM GMT+1
To: <osg-sites at OPENSCIENCEGRID.ORG>, <usatlas-t2-l at lists.bnl.gov>
Cc: <adt027 at latech.edu>, <hs.greenw at phys.latech.edu>
Reply-To: <hs at nhn.ou.edu>
Hi all,
since we just found out the hard way, I thought I'd send an email
and warn people who may run up against the same issue fairly soon.
This is documented somewhere, but I'm not sure how many people
actually know about it -- at least I hadn't read it before. =)
So the problem is that if you request a new hostcert on a RHEL6/SL6/CentOS6
machine with the latest openssl version installed, then the hostkey
which that procedure produces won't work with bestman2; somehow the version
of jglobus that bestman2 uses doesn't like it. The details are here:
https://twiki.grid.iu.edu/bin/view/Documentation/Release3/InstallOSGBestmanSE#14_1_Requesting_host_certificate
In a nutshell, the solution seems to be to run the following command
on the newly produced hostkey file:
openssl rsa -in hostkey.pem -out hostkey.pem.old
Then move the original hostkey.pem out of the way, rename hostkey.pem.old
back to hostkey.pem, and then make a copy of that to bestman/bestman.key
as well, as usual for bestman2.
At least that worked for us; Joel Snow tested it. Thanks to Wei Yang
for reminding us about this issue.
By the way, the DigiCert certificate expiration reminder email system
is currently being fixed, too -- well, it has been fixed, but this fix
will most likely be deployed on September 23 during the monthly maintenance,
so you may want to have a closer look at all your certificates as well
and make sure none of them expire before that. We were also bitten by that. :)
Cheers,
Horst
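The thread does not say why the new hostkey is rejected; the added example below (not part of the thread, and not bestman2 or jglobus code) assumes the usual explanation, that a current `openssl req` writes the key as PKCS#8 (`BEGIN PRIVATE KEY`) while `openssl rsa -in ... -out ...` rewrites it as PKCS#1 (`BEGIN RSA PRIVATE KEY`), the header older jglobus parses. It tells you which form a hostkey is in and performs the same unwrapping in stdlib Python so the result of the openssl step can be verified; `key_format`, `pkcs8_to_pkcs1` and the sample key are all constructed here.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)

def _tlv(buf, pos=0):
    """Read one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give how many bytes hold the real length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _pem_to_der(pem):
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def _der_to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

def key_format(pem):
    """'pkcs1' = BEGIN RSA PRIVATE KEY (what jglobus accepts); 'pkcs8' = BEGIN PRIVATE KEY."""
    label, der = _pem_to_der(pem)
    _, body, _ = _tlv(der)        # outer SEQUENCE
    _, _, pos = _tlv(body)        # INTEGER version, first element of both structures
    second = _tlv(body, pos)[0]   # PKCS#1: INTEGER modulus; PKCS#8: SEQUENCE AlgorithmIdentifier
    if label == "RSA PRIVATE KEY" and second == 0x02:
        return "pkcs1"
    if label == "PRIVATE KEY" and second == 0x30:
        return "pkcs8"
    raise ValueError("unsupported or encrypted key (%s)" % label)

def pkcs8_to_pkcs1(pem):
    """Unwrap an unencrypted PKCS#8 RSA key into PKCS#1 PEM; PKCS#1 input is returned unchanged."""
    if key_format(pem) == "pkcs1":
        return pem
    _, body, _ = _tlv(_pem_to_der(pem)[1])
    _, _, pos = _tlv(body)              # skip version
    _, alg, pos = _tlv(body, pos)       # AlgorithmIdentifier SEQUENCE { OID, NULL }
    if _tlv(alg)[1] != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    return _der_to_pem("RSA PRIVATE KEY", _tlv(body, pos)[1])  # OCTET STRING holds the RSAPrivateKey DER

# Constructed sample, not a real key: PKCS#8 wrapping a toy RSAPrivateKey { version 0, n, e } (hand-built DER)
SAMPLE_PKCS8 = _der_to_pem("PRIVATE KEY", bytes.fromhex(
    "3021020100300d06092a864886f70d0101010500040d300b0201000203010001020103"))
```

Run `key_format` on hostkey.pem before and after the `openssl rsa` step: a file that still reports `pkcs8` means the wrong copy was renamed back (or, on OpenSSL 3, that `openssl rsa` needs `-traditional` to emit PKCS#1).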