[caops-wg] Fwd: useful information about bestman2 and SHA2 host certificates

Sill, Alan alan.sill at ttu.edu
Sat Sep 13 02:11:00 EDT 2014


Hmm, more in the SHA2 and jglobus story below.

Any other related experience out there?

Alan

Begin forwarded message:

From: Horst Severini <hs at nhn.ou.edu>
Subject: useful information about bestman2 and SHA2 host certificates
Date: September 13, 2014 at 2:56:49 AM GMT+1
To: <osg-sites at OPENSCIENCEGRID.ORG>, <usatlas-t2-l at lists.bnl.gov>
Cc: <adt027 at latech.edu>, <hs.greenw at phys.latech.edu>
Reply-To: <hs at nhn.ou.edu>

Hi all,

since we just found out the hard way, I thought I'd send an email
and warn people who may run up against the same issue fairly soon.
This is documented somewhere, but I'm not sure how many people 
actually know about it -- at least I hadn't read it before. =)

So the problem is that if you request a new hostcert on a RHEL6/SL6/CentOS6
machine with the latest openssl version installed, then the hostkey 
which that procedure produces won't work with bestman2; somehow the version 
of jglobus that bestman2 uses doesn't like it. The details are here:

https://twiki.grid.iu.edu/bin/view/Documentation/Release3/InstallOSGBestmanSE#14_1_Requesting_host_certificate

In a nutshell, the solution seems to be to run the following command 
on the newly produced hostkey file:

openssl rsa -in hostkey.pem -out hostkey.pem.old

Then move the original hostkey.pem out of the way, rename hostkey.pem.old 
back to hostkey.pem, and then make a copy of that to bestman/bestman.key 
as well, as usual for bestman2.

At least that worked for us, Joel Snow tested it. Thanks to Wei Yang
for reminding us about this issue.

By the way, the DigiCert certificate expiration reminder email system
is currently being fixed, too -- well, it has been fixed, but this fix 
will most likely be deployed on September 23 during the monthly maintenance,
so you may want to have a closer look at all your certificates as well 
and make sure none of them expire before that. We were also bitten by that. :)

Cheers,

	Horst
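The steps Horst describes (rewrite the key with `openssl rsa`, keep the original aside, copy the result to bestman.key) can be scripted so that the conversion only happens when it is actually needed and never clobbers the original. The script below is an added example, not code from the thread or from the OSG documentation it links. It rests on one fact the message does not spell out: `openssl rsa -in ... -out ...` rewrites an unencrypted PKCS#8 key (PEM header `BEGIN PRIVATE KEY`, which newer OpenSSL emits) in the traditional PKCS#1 form (`BEGIN RSA PRIVATE KEY`), and it is the header form that the older key loader trips over. The path `/etc/grid-security/bestman/bestman.key` and the function names are this example's own assumptions; the hostkey.pem name follows the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): detect whether a PEM private
# key is PKCS#8 ("BEGIN PRIVATE KEY", what newer openssl tooling writes) or the
# traditional PKCS#1 form ("BEGIN RSA PRIVATE KEY"), convert only when needed,
# keep the original as a backup, and install the copy with 0600 permissions.
# hostkey.pem / bestman.key names follow the thread; function names are ours.

# Print "pkcs8", "pkcs1", "encrypted" or "unknown" for the key file in $1.
key_pem_format() {
    if [ ! -r "$1" ]; then
        echo "unknown"
        return 1
    fi
    if grep -q '^-----BEGIN PRIVATE KEY-----' "$1"; then
        echo "pkcs8"
    elif grep -q '^-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        echo "pkcs1"
    elif grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" \
         || grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo "encrypted"
    else
        echo "unknown"
    fi
}

# Rewrite $1 in place as a PKCS#1 RSA key when it is PKCS#8, keeping the
# original as $1.orig. Returns 0 on success or when no conversion was needed.
convert_key_if_needed() {
    key="$1"
    fmt=$(key_pem_format "$key") || return 1
    case "$fmt" in
        pkcs1)
            echo "$key is already a traditional RSA key; nothing to do"
            return 0 ;;
        pkcs8) ;;
        *)
            echo "$key: unsupported format ($fmt); not touching it" >&2
            return 1 ;;
    esac
    # Never lose the host key: keep the original with its permissions.
    cp -p "$key" "$key.orig" || return 1
    umask 077
    tmp="$key.tmp.$$"
    # openssl rsa reads the PKCS#8 key and writes the same key as PKCS#1 PEM.
    if openssl rsa -in "$key" -out "$tmp" 2>/dev/null; then
        chmod 600 "$tmp"
        mv "$tmp" "$key"
        echo "$key converted to PKCS#1 (original kept as $key.orig)"
    else
        rm -f "$tmp"
        echo "openssl rsa failed on $key; original left untouched" >&2
        return 1
    fi
}

# Copy the PKCS#1 key to the BeStMan location (assumed path) with 0600 mode.
install_bestman_key() {
    src="$1"
    dst="${2:-/etc/grid-security/bestman/bestman.key}"
    if [ "$(key_pem_format "$src")" != "pkcs1" ]; then
        echo "$src is not a PKCS#1 key; refusing to install it" >&2
        return 1
    fi
    umask 077
    cp "$src" "$dst" && chmod 600 "$dst"
}

# Usage: sh fix-hostkey.sh /etc/grid-security/hostkey.pem
if [ "$#" -ge 1 ]; then
    convert_key_if_needed "$1" && install_bestman_key "$1"
fi
```

Checking the header before converting means the script is safe to run repeatedly, and refusing encrypted or unrecognised files avoids silently producing a key that still will not load.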


