[caops-wg] [tagpma-general] Fwd: useful information about bestman2 and SHA2 host certificates

Mike Jones mike.jones at manchester.ac.uk
Sat Sep 13 05:25:10 EDT 2014


I found this some time ago with my VOMS::Lite code. The issue is not the message digest but the key file storage format. The default format changed some time ago.
M

On September 13, 2014 7:11:00 AM GMT+01:00, "Sill, Alan" <alan.sill at ttu.edu> wrote:
>Hmm, more in the SHA2 and jglobus story below.
>
>Any other related experience out there?
>
>Alan
>
>Begin forwarded message:
>
>From: Horst Severini <hs at nhn.ou.edu>
>Subject: useful information about bestman2 and SHA2 host certificates
>Date: September 13, 2014 at 2:56:49 AM GMT+1
>To: <osg-sites at OPENSCIENCEGRID.ORG>, <usatlas-t2-l at lists.bnl.gov>
>Cc: <adt027 at latech.edu>, <hs.greenw at phys.latech.edu>
>Reply-To: <hs at nhn.ou.edu>
>
>Hi all,
>
>Since we just found out the hard way, I thought I'd send an email
>and warn people who may run up against the same issue fairly soon.
>This is documented somewhere, but I'm not sure how many people 
>actually know about it -- at least I hadn't read it before. =)
>
>So the problem is that if you request a new hostcert on a
>RHEL6/SL6/CentOS6 machine with the latest openssl version installed,
>then the hostkey which that procedure produces won't work with bestman2;
>somehow the version of jglobus that bestman2 uses doesn't like it.
>The details are here:
>
>https://twiki.grid.iu.edu/bin/view/Documentation/Release3/InstallOSGBestmanSE#14_1_Requesting_host_certificate
>
>In a nutshell, the solution seems to be to run the following command 
>on the newly produced hostkey file:
>
>openssl rsa -in hostkey.pem -out hostkey.pem.old
>
>Then move the original hostkey.pem out of the way, rename
>hostkey.pem.old back to hostkey.pem, and then make a copy of that to
>bestman/bestman.key as well, as usual for bestman2.
>
>At least that worked for us, Joel Snow tested it. Thanks to Wei Yang
>for reminding us about this issue.
>
>By the way, the DigiCert certificate expiration reminder email system
>is currently being fixed, too -- well, it has been fixed, but this fix
>will most likely be deployed on September 23 during the monthly
>maintenance, so you may want to have a closer look at all your
>certificates as well and make sure none of them expire before that.
>We were also bitten by that. :)
>
>Cheers,
>
>	Horst
>

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
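The thread's fix, as Mike notes, comes down to the key file's storage format: newer openssl writes the private key as PKCS#8 ("-----BEGIN PRIVATE KEY-----"), and the jglobus shipped with bestman2 only reads the traditional PKCS#1 form ("-----BEGIN RSA PRIVATE KEY-----"), which is what `openssl rsa -in ... -out ...` emits. The script below is an added example, not code from the thread or from the OSG or bestman2 projects. It looks at the PEM header first, so it does not touch a key that is already in the right form or one that is passphrase-protected, writes the unencrypted result through a mode-0600 temporary file, verifies the header of the output before swapping it in, and keeps the original as `hostkey.pem.pkcs8` (an assumed backup name; the thread uses `hostkey.pem.old` and a rename). The `-traditional` flag only exists on OpenSSL 3, where `openssl rsa` would otherwise write PKCS#8 again; on the OpenSSL 1.0.x of RHEL6 the flag is rejected and the plain command already writes PKCS#1, so the script tries the flag and falls back.

```shell
#!/bin/sh
# Added example (not from the original thread): classify a PEM private key
# by its header and, when it is PKCS#8, rewrite it as the traditional
# PKCS#1 RSA encoding that the older jglobus in bestman2 expects.
# File and backup names are assumptions, not anything the thread specifies.
set -eu

# Print one of: pkcs8, pkcs1, encrypted, unknown
key_pem_format() {
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" \
       || grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted
    elif grep -q '^-----BEGIN PRIVATE KEY-----' "$1"; then
        echo pkcs8
    elif grep -q '^-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        echo pkcs1
    else
        echo unknown
    fi
}

# Convert the key named in $1 to PKCS#1 in place. The original is kept as
# $1.pkcs8 (assumed backup name). The unencrypted output goes through a
# temporary file created under umask 077 and is checked before it replaces
# the original, so a failed conversion never clobbers the working key.
to_pkcs1_inplace() {
    key=$1
    case $(key_pem_format "$key") in
        pkcs1)     echo "$key is already PKCS#1, nothing to do"; return 0 ;;
        encrypted) echo "$key is passphrase-protected; not converting" >&2; return 2 ;;
        unknown)   echo "$key: unrecognised PEM header" >&2; return 2 ;;
    esac
    tmp=$key.tmp.$$
    umask 077
    # OpenSSL 3 writes PKCS#8 by default and needs -traditional; OpenSSL 1.x
    # rejects that flag but writes PKCS#1 anyway, hence the fallback.
    openssl rsa -in "$key" -out "$tmp" -traditional 2>/dev/null \
        || openssl rsa -in "$key" -out "$tmp"
    if [ "$(key_pem_format "$tmp")" != pkcs1 ]; then
        rm -f "$tmp"
        echo "$key: conversion did not produce a PKCS#1 key" >&2
        return 1
    fi
    cp -p "$key" "$key.pkcs8"
    mv "$tmp" "$key"
    chmod 600 "$key"
    echo "$key converted to PKCS#1 (original saved as $key.pkcs8)"
}

# Copy the converted key to the bestman2 location named in the thread,
# with restrictive permissions. Run as the user that owns bestman/.
install_bestman_key() {
    cp "$1" "$2"
    chmod 600 "$2"
}

# Usage: sh convert-hostkey.sh /etc/grid-security/hostkey.pem
if [ $# -gt 0 ]; then
    for f in "$@"; do
        to_pkcs1_inplace "$f"
    done
fi
```

After running it on `hostkey.pem`, `install_bestman_key hostkey.pem bestman/bestman.key` does the copy step from the thread; `head -1` on either file should now read `-----BEGIN RSA PRIVATE KEY-----`. Keep in mind that the output is an unencrypted key, exactly as the original procedure produces, so the 0600 mode and ownership matter more than with the PKCS#8 file it replaces.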