eu-emi / canl-java

Common authentication library (caNl), Java version

CAnL certificate validation error, v2.5.0 #96

Closed. DmitryLitvintsev closed this 5 years ago.

DmitryLitvintsev commented 5 years ago

Hello,

dCache storage system uses CANL library to handle certificates.

We recently upgraded to CANL version 2.5.0 (from 2.1.2) and voms-api-java to 3.3.0. We started to see the following errors when running certificate validation:

01 Dec 2018 08:16:07 (gPlazma) [door:GFTP-lcg-dp6-IB-AAV7-Du84Ag@gridftp-dp6Domain GFTP-lcg-dp6-IB-AAV7-Du84Ag Login AUTH voms] Validation failure i4v+ for DN "CN=Robot: ATLAS aCT 1,CN=555105,CN=atlact1,OU=Users,OU=Organic Units,DC=cern,DC=ch": [
    [canlError]: CAnL certificate validation error: Signature of a CRL corresponding to this certificates CA is invalid,
    [invalidAcCert]: LSC validation failed: AA certificate chain embedded in the VOMS AC failed certificate validation!,
    [aaCertNotFound]: AC signature verification failure: no valid VOMS server credential found.
]

This used to work with the previous version. Does this look familiar to you? Any advice you can give as to how to pursue this issue?

CRL files on the host are updated and current, as is the content of /etc/grid-security/vomsdir.

It seems like the issue is limited to CERN VOs. At least in our installation at Fermilab we do not see these issues.

Thank you, Dmitry

golbi commented 5 years ago

Hi,

Have you tried checking with the voms-api developers? It is hard for me to say what the reason is; the error looks more like something from VOMS, or at least it is transformed there. Something in CANL may be the root cause, but it is hard for me to guess what this could be. Also, providing the version from which you upgraded could help, so please add it when asking at VOMS.

Good luck

andreaceccanti commented 5 years ago

Here we are :) AFAIU, this is a CRL validation error that happens when checking the certificate that signed the VOMS attribute certificate.

golbi commented 5 years ago

OK, refreshing this thread. So is this an issue on the CANL side or not? I'm not sure after Andrea's comment. If it is not, then I'll close the issue; otherwise I'd need input to reproduce the problem: cert/AC, CRL & CA cert.

andreaceccanti commented 5 years ago

This doesn't seem a bug to me, but a simple CRL validation error. Probably CRLs were refreshed on the machine but not in the CANL trust store. @DmitryLitvintsev did you experience this error again?

golbi commented 5 years ago

Thanks Andrea! Closing; if there is more info I will reopen it.

DmitryLitvintsev commented 5 years ago

Hello,

Sorry for not following up sooner. I have found that I can avoid this issue by creating an X509CertChainValidatorExt with a specified trust anchor update interval. In the previous version it worked without it.

Thank you, Dmitry
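Andrea's and Dmitry's comments above point at the same thing: the CRL files on disk were current, but the validator instance had been built without a trust-anchor update interval, so the CRLs it held in memory were never reloaded and the stale copy failed signature verification. The following is an added example, not code from dCache or from canl-java itself, showing how a validator is constructed with an update interval using the canl 2.x API (eu.emi.security.authn.x509.impl.OpensslCertChainValidator). The trust-store directory, the ten-minute interval, the REQUIRE CRL mode, the chain file path and the class name CrlRefreshingValidator are assumptions made for the example; the semantics of the updateInterval parameter (milliseconds, non-positive disables refreshing) should be checked against the javadoc of the canl version in use.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Collections;

import eu.emi.security.authn.x509.CrlCheckingMode;
import eu.emi.security.authn.x509.NamespaceCheckingMode;
import eu.emi.security.authn.x509.OCSPParametes;
import eu.emi.security.authn.x509.ProxySupport;
import eu.emi.security.authn.x509.RevocationParameters;
import eu.emi.security.authn.x509.StoreUpdateListener;
import eu.emi.security.authn.x509.ValidationError;
import eu.emi.security.authn.x509.ValidationResult;
import eu.emi.security.authn.x509.X509CertChainValidatorExt;
import eu.emi.security.authn.x509.impl.CertificateUtils;
import eu.emi.security.authn.x509.impl.OpensslCertChainValidator;
import eu.emi.security.authn.x509.impl.ValidatorParams;

/**
 * Example wrapper (not part of canl-java or dCache) around a canl validator
 * that periodically reloads CA certificates and CRLs from the trust store.
 */
public final class CrlRefreshingValidator implements AutoCloseable {

    // Assumed defaults, not taken from the issue: the usual EGI/IGTF trust-store
    // layout and a 10 minute refresh period. A non-positive interval disables
    // refreshing, which is the configuration the report above describes as
    // leading to stale CRLs and "Signature of a CRL ... is invalid".
    static final String TRUST_STORE_DIR = "/etc/grid-security/certificates";
    static final long UPDATE_INTERVAL_MS = 10L * 60L * 1000L;

    private final X509CertChainValidatorExt validator;

    public CrlRefreshingValidator(String trustStoreDir, long updateIntervalMs) {
        // REQUIRE fails closed when a CA has no usable CRL. IF_VALID would skip
        // a CRL whose signature does not verify and hide exactly this problem.
        RevocationParameters revocation =
                new RevocationParameters(CrlCheckingMode.REQUIRE, new OCSPParametes());

        // Listener is passed at construction time so that problems during the
        // initial load (unparsable or badly signed CRL) are reported as well,
        // not only those found by later refreshes.
        StoreUpdateListener listener = new StoreUpdateListener() {
            @Override
            public void loadingNotification(String location, String type,
                                            Severity level, Exception cause) {
                if (level != Severity.NOTIFICATION) {
                    System.err.printf("trust store %s: %s %s%s%n", level, type, location,
                            cause == null ? "" : ": " + cause.getMessage());
                }
            }
        };
        ValidatorParams params = new ValidatorParams(revocation, ProxySupport.ALLOW,
                Collections.singletonList(listener));

        // true = hash-named files follow the OpenSSL 1.x naming scheme.
        validator = new OpensslCertChainValidator(trustStoreDir, true,
                NamespaceCheckingMode.EUGRIDPMA_GLOBUS, updateIntervalMs, params);
    }

    /** Validates a PEM-encoded chain (EEC first) read from the given file. */
    public ValidationResult validate(String pemChainPath) throws IOException {
        try (FileInputStream in = new FileInputStream(pemChainPath)) {
            X509Certificate[] chain =
                    CertificateUtils.loadCertificateChain(in, CertificateUtils.Encoding.PEM);
            return validator.validate(chain);
        }
    }

    /** Stops the background updater thread. */
    @Override
    public void close() {
        validator.dispose();
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical path used only when no argument is given.
        String chainPath = args.length > 0 ? args[0] : "/tmp/chain.pem";
        try (CrlRefreshingValidator v =
                     new CrlRefreshingValidator(TRUST_STORE_DIR, UPDATE_INTERVAL_MS)) {
            ValidationResult result = v.validate(chainPath);
            if (result.isValid()) {
                System.out.println("chain validated OK");
                return;
            }
            for (ValidationError e : result.getErrors()) {
                System.out.printf("[%s] at chain position %d: %s%n",
                        e.getErrorCode(), e.getPosition(), e.getMessage());
            }
        }
    }
}
```

Two practical checks follow from the thread: when a CRL-signature error appears only on one site's CAs, compare the file on disk (openssl crl -in ... -noout -text and verification against the CA certificate) with what the long-running process loaded, and confirm that the validator was built with a positive update interval rather than a one-shot load at startup. The listener above makes the second check cheap, because a CRL that fails to parse or verify is reported at load time instead of surfacing only as a rejected login.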