Closed DmitryLitvintsev closed 5 years ago
Hi,
Have you tried checking with the voms-api developers? It is hard for me to say what the reason is; the error looks more like something from VOMS, or at least is transformed. Something in CANL may be the root cause, but it is hard for me to guess what this could be. Also, providing the version from which you upgraded could help, so please add it when asking at VOMS.
Good luck
Here we are :) AFAIU, this is a CRL validation error that happens when checking the certificate that signed the VOMS attribute certificate.
OK, refreshing this thread. So is this an issue on the CANL side or not? I'm not sure after Andrea's comment. If it is not, then I'll close the issue; otherwise I'd need input to reproduce the problem: cert/AC, CRL & CA cert.
This doesn't seem a bug to me, but a simple CRL validation error. Probably CRLs were refreshed on the machine but not in the CANL trust store. @DmitryLitvintsev did you experience this error again?
Thanks Andrea! Closing - if there is more info, will reopen it.
Hello,
Sorry for not following up sooner. I have found that I can avoid this issue by creating X509CertChainValidatorExt with a specified trust anchor update interval. In the previous version it worked without it.
Thank you, Dmitry
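The workaround described in the comment above, sketched as an added example (not code from the thread, from dCache or from CANL itself): a CANL validator built with an explicit trust anchor update interval, plus a listener that reports failed reloads of CA certificates and CRLs. The choice of `OpensslCertChainValidator`, the trust directory, the 10-minute interval and the chain file passed as the first argument are all assumptions.

```java
import eu.emi.security.authn.x509.NamespaceCheckingMode;
import eu.emi.security.authn.x509.StoreUpdateListener;
import eu.emi.security.authn.x509.ValidationResult;
import eu.emi.security.authn.x509.X509CertChainValidatorExt;
import eu.emi.security.authn.x509.impl.CertificateUtils;
import eu.emi.security.authn.x509.impl.CertificateUtils.Encoding;
import eu.emi.security.authn.x509.impl.OpensslCertChainValidator;

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.X509Certificate;
import java.util.concurrent.TimeUnit;

public class ValidatorWithRefresh {
    // Assumed values for illustration; they are not taken from the thread.
    static final String TRUST_DIR = "/etc/grid-security/certificates";
    static final long UPDATE_INTERVAL_MS = TimeUnit.MINUTES.toMillis(10);

    public static void main(String[] args) throws Exception {
        // Explicit interval (milliseconds): CANL re-reads the CA certificates
        // and CRLs found in TRUST_DIR on this schedule.
        X509CertChainValidatorExt validator = new OpensslCertChainValidator(
                TRUST_DIR, NamespaceCheckingMode.EUGRIDPMA_AND_GLOBUS, UPDATE_INTERVAL_MS);

        // Report reload warnings and errors, so a CRL that could not be
        // re-read shows up in the log before it shows up as a validation failure.
        validator.addUpdateListener((location, type, level, cause) -> {
            if (level != StoreUpdateListener.Severity.NOTIFICATION) {
                System.err.printf("trust store reload %s: %s (%s)%n", level, location, type);
            }
        });

        // args[0]: PEM file holding the certificate chain to check (assumed input).
        try (InputStream in = new FileInputStream(args[0])) {
            X509Certificate[] chain = CertificateUtils.loadCertificateChain(in, Encoding.PEM);
            ValidationResult result = validator.validate(chain);
            System.out.println(result.isValid() ? "valid" : "invalid: " + result.getErrors());
        } finally {
            validator.dispose(); // stops the background refresh timer
        }
    }
}
```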
Hello,
The dCache storage system uses the CANL library to handle certificates.
We recently upgraded to CANL version 2.5.0 (from 2.1.2) and voms-api-java to 3.3.0. We started to see the following errors when running certificate validation:
This used to work with the previous version. Does this look familiar to you? Any advice you can give as to how to pursue this issue?
CRL files on the host are updated and current, as well as the content of /etc/grid-security/vomsdir.
It seems like the issue is limited to CERN VOs. At least at our installation in Fermilab we do not see these issues.
Thank you, Dmitry