Startup of xrootd with -d:2 option below. Looks like xrootd is mad that there is no CRL file for the CA? I found that XrdSecGSICRLCHECK is set to 3 (require non-expired CRL). When I set it to 1, xrootd appears to start normally, though I didn't check functionality. So, I guess this is either our config problem or that someone is not distributing a CRL as they should.

Thanks for your help!
Chad.

180525 19:48:58 4213 secgsi_InitOpts: *** ---------------------------------------------------------- -- ***
180525 19:48:58 4213 secgsi_Init: option CACheck: 1
180525 19:48:58 4213 secgsi_Init: testing CA dir(s): /etc/grid-security/certificates
180525 19:48:58 4213 secgsi_Init: using CA dir(s): ,/etc/grid-security/certificates/
180525 19:48:58 4213 secgsi_Init: option CRLCheck: 3 ('require-not-expired'; download? no)
180525 19:48:58 4213 secgsi_Init: using CRL dir(s): ,/etc/grid-security/certificates/
180525 19:48:58 4213 secgsi_Init: CRL information refreshed every 86400 secs
180525 19:48:58 4213 crypto_Factory::GetCryptoFactory: shared library 'libXrdCryptossl.so' loaded
180525 19:48:58 4213 sut_Rndm::GetBuffer: enter: len: 32
180525 19:48:58 4213 sut_Rndm::Init: taking seed from /dev/urandom
180525 19:48:58 4213 cryptossl_sslCipher::XrdCryptosslCipher: generate DH full key
180525 19:48:58 4213 cryptossl_X509::XrdCryptosslX509_file: certificate successfully loaded
180525 19:48:58 4213 cryptossl_X509::CertType: certificate has 9 extensions
180525 19:48:58 4213 cryptossl_X509::XrdCryptosslX509_file: RSA key completed
180525 19:48:59 4213 cryptossl_ASN1toUTC: UTC: 1527109259 isdst: 1
180525 19:48:59 4213 cryptossl_ASN1toUTC: UTC: 1534885259 isdst: 1
180525 19:48:59 4213 cryptossl_X509::Export: BIO data: 2208 bytes at 0x0x17c22e0
180525 19:48:59 4213 cryptossl_X509::Export: result of serialization: 2208 bytes
180525 19:48:59 4213 secgsi_GetCA: Querying cache for tag: 4f06f81d.0:1 (timestamp:1527295739, refresh fq:86400)
180525 19:48:59 4213 secgsi_GetCA: trying to load CA certificate from /etc/grid-security/certificates/4f06f81d.0
180525 19:48:59 4213 cryptossl_X509::CertType: certificate has 7 extensions
180525 19:48:59 4213 cryptossl_X509::CertType: CA certificate
180525 19:48:59 4213 cryptossl_X509ParseFile: certificate for '/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3'added to the chain - ord: 1
180525 19:48:59 4213 cryptossl_X509ParseFile: no RSA private key found in file /etc/grid-security/certificates/4f06f81d.0
180525 19:48:59 4213 cryptossl_ASN1toUTC: UTC: 1475790235 isdst: 1
180525 19:48:59 4213 cryptossl_ASN1toUTC: UTC: 1633556635 isdst: 1
180525 19:48:59 4213 cryptossl_X509::Verify: signature not OK
180525 19:48:59 4213 secgsi_VerifyCA: Warning: CA certificate not self-signed and integrity not checked: assuming OK (4f06f81d.0)
180525 19:48:59 4213 secgsi_LoadCRL: target file: /etc/grid-security/certificates/4f06f81d.r04a0a35c0.0
180525 19:48:59 4213 cryptossl_X509Crl::Init: file /etc/grid-security/certificates/4f06f81d.r0 does not exist - do nothing
180525 19:48:59 4213 cryptossl_X509Crl::XrdCryptosslX509Crl_file: could not initialize the CRL from /etc/grid-security/certificates/4f06f81d.r0
180525 19:48:59 4213 secgsi_GetCA: CRL is missing or expired: failing (CRLCheck: 3)
180525 19:48:59 4213 secgsi_GetCA: Querying cache for tag: 4a0a35c0.0:1 (timestamp:1527295739, refresh fq:86400)
180525 19:48:59 4213 secgsi_GetCA: trying to load CA certificate from /etc/grid-security/certificates/4a0a35c0.0
180525 19:48:59 4213 cryptossl_X509::CertType: certificate has 7 extensions
180525 19:48:59 4213 cryptossl_X509::CertType: CA certificate
180525 19:48:59 4213 cryptossl_X509ParseFile: certificate for '/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3'added to the chain - ord: 1
180525 19:48:59 4213 cryptossl_X509ParseFile: no RSA private key found in file /etc/grid-security/certificates/4a0a35c0.0
180525 19:48:59 4213 cryptossl_ASN1toUTC: UTC: 1475790235 isdst: 1
180525 19:48:59 4213 cryptossl_ASN1toUTC: UTC: 1633556635 isdst: 1
180525 19:48:59 4213 cryptossl_X509::Verify: signature not OK
180525 19:48:59 4213 secgsi_VerifyCA: Warning: CA certificate not self-signed and integrity not checked: assuming OK (4f06f81d.0)
180525 19:48:59 4213 secgsi_LoadCRL: target file: /etc/grid-security/certificates/4a0a35c0.r0
180525 19:48:59 4213 cryptossl_X509Crl::Init: file /etc/grid-security/certificates/4a0a35c0.r0 does not exist - do nothing
180525 19:48:59 4213 cryptossl_X509Crl::XrdCryptosslX509Crl_file: could not initialize the CRL from /etc/grid-security/certificates/4a0a35c0.r0
180525 19:48:59 4213 secgsi_GetCA: CRL is missing or expired: failing (CRLCheck: 3)
180525 19:48:59 4213 secgsi_GetSrvCertEnt: failed to load certificate for the issuing CA '4f06f81d.0|4a0a35c0.0'

--
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/716#issuecomment-392225698
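
Added example (not part of the original message and not xrootd code): a pre-flight audit of a CA directory that lists every hash-named CA certificate whose companion CRL (4f06f81d.0 -> 4f06f81d.r0, as in the log above) is missing, expired or unreadable, i.e. the condition the log reports under CRLCheck 3. The function names audit_crls and crl_next_update are hypothetical, and the expiry check assumes the openssl command-line tool is installed.

```python
import re
import subprocess
from datetime import datetime, timezone
from pathlib import Path

# OpenSSL hash-named CA certificate, e.g. 4f06f81d.0 (its CRL is 4f06f81d.r0)
CA_FILE = re.compile(r"^([0-9a-f]{8})\.(\d+)$")


def crl_next_update(crl_path):
    """Return the CRL's nextUpdate time (UTC), read with the openssl CLI."""
    out = subprocess.run(
        ["openssl", "crl", "-in", str(crl_path), "-noout", "-nextupdate"],
        capture_output=True, text=True, check=True,
    ).stdout
    # Expected form: nextUpdate=Jun  1 12:00:00 2018 GMT
    stamp = out.strip().split("=", 1)[1]
    parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def audit_crls(ca_dir, now=None, next_update=crl_next_update):
    """Map each CA file name to 'ok', 'missing', 'expired' or 'unreadable'."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for ca in sorted(Path(ca_dir).iterdir()):
        match = CA_FILE.match(ca.name)
        if not match:
            continue  # skip CRLs, signing policies and other companion files
        crl = ca.with_name(f"{match.group(1)}.r{match.group(2)}")
        if not crl.is_file():
            report[ca.name] = "missing"
            continue
        try:
            expires = next_update(crl)
        except (subprocess.CalledProcessError, ValueError, IndexError, OSError):
            report[ca.name] = "unreadable"  # not a parsable CRL, or no nextUpdate
            continue
        report[ca.name] = "ok" if expires > now else "expired"
    return report


if __name__ == "__main__":
    # Directory taken from the log above, where a missing CRL fails CRLCheck 3.
    for name, status in audit_crls("/etc/grid-security/certificates").items():
        if status != "ok":
            print(f"{name}: CRL {status}")
```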