Startup of xrootd with -d:2 option below.
Looks like xrootd is mad that there is no CRL file for the CA?

I found that XrdSecGSICRLCHECK is set to 3 (require non-expired CRL).

When I set it to 1, xrootd appears to start normally, though I didn't check 
functionality.

So, I guess this is either our config problem or that someone is not 
distributing a CRL as they should.

Thanks for your help!
Chad.


180525 19:48:58 4213 secgsi_InitOpts: *** 
----------------------------------------------------------
-- ***
180525 19:48:58 4213 secgsi_Init: option CACheck: 1
180525 19:48:58 4213 secgsi_Init: testing CA dir(s): 
/etc/grid-security/certificates
180525 19:48:58 4213 secgsi_Init: using CA dir(s): 
,/etc/grid-security/certificates/
180525 19:48:58 4213 secgsi_Init: option CRLCheck: 3 
('require-not-expired'; download? no)
180525 19:48:58 4213 secgsi_Init: using CRL dir(s): 
,/etc/grid-security/certificates/
180525 19:48:58 4213 secgsi_Init: CRL information refreshed every 86400 secs
180525 19:48:58 4213 crypto_Factory::GetCryptoFactory: shared library 
'libXrdCryptossl.so' loaded
180525 19:48:58 4213 sut_Rndm::GetBuffer: enter: len: 32
180525 19:48:58 4213 sut_Rndm::Init: taking seed from /dev/urandom
180525 19:48:58 4213 cryptossl_sslCipher::XrdCryptosslCipher: generate 
DH full key
180525 19:48:58 4213 cryptossl_X509::XrdCryptosslX509_file: certificate 
successfully loaded
180525 19:48:58 4213 cryptossl_X509::CertType: certificate has 9 extensions
180525 19:48:58 4213 cryptossl_X509::XrdCryptosslX509_file: RSA key 
completed
180525 19:48:59 4213 cryptossl_ASN1toUTC:  UTC: 1527109259  isdst: 1
180525 19:48:59 4213 cryptossl_ASN1toUTC:  UTC: 1534885259  isdst: 1
180525 19:48:59 4213 cryptossl_X509::Export: BIO data: 2208 bytes at 
0x0x17c22e0
180525 19:48:59 4213 cryptossl_X509::Export: result of serialization: 
2208 bytes
180525 19:48:59 4213 secgsi_GetCA: Querying cache for tag: 4f06f81d.0:1 
(timestamp:1527295739, refresh fq:86400)
180525 19:48:59 4213 secgsi_GetCA: trying to load CA certificate from 
/etc/grid-security/certificates/4f06f81d.0
180525 19:48:59 4213 cryptossl_X509::CertType: certificate has 7 extensions
180525 19:48:59 4213 cryptossl_X509::CertType: CA certificate
180525 19:48:59 4213 cryptossl_X509ParseFile: certificate for 
'/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3'added to the chain 
- ord: 1
180525 19:48:59 4213 cryptossl_X509ParseFile: no RSA private key found 
in file /etc/grid-security/certificates/4f06f81d.0
180525 19:48:59 4213 cryptossl_ASN1toUTC:  UTC: 1475790235  isdst: 1
180525 19:48:59 4213 cryptossl_ASN1toUTC:  UTC: 1633556635  isdst: 1
180525 19:48:59 4213 cryptossl_X509::Verify: signature not OK
180525 19:48:59 4213 secgsi_VerifyCA: Warning: CA certificate not 
self-signed and integrity not checked: assuming OK (4f06f81d.0)
180525 19:48:59 4213 secgsi_LoadCRL: target file: 
/etc/grid-security/certificates/4f06f81d.r04a0a35c0.0
180525 19:48:59 4213 cryptossl_X509Crl::Init: file 
/etc/grid-security/certificates/4f06f81d.r0 does not exist - do nothing
180525 19:48:59 4213 cryptossl_X509Crl::XrdCryptosslX509Crl_file: could 
not initialize the CRL from /etc/grid-security/certificates/4f06f81d.r0
180525 19:48:59 4213 secgsi_GetCA: CRL is missing or expired: failing 
(CRLCheck: 3)
180525 19:48:59 4213 secgsi_GetCA: Querying cache for tag: 4a0a35c0.0:1 
(timestamp:1527295739, refresh fq:86400)
180525 19:48:59 4213 secgsi_GetCA: trying to load CA certificate from 
/etc/grid-security/certificates/4a0a35c0.0
180525 19:48:59 4213 cryptossl_X509::CertType: certificate has 7 extensions
180525 19:48:59 4213 cryptossl_X509::CertType: CA certificate
180525 19:48:59 4213 cryptossl_X509ParseFile: certificate for 
'/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3'added to the chain 
- ord: 1
180525 19:48:59 4213 cryptossl_X509ParseFile: no RSA private key found 
in file /etc/grid-security/certificates/4a0a35c0.0
180525 19:48:59 4213 cryptossl_ASN1toUTC:  UTC: 1475790235  isdst: 1
180525 19:48:59 4213 cryptossl_ASN1toUTC:  UTC: 1633556635  isdst: 1
180525 19:48:59 4213 cryptossl_X509::Verify: signature not OK
180525 19:48:59 4213 secgsi_VerifyCA: Warning: CA certificate not 
self-signed and integrity not checked: assuming OK (4f06f81d.0)
180525 19:48:59 4213 secgsi_LoadCRL: target file: 
/etc/grid-security/certificates/4a0a35c0.r0
180525 19:48:59 4213 cryptossl_X509Crl::Init: file 
/etc/grid-security/certificates/4a0a35c0.r0 does not exist - do nothing
180525 19:48:59 4213 cryptossl_X509Crl::XrdCryptosslX509Crl_file: could 
not initialize the CRL from /etc/grid-security/certificates/4a0a35c0.r0
180525 19:48:59 4213 secgsi_GetCA: CRL is missing or expired: failing 
(CRLCheck: 3)
180525 19:48:59 4213 secgsi_GetSrvCertEnt: failed to load certificate 
for the issuing CA '4f06f81d.0|4a0a35c0.0'



-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/716#issuecomment-392225698
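
A triage sketch for startup logs like the one in this message, added here as an example and not part of the original post or of xrootd: it re-joins the mail-wrapped records and pulls out the CRLCheck level, the CRL files reported as nonexistent, the CA tags accepted without an integrity check, and the issuers the server finally failed on. The function names `unwrap` and `triage` are this example's own, and the sample is an excerpt of the log above.

```python
import re

# Excerpt from the startup log above, kept in its mail-wrapped form.
SAMPLE_LOG = """\
180525 19:48:58 4213 secgsi_Init: option CRLCheck: 3
('require-not-expired'; download? no)
180525 19:48:59 4213 secgsi_VerifyCA: Warning: CA certificate not
self-signed and integrity not checked: assuming OK (4f06f81d.0)
180525 19:48:59 4213 cryptossl_X509Crl::Init: file
/etc/grid-security/certificates/4a0a35c0.r0 does not exist - do nothing
180525 19:48:59 4213 secgsi_GetCA: CRL is missing or expired: failing
(CRLCheck: 3)
180525 19:48:59 4213 secgsi_GetSrvCertEnt: failed to load certificate
for the issuing CA '4f06f81d.0|4a0a35c0.0'
"""

STAMP = re.compile(r"^\d{6} \d{2}:\d{2}:\d{2} \d+ ")  # date, time, pid
PATTERNS = {
    "missing_crl": re.compile(r"X509Crl::Init: file (\S+) does not exist"),
    "unverified_ca": re.compile(r"integrity not checked: assuming OK \((\S+)\)"),
    "failed_issuers": re.compile(r"failed to load certificate for the issuing CA '([^']+)'"),
}

def unwrap(text):
    """Re-join records that the mail client wrapped onto continuation lines."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if STAMP.match(line) or not records:
            records.append(line)       # a new timestamped record starts here
        else:
            records[-1] += " " + line  # continuation of the previous record
    return records

def triage(text):
    """Collect the CRL policy level and the CA/CRL findings from a startup log."""
    report = {"crl_check": None, **{k: [] for k in PATTERNS}}
    for rec in unwrap(text):
        if m := re.search(r"CRLCheck: (\d+)", rec):
            report["crl_check"] = int(m.group(1))
        for key, pat in PATTERNS.items():
            if m := pat.search(rec):
                for item in m.group(1).split("|"):  # issuer list is '|'-separated
                    if item not in report[key]:
                        report[key].append(item)
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```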
