Startup of xrootd with -d:2 option below.<br>
Looks like xrootd is mad that there is no CRL file for the CA?<br>
<br>
I found that XrdSecGSICRLCHECK is set to 3 require non-expired CRL.<br>
<br>
When I set to 1 xrootd appears to start normally, though I didn&#39;t check <br>
functionality.<br>
<br>
So, I guess this is either our config problem or that someone is not <br>
distributing a CRL as they should.<br>
<br>
Thanks for your help!<br>
Chad.<br>
<br>
<br>
180525 19:48:58 4213 secgsi_InitOpts: *** <br>
----------------------------------------------------------<br>
-- ***<br>
180525 19:48:58 4213 secgsi_Init: option CACheck: 1<br>
180525 19:48:58 4213 secgsi_Init: testing CA dir(s): <br>
/etc/grid-security/certificates<br>
180525 19:48:58 4213 secgsi_Init: using CA dir(s): <br>
,/etc/grid-security/certificates/<br>
180525 19:48:58 4213 secgsi_Init: option CRLCheck: 3 <br>
(&#39;require-not-expired&#39;; download? no)<br>
180525 19:48:58 4213 secgsi_Init: using CRL dir(s): <br>
,/etc/grid-security/certificates/<br>
180525 19:48:58 4213 secgsi_Init: CRL information refreshed every 86400 secs<br>
180525 19:48:58 4213 crypto_Factory::GetCryptoFactory: shared library <br>
&#39;libXrdCryptossl.so&#39; loaded<br>
180525 19:48:58 4213 sut_Rndm::GetBuffer: enter: len: 32<br>
180525 19:48:58 4213 sut_Rndm::Init: taking seed from /dev/urandom<br>
180525 19:48:58 4213 cryptossl_sslCipher::XrdCryptosslCipher: generate <br>
DH full key<br>
180525 19:48:58 4213 cryptossl_X509::XrdCryptosslX509_file: certificate <br>
successfully loaded<br>
180525 19:48:58 4213 cryptossl_X509::CertType: certificate has 9 extensions<br>
180525 19:48:58 4213 cryptossl_X509::XrdCryptosslX509_file: RSA key <br>
completed<br>
180525 19:48:59 4213 cryptossl_ASN1toUTC:  UTC: 1527109259  isdst: 1<br>
180525 19:48:59 4213 cryptossl_ASN1toUTC:  UTC: 1534885259  isdst: 1<br>
180525 19:48:59 4213 cryptossl_X509::Export: BIO data: 2208 bytes at <br>
0x0x17c22e0<br>
180525 19:48:59 4213 cryptossl_X509::Export: result of serialization: <br>
2208 bytes<br>
180525 19:48:59 4213 secgsi_GetCA: Querying cache for tag: 4f06f81d.0:1 <br>
(timestamp:1527295739, refresh fq:86400)<br>
180525 19:48:59 4213 secgsi_GetCA: trying to load CA certificate from <br>
/etc/grid-security/certificates/4f06f81d.0<br>
180525 19:48:59 4213 cryptossl_X509::CertType: certificate has 7 extensions<br>
180525 19:48:59 4213 cryptossl_X509::CertType: CA certificate<br>
180525 19:48:59 4213 cryptossl_X509ParseFile: certificate for <br>
&#39;/C=US/O=Let&#39;s Encrypt/CN=Let&#39;s Encrypt Authority X3&#39;added to the chain <br>
- ord: 1<br>
180525 19:48:59 4213 cryptossl_X509ParseFile: no RSA private key found <br>
in file /etc/grid-security/certificates/4f06f81d.0<br>
180525 19:48:59 4213 cryptossl_ASN1toUTC:  UTC: 1475790235  isdst: 1<br>
180525 19:48:59 4213 cryptossl_ASN1toUTC:  UTC: 1633556635  isdst: 1<br>
180525 19:48:59 4213 cryptossl_X509::Verify: signature not OK<br>
180525 19:48:59 4213 secgsi_VerifyCA: Warning: CA certificate not <br>
self-signed and integrity not checked: assuming OK (4f06f81d.0)<br>
180525 19:48:59 4213 secgsi_LoadCRL: target file: <br>
/etc/grid-security/certificates/4f06f81d.r04a0a35c0.0<br>
180525 19:48:59 4213 cryptossl_X509Crl::Init: file <br>
/etc/grid-security/certificates/4f06f81d.r0 does not exist - do nothing<br>
180525 19:48:59 4213 cryptossl_X509Crl::XrdCryptosslX509Crl_file: could <br>
not initialize the CRL from /etc/grid-security/certificates/4f06f81d.r0<br>
180525 19:48:59 4213 secgsi_GetCA: CRL is missing or expired: failing <br>
(CRLCheck: 3)<br>
180525 19:48:59 4213 secgsi_GetCA: Querying cache for tag: 4a0a35c0.0:1 <br>
(timestamp:1527295739, refresh fq:86400)<br>
180525 19:48:59 4213 secgsi_GetCA: trying to load CA certificate from <br>
/etc/grid-security/certificates/4a0a35c0.0<br>
180525 19:48:59 4213 cryptossl_X509::CertType: certificate has 7 extensions<br>
180525 19:48:59 4213 cryptossl_X509::CertType: CA certificate<br>
180525 19:48:59 4213 cryptossl_X509ParseFile: certificate for <br>
&#39;/C=US/O=Let&#39;s Encrypt/CN=Let&#39;s Encrypt Authority X3&#39;added to the chain <br>
- ord: 1<br>
180525 19:48:59 4213 cryptossl_X509ParseFile: no RSA private key found <br>
in file /etc/grid-security/certificates/4a0a35c0.0<br>
180525 19:48:59 4213 cryptossl_ASN1toUTC:  UTC: 1475790235  isdst: 1<br>
180525 19:48:59 4213 cryptossl_ASN1toUTC:  UTC: 1633556635  isdst: 1<br>
180525 19:48:59 4213 cryptossl_X509::Verify: signature not OK<br>
180525 19:48:59 4213 secgsi_VerifyCA: Warning: CA certificate not <br>
self-signed and integrity not checked: assuming OK (4f06f81d.0)<br>
180525 19:48:59 4213 secgsi_LoadCRL: target file: <br>
/etc/grid-security/certificates/4a0a35c0.r0<br>
180525 19:48:59 4213 cryptossl_X509Crl::Init: file <br>
/etc/grid-security/certificates/4a0a35c0.r0 does not exist - do nothing<br>
180525 19:48:59 4213 cryptossl_X509Crl::XrdCryptosslX509Crl_file: could <br>
not initialize the CRL from /etc/grid-security/certificates/4a0a35c0.r0<br>
180525 19:48:59 4213 secgsi_GetCA: CRL is missing or expired: failing <br>
(CRLCheck: 3)<br>
180525 19:48:59 4213 secgsi_GetSrvCertEnt: failed to load certificate <br>
for the issuing CA &#39;4f06f81d.0|4a0a35c0.0&#39;<br>
<br>


<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">&mdash;<br />You are receiving this because you are subscribed to this thread.<br />Reply to this email directly, <a href="https://github.com/xrootd/xrootd/issues/716#issuecomment-392225698">view it on GitHub</a>, or <a href="https://github.com/notifications/unsubscribe-auth/AD7YjpoQV0yKxExVPIrl1iJ69bmaZ9J3ks5t2LBggaJpZM4UMpJn">mute the thread</a>.<img src="https://github.com/notifications/beacon/AD7YjsscPQ-rDLgojYQjG9rxwTNMPaSoks5t2LBggaJpZM4UMpJn.gif" height="1" width="1" alt="" /></p>
<!cript type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","potentialAction":{"@type":"ViewAction","target":"https://github.com/xrootd/xrootd/issues/716#issuecomment-392225698","url":"https://github.com/xrootd/xrootd/issues/716#issuecomment-392225698","name":"View Issue"},"description":"View this Issue on GitHub","publisher":{"@type":"Organization","name":"GitHub","url":"https://github.com"}}</script>
<!cript type="application/json" data-scope="inboxmarkup">{"api_version":"1.0","publisher":{"api_key":"05dde50f1d1a384dd78767c55493e4bb","name":"GitHub"},"entity":{"external_key":"github/xrootd/xrootd","title":"xrootd/xrootd","subtitle":"GitHub repository","main_image_url":"https://assets-cdn.github.com/images/email/message_cards/header.png","avatar_image_url":"https://assets-cdn.github.com/images/email/message_cards/avatar.png","action":{"name":"Open in GitHub","url":"https://github.com/xrootd/xrootd"}},"updates":{"snippets":[{"icon":"PERSON","message":"@lickdragon in #716: Startup of xrootd with -d:2 option below.\nLooks like xrootd is mad that there is no CRL file for the CA?\n\nI found that XrdSecGSICRLCHECK is set to 3 require non-expired CRL.\n\nWhen I set to 1 xrootd appears to start normally, though I didn't check \nfunctionality.\n\nSo, I guess this is either our config problem or that someone is not \ndistributing a CRL as they should.\n\nThanks for your help!\nChad.\n\n\n180525 19:48:58 4213 secgsi_InitOpts: *** \n----------------------------------------------------------\n-- ***\n180525 19:48:58 4213 secgsi_Init: option CACheck: 1\n180525 19:48:58 4213 secgsi_Init: testing CA dir(s): \n/etc/grid-security/certificates\n180525 19:48:58 4213 secgsi_Init: using CA dir(s): \n,/etc/grid-security/certificates/\n180525 19:48:58 4213 secgsi_Init: option CRLCheck: 3 \n('require-not-expired'; download? no)\n180525 19:48:58 4213 secgsi_Init: using CRL dir(s): \n,/etc/grid-security/certificates/\n180525 19:48:58 4213 secgsi_Init: CRL information refreshed every 86400 secs\n180525 19:48:58 4213 crypto_Factory::GetCryptoFactory: shared library \n'libXrdCryptossl.so' loaded\n180525 19:48:58 4213 sut_Rndm::GetBuffer: enter: len: 32\n180525 19:48:58 4213 sut_Rndm::Init: taking seed from /dev/urandom\n180525 19:48:58 4213 cryptossl_sslCipher::XrdCryptosslCipher: generate \nDH full key\n180525 19:48:58 4213 cryptossl_X509::XrdCryptosslX509_file: certificate \nsuccessfully loaded\n180525 19:48:58 4213 cryptossl_X509::CertType: certificate has 9 extensions\n180525 19:48:58 4213 cryptossl_X509::XrdCryptosslX509_file: RSA key \ncompleted\n180525 19:48:59 4213 cryptossl_ASN1toUTC:  UTC: 1527109259  isdst: 1\n180525 19:48:59 4213 cryptossl_ASN1toUTC:  UTC: 1534885259  isdst: 1\n180525 19:48:59 4213 cryptossl_X509::Export: BIO data: 2208 bytes at \n0x0x17c22e0\n180525 19:48:59 4213 cryptossl_X509::Export: result of serialization: \n2208 bytes\n180525 19:48:59 4213 secgsi_GetCA: Querying cache for tag: 4f06f81d.0:1 \n(timestamp:1527295739, refresh fq:86400)\n180525 19:48:59 4213 secgsi_GetCA: trying to load CA certificate from \n/etc/grid-security/certificates/4f06f81d.0\n180525 19:48:59 4213 cryptossl_X509::CertType: certificate has 7 extensions\n180525 19:48:59 4213 cryptossl_X509::CertType: CA certificate\n180525 19:48:59 4213 cryptossl_X509ParseFile: certificate for \n'/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3'added to the chain \n- ord: 1\n180525 19:48:59 4213 cryptossl_X509ParseFile: no RSA private key found \nin file /etc/grid-security/certificates/4f06f81d.0\n180525 19:48:59 4213 cryptossl_ASN1toUTC:  UTC: 1475790235  isdst: 1\n180525 19:48:59 4213 cryptossl_ASN1toUTC:  UTC: 1633556635  isdst: 1\n180525 19:48:59 4213 cryptossl_X509::Verify: signature not OK\n180525 19:48:59 4213 secgsi_VerifyCA: Warning: CA certificate not \nself-signed and integrity not checked: assuming OK (4f06f81d.0)\n180525 19:48:59 4213 secgsi_LoadCRL: target file: \n/etc/grid-security/certificates/4f06f81d.r04a0a35c0.0\n180525 19:48:59 4213 cryptossl_X509Crl::Init: file \n/etc/grid-security/certificates/4f06f81d.r0 does not exist - do nothing\n180525 19:48:59 4213 cryptossl_X509Crl::XrdCryptosslX509Crl_file: could \nnot initialize the CRL from /etc/grid-security/certificates/4f06f81d.r0\n180525 19:48:59 4213 secgsi_GetCA: CRL is missing or expired: failing \n(CRLCheck: 3)\n180525 19:48:59 4213 secgsi_GetCA: Querying cache for tag: 4a0a35c0.0:1 \n(timestamp:1527295739, refresh fq:86400)\n180525 19:48:59 4213 secgsi_GetCA: trying to load CA certificate from \n/etc/grid-security/certificates/4a0a35c0.0\n180525 19:48:59 4213 cryptossl_X509::CertType: certificate has 7 extensions\n180525 19:48:59 4213 cryptossl_X509::CertType: CA certificate\n180525 19:48:59 4213 cryptossl_X509ParseFile: certificate for \n'/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3'added to the chain \n- ord: 1\n180525 19:48:59 4213 cryptossl_X509ParseFile: no RSA private key found \nin file /etc/grid-security/certificates/4a0a35c0.0\n180525 19:48:59 4213 cryptossl_ASN1toUTC:  UTC: 1475790235  isdst: 1\n180525 19:48:59 4213 cryptossl_ASN1toUTC:  UTC: 1633556635  isdst: 1\n180525 19:48:59 4213 cryptossl_X509::Verify: signature not OK\n180525 19:48:59 4213 secgsi_VerifyCA: Warning: CA certificate not \nself-signed and integrity not checked: assuming OK (4f06f81d.0)\n180525 19:48:59 4213 secgsi_LoadCRL: target file: \n/etc/grid-security/certificates/4a0a35c0.r0\n180525 19:48:59 4213 cryptossl_X509Crl::Init: file \n/etc/grid-security/certificates/4a0a35c0.r0 does not exist - do nothing\n180525 19:48:59 4213 cryptossl_X509Crl::XrdCryptosslX509Crl_file: could \nnot initialize the CRL from /etc/grid-security/certificates/4a0a35c0.r0\n180525 19:48:59 4213 secgsi_GetCA: CRL is missing or expired: failing \n(CRLCheck: 3)\n180525 19:48:59 4213 secgsi_GetSrvCertEnt: failed to load certificate \nfor the issuing CA '4f06f81d.0|4a0a35c0.0'\n\n"}],"action":{"name":"View Issue","url":"https://github.com/xrootd/xrootd/issues/716#issuecomment-392225698"}}}</script>
<!cript type="application/ld+json">{
"@type": "MessageCard",
"@context": "http://schema.org/extensions",
"hideOriginalBody": "false",
"originator": "37567f93-e2a7-4e2a-ad37-a9160fc62647",
"title": "Re: [xrootd/xrootd] xrootd 4.80 cannot use letsencrypt as CA (#716)",
"sections": [
{
"text": "",
"activityTitle": "**cwseys**",
"activityImage": "https://assets-cdn.github.com/images/email/message_cards/avatar.png",
"activitySubtitle": "@lickdragon",
"facts": [

]
}
],
"potentialAction": [
{
"name": "Add a comment",
"@type": "ActionCard",
"inputs": [
{
"isMultiLine": true,
"@type": "TextInput",
"id": "IssueComment",
"isRequired": false
}
],
"actions": [
{
"name": "Comment",
"@type": "HttpPOST",
"target": "https://api.github.com",
"body": "{\n\"commandName\": \"IssueComment\",\n\"repositoryFullName\": \"xrootd/xrootd\",\n\"issueId\": 716,\n\"IssueComment\": \"{{IssueComment.value}}\"\n}"
}
]
},
{
"name": "Close issue",
"@type": "HttpPOST",
"target": "https://api.github.com",
"body": "{\n\"commandName\": \"IssueClose\",\n\"repositoryFullName\": \"xrootd/xrootd\",\n\"issueId\": 716\n}"
},
{
"targets": [
{
"os": "default",
"uri": "https://github.com/xrootd/xrootd/issues/716#issuecomment-392225698"
}
],
"@type": "OpenUri",
"name": "View on GitHub"
},
{
"name": "Unsubscribe",
"@type": "HttpPOST",
"target": "https://api.github.com",
"body": "{\n\"commandName\": \"MuteNotification\",\n\"threadId\": 338858599\n}"
}
],
"themeColor": "26292E"
}</script><br>
<hr>
<p align="left">
Use REPLY-ALL to reply to list</p>
<p align="center">To unsubscribe from the XROOTD-DEV list, click the following link:<br>
<a href="https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1" target="_blank">https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1</a>
</p>