<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Richard,<br>
<br>
FWIW, I still have a copy of my old (ca. March 2013) credentials.
They are about to expire, but not yet! Anyway, I re-obtained my
proxy using the old pem file and now the srmls works. So I am OK for
another week or so.<br>
<br>
-- Mark<br>
<br>
<div class="moz-cite-prefix">On 04/19/2014 10:21 AM, Richard Jones
wrote:<br>
</div>
<blockquote
cite="mid:CABfxa3RpRpLc7peoJ=4KtpWAZw85wdBvb+2cSg7JXHa6j2vhVw@mail.gmail.com"
type="cite">
<div dir="ltr">Hello all,
<div><br>
</div>
<div>Several of you have reported that you have problems with
srm commands to the UConn site, even though you have a valid
proxy and are authenticated to the voms. I have been able to
reproduce the problem, as in the following example.</div>
<div><br>
</div>
<div>
<div>$ srmls <a moz-do-not-send="true">srm://grinch.phys.uconn.edu/Gluex/dc1.1-12-2012/dana_rest_1000596.hddm</a></div>
<div>
2014-04-19 01:04:59,523 [main] ERROR
org.dcache.srm.client.SRMClientV2 - srmLs : try # 0 failed
with error ; nested exception is: <br>
</div>
<div>
<div> java.net.SocketException: Connection reset</div>
<div>2014-04-19 01:04:59,529 [main] ERROR
org.dcache.srm.client.SRMClientV2 - srmLs : try again</div>
<div>
<br>
</div>
<div>Here is what happened. At the top of the page on<a
moz-do-not-send="true"
href="http://www.digicert-grid.com"> the digicert web
site</a> are the following words:</div>
<div><br>
</div>
<div>
<p dir="ltr">
On January 8, 2014, DigiCert created two new SHA2 based
issuing CAs for the Grid-Only and Public Trust
hierarchies. It is anticipated that these will be used
to issue grid certificates for existing clients from
May, 2014. They have been included in the IGTF
Distribution of Authority Root Certificates from version
1.56 of the distribution, built on Monday, 24 Mar, 2014.</p>
<p dir="ltr"><br>
</p>
<div>So any certificates that were issued since Mar. 24,
2014 have this new signature algorithm that can only be
verified by recent updates to the osg software. All of
the client software at Jlab is up-to-date, and most of
my infrastructure -- except for the srm, which I was
waiting until after the data challenge to update.
Remember we have been thinking this dc-2 was immanent
since January. This changeover to the new-style
certificates that took place on 3/24/2014 was almost
perfectly aligned to catch me with my proverbial drawers
down.</div>
<div><br>
</div>
<div>The bottom line is that if you just renewed your
certificate in the past 2 weeks then it is going to work
with everything EXCEPT the UConn srm, until I do the
upgrade. I do not plan to do this until the dc-2 is
over, in a week or so.</div>
<div><br>
</div>
<div>If anyone would like an old-style proxy certificate
that will work until May 1, I have created it and
uploaded it to the docdb as document 2457. There is a
README posted with it, to explain how to activate it on
your system. After you set it up, you can check it out
with the voms-proxy-info command. Of course, if you do a
voms-proxy-init you will overwrite it and need to fetch
down a new copy. </div>
<div><br>
</div>
<div>Sorry for the inconvenience.</div>
<div><br>
</div>
<div>-Richard Jones</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Halld-offline mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Halld-offline@jlab.org">Halld-offline@jlab.org</a>
<a class="moz-txt-link-freetext" href="https://mailman.jlab.org/mailman/listinfo/halld-offline">https://mailman.jlab.org/mailman/listinfo/halld-offline</a></pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Mark M. Ito, Jefferson Lab, <a class="moz-txt-link-abbreviated" href="mailto:marki@jlab.org">marki@jlab.org</a>, (757)269-5295
</pre>
</body>
</html>