GGUS-Ticket-ID: #158702 "IN PROGRESS" "ARGUS" "can not start argus pepd process after update of IGTF certs"


help...@ggus.org

Sep 2, 2022, 11:13:45 AM
to argus-...@googlegroups.com

Hello,

GGUS ticket #158702 was updated.

REFERENCE LINK: https://ggus.eu/index.php?mode=ticket_info&ticket_id=158702
SUBJECT: can not start argus pepd process after update of IGTF certs

LATEST MODIFICATIONS:

LAST MODIFIER: Enrico Vianello
STATUS: in progress
PUBLIC DIARY:

Hi all, and thanks for your detailed analysis!

Exactly, the problem should be what was pointed out by Zdenek, i.e. Argus doesn't handle quoting in policy files correctly and a comma in a DN breaks it.

In fact subjectdn is intended as a comma-separated list: https://github.com/argus-authz/argus-pep-server/blob/develop/src/main/java/org/glite/authz/pep/pip/provider/authnprofilespip/AuthenticationProfileUtils.java#L40

as you already pointed out.

That's why these files currently break pepd start:

grep subjectdn /etc/grid-security/certificates/*.info | grep "DigiCert,"
/etc/grid-security/certificates/DigiCert-Assured-ID-Grid-Client-RSA2048-SHA256-2022-CA1.info:subjectdn = "/C=US/O=DigiCert, Inc./CN=DigiCert Assured ID Grid Client RSA2048 SHA256 2022 CA1"
/etc/grid-security/certificates/DigiCert-Assured-ID-Grid-TLS-RSA2048-SHA256-2022-CA1.info:subjectdn = "/C=US/O=DigiCert, Inc./CN=DigiCert Assured ID Grid TLS RSA2048 SHA256 2022 CA1"

but also the empty subjectdn in /etc/grid-security/certificates/policy-igtf-slcs.info is a problem.

We probably have to fix the code asap and provide a kind of beta as soon as possible. I was already able to reproduce it locally and it's something that can be easily tested through a JUnit test. I'll let you know asap.

Cheers, Enrico




*********************************************************************
This is an automated mail. When replying don't change the subject line!
S T R I P   P R E V I O U S   M A I L S   please!!
*********************************************************************
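As an added example (not from the ticket and not the Argus source), the following Python reproduces the two failure modes Enrico describes and shows the quote-aware parse that avoids them: a naive comma split of the subjectdn value, as the ticket says pepd currently does it, beside a parser that splits on quoted strings so a comma inside a DN stays in the DN and an empty value yields no entries. The sample .info contents are constructed to mirror the lines quoted above; the multi-DN policy file with backslash-continued lines is my assumption about the layout of IGTF policy .info files, not something the ticket states.

```python
"""Quote-aware parsing of the `subjectdn = "..."` key in IGTF .info files.

Added example: reconstructs the naive comma split the ticket attributes to the
Argus PEP daemon and contrasts it with a parser that respects double quotes.
"""
import re
from typing import Dict, List, Optional

# Constructed sample files (not copied from a real IGTF distribution). The two
# DigiCert-style lines mirror the ticket; the backslash-continued policy file
# is an assumption about how multi-DN policy .info files are laid out.
SAMPLE_INFO_FILES: Dict[str, str] = {
    "DigiCert-Assured-ID-Grid-Client-RSA2048-SHA256-2022-CA1.info": (
        "alias = DigiCert-Assured-ID-Grid-Client-RSA2048-SHA256-2022-CA1\n"
        'subjectdn = "/C=US/O=DigiCert, Inc./CN=DigiCert Assured ID Grid Client RSA2048 SHA256 2022 CA1"\n'
    ),
    "policy-igtf-slcs.info": (
        "alias = policy-igtf-slcs\n"
        "subjectdn = \n"
    ),
    "policy-example.info": (
        "alias = policy-example\n"
        'subjectdn = "/C=XX/O=Example Org/CN=Example CA 1", \\\n'
        '            "/C=XX/O=Example Org/CN=Example CA 2"\n'
    ),
}

# One double-quoted string, allowing backslash-escaped characters inside it.
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
KEY_LINE = re.compile(r"\s*subjectdn\s*=(.*)$")


def subjectdn_value(text: str) -> Optional[str]:
    """Return the raw subjectdn value, joining backslash continuation lines.

    Returns None when the file has no subjectdn key at all, and "" when the
    key is present but empty (the policy-igtf-slcs.info case from the ticket).
    """
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = KEY_LINE.match(lines[i])
        if m:
            value = m.group(1)
            while value.rstrip().endswith("\\") and i + 1 < len(lines):
                i += 1
                value = value.rstrip()[:-1] + " " + lines[i]
            return value.strip()
        i += 1
    return None


def naive_split(value: str) -> List[str]:
    """Comma split with no quote awareness: the behaviour the ticket reports
    for the current pepd parser (a reconstruction, not the Argus code).
    A DN containing ", " is cut in two; an empty value becomes one empty DN."""
    return [item.strip().strip('"') for item in value.split(",")]


def parse_subjectdn(value: str) -> List[str]:
    """Quote-aware split: one entry per double-quoted string. Commas inside
    the quotes are preserved and an empty value gives an empty list."""
    return [m.group(1).replace('\\"', '"') for m in QUOTED.finditer(value)]


def check_info(text: str) -> List[str]:
    """Flag the two conditions the ticket says break pepd start."""
    value = subjectdn_value(text)
    issues: List[str] = []
    if value is None:
        return issues
    dns = parse_subjectdn(value)
    if not dns:
        issues.append("empty subjectdn")
    if any("," in dn for dn in dns):
        issues.append("comma inside quoted DN")
    return issues


def scan(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map file name -> issues, for files that have at least one issue."""
    report: Dict[str, List[str]] = {}
    for name, text in files.items():
        issues = check_info(text)
        if issues:
            report[name] = issues
    return report


if __name__ == "__main__":
    for name, text in SAMPLE_INFO_FILES.items():
        value = subjectdn_value(text)
        print(name)
        print("  naive split :", naive_split(value))
        print("  quote-aware :", parse_subjectdn(value))
    print("files that would break pepd:", scan(SAMPLE_INFO_FILES))
```

Pointing `scan()` at the real contents of /etc/grid-security/certificates/*.info before restarting pepd gives a site the same list that the grep in the ticket finds by hand, plus the empty-value case the grep misses.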

help...@ggus.org

Sep 8, 2022, 10:32:20 AM
to argus-...@googlegroups.com

Hello,

GGUS ticket #158702 was updated.

REFERENCE LINK: https://ggus.eu/index.php?mode=ticket_info&ticket_id=158702
SUBJECT: can not start argus pepd process after update of IGTF certs

LATEST MODIFICATIONS:

LAST MODIFIER: Baptiste Grenier
PUBLIC DIARY:
Dear Enrico,
Would you be able to provide an update on this matter?

In the meantime this was recorded as a Known Error in the EGI Federation Known Error Database (KEDB).

David Groep suggested the following workaround:


  • Remove the "subjectdn=" line from policy-igtf-slcs.info

  • Remove the subjectdn= from the new comma-enhanced DigiCert .info files (to be confirmed whether it works)

  • Roll back to 1.117 unless working with the Swiss, as they make use of the new DigiCert CA



help...@ggus.org

Sep 8, 2022, 11:26:22 AM
to argus-...@googlegroups.com

Hello,

GGUS ticket #158702 was updated.

REFERENCE LINK: https://ggus.eu/index.php?mode=ticket_info&ticket_id=158702
SUBJECT: can not start argus pepd process after update of IGTF certs

LATEST MODIFICATIONS:

LAST MODIFIER: Maarten Litmaath
PUBLIC DIARY:
Hi all,
for the record, sites supporting ATLAS, CMS or LHCb
had better not roll back, because those VOs each have
at least 1 site making use of the Swiss CA and any of
their grid sites may need to be able to transfer data
to/from such Swiss sites.
