OSG CA Certificates Updater
About this Document
This document explains the installation and use of osg-ca-certs-updater, a package in the OSG Software 3.x distribution that provides automatic updates of CA certificates.
- OS must be Red Hat Enterprise Linux 5 or 6 or variants.
- The OSG repositories must be installed and enabled. See the Yum Repositories page for instructions.
- One grid-certificates package from the OSG repositories must be installed as described here. Currently, these are:
Run the following command to install the latest version of the updater.
[root@client ~]$ yum install osg-ca-certs-updater
Run the following to enable the updater. This will persist until the machine is rebooted.
[root@client ~]$ service osg-ca-certs-updater-cron start
Run the following to enable the updater when the machine is rebooted.
[root@client ~]$ chkconfig osg-ca-certs-updater-cron on
Run both commands if you wish for the service to activate immediately and remain active throughout reboots.
Enter the following to disable the updater. This will persist until the machine is rebooted.
[root@client ~]$ service osg-ca-certs-updater-cron stop
Enter the following to disable the updater when the machine is rebooted.
[root@client ~]$ chkconfig osg-ca-certs-updater-cron off
Run both commands if you wish for the service to deactivate immediately and not get reactivated during reboots.
While there is no configuration file, the behavior of the updater can be adjusted by command-line arguments that are specified in the cron entry of the service.
This entry is located in the file
Please see the Unix manual page for crontab in section 5 for an explanation of the format.
The manual page can be accessed by the command
man 5 crontab
The valid command-line arguments can be listed by running
Reasonable defaults have been provided, namely:
- Attempt an update no more often than every 23 hours. Due to the random wait (see below), having a 24-hour minimum time between updates would cause the update time to slowly slide back every day.
- Run the script every 6 hours. We run the script more often than we update so that downtime at the wrong moment does not cause the update to be delayed for a full day.
- Delay for a random amount of time up to 30 minutes before updating, to reduce load spikes on OSG repositories.
- Do not warn the administrator about update failures that have happened less than 72 hours since the last successful update.
- Log errors only.
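The interaction of these defaults can be checked with a small simulation. This is an added example, not the updater's own code. It assumes the age check happens when cron starts the script and that the update completes after the random wait; `simulate`, `slots` and the `wait`/`down` parameters are hypothetical names.

```python
import random

CRON_PERIOD = 6 * 60      # cron fires the script every 6 hours (in minutes)
MAX_RANDOM_WAIT = 30      # random delay of up to 30 minutes before updating


def simulate(min_age_hours, days=30, wait=None, down=()):
    """Return the cron fire times (minutes) at which an update ran.

    Assumed model: the minimum-age check happens when cron starts the
    script, and the update completes after the random wait.
    """
    wait = wait or (lambda: random.randint(0, MAX_RANDOM_WAIT))
    min_age = min_age_hours * 60
    last_update = None
    fired = []
    for t in range(0, days * 24 * 60, CRON_PERIOD):
        if t in down:                       # host unavailable for this run
            continue
        if last_update is not None and t - last_update < min_age:
            continue                        # too soon since the last update
        last_update = t + wait()            # update finishes after the delay
        fired.append(t)
    return fired


def slots(fired):
    """Which of the four daily cron slots (0..3) the updates landed in."""
    return sorted({(t // CRON_PERIOD) % 4 for t in fired})


if __name__ == "__main__":
    for hours in (23, 24):
        runs = simulate(hours)
        print(f"min age {hours}h: {len(runs)} updates in 30 days, "
              f"slots {slots(runs)}")
```

With a 23-hour minimum the update stays in the same daily slot. With a 24-hour minimum, any non-zero wait pushes the next update to the following 6-hour run, so the update time moves by a slot each day.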
| File | Description |
| | Cron entry for periodically launching the updater. Command-line arguments to the updater can be specified here. |
| | Repo definition files for production OSG repositories. Make sure these repositories are enabled and reachable from the host you are trying to update. |
Logging is performed to the console by default.
Please see the manual for your
daemon to find out how it handles console output.
A logfile can be specified via the
If logging to syslog via the
option, the updater will write to the
section of the syslog.
determines where syslog messages are saved.
How to get Help?
To get assistance, please use the Help Procedure.
Some guides on X.509 certificates:
Some examples about verifying the certificates: