Upgrading Fetch-Crl 2 to Fetch-Crl 3 on EL5

1 About This Document

This document is intended for a system administrator upgrading the OSG Software Stack Version 3 from pre-3.1.15 to 3.1.15 or higher on an Enterprise Linux 5 system.

Fetch-CRL version 2, the version normally installed on Enterprise Linux 5 systems, is outdated and is unlikely to receive updates. Therefore, starting with release 3.1.15, the OSG Software Stack brings in Fetch-CRL 3 by default instead of Fetch-CRL 2 for software that requires CRLs. For systems that already have Fetch-CRL 2 installed, we recommend updating when convenient.

Because the configuration format has changed between versions, some manual work is required to migrate the configuration before the change will take effect.

2 Requirements

An installation of the OSG Software Stack Version 3 with Fetch-CRL 2 is required for this procedure. You may test for that by running rpm -q fetch-crl, which prints the name and version of the fetch-crl package if it is installed.

If you are using an Enterprise Linux 6 system, or Fetch-CRL 2 is not installed, then this procedure is unnecessary.

3 Procedure

Fetch-CRL 3 can be installed side-by-side with Fetch-CRL 2. Because of this, and because the configuration has to be migrated from Fetch-CRL 2 to Fetch-CRL 3, the installation procedure is as follows:

  1. Install Fetch-CRL 3
  2. Migrate configuration
  3. Disable and stop Fetch-CRL 2
  4. Validate operation of Fetch-CRL 3
  5. Enable Fetch-CRL 3
  6. Uninstall Fetch-CRL 2

All of this can be done without any downtime.

The step-by-step procedure follows:

3.1 Install Fetch-CRL 3

Install the RPM named fetch-crl3. This happens as part of an update to OSG Software 3.1.15 or higher. If you are not updating from an earlier version of OSG Software, and thus have no Fetch-CRL 2 configuration to migrate, you may skip to the section "Validate Fetch-CRL 3 operation."

3.2 Migrate the configuration

There are two parts to this: migrating changes to the cron job (in /etc/cron.d/fetch-crl), and migrating changes to the configuration (in /etc/fetch-crl.conf).

Migrating cron job

If any changes were made to the /etc/cron.d/fetch-crl file, then see if those changes need to be migrated in /etc/cron.d/fetch-crl3.

One way to determine if /etc/cron.d/fetch-crl was changed from the installed version is to run the following:

rpm --verify --nouser --nogroup fetch-crl | grep /etc/cron.d/fetch-crl

That command displays no output if the file is unmodified.

A typical argument that is added onto the fetch-crl command line is --randomwait (or its abbreviation, -r). This parameter determines the maximum length of time to wait for before starting to download CRL files. The intent of this is to reduce load spikes on the servers hosting the CRLs.

Note: for Fetch-CRL 2, that argument was given in minutes, but in Fetch-CRL 3 it should be given in seconds.

Migrating configuration file

Edit /etc/fetch-crl3.conf as desired. The translation table below shows how to migrate customizations made in /etc/fetch-crl.conf to /etc/fetch-crl3.conf; an example file follows the table.

Configuration Translation

  fetch-crl.conf                          | fetch-crl3.conf
  ----------------------------------------+------------------------------------------------------------------------------------
  ALLWARNINGS=yes                         | No equivalent; see the nowarnings and verbosity options to achieve the same results (1)
  CACHEDIR=/var/cache/fetch-crl           | statedir = /var/cache/fetch-crl3
  CACHEDIR=  (disables cache)             | nocache or stateless (2)
  CRLDIR=/etc/grid-security/certificates  | infodir = /etc/grid-security/certificates
  CRL_AGING_THRESHOLD=24                  | agingtolerance = 24
  FETCH_CRL_OPENSSL=/usr/bin/openssl      | openssl = /usr/bin/openssl
  FORCE_OVERWRITE=yes                     | No equivalent; this is always on
  HTTP_PROXY=...                          | http_proxy = ... (3)
  QUIET=yes                               | verbosity = 0 (1)
  RESETPATHMODE=yes                       | path = /bin:/usr/bin (4)
  RESETPATHMODE=searchopenssl             | No equivalent (4)
  SERVERCERTCHECK=no                      | No equivalent; the server cert is never checked (5)
  SLOPPYCRLHASHES=yes                     | No equivalent
  SYSLOGFACILITY=daemon                   | syslogfacility = daemon
  WGET_OPTS=...                           | No equivalent
  WGET_RETRIES=2                          | No equivalent
  WGET_TIMEOUT=120                        | httptimeout = 120

  1. Setting nowarnings = 1 in fetch-crl3.conf silences a few warnings, mostly about not being able to execute openssl commands.
    The verbosity variable, an integer from -1 to 7, is a more fine-grained way of controlling the amount of output.
    The default verbosity is 0.
  2. nocache disables caching of CRLs, while stateless also disables saving metadata (such as the last update time).
  3. To set the HTTP proxy, you may also add the HTTP_PROXY variable to /etc/sysconfig/fetch-crl3 and add http_proxy = ENV to fetch-crl3.conf.
  4. The $PATH used internally by the script can now be specified explicitly by setting the path variable in fetch-crl3.conf.
    searchopenssl was primarily used to find a copy of openssl in a non-standard location, such as under the Globus hierarchy.
  5. The CRLs themselves are signed, so checking the server cert is unnecessary and may give false positives for security warnings.
    If you still want to check, perform the following:
    1. yum install the package perl-Crypt-SSLeay
    2. Edit or create /etc/sysconfig/fetch-crl3 and set the variable HTTPS_CA_FILE to the CA cert you want to check the server cert against.

See also /usr/share/doc/fetch-crl3-*/fetch-crl.conf.example
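The two migration tasks in this section (reading the --randomwait value out of the old cron file and converting minutes to seconds, and translating fetch-crl.conf settings according to the table above) can be done mechanically. The following helpers are an added example for this page, not code from OSG or from the fetch-crl project; the file paths are passed in as parameters, and the helpers only read their input and print the result, so nothing is changed until you copy the output into /etc/cron.d/fetch-crl3 or /etc/fetch-crl3.conf yourself. Settings with no Fetch-CRL 3 equivalent are printed as comments so that a dropped customization is visible rather than silently lost.

```shell
#!/bin/sh
# Added example (not OSG or fetch-crl project code): migration helpers for
# section 3.2. Both helpers only read the file they are given and print to
# stdout; the administrator reviews the output before using it.

# randomwait_seconds <cron-file>: print the Fetch-CRL 3 value in seconds for
# the first -r / --randomwait argument on a non-comment fetch-crl line
# (Fetch-CRL 2 took minutes); prints nothing if the cron file sets none.
randomwait_seconds() {
    awk '
        /^[ \t]*#/ { next }                       # skip commented-out entries
        /fetch-crl/ {
            for (i = 1; i <= NF; i++) {
                if (($i == "-r" || $i == "--randomwait") && i < NF) { print $(i + 1) * 60; exit }
                if ($i ~ /^--randomwait=/) { v = $i; sub(/^--randomwait=/, "", v); print v * 60; exit }
            }
        }' "$1"
}

# translate_fetchcrl2_conf <fetch-crl.conf>: print equivalent fetch-crl3.conf
# lines following the translation table. Keys without a Fetch-CRL 3
# equivalent are echoed as comments so the administrator sees what was dropped.
translate_fetchcrl2_conf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ || index($0, "=") == 0 { next }
        {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t"]+|[ \t"]+$/, "", key)    # strip spaces and shell quotes
            gsub(/^[ \t"]+|[ \t"]+$/, "", val)
            lc = tolower(val)
        }
        key == "CRLDIR"                                     { print "infodir = " val; next }
        key == "CACHEDIR" && val == ""                      { print "nocache"; next }
        key == "CACHEDIR" && val == "/var/cache/fetch-crl"  { print "statedir = /var/cache/fetch-crl3"; next }
        key == "CACHEDIR"                                   { print "statedir = " val; next }
        key == "CRL_AGING_THRESHOLD"                        { print "agingtolerance = " val; next }
        key == "FETCH_CRL_OPENSSL"                          { print "openssl = " val; next }
        key == "HTTP_PROXY"                                 { print "http_proxy = " val; next }
        key == "WGET_TIMEOUT"                               { print "httptimeout = " val; next }
        key == "SYSLOGFACILITY" && val != ""                { print "syslogfacility = " val; next }
        key == "QUIET" && lc == "yes"                       { print "verbosity = 0"; next }
        key == "RESETPATHMODE" && lc == "yes"               { print "path = /bin:/usr/bin"; next }
        { print "# " key "=" val ": no fetch-crl3 equivalent, see the translation table" }
    ' "$1"
}

# Typical use on an EL5 host being migrated:
#   randomwait_seconds /etc/cron.d/fetch-crl
#   translate_fetchcrl2_conf /etc/fetch-crl.conf
```

Review the translated lines before appending them to /etc/fetch-crl3.conf: the comment lines mark settings (WGET_OPTS, WGET_RETRIES, SLOPPYCRLHASHES, searchopenssl) that have no counterpart and need a deliberate decision rather than a copy.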

Example fetch-crl3.conf file, based on the default configuration file shipped with fetch-crl 2.8.5 in the EPEL 5 repository:

# Configuration file for fetch-crl 3.0.x

# Directory containing .crl_url files and output directory

infodir = /etc/grid-security/certificates
verbosity = 0
nowarnings

# The time in hours for which CRL download failures are accepted
# without printing an error (instead, a warning is generated)
# Default=24hours (used to be 0 for versions <= 2.6.6).
#agingtolerance = 24

# What do we set the path to? Uses $PATH in environment by default.
#path = /bin:/usr/bin

# Write messages also to syslog using logger(1) if and only if the facility
# name is set. When empty, no syslog messages are generated. Default is
# empty. For valid facility values see logger(1)
#syslogfacility = 

# Path to an explicit OpenSSL version to use. Default will look through
# the path.
#openssl = <path>

# Path of a download cache directory, *exclusively writable by the user
# running fetch-crl*, where the original downloads are stored. The
# cache is used unless "nocache" or "stateless" are set. Default is a cache
# in "/var/cache/fetch-crl3" if that exists.
# You will need to manually create this directory first with proper permissions
#statedir=/var/cache/fetch-crl3

# What http proxy to use. By default, no proxy is used. If set to "ENV", then
# the value of the HTTP_PROXY environment variable (in the environment
# fetch-crl3 is run) is used. This environment variable is often set in
# "/etc/sysconfig/fetch-crl3", which does not exist by default.
#http_proxy = ENV
#http_proxy = http://myproxy.domain.com:8080

3.3 Disable and stop Fetch-CRL 2

This involves running the following commands:

[root@client ~]$ service fetch-crl-boot stop
[root@client ~]$ chkconfig fetch-crl-boot off
[root@client ~]$ service fetch-crl-cron stop
[root@client ~]$ chkconfig fetch-crl-cron off

If fetch-crl is running (which can be tested by running ps axuw and looking for the process fetch-crl), wait for it to finish. You may kill the process, but that might end up leaving incomplete CRL files behind, so it is not recommended.

3.4 Validate Fetch-CRL 3 operation

This is done by running /usr/sbin/fetch-crl3 from the command line. It should take a few minutes to download updated CRLs from various sites; with the default configuration, it should produce no output. Run ls -l /etc/grid-security/certificates/*.r0 and examine the timestamps to make sure that new CRLs have actually been downloaded.
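Looking at timestamps by hand works for a one-off check, but the same freshness test is worth keeping as a script so it can be re-run after the cron job has been enabled for a day. The following is an added example for this page, not code from OSG or fetch-crl: it lists the .r0 files in a directory that have not been rewritten within a given number of hours, and returns non-zero when any CRL is stale or when no CRL exists at all (which would mean fetch-crl3 downloaded nothing). The directory and the age threshold are parameters.

```shell
#!/bin/sh
# Added example for section 3.4 (not OSG or fetch-crl project code): check
# that the CRL files written into the certificates directory are fresh.
# Nothing here modifies the directory; it only reads modification times.

# stale_crls <dir> <max-age-hours>: print the .r0 files in <dir> that were
# not rewritten within <max-age-hours>; prints nothing when all are fresh.
stale_crls() {
    find "$1" -maxdepth 1 -name '*.r0' -mmin +"$(( $2 * 60 ))"
}

# crl_freshness_report <dir> <max-age-hours>: print a one-line summary and
# return 0 only if at least one CRL exists and none is stale.
crl_freshness_report() {
    dir=$1
    hours=$2
    total=$(find "$dir" -maxdepth 1 -name '*.r0' | wc -l)
    stale=$(stale_crls "$dir" "$hours" | wc -l)
    echo "CRLs in $dir: $total total, $stale older than ${hours}h"
    if [ "$total" -gt 0 ] && [ "$stale" -eq 0 ]; then
        return 0
    fi
    return 1
}

# Typical use after running /usr/sbin/fetch-crl3 by hand:
#   crl_freshness_report /etc/grid-security/certificates 24 && echo OK
```

A stale file named in the output points at a CA whose CRL URL is failing; running fetch-crl3 with a higher verbosity shows the download error for that CA. To confirm a downloaded CRL is also still valid rather than merely recent, openssl crl -in <file> -noout -lastupdate -nextupdate prints the validity window the CA signed into it.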

3.5 Enable Fetch-CRL 3

This involves running the following commands:

[root@client ~]$ service fetch-crl3-boot start
[root@client ~]$ chkconfig fetch-crl3-boot on
[root@client ~]$ service fetch-crl3-cron start
[root@client ~]$ chkconfig fetch-crl3-cron on

3.6 Remove Fetch-CRL 2

If you have Fetch-CRL 2 installed, and are satisfied that Fetch-CRL 3 works, then remove Fetch-CRL 2 by running yum erase fetch-crl.

yum should not be trying to remove any packages other than fetch-crl (i.e. there should be no section in the table yum produces marked "Removing for dependencies"). If this is not true, stop and verify that you have fully updated your installation to 3.1.15 or higher.
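The "Removing for dependencies" check can be automated so it is not missed on a batch of hosts. yum prints the transaction table before asking for confirmation, so the output of yum erase fetch-crl with the prompt answered N can be saved to a file and parsed. The parser below is an added example for this page, not code from OSG or yum; it assumes yum's usual layout, where package lines under a section are indented and a blank line or the next unindented heading ends the section. The yum output used in the test is constructed.

```shell
#!/bin/sh
# Added example for section 3.6 (not OSG or yum code): parse a saved yum
# transaction listing and report packages under "Removing for dependencies:",
# the condition the procedure says must not occur when erasing fetch-crl.
# Assumed layout: package lines are indented, an unindented line or a blank
# line ends the section.

# yum_dependency_removals <yum-output-file>: print the package names yum
# would remove as dependencies; prints nothing when the section is absent.
yum_dependency_removals() {
    awk '
        /^Removing for dependencies:/ { in_section = 1; next }
        in_section && (/^[A-Za-z]/ || /^[ \t]*$/) { in_section = 0 }   # heading or blank line ends it
        in_section && /^[ \t]+[^ \t]/ { print $1 }
    ' "$1"
}

# safe_to_erase <yum-output-file>: return 0 if nothing beyond the named
# package would be removed, 1 if dependent packages are listed.
safe_to_erase() {
    [ -z "$(yum_dependency_removals "$1")" ]
}

# Typical use (the erase is not performed; N answers the confirmation prompt):
#   echo N | yum erase fetch-crl > /tmp/yum-erase.out 2>&1
#   safe_to_erase /tmp/yum-erase.out || yum_dependency_removals /tmp/yum-erase.out
```

If safe_to_erase fails, the printed names show which installed packages still depend on fetch-crl; that is the signal to stop and confirm the update to 3.1.15 or higher completed before erasing anything.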

4 New Commands

Please note that after installing fetch-crl3 all the commands to start, stop, enable and disable the fetch-crl service will be different:

To start the fetch-crl service to keep the CRLs up to date:

[root@client ~]$ /usr/sbin/fetch-crl3   # This fetches the CRLs
[root@client ~]$ /sbin/service fetch-crl3-boot start
[root@client ~]$ /sbin/service fetch-crl3-cron start

For more details and options, please see our CRL documentation.

To enable the fetch-crl service to keep the CRLs up to date after reboots:

[root@client ~]$ /sbin/chkconfig fetch-crl3-boot on
[root@client ~]$ /sbin/chkconfig fetch-crl3-cron on

To stop fetch-crl:

[root@client ~]$ /sbin/service fetch-crl3-boot stop
[root@client ~]$ /sbin/service fetch-crl3-cron stop
For more details and options, please see our CRL documentation.

To disable the fetch-crl service:

[root@client ~]$ /sbin/chkconfig fetch-crl3-boot off
[root@client ~]$ /sbin/chkconfig fetch-crl3-cron off

5 Getting Help

To get assistance please use this Help Procedure.

Topic revision: r9 - 06 Dec 2016 - 18:12:45 - KyleGross