JIRA Issue

[#XCI-290] Improve fetch-crl configuration instructions

Created: 12/05/2017  Updated: 07/13/2018

Status: Proposed
Project: XSEDE Cyberinfrastructure Integration
Component/s: XSEDE CA Certificate Installer
Fix Version/s: None

Type: Task
Priority: Major
Reporter: Shava Smallen
Assignee: Unassigned
Resolution: Unresolved
Votes: 0

Issue Links:
XCI Test Recommendations
is a recommendation from the XCI Testing team XCI-6 Verify integration process for a new ... Closed
XSEDE Priority: -
Public activity link: https://software.xsede.org/display/xci-290


From XCI-6 Test Report:

The instructions for the fetch-crl configuration as part of the xsede-ca-certificate package are unclear and inaccurate.

The fetch-crl tool instructions are unclear and inaccurate.

The first point is minor. The first line of the fetch-crl installation instructions reads:
"This specific RPM only supplies the crl_url . . ."
For clarity it should explicitly name the RPM to which it is referring.
"The xsede-ca-certificates RPM only supplies the crl_url ..."

The instructions do not clearly indicate the name of the RPM for fetch-crl and that it’s not in the XSEDE repo. The RPM is in fact downloadable (installable) from the Fedora EPEL repo, but unless you already had that repo enabled, the attempt to use yum to install fetch-crl would fail.

Step 2 of the fetch-crl instructions inexplicably instructs the user to run a test using $HOME/tmp/ as the infodir path even though it’s never mentioned before that point, it doesn’t contain any .crl_url files and likely doesn’t exist. If you just follow these directions blindly you'll get:

#fetch-crl -l $HOME/tmp/
WARN No trust anchors to process