Revocation policies and recent sierra cloud outages

Some FutureGrid Nimbus users may have experienced failures related to expired certificates recently. There were two things that caused these problems. The first is that the host certificate for the Nimbus service on sierra expired, so there should no longer be any problem. We apologize for this inconvenience.

The second problem occurred due to revocation policies packaged with the Nimbus Cloud Client. For security reasons (the explanation of which is beyond the scope of this post) we have historically packaged CA-signed policies with the Cloud Client that force the user to update the policy before a given date. If the user does not do this, Cloud Client considers the host certificate in question invalid. This gives the CA a way to tell clients about security compromises that may have happened.

Unfortunately there is no functionality packaged with Cloud Client to update these policies automatically for users. Because of this we have decided to stop packaging these policies with our release of Cloud Client. We do, however, include the 'crl_url' files which contain all of the information on how to update these policies. Tools like 'Fetch CRL' http://vdt.cs.wisc.edu/components/fetch-crl.html can be configured to handle this task for users interested in this additional layer of security.

If you are having problems with expired certificates on FutureGrid Nimbus clouds there are three ways you can solve them:

1) Upgrade to Cloud Client 19:
http://www.nimbusproject.org/downloads/nimbus-cloud-client-019.tar.gz

2) Remove all *.r0 files from the lib/certs directory under your Cloud Client
installation.

3) Use a tool like 'Fetch CRL' http://vdt.cs.wisc.edu/components/fetch-crl.html
to update the policies.
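
Before choosing between options 2 and 3, it helps to see which revocation files have actually passed their update date. The script below is an added example, not part of Nimbus or the Cloud Client; it assumes the OpenSSL command-line tool is installed and that the *.r0 files are CRLs in PEM or DER form, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Nimbus code). Assumes the OpenSSL CLI is installed.
# Function names are hypothetical.

# Convert OpenSSL's "Mon DD HH:MM:SS YYYY GMT" to sortable YYYYMMDDHHMMSS.
to_stamp() {
    set -- $1
    [ $# -ge 4 ] || return 1
    case $1 in
        Jan) m=01 ;; Feb) m=02 ;; Mar) m=03 ;; Apr) m=04 ;;
        May) m=05 ;; Jun) m=06 ;; Jul) m=07 ;; Aug) m=08 ;;
        Sep) m=09 ;; Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
        *) return 1 ;;
    esac
    t=$(printf '%s' "$3" | tr -d ':')
    printf '%s%s%02d%s\n' "$4" "$m" "${2#0}" "$t"
}

# Print a CRL file's nextUpdate value, trying PEM first, then DER.
crl_next_update() {
    out=$(openssl crl -in "$1" -noout -nextupdate 2>/dev/null) ||
        out=$(openssl crl -inform DER -in "$1" -noout -nextupdate 2>/dev/null) ||
        return 1
    printf '%s\n' "${out#nextUpdate=}"
}

# Exit 0 if nextUpdate string $1 is before stamp $2 (default: now, UTC),
# 1 if the CRL is still current, 2 if the date cannot be parsed.
crl_is_stale() {
    next=$(to_stamp "$1") || return 2
    now=${2:-$(date -u +%Y%m%d%H%M%S)}
    [ "$next" -lt "$now" ]
}

# Report the status of every *.r0 file in directory $1.
scan_crls() {
    for f in "$1"/*.r0; do
        [ -e "$f" ] || continue
        if ! nu=$(crl_next_update "$f"); then
            echo "UNREADABLE $f"; continue
        fi
        rc=0; crl_is_stale "$nu" || rc=$?
        case $rc in
            0) echo "STALE      $f (nextUpdate: $nu)" ;;
            1) echo "CURRENT    $f (nextUpdate: $nu)" ;;
            *) echo "UNKNOWN    $f (nextUpdate: $nu)" ;;
        esac
    done
}

# Usage: scan_crls /path/to/cloud-client/lib/certs
```

A STALE line identifies a file that makes Cloud Client reject the host certificate until the file is refreshed (option 3) or removed (option 2); removing it also removes the revocation check for that CA.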