Task #6331
MNDeployment #3221: EDAC member node
Determine why Node Registry prevents MN cert from updating node capabilities
100%
Description
When attempting to update the EDAC node document by using the d1nodeupdate bash script, Hays is getting the following error:
$ ./d1nodeupdate -r -v -b https://cn.dataone.org/cn -f ./dataone.xml -E ./dataone.pem
<?xml version="1.0" encoding="UTF-8"?>
Certificate should be an administrative subject before request can be processed
The dataone.xml file is the same as the node document at https://gstore.unm.edu/dataone/v1/node, and the dataone.pem file is the Member Node client certificate issued to EDAC:
Issuer: DC=org, DC=dataone, CN=DataONE Production CA
Validity
Not Before: Feb 19 18:23:30 2014 GMT
Not After : Feb 18 18:23:30 2017 GMT
Subject: DC=org, DC=dataone, CN=urn:node:EDACGSTORE
Determine why the Node Registry is not allowing an MN client certificate to call CNRegister.updateNodeCapabilities() successfully.
History
#1 Updated by Chris Jones about 10 years ago
- Status changed from In Progress to Closed
After discussing this with Rob and Robert, it looks like the original Node.Subject value that was used at the time of registering the EDACGSTORE Member Node was not what was in the certificate issued. The node document contained:
CN=gstore.unm.edu,DC=dataone,DC=org
whereas the certificate was issued using:
CN=urn:node:EDACGSTORE,DC=dataone,DC=org
So, upon calling CNRegister.updateNodeCapabilities() using the issued certificate, the Node.Subject in the certificate didn't match the Node.Subject registered.
Ultimately, this needs to be clarified in the documentation, but in this scenario, we manually fixed the registered subject.
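A pre-flight check for the mismatch described in this ticket, as an added example (not DataONE code, and not part of the original comment). It compares the certificate subject with the registered Node.Subject after putting both in the same order. The function names are hypothetical, and both the reordering rule and the plain string comparison are assumptions, not how the Node Registry is known to compare subjects.

```python
import re

# Subjects quoted in the ticket above.
CERT_SUBJECT = "DC=org, DC=dataone, CN=urn:node:EDACGSTORE"   # as printed in the certificate dump
REGISTERED_SUBJECT = "CN=gstore.unm.edu,DC=dataone,DC=org"    # value in the registered node document
ISSUED_SUBJECT = "CN=urn:node:EDACGSTORE,DC=dataone,DC=org"   # value the certificate was issued with


def parse_dn(dn):
    """Split a DN into (TYPE, value) pairs; commas escaped as '\\,' stay in the value."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    if not rdns:
        raise ValueError("empty DN")
    return rdns


def canonical_dn(dn):
    """Return the DN most-specific-first with no spaces after commas.

    Heuristic (assumption): a DN whose last RDN is CN and whose first is not
    is in root-first display order, so it is reversed.
    """
    rdns = parse_dn(dn)
    if rdns[-1][0] == "CN" and rdns[0][0] != "CN":
        rdns.reverse()
    return ",".join(f"{attr}={value}" for attr, value in rdns)


def subjects_match(cert_subject, registered_subject):
    """True when both subjects canonicalise to the same string."""
    return canonical_dn(cert_subject) == canonical_dn(registered_subject)


if __name__ == "__main__":
    for label, registered in (("registered", REGISTERED_SUBJECT), ("issued", ISSUED_SUBJECT)):
        verdict = "match" if subjects_match(CERT_SUBJECT, registered) else "MISMATCH"
        print(f"{label}: {canonical_dn(registered)} vs cert {canonical_dn(CERT_SUBJECT)} -> {verdict}")
```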