Note: This version of the VDT (1.11.0) is no longer supported. Feel free to look through the documentation and install it, but we cannot guarantee support for it. The current stable release is 2.0.0.

NAME

vdt-update-certs - Update the VDT CA certificate installation

SYNOPSIS

    vdt-update-certs [options]
                --vdt-location <location>
                --force
                --dump-config
                --quiet
                --debug
                --help

DESCRIPTION

This program is used to update the VDT CA certificate distribution, which lives in the location pointed to by the symlink at $VDT_LOCATION/globus/TRUSTED_CA.

Normally, this program is run by cron once every hour, but you can choose to run it manually if you prefer. From the command line, you must either have the $VDT_LOCATION environment variable set (normally set when sourcing setup.sh) or pass the --vdt-location flag.

When this program runs via cron, it exits immediately if the program has been successfully run in the last 24 hours. The reason for this is reliability: the VDT installation will set this program to run every hour via cron, but it has the goal of checking for an update every 24 hours. If the VDT web site is down, or some other serious error occurs, it retries an hour later in hopes that the error has resolved itself. Once the program has run successfully it will not try to do any updates for 24 hours.

Note: when run from the command line, the program will always check for an update. This is a change in behavior from VDT 1.10.1, where it was necessary to pass the --force flag. The meaning of this flag has changed (see below).

When vdt-update-certs runs, if it finds a previous incarnation of itself still running, it will kill the old process before it runs.

OPTIONS

--vdt-location <location>
The location the VDT was installed in. This option overrides the $VDT_LOCATION environment variable if it exists. This option is not needed if $VDT_LOCATION is set to the correct location.
--force
Forces the script to download the certificates even though the release version has not changed.
--dump-config
Print the configuration to the screen and exit. No other work will be done.
--quiet
Run with no output to standard output. All output will be in the log file.
--debug
Provide more information in the log file.
--help
Show brief explanatory text for using vdt-update-certs.

CONFIGURATION

When vdt-update-certs is run, it looks for a configuration file in $VDT_LOCATION/vdt/etc/vdt-update-certs.conf. This file must contain an entry for cacerts_url. There are defaults for all other options.

The configuration file can have blank lines as well as comments. Comments begin with a hash mark (#).

Each option is of the form

 name=value

The following configuration options can be specified:

cacerts_url

This option is required.

The cacerts_url option specifies where to download the CA certificates from. Most users will be told what this URL should be. For people who are responsible for a CA certificate distribution, this should be the full URL to the description file, not the URL to the tarball or to the directory containing these files. Example:

 cacerts_url=http://vdt.cs.wisc.edu/software/certificates/vdt-igtf-ca-certs-version

log

The log option specifies where the log file for vdt-update-certs is located. The log file is always created. It defaults to $VDT_LOCATION/logs/vdt-update-certs.log, and you do not need to set this unless you prefer the log to be elsewhere.

 log=/opt/vdt/logs/vdt-update-certs.log

debug

This option is equivalent to the command line --debug option listed above. If enabled, it will provide more information in the log file. The default is to not print this information. To enable it:

 debug=1

include

The full pathname of a file to be copied into the CA certificates directory in addition to any files that are downloaded from the VDT. This can be used to add a CA that is not part of the VDT. It is necessary because when the VDT installs a new set of CA certificates it creates a directory and does not preserve anything that was previously part of the CA certificate directory. This option only allows a single file to be specified, but the option can be specified multiple times to include multiple files. The default for this option is not to include any files. Example:

 include=/opt/local-ca/12345678.0
 include=/opt/local-ca/12345678.signing_policy
 include=/opt/local-ca/12345678.crl_url

Note that you should never specify files that are inside a directory that is updated by vdt-update-certs. Though it may seem like a handy shortcut to store the files in your current certs directory, at the time the files are copied this directory will have been renamed, and the copy will fail.

exclude_ca

The hash of a Certificate Authority to be removed from the CA certificates directory when they are installed. All files of the form <hash>.* will be removed. This is to remove any CA certificates that you do not wish to trust but are provided by the VDT. The default for this option is not to exclude any CAs. To exclude a CA with hash '87654321', include a line such as:

 exclude_ca=87654321
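The following is an added example, not the VDT's own code, showing how a configuration file in the format described in the CONFIGURATION section (name=value lines, blank lines, # comments, a required cacerts_url, a repeatable include, and exclude_ca hashes) can be parsed and validated before the updater acts on it. It enforces the caveat given for the include option (an include path under $VDT_LOCATION/globus/TRUSTED_CA is rejected, since that directory is renamed during an update) and shows which installed files an exclude_ca entry would remove. The function names, the ConfigError class, the eight-hex-digit hash check, and the sample configuration are assumptions constructed for this example.

```python
"""Parser and validator for a vdt-update-certs.conf-style file.

Added example (not VDT code). Assumes the file format described in the
man page; function and class names are hypothetical.
"""
import fnmatch
import os
import re
from dataclasses import dataclass, field

# CA file names look like <hash>.0, <hash>.signing_policy, <hash>.crl_url.
# The eight-hex-digit form is an assumption based on the page's examples.
HASH_RE = re.compile(r"^[0-9a-fA-F]{8}$")

SINGLE_VALUED = ("cacerts_url", "log", "debug")


class ConfigError(ValueError):
    """Raised for a malformed or unsafe configuration (hypothetical name)."""


@dataclass
class CertsConfig:
    cacerts_url: str
    log: str
    debug: bool = False
    include: list = field(default_factory=list)
    exclude_ca: list = field(default_factory=list)


def _certs_dir(vdt_location):
    # The directory the updater replaces wholesale, per the man page.
    return os.path.normpath(os.path.join(vdt_location, "globus", "TRUSTED_CA"))


def _is_under(path, directory):
    # Textual containment check. A deployed check should also resolve the
    # TRUSTED_CA symlink with os.path.realpath; skipped so this runs offline.
    return os.path.commonpath([os.path.normpath(path), directory]) == directory


def parse_config(text, vdt_location="/opt/vdt"):
    """Parse name=value lines; blank lines and lines starting with # are ignored."""
    single, includes, excludes = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ConfigError(f"line {lineno}: expected name=value")
        name, value = (part.strip() for part in line.split("=", 1))
        if name == "include":
            if not os.path.isabs(value):
                raise ConfigError(f"line {lineno}: include must be a full pathname")
            if _is_under(value, _certs_dir(vdt_location)):
                # The page warns this copy fails: the directory is renamed first.
                raise ConfigError(f"line {lineno}: include lies inside the updated certs directory")
            includes.append(value)
        elif name == "exclude_ca":
            if not HASH_RE.match(value):
                raise ConfigError(f"line {lineno}: exclude_ca expects a CA hash, got {value!r}")
            excludes.append(value)
        elif name in SINGLE_VALUED:
            if name in single:
                raise ConfigError(f"line {lineno}: {name} given more than once")
            single[name] = value
        else:
            raise ConfigError(f"line {lineno}: unknown option {name!r}")
    if "cacerts_url" not in single:
        raise ConfigError("cacerts_url is required")
    return CertsConfig(
        cacerts_url=single["cacerts_url"],
        # Default log location named in the man page.
        log=single.get("log", os.path.join(vdt_location, "logs", "vdt-update-certs.log")),
        debug=single.get("debug", "0") == "1",
        include=includes,
        exclude_ca=excludes,
    )


def files_to_remove(dir_listing, exclude_hashes):
    """Names in a freshly installed certs directory matching <hash>.* for each excluded CA."""
    return [name for name in dir_listing
            if any(fnmatch.fnmatchcase(name, h + ".*") for h in exclude_hashes)]


# Constructed sample configuration mirroring the page's examples.
SAMPLE_CONF = """\
# vdt-update-certs.conf (constructed sample)
cacerts_url=http://vdt.cs.wisc.edu/software/certificates/vdt-igtf-ca-certs-version

debug=1
include=/opt/local-ca/12345678.0
include=/opt/local-ca/12345678.signing_policy
include=/opt/local-ca/12345678.crl_url
exclude_ca=87654321
"""

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONF)
    print(cfg)
    print(files_to_remove(["87654321.0", "87654321.signing_policy", "12345678.0"], cfg.exclude_ca))
```

Running the block parses the sample and lists the two 87654321.* files an exclude_ca=87654321 entry would remove; appending an include line under /opt/vdt/globus/TRUSTED_CA or a malformed exclude_ca value makes parse_config raise ConfigError instead of letting a doomed copy or an unmatched exclusion go unnoticed until the next cron run.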