URL: <http://savannah.cern.ch/support/?126060>

Summary: gsi auth plugin caches (expired) host certificate?
Project: XROOTD
Submitted by: iven
Submitted on: 2012-02-03 08:55
Category: None
Priority: 5 - Normal
Severity: 3 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Operating System: GNU/Linux

_______________________________________________________

Details:

xrootd-server-3.0.4-0
openssl-0.9.8e-20.el5

GSI authentication failed with messages such as

120203 00:00:25 6150 XrootdXeq: User authentication failed; Secgsi: ErrParseBuffer: certificate has expired - go and get a new one: kXGC_certreq

Nevertheless, the certificate on disk had been renewed:

[root@c2atlassrv301 ~]# grep /xrootd-server-cert.pem /etc/xrd.cf
sec.protocol gsi -crl:3 -cert:/etc/grid-security/xrootd-server/xrootd-server-cert.pem -key:/etc/grid-security/xrootd-server/xrootd-server-key.pem -gridmap:/etc/grid-security/grid-mapfile -d:0 -gmapopt:2

[root@c2atlassrv301 ~]# ll /etc/grid-security/xrootd-server/xrootd-server-cert.pem
-rw-r--r-- 1 stage st 2422 Jan 30 09:37 /etc/grid-security/xrootd-server/xrootd-server-cert.pem

[root@c2atlassrv301 ~]# openssl x509 -in /etc/grid-security/xrootd-server/xrootd-server-cert.pem -noout -enddate
notAfter=Jan 22 16:15:40 2013 GMT

However, the daemon had not been restarted afterwards:

[root@c2atlassrv301 ~]# ps axo lstart,pid,cmd | grep xroot
Tue Jan 17 11:01:03 2012 6150 /opt/xrootd/bin/xrootd -n manager -r -c /etc/xrd.cf -l /var/log/xroot/xrdlog.manager -b -R stage

Would it be possible to stat() and re-read the host certificate+key occasionally (of course, this should be cached for some reasonable time, i.e. not re-read at every connection), and at least in case the certificate appears to be expired?

Or would this be already fixed in a more recent xrootd release?
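The stat()-and-reload behaviour requested in the report, as an added example (not xrootd code and not from the submitter): the cached credential is rechecked against the file's mtime at most once per interval, and always when the cached certificate is already expired. `HostCertCache`, `toyLoader` and `writeCert` are hypothetical names, and the loader reads a constructed file holding the expiry as an integer in place of real PEM/X.509 parsing.

```cpp
#include <sys/stat.h>
#include <utime.h>
#include <ctime>
#include <fstream>
#include <functional>
#include <string>
#include <utility>

// Hypothetical cache; the loader stands in for real PEM/X.509 parsing.
class HostCertCache {
public:
    using Loader = std::function<bool(const std::string&, time_t&)>;
    HostCertCache(std::string p, time_t recheck, Loader l)
        : path_(std::move(p)), recheck_(recheck), load_(std::move(l)) {}

    // notAfter of the certificate to serve at `now`; 0 if none could be loaded.
    time_t notAfter(time_t now) {
        bool expired = !valid_ || now >= notAfter_;
        // Fresh cert: stat() at most once per recheck_ seconds.
        // Expired cert: always look at the disk before failing the handshake.
        if (!expired && now - lastCheck_ < recheck_) return notAfter_;
        lastCheck_ = now;
        struct stat st;
        if (stat(path_.c_str(), &st) != 0) return valid_ ? notAfter_ : 0;
        if (valid_ && st.st_mtime == mtime_) return notAfter_;  // file unchanged
        time_t na = 0;
        if (load_(path_, na)) {  // keep the old credential if parsing fails
            notAfter_ = na; mtime_ = st.st_mtime; valid_ = true; ++reloads;
        }
        return valid_ ? notAfter_ : 0;
    }
    int reloads = 0;  // number of times the file was actually re-read
private:
    std::string path_; time_t recheck_; Loader load_;
    time_t notAfter_ = 0, mtime_ = 0, lastCheck_ = 0; bool valid_ = false;
};

// Constructed stand-in: the "certificate" file holds its notAfter as an integer.
bool toyLoader(const std::string& p, time_t& na) {
    std::ifstream f(p); long long v; if (!(f >> v)) return false;
    na = (time_t)v; return true;
}

// Writes a constructed credential file with a chosen mtime (simulates renewal).
void writeCert(const std::string& p, long long na, time_t mtime) {
    std::ofstream(p) << na << "\n";
    struct utimbuf t = {mtime, mtime}; utime(p.c_str(), &t);
}
```

In a real daemon the key must be reloaded together with the certificate, and the swap has to be safe against handshakes in progress on other threads.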