

Using xrootd 4.8.3, I observe the following after a few days:

139990299645696:error:80066405:lib(128):func(102):reason(1029):sslutils.c:1915:
139990299645696:error:80066411:lib(128):func(102):reason(1041):sslutils.c:2110:: CRL has expired [subject=/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=ddmadmin/CN=531497/CN=Robot: ATLAS Data Management,issuer=/DC=ch/DC=cern/CN=CERN Grid Certification Authority]
139990299645696:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed:s3_srvr.c:3327:

all over our logs.

Checking:

# ls -lart b4278411.r0 c2a48ab6.r0 5168735f.r0 4339b4bc.r0
-rw-r--r--. 1 root root  1535 19. Jun 12:47 c2a48ab6.r0
-rw-r--r--. 1 root root  1535 19. Jun 12:47 b4278411.r0
-rw-r--r--. 1 root root 33292 19. Jun 12:47 5168735f.r0
-rw-r--r--. 1 root root 33292 19. Jun 12:47 4339b4bc.r0

shows that the CRL files on disk are up to date (those are the CRLs for CERN-GridCA and CERN-Root-2; we run fetchcrl regularly).

Checking xrootd with strace, I find:

[pid 13040] futex(0x610f18, FUTEX_WAIT_PRIVATE, 0, NULL <unfinished ...>
[pid 10153] <... accept4 resumed> {sa_family=AF_INET6, sin6_port=htons(51392), inet_pton(AF_INET6, "::ffff:128.142.132.207", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28], SOCK_CLOEXEC) = 25
[pid 10153] setsockopt(25, SOL_SOCKET, SO_LINGER, {onoff=1, linger=3}, 8) = 0
[pid 10153] setsockopt(25, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
[pid 10153] setsockopt(25, SOL_TCP, TCP_NODELAY, [1], 4) = 0
[pid 10153] futex(0x7ffc4e2a27b0, FUTEX_WAKE_PRIVATE, 1) = 1
[pid  3022] <... futex resumed> )       = 0
[pid 10153] poll([{fd=25, events=POLLIN|POLLRDNORM}], 1, 30000 <unfinished ...>
[pid  3022] futex(0x610f18, FUTEX_WAKE_PRIVATE, 1 <unfinished ...>
[pid 13039] <... futex resumed> )       = 0
[pid 10153] <... poll resumed> )        = 1 ([{fd=25, revents=POLLIN|POLLRDNORM}])
[pid  3022] <... futex resumed> )       = 1
[pid 13039] futex(0x610f38, FUTEX_WAIT_PRIVATE, 2, NULL <unfinished ...>
[pid 10153] recvfrom(25,  <unfinished ...>
[pid  3022] futex(0x610f38, FUTEX_WAKE_PRIVATE, 1 <unfinished ...>
[pid 13039] <... futex resumed> )       = -1 EAGAIN (Resource temporarily unavailable)
[pid 10153] <... recvfrom resumed> "\26\3\1\1\24\1\0\1\20\3\3[)'\305\261\351\17<\225C\232\311\27V\240\221q\t\377\26\275"..., 44, MSG_PEEK, NULL, NULL) = 44
[pid  3022] <... futex resumed> )       = 0
[pid 13039] futex(0x610f38, FUTEX_WAKE_PRIVATE, 1 <unfinished ...>
[pid 10153] poll([{fd=25, events=POLLIN|POLLRDNORM}], 1, 10000 <unfinished ...>
[pid  3022] futex(0x7ffc4e2a27b0, FUTEX_WAIT_PRIVATE, 0, NULL <unfinished ...>
[pid 13039] <... futex resumed> )       = 0
[pid 10153] <... poll resumed> )        = 1 ([{fd=25, revents=POLLIN|POLLRDNORM}])
[pid 13039] accept4(17,  <unfinished ...>
[pid 10153] recvfrom(25, "\26\3\1\1\24\1\0\1\20\3\3[)'\305\261", 16, MSG_PEEK, NULL, NULL) = 16
[pid 10153] epoll_ctl(7, EPOLL_CTL_ADD, 25, {0, {u32=738201208, u64=139990902247032}}) = 0
[pid 10153] setsockopt(25, SOL_SOCKET, SO_RCVTIMEO, "\n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 16) = 0
[pid 10153] setsockopt(25, SOL_SOCKET, SO_SNDTIMEO, "\n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 16) = 0
[pid 10153] read(25, "\26\3\1\1\24", 5) = 5
[pid 10153] read(25, "\1\0\1\20\3\3[)'\305\261\351\17<\225C\232\311\27V\240\221q\t\377\26\275\232G\260\300\276"..., 276) = 276
[pid 10153] write(25, "\26\3\3\0:\2\0\0006\3\3\24\275\332\341L+Tw:\2216\231\1\352~\213\37S\v\274."..., 2216) = 2216
[pid 10153] read(25, "\26\3\3\0378", 5) = 5
[pid 10153] read(25, "\v\0\0374\0\0371\0\3L0\202\3H0\202\2\261\240\3\2\1\2\2\1\0000\r\6\t*\206"..., 7992) = 7992
[pid 10153] stat("/etc/grid-security/certificates/c2a48ab6.r1", 0x7f523588a1f0) = -1 ENOENT (No such file or directory)
[pid 10153] stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2309, ...}) = 0
[pid 10153] stat("/etc/grid-security/certificates/c2a48ab6.r1", 0x7f523588a1f0) = -1 ENOENT (No such file or directory)
[pid 10153] open("/etc/grid-security/certificates/e187c0c8.signing_policy", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 10153] open("/etc/grid-security/certificates/e187c0c8.namespaces", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 10153] open("/etc/grid-security/certificates/f27afd4e.signing_policy", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 10153] open("/etc/grid-security/certificates/f27afd4e.namespaces", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 10153] open("/etc/grid-security/certificates/4ad425d0.signing_policy", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 10153] open("/etc/grid-security/certificates/4ad425d0.namespaces", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 10153] open("/etc/grid-security/certificates/7768cc9b.signing_policy", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 10153] open("/etc/grid-security/certificates/7768cc9b.namespaces", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 10153] open("/etc/grid-security/certificates/5168735f.signing_policy", O_RDONLY) = 26
[pid 10153] ioctl(26, TCGETS, 0x7f5235889900) = -1 ENOTTY (Inappropriate ioctl for device)
[pid 10153] read(26, "# @(#)$Id: 4339b4bc.signing_poli"..., 8192) = 269
[pid 10153] read(26, "", 8192)          = 0
[pid 10153] ioctl(26, TCGETS, 0x7f5235889910) = -1 ENOTTY (Inappropriate ioctl for device)
[pid 10153] close(26)                   = 0
[pid 10153] open("/etc/grid-security/certificates/5168735f.namespaces", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 10153] open("/etc/grid-security/certificates/c2a48ab6.signing_policy", O_RDONLY) = 26
[pid 10153] ioctl(26, TCGETS, 0x7f5235889900) = -1 ENOTTY (Inappropriate ioctl for device)
[pid 10153] read(26, "# @(#)$Id: b4278411.signing_poli"..., 8192) = 362
[pid 10153] read(26, "", 8192)          = 0
[pid 10153] ioctl(26, TCGETS, 0x7f5235889910) = -1 ENOTTY (Inappropriate ioctl for device)
[pid 10153] close(26)                   = 0
[pid 10153] open("/etc/grid-security/certificates/c2a48ab6.namespaces", O_RDONLY) = 26
[pid 10153] ioctl(26, TCGETS, 0x7f5235889900) = -1 ENOTTY (Inappropriate ioctl for device)
[pid 10153] read(26, "################################"..., 8192) = 774
[pid 10153] read(26, "", 8192)          = 0
[pid 10153] ioctl(26, TCGETS, 0x7f5235889910) = -1 ENOTTY (Inappropriate ioctl for device)
[pid 10153] close(26)                   = 0
[pid 10153] stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2309, ...}) = 0
[pid 10153] stat("/etc/grid-security/certificates/5168735f.r1", 0x7f523588a1f0) = -1 ENOENT (No such file or directory)
[pid 10153] write(25, "\25\3\3\0\2\2-", 7) = 7
[pid 10153] write(2, "139991062198016:error:80066405:l"..., 80) = 80
[pid 10153] write(2, "139991062198016:error:80066411:l"..., 261) = 261
[pid 10153] write(2, "139991062198016:error:14089086:S"..., 114) = 114

Any ideas what could be causing that?

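Restarting the xrootd service immediately gets rid of the issue. Together with the trace above, in which the handshake only stats the missing .r1 files and never opens the refreshed .r0 files, this suggests the running process keeps using the CRLs it loaded at startup instead of re-reading them from disk.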

