At RAL we have 7 gateway machines behind a DNS alias `xrootd.echo.stfc.ac.uk`. This is reflected in each gateway machine's `/etc/grid-security/xrootd/hostcert.pem` certificate, which has, e.g.:

    X509v3 Subject Alternative Name:
        DNS:ceph-gw1.gridpp.rl.ac.uk, DNS:echo.stfc.ac.uk, DNS:*.echo.stfc.ac.uk, DNS:*.s3.echo.stfc.ac.uk

`xrootd.echo.stfc.ac.uk` should match the `*.echo.stfc.ac.uk` wildcard, but it doesn't work for `xrdcp --tpc`, e.g. with xrootd v4.9.1 on client and gateway server:

    % xrdcp --tpc delegate only root://xrootd.echo.stfc.ac.uk:1094/dteam:test1/testKaty1 root://prometheus.desy.de:1095/VOs/dteam/testRAL1b
    secgsi: proxy delegation forbidden when trusting DNS!

On the other hand, this copy works fine if I use a specific host name (e.g. `ceph-gw1.gridpp.rl.ac.uk`), or the `echo.stfc.ac.uk` alias (which isn't specified with a wildcard).

Although we can use one of those other names as a temporary workaround, that isn't a good long-term solution as it introduces other incompatibilities that I needn't go into here. We also can't change the certificate to add `xrootd.echo.stfc.ac.uk` explicitly.

So it would be good to have a fix fairly soon. If the fix is only required on the gateway machines, then we could apply it as soon as it becomes available. If it's needed on the xrdcp client, then we'll have to wait for the new release to be widely deployed. Which is it?

Thanks,
Tim.
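As an added example (not part of Tim's report and not xrootd's own secgsi code), the standard leftmost-label wildcard rule from RFC 6125 applied to the SAN list quoted above, to show which of the names in the report a TLS-style host name check would accept:

```python
"""Match a host name against a certificate's DNS SAN entries.

Added example. Implements the RFC 6125 rule that '*' stands for exactly one
DNS label and only in the leftmost position; it does not model xrootd's
GSI "trusting DNS" logic, only how the SAN list itself should be read.
"""

# SAN dNSName entries copied from the hostcert.pem excerpt in the report.
GATEWAY_SANS = [
    "ceph-gw1.gridpp.rl.ac.uk",
    "echo.stfc.ac.uk",
    "*.echo.stfc.ac.uk",
    "*.s3.echo.stfc.ac.uk",
]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one SAN dNSName pattern covers hostname."""
    pattern_labels = pattern.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(pattern_labels) != len(host_labels):
        return False  # a wildcard never spans more than one label
    first, *rest = pattern_labels
    if first == "*":
        # The wildcard must be the whole leftmost label, with at least two
        # fixed labels to its right (refuses '*.uk'-style patterns).
        if len(rest) < 2 or any("*" in lab for lab in rest):
            return False
        return rest == host_labels[1:]
    if "*" in pattern:
        return False  # partial-label wildcards like 'xr*.echo...' are refused
    return pattern_labels == host_labels


def matching_san(sans, hostname):
    """Return the first SAN entry covering hostname, or None if none does."""
    for san in sans:
        if dns_name_matches(san, hostname):
            return san
    return None


if __name__ == "__main__":
    for name in ("xrootd.echo.stfc.ac.uk", "echo.stfc.ac.uk",
                 "ceph-gw1.gridpp.rl.ac.uk", "bucket.s3.echo.stfc.ac.uk",
                 "a.b.echo.stfc.ac.uk"):
        print(f"{name:28} -> {matching_san(GATEWAY_SANS, name)}")
```

Under this rule the alias is covered by `*.echo.stfc.ac.uk`, `echo.stfc.ac.uk` is covered only by its explicit entry, and a two-level name such as `a.b.echo.stfc.ac.uk` matches nothing.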

Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/1055
