At RAL we have 7 gateway machines behind a DNS alias xrootd.echo.stfc.ac.uk. This is reflected in each gateway machine's /etc/grid-security/xrootd/hostcert.pem certificate, which has, e.g.

X509v3 Subject Alternative Name:
    DNS:ceph-gw1.gridpp.rl.ac.uk, DNS:echo.stfc.ac.uk, DNS:*.echo.stfc.ac.uk, DNS:*.s3.echo.stfc.ac.uk

xrootd.echo.stfc.ac.uk should match the *.echo.stfc.ac.uk wildcard, but it doesn't work for xrdcp --tpc, e.g. with xrootd v4.9.1 on client and gateway server:

% xrdcp --tpc delegate only root://xrootd.echo.stfc.ac.uk:1094/dteam:test1/testKaty1 root://prometheus.desy.de:1095/VOs/dteam/testRAL1b
secgsi: proxy delegation forbidden when trusting DNS!

On the other hand, this copy works fine if I use a specific host name (e.g. ceph-gw1.gridpp.rl.ac.uk), or the echo.stfc.ac.uk alias (which isn't specified with a wildcard).

Although we can use one of those other names as a temporary workaround, that isn't a good long-term solution as it introduces other incompatibilities that I needn't go into here. We also can't change the certificate to add xrootd.echo.stfc.ac.uk explicitly.

So it would be good to have a fix fairly soon. If the fix is only required on the gateway machines, then we could apply it as soon as it becomes available. If it's needed on the xrdcp client, then we'll have to wait for the new release to be widely deployed. Which is it?

Thanks,
Tim.
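The report above hinges on which names in the gateway certificate's Subject Alternative Name a given alias is covered by. The following is an added illustration, not code from the original post and not XRootD's own XrdSecgsi hostname check: it parses the SAN line exactly as printed above and applies the usual RFC 6125 dNSName rules (a wildcard is only allowed in the left-most label and never spans a dot). It assumes the SAN text quoted in the message as its only input; the host names tried in the demo are constructed from the names mentioned in the thread.

```python
"""RFC 6125-style matching of a host name against an X.509 SAN dNSName list.

Added example (not XRootD project code). Shows why xrootd.echo.stfc.ac.uk is
covered by *.echo.stfc.ac.uk, why echo.stfc.ac.uk needs its own exact entry,
and why a name with an extra label is not covered by the wildcard at all.
"""

# Constructed input: the SAN line of the gateway certificate as quoted in the
# report, in the format `openssl x509 -text` prints it.
SAN_TEXT = ("DNS:ceph-gw1.gridpp.rl.ac.uk, DNS:echo.stfc.ac.uk, "
            "DNS:*.echo.stfc.ac.uk, DNS:*.s3.echo.stfc.ac.uk")


def parse_san_dns(san_text):
    """Return the dNSName entries from an openssl-style SAN line, lower-cased."""
    names = []
    for entry in san_text.split(","):
        entry = entry.strip()
        if entry.upper().startswith("DNS:"):
            names.append(entry[4:].strip().lower())
    return names


def _label_matches(pattern_label, host_label):
    """Match a single DNS label; '*' matches any non-empty label content."""
    if "*" not in pattern_label:
        return pattern_label == host_label
    if pattern_label == "*":
        return len(host_label) > 0
    # Partial wildcard such as "ceph-gw*": prefix and suffix must both fit.
    prefix, suffix = pattern_label.split("*", 1)
    return (len(host_label) >= len(prefix) + len(suffix)
            and host_label.startswith(prefix)
            and host_label.endswith(suffix))


def dns_name_matches(pattern, hostname):
    """True if hostname is covered by one SAN dNSName pattern (RFC 6125 rules)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # A wildcard may only appear in the left-most label ...
    if any("*" in lbl for lbl in p_labels[1:]):
        return False
    # ... and must be followed by at least two more labels (no "*.uk").
    if "*" in p_labels[0] and len(p_labels) < 3:
        return False
    # The wildcard never spans a dot, so the label counts must agree exactly.
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def matching_san(san_names, hostname):
    """Return the first SAN entry that covers hostname, or None if none does."""
    for name in san_names:
        if dns_name_matches(name, hostname):
            return name
    return None


if __name__ == "__main__":
    names = parse_san_dns(SAN_TEXT)
    # Constructed host names: the alias from the report plus a few variants.
    for host in ("xrootd.echo.stfc.ac.uk", "ceph-gw1.gridpp.rl.ac.uk",
                 "echo.stfc.ac.uk", "bucket.s3.echo.stfc.ac.uk",
                 "foo.bar.echo.stfc.ac.uk", "ceph-gw2.gridpp.rl.ac.uk"):
        print(f"{host:30s} -> {matching_san(names, host)}")
```

Running the block prints, for each name, the SAN entry that covers it (or None). The alias xrootd.echo.stfc.ac.uk is covered by the *.echo.stfc.ac.uk entry under these rules, so a client that still refuses delegation for that name is not failing the plain SAN comparison; where the client falls back to DNS to decide, the behaviour is determined by that fallback rather than by the certificate.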