
Hi Derek,

You didn't show the commands you used to do all of this so it's 
mysterious. If you didn't use "xroots://" to the port that is designated 
as a TLS-only port then it wouldn't work. Otherwise, it looks OK. The best 
idea is to first try xrdfs or xrdcp directly to the origin server to make 
sure it's working fine. Then make sure that the proxy is set up in the 
same way.

Andy


On Thu, 30 Apr 2020, Derek Weitzel wrote:

> I am testing the xrootd 5.0-rc2 and having issues when turning TLS on. 
> I am using a cache -> origin architecture.
>
> On the cache, I have no special configuration.  It is OSG's build: 
> xrootd-server-5.0.0-0.rc2.2.osgup.el7.x86_64.  The cache has the proxy 
> line removed, so it cannot use a proxy to force other authentication 
> methods.
>
> On the origin, I have the TLS lines:
> ```
> xrd.tls /etc/grid-security/xrd/xrdcert.pem /etc/grid-security/xrd/xrdkey.pem
> xrd.tlsca noverify
> xrd.trace all
> xrd.trace tls
> xrd.protocol tls xrootd:1095 *
> ```
>
> The origin also has `gsi` enabled.  Same version of xrootd as the cache.
>
> ### Cache Log
> ```
> 200501 00:14:32 13399 XrdInet: Accepted connection from 161@natnode
> 200501 00:14:32 13399 XrdProtLoad: matched port 8443 protocol http
> 200501 00:14:32 13399 anon:161@natnode XrdPoll: FD 161 attached to poller 0; num=1
> 200501 00:14:32 13399 XrootdBridge: unknown.1:161@natnode login as nobody
> 200501 00:14:32 13399 unknown.1:161@natnode ofs_stat:  fn=/hcc/PROTECTED/dweitzel-test/blah2.txt
> [2020-05-01 00:14:33.148553 +0000][Error  ][XRootDTransport   ] [p0@origin:1095.0] No protocols left to try
> [2020-05-01 00:14:33.148609 +0000][Error  ][AsyncSock         ] [p0@origin:1095.0] Socket error while handshaking: [FATAL] Auth failed
> [2020-05-01 00:14:33.148660 +0000][Error  ][PostMaster        ] [p0@origin:1095] elapsed = 0, pConnectionWindow = 120 seconds.
> [2020-05-01 00:14:33.148682 +0000][Error  ][PostMaster        ] [p0@origin:1095] Unable to recover: [FATAL] Auth failed.
> [2020-05-01 00:14:33.148689 +0000][Error  ][XRootD            ] [p0@origin:1095] Impossible to send message kXR_stat (path: /hcc/PROTECTED/dweitzel-test/blah2.txt?authz=Bearer%20biglongbearertoken&oss.lcl=1&pss.tid=http, flags: none). Trying to recover.
> 200501 00:14:33 13399 ofs_stat: unknown.1:161@natnode Unable to locate /hcc/PROTECTED/dweitzel-test/blah2.txt; permission denied
> 200501 00:14:33 13399 unknown.1:161@natnode XrootdResponse: sending err 3010: Unable to locate /hcc/PROTECTED/dweitzel-test/blah2.txt; permission denied
> 200501 00:14:33 13399 unknown.1:161@natnode ofs_open: 0-600 fn=/hcc/PROTECTED/dweitzel-test/blah2.txt
> [2020-05-01 00:14:33.174253 +0000][Error  ][XRootDTransport   ] [origin:1095.0] No protocols left to try
> [2020-05-01 00:14:33.174280 +0000][Error  ][AsyncSock         ] origin:1095.0] Socket error while handshaking: [FATAL] Auth failed
> [2020-05-01 00:14:33.174323 +0000][Error  ][PostMaster        ] [origin:1095] elapsed = 0, pConnectionWindow = 120 seconds.
> [2020-05-01 00:14:33.174334 +0000][Error  ][PostMaster        ] [origin:1095] Unable to recover: [FATAL] Auth failed.
> [2020-05-01 00:14:33.174339 +0000][Error  ][XRootD            ] [origin:1095] Impossible to send message kXR_open (file: /hcc/PROTECTED/dweitzel-test/blah2.txt?authz=Bearer%20biglongbearertoken&oss.lcl=1&pss.tid=http, mode: 00, flags: kXR_open_read kXR_async kXR_retstat ). Trying to recover.
> 200501 00:14:33 13399 Posix_Open: [FATAL] Auth failed open root://origin:1095//hcc/PROTECTED/dweitzel-test/blah2.txt?authz=Bearer%20biglongbearertoken&pss.tid=http&oss.lcl=1
> 200501 00:14:33 13399 ofs_open: unknown.1:161@natnode Unable to open /hcc/PROTECTED/dweitzel-test/blah2.txt; permission denied
> 200501 00:14:33 13399 unknown.1:161@natnode XrootdResponse: sending err 3010: Unable to open /hcc/PROTECTED/dweitzel-test/blah2.txt; permission denied
> 200501 00:14:33 13399 unknown.1:161@natnode ofs_close: use=0 fn=dummy
> 200501 00:14:33 13399 XrootdXeq: unknown.1:161@natnode disc 0:00:01 (send failure)
> 200501 00:14:33 13399 unknown.1:161@natnode XrdPoll: FD 161 detached from poller 0; num=0
> ```
>
> ### Origin Log
> ```
> 200501 00:14:33 20363 XrdInet: Accepted connection from 141@cachenode
> 200501 00:14:33 20363 XrdProtLoad: matched port 1095 protocol xroot
> 200501 00:14:33 20363 anon:141@cachenode XrdPoll: FD 141 attached to poller 0; num=1
> 200501 00:14:33 20363 XrootdXeq: p0.13393:141@cachenode disc 0:00:00
> 200501 00:14:33 20363 p0.13393:141@cachenode XrdPoll: FD 141 detached from poller 0; num=0
> 200501 00:14:33 20364 XrdInet: Accepted connection from 143@cachenode
> 200501 00:14:33 20993 XrdSched: running main accept inq=0
> 200501 00:14:33 20364 XrdProtLoad: matched port 1095 protocol xroot
> 200501 00:14:33 20364 anon:143@cachenode XrdPoll: FD 143 attached to poller 0; num=1
> 200501 00:14:33 20364 XrootdXeq: xrootd.13393:143@cachenode disc 0:00:00
> 200501 00:14:33 20364 xrootd.13393:143@cachenode XrdPoll: FD 143 detached from poller 0; num=0
> ```
>
> I'm not sure if the TLS is conflicting with gsi?  What further debugging information would be useful?
>
> -- 
> You are receiving this because you are subscribed to this thread.
> Reply to this email directly or view it on GitHub:
> https://github.com/xrootd/xrootd/issues/1188


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/1188#issuecomment-622199273
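Andy's point above (the client must speak xroots:// to a port the origin has designated TLS-only) can be checked mechanically against what the thread already shows. The script below is an added example; it is not part of the thread and not xrootd project code. It parses the origin configuration Derek quoted and the cache's `Posix_Open` log line, then reports any plain `root://` URL aimed at a port that carries the `tls` flag on an `xrd.protocol` line. It assumes that the `tls` keyword on `xrd.protocol` marks that port as TLS-required and that `xrd.tlsca noverify` turns off peer certificate verification; the config and log text are reconstructed from the thread with the bearer token replaced by a placeholder.

```python
"""Cross-check an xrootd origin config against the URL scheme a client used.

Added example, not from the thread or the xrootd project. Assumptions:
  - 'xrd.protocol tls name:port ...' marks that port as TLS-required
  - 'xrd.tlsca noverify' disables verification of the peer certificate
"""
import re

# Constructed from the origin configuration quoted in the thread.
ORIGIN_CONFIG = """\
xrd.tls /etc/grid-security/xrd/xrdcert.pem /etc/grid-security/xrd/xrdkey.pem
xrd.tlsca noverify
xrd.trace all
xrd.trace tls
xrd.protocol tls xrootd:1095 *
"""

# Constructed from the cache log quoted in the thread; token replaced.
CACHE_LOG = """\
200501 00:14:33 13399 Posix_Open: [FATAL] Auth failed open root://origin:1095//hcc/PROTECTED/dweitzel-test/blah2.txt?authz=Bearer%20PLACEHOLDER_TOKEN&pss.tid=http&oss.lcl=1
"""

# xrd.protocol [tls] protname:port libpath
PROTOCOL_RE = re.compile(r"^\s*xrd\.protocol\s+(?:(tls)\s+)?(\w+):(\d+)\b")
# root://, roots://, xroot://, xroots:// followed by host:port/
URL_RE = re.compile(r"\b(roots?|xroots?)://([\w.-]+):(\d+)/")


def tls_required_ports(config):
    """Return {port: protocol} for every xrd.protocol line with the tls flag."""
    ports = {}
    for line in config.splitlines():
        m = PROTOCOL_RE.match(line)
        if m and m.group(1) == "tls":
            ports[int(m.group(3))] = m.group(2)
    return ports


def config_findings(config):
    """Flag directives that weaken transport security (assumed semantics)."""
    findings = []
    for line in config.splitlines():
        if line.split()[:2] == ["xrd.tlsca", "noverify"]:
            findings.append(
                "xrd.tlsca noverify: peer certificate is not verified, so TLS "
                "gives confidentiality but no server authentication"
            )
    return findings


def client_urls(log):
    """Extract (scheme, host, port) from every URL found in the log text."""
    return [(m.group(1), m.group(2), int(m.group(3))) for m in URL_RE.finditer(log)]


def scheme_mismatches(config, log):
    """Report plain (non-'s') schemes used against TLS-required ports."""
    tls_ports = tls_required_ports(config)
    problems = []
    for scheme, host, port in client_urls(log):
        if port in tls_ports and not scheme.endswith("s"):
            problems.append(
                f"{scheme}://{host}:{port} targets a TLS-only port; use {scheme}s://"
            )
    return problems


if __name__ == "__main__":
    for msg in scheme_mismatches(ORIGIN_CONFIG, CACHE_LOG) + config_findings(ORIGIN_CONFIG):
        print("FINDING:", msg)
```

Run against the thread's own snippets it reports that `root://origin:1095` targets a port flagged `tls` in `xrd.protocol`, which is the mismatch Andy describes, and separately notes the `noverify` setting. The same two functions can be pointed at any xrootd config and client log pair; only the `tls` flag on `xrd.protocol` and the URL scheme are inspected, so the check is deliberately independent of which authentication plugin (gsi or otherwise) is loaded.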

########################################################################
Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1