Hi Andy, I want to bring up this issue again. I don't understand why it's expected. For example, (base) [bockjoo@cms ~]$ xrdfs cmsio3.rc.ufl.edu ls /store/user/bockjoo [FATAL] TLS error: Unable to validate 172.16.200.175; hostname not in SAN extension. I provided a fully qualified public hostname, but why is xrdfs coming up with a private ip 172.16.200.175 On the other hand, if I check a specific file, xrdfs does not show this issue and shows the correct output: (base) [bockjoo@cms ~]$ xrdfs cmsio3.rc.ufl.edu ls /store/user/bockjoo/xrdmapc.txt /store/user/bockjoo/xrdmapc.txt I think this is a bug. Thanks, Bockjoo On 4/15/22 01:04, Andrew Hanushevsky wrote: > Hi Bockjoo, > > This is expected and normal behaviour. If the machine van be known by more than one name then it's host cert must have all of these listed in SAN extension. I suggest you either not give it two name (i.e. use the name in tghe cert) or get a new cert with the all the names in the SAN extension. Some people also put the host's IP address(s) in the SAN extension as a client might use an IP address to reach the host. > > Andy > > > On Thu, 14 Apr 2022, Bockjoo Kim wrote: > >> Hi, >> >> With the xrootd servers, I am seeing this error: >> >> (base) [bockjoo@cms ~]$ time xrdfs cmsio2.rc.ufl.edu ls /store/mc >> [FATAL] TLS error: Unable to validate 172.16.199.254; hostname not in SAN extension. >> >> The machine's FQHN is set at cmsio2.ufhpc ( 172.16.199.254 ) by the local cluster management team but cmsio2.rc.ufl.edu is the publicly accessible FQHN. >> >> So, I guess xrdfs is looking for the DN matching to the cmsio2.ufhpc instead of cmsio2.rc.ufl.edu. >> >> Is this expected? >> >> When we were using the non-xrootd security system, I did not see this issue. >> >> Is there any workaround in terms of xrootd directive or something? >> >> Thanks, >> >> Bockjoo >> >> ######################################################################## >> Use REPLY-ALL to reply to list >> >> To unsubscribe from the XROOTD-L list, click the following link: >> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1 >> ######################################################################## Use REPLY-ALL to reply to list To unsubscribe from the XROOTD-L list, click the following link: https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1