
Hi Bockjoo,

That is incorrect. SAN extensions are recognized by xrootd and should 
work as advertised. What we have found is that people are not getting 
certificates with the SAN properly populated.

Andy

On Mon, 20 Feb 2023, Bockjoo Kim wrote:

> Hi Yujun,
>
> My understanding is that the Subject Alternative Name (SAN) does not work with 
> xrootd.
>
> SAN worked with the gridftp, though.
>
> I think xrootd knows only one hostname (either through $(/bin/hostname -f) or 
> through /etc/sysconfig/xrootd).
>
> Only one hostname is valid in xrootd, I think.
>
> I hope this is not true.
>
> Bockjoo
>
> On 2/20/23 12:01, Yujun Wu wrote:
>> Good morning XRootD experts,
>> 
>> We have 3 site XRootD redirectors at FNAL and an alias for them:
>> 
>> $ host cmsxrootd-site.fnal.gov
>> 
>> cmsxrootd-site.fnal.gov has address 131.225.205.75
>> 
>> cmsxrootd-site.fnal.gov has address 131.225.188.52
>> 
>> cmsxrootd-site.fnal.gov has address 131.225.205.239
>> 
>> 
>> [enstore@fndca2b ~]$ host 131.225.205.75
>> 
>> 75.205.225.131.in-addr.arpa domain name pointer cmsxrootd-site1.fnal.gov.
>> 
>> [enstore@fndca2b ~]$ host 131.225.205.239
>> 
>> 239.205.225.131.in-addr.arpa domain name pointer cmsxrootd-site2.fnal.gov.
>> 
>> [enstore@fndca2b ~]$ host 131.225.188.52
>> 
>> 52.188.225.131.in-addr.arpa domain name pointer cmsxrootd-site3.fnal.gov.
>> 
>> 
>> [root@cmsxrootd-site1 xrootd]# openssl x509 -text -noout -in 
>> /etc/grid-security/hostcert.pem
>> 
>> .......
>> 
>> X509v3 Subject Alternative Name:
>> 
>> DNS:cmsxrootd-site1.fnal.gov, DNS:cmsxrootd-site.fnal.gov
>> 
>> ....
>> 
>> [root@cmsxrootd-site2 ~]# openssl x509 -text -noout -in 
>> /etc/grid-security/hostcert.pem
>> 
>> ......
>> 
>> X509v3 Subject Alternative Name:
>> 
>> DNS:cmsxrootd-site2.fnal.gov, DNS:cmsxrootd-site.fnal.gov
>> 
>> 
>> [root@cmsxrootd-site3 ~]# openssl x509 -text -noout -in 
>> /etc/grid-security/hostcert.pem
>> 
>> .......
>> 
>> X509v3 Subject Alternative Name:
>> 
>> DNS:cmsxrootd-site3.fnal.gov, DNS:cmsxrootd-site.fnal.gov
>> 
>> ....
>> 
>> ------------------------------
>> However, our tests using the alias always fail with "hostname not in SAN 
>> extension" like these:
>> 
>> [enstore@fndca2b ~]$ xrdfs cmsxrootd-site.fnal.gov locate 
>> /store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root
>> 
>> [FATAL] TLS error: Unable to validate cmsxrootd-site.fnal.gov; hostname not 
>> in SAN extension.
>> 
>> [enstore@fndca2b ~]$ xrdfs cmsxrootd-site1.fnal.gov locate 
>> /store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root
>> 
>> [2620:6a:0:8420::f8]:1093 Server Read
>> 
>> [enstore@fndca2b ~]$ xrdfs cmsxrootd-site2.fnal.gov locate 
>> /store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root
>> 
>> [2620:6a:0:8420::f9]:1093 Server Read
>> 
>> [enstore@fndca2b ~]$xrdfs cmsxrootd-site3.fnal.gov locate 
>> /store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root
>> 
>> [2620:6a:0:8421::243]:1093 Server Read
>> 
>> 
>> -----
>> 
>> [enstore@fndca2b ~]$ xrdcp -d 1 -f 
>> root://cmsxrootd-site.fnal.gov:1094///store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root 
>> /dev/null
>> 
>> [2023-02-20 10:57:43.404883 -0600][Error][TlsMsg] Failed to do TLS connect: 
>> Unable to validate cmsxrootd-site.fnal.gov; hostname not in SAN extension.
>> 
>> [2023-02-20 10:57:43.404999 -0600][Error][AsyncSock ] 
>> [cmsxrootd-site.fnal.gov:1094.0] Socket error while handshaking: [FATAL] 
>> TLS error
>> 
>> [2023-02-20 10:57:43.405216 -0600][Error][PostMaster] 
>> [cmsxrootd-site.fnal.gov:1094] elapsed = 0, pConnectionWindow = 120 
>> seconds.
>> 
>> [2023-02-20 10:57:43.413492 -0600][Error][TlsMsg] Failed to do TLS connect: 
>> Unable to validate cmsxrootd-site.fnal.gov; hostname not in SAN extension.
>> 
>> [2023-02-20 10:57:43.413567 -0600][Error][AsyncSock ] 
>> [cmsxrootd-site.fnal.gov:1094.0] Socket error while handshaking: [FATAL] 
>> TLS error
>> 
>> [2023-02-20 10:57:43.413729 -0600][Error][PostMaster] 
>> [cmsxrootd-site.fnal.gov:1094] elapsed = 0, pConnectionWindow = 120 
>> seconds.
>> 
>> [2023-02-20 10:57:43.419627 -0600][Error][TlsMsg] Failed to do TLS connect: 
>> Unable to validate cmsxrootd-site.fnal.gov; hostname not in SAN extension.
>> 
>> [2023-02-20 10:57:43.419691 -0600][Error][AsyncSock ] 
>> [cmsxrootd-site.fnal.gov:1094.0] Socket error while handshaking: [FATAL] 
>> TLS error
>> 
>> [2023-02-20 10:57:43.419852 -0600][Error][PostMaster] 
>> [cmsxrootd-site.fnal.gov:1094] elapsed = 0, pConnectionWindow = 120 
>> seconds.
>> 
>> [2023-02-20 10:57:43.419933 -0600][Error][PostMaster] 
>> [cmsxrootd-site.fnal.gov:1094] Unable to recover: [FATAL] TLS error.
>> 
>> [2023-02-20 10:57:43.420009 -0600][Error][XRootD] 
>> [cmsxrootd-site.fnal.gov:1094] Impossible to send message kXR_open (file: 
>> //store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root, 
>> mode: 00, flags: kXR_open_read kXR_async kXR_retstat ). Trying to recover.
>> 
>> [0B/0B][100%][==================================================][0B/s]
>> 
>> Run: [FATAL] TLS error: Unable to validate cmsxrootd-site.fnal.gov; 
>> hostname not in SAN extension. (source)
>> 
>> [enstore@fndca2b ~]$ xrdcp -d 1 -f 
>> root://cmsxrootd-site1.fnal.gov:1094///store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root 
>> /dev/null
>> 
>> [2023-02-20 10:58:02.693319 -0600][Info ][AsyncSock ] 
>> [cmsxrootd-site1.fnal.gov:1094.0] TLS hand-shake done.
>> 
>> [229.3MB/229.3MB][100%][==================================================][57.33MB/s] 
>> 
>> The same for cmsxrootd-site2 and cmsxrootd-site3.
>> 
>> 
>> Could you please advise if we need to add some options in the xrootd.cfg file?
>> 
>> 
>> Thanks in advance for any help on this.
>> 
>> 
>> 
>> Regards,
>> 
>> Yujun
>> 
>> 
>> 
>> 
>> ------------------------------------------------------------------------
>> 
>> Use REPLY-ALL to reply to list
>> 
>> To unsubscribe from the XROOTD-L list, click the following link:
>> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1 
>> <https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1>
>> 

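The check behind the "hostname not in SAN extension" error in Yujun's report, and the misconfiguration Andy points at (a backend whose certificate was issued without the alias), as an added example that is not part of this thread and not XRootD project code. It models the hostname-versus-SAN match in simplified RFC 6125 form on certificates in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns, so it runs offline; the sample alias, addresses and SAN lists are constructed from the `host` and `openssl x509` output quoted above, and `BAD_CERT` is a hypothetical certificate with the alias left out of the SAN.

```python
"""Hostname-vs-SAN check for hosts behind a round-robin alias.

Added example, not XRootD project code. It models the check a TLS client
performs when it reports "hostname not in SAN extension": the name the client
dialled must match a DNS entry in the server certificate's SAN extension.
Certificates are represented in the dict shape that Python's
ssl.SSLSocket.getpeercert() returns, so the example runs offline on
constructed data; the matching rules follow RFC 6125 in simplified form and
are not a copy of the XRootD client's own implementation.
"""


def san_dns_names(cert):
    """Return the DNS names listed in the certificate's subjectAltName."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def dns_name_matches(pattern, hostname):
    """Match one SAN DNS entry against a hostname (RFC 6125 style, simplified).

    Case-insensitive; a wildcard is only honoured as the entire leftmost label,
    it matches exactly one label, and it must leave at least two fixed labels
    (so "*.gov" never matches anything).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_in_san(cert, hostname):
    """True if hostname is covered by the SAN extension.

    Once a SAN extension is present the subject CN is not consulted, and a
    certificate with no SAN at all is treated as not matching: that is the
    behaviour behind the error message quoted in the thread.
    """
    return any(dns_name_matches(name, hostname) for name in san_dns_names(cert))


def check_alias(alias, resolved_ips, cert_by_ip):
    """Check every address an alias resolves to.

    Returns {ip: (alias_covered, [san names])}, so a mis-issued certificate on
    one backend shows up as the one entry whose first element is False.
    """
    report = {}
    for ip in resolved_ips:
        cert = cert_by_ip.get(ip, {})
        report[ip] = (hostname_in_san(cert, alias), san_dns_names(cert))
    return report


# Constructed sample data, modelled on the `host` and `openssl x509` output
# quoted in the thread (certificates trimmed to the one field this check needs).
ALIAS = "cmsxrootd-site.fnal.gov"
ALIAS_IPS = ["131.225.205.75", "131.225.188.52", "131.225.205.239"]


def _cert(*dns_names):
    """Build a getpeercert()-shaped dict carrying only DNS SAN entries."""
    return {"subjectAltName": tuple(("DNS", n) for n in dns_names)}


CERT_BY_IP = {
    "131.225.205.75": _cert("cmsxrootd-site1.fnal.gov", ALIAS),
    "131.225.188.52": _cert("cmsxrootd-site3.fnal.gov", ALIAS),
    "131.225.205.239": _cert("cmsxrootd-site2.fnal.gov", ALIAS),
}

# Hypothetical certificate issued without the alias in its SAN: the
# "SAN not properly populated" case Andy describes. Dialling the alias against
# a backend serving this certificate fails even though the host's own name is present.
BAD_CERT = _cert("cmsxrootd-site2.fnal.gov")


if __name__ == "__main__":
    for ip, (ok, names) in check_alias(ALIAS, ALIAS_IPS, CERT_BY_IP).items():
        print(f"{ip}: {'OK ' if ok else 'BAD'} SAN={names}")
    print("hypothetical bad cert covers alias:", hostname_in_san(BAD_CERT, ALIAS))
```

The useful part operationally is `check_alias`: because a round-robin alias hands out a different backend on each resolution, a single successful `xrdfs` run proves nothing about the other addresses, so every address the alias resolves to has to be checked against the certificate it actually serves. Swapping `BAD_CERT` in for one backend in `CERT_BY_IP` reproduces the intermittent "hostname not in SAN extension" pattern on exactly that address.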