Hi Yujun,

My understanding is that the Subject Alternative Name (SAN) does not work with xrootd. SAN worked with the gridftp, though. I think xrootd knows only one hostname (either through $(/bin/hostname -f) or through /etc/sysconfig/xrootd). Only one hostname is valid in xrootd, I think. I hope this is not true.

Bockjoo

On 2/20/23 12:01, Yujun Wu wrote:
> Good morning XRootD experts,
>
> We have 3 site XRootD redirectors at FNAL and an alias for them:
>
> $ host cmsxrootd-site.fnal.gov
> cmsxrootd-site.fnal.gov has address 131.225.205.75
> cmsxrootd-site.fnal.gov has address 131.225.188.52
> cmsxrootd-site.fnal.gov has address 131.225.205.239
>
> [enstore@fndca2b ~]$ host 131.225.205.75
> 75.205.225.131.in-addr.arpa domain name pointer cmsxrootd-site1.fnal.gov.
> [enstore@fndca2b ~]$ host 131.225.205.239
> 239.205.225.131.in-addr.arpa domain name pointer cmsxrootd-site2.fnal.gov.
> [enstore@fndca2b ~]$ host 131.225.188.52
> 52.188.225.131.in-addr.arpa domain name pointer cmsxrootd-site3.fnal.gov.
>
> [root@cmsxrootd-site1 xrootd]# openssl x509 -text -noout -in /etc/grid-security/hostcert.pem
> .......
> X509v3 Subject Alternative Name:
> DNS:cmsxrootd-site1.fnal.gov, DNS:cmsxrootd-site.fnal.gov
> ....
>
> [root@cmsxrootd-site2 ~]# openssl x509 -text -noout -in /etc/grid-security/hostcert.pem
> ......
> X509v3 Subject Alternative Name:
> DNS:cmsxrootd-site2.fnal.gov, DNS:cmsxrootd-site.fnal.gov
>
> [root@cmsxrootd-site3 ~]# openssl x509 -text -noout -in /etc/grid-security/hostcert.pem
> .......
> X509v3 Subject Alternative Name:
> DNS:cmsxrootd-site3.fnal.gov, DNS:cmsxrootd-site.fnal.gov
> ....
>
> ------------------------------
>
> However, our tests using the alias always fail with "hostname not in SAN extension" like these:
>
> [enstore@fndca2b ~]$ xrdfs cmsxrootd-site.fnal.gov locate /store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root
> [FATAL] TLS error: Unable to validate cmsxrootd-site.fnal.gov; hostname not in SAN extension.
>
> [enstore@fndca2b ~]$ xrdfs cmsxrootd-site1.fnal.gov locate /store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root
> [2620:6a:0:8420::f8]:1093 Server Read
>
> [enstore@fndca2b ~]$ xrdfs cmsxrootd-site2.fnal.gov locate /store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root
> [2620:6a:0:8420::f9]:1093 Server Read
>
> [enstore@fndca2b ~]$ xrdfs cmsxrootd-site3.fnal.gov locate /store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root
> [2620:6a:0:8421::243]:1093 Server Read
>
> -----
>
> [enstore@fndca2b ~]$ xrdcp -d 1 -f root://cmsxrootd-site.fnal.gov:1094///store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root /dev/null
> [2023-02-20 10:57:43.404883 -0600][Error][TlsMsg] Failed to do TLS connect: Unable to validate cmsxrootd-site.fnal.gov; hostname not in SAN extension.
> [2023-02-20 10:57:43.404999 -0600][Error][AsyncSock ] [cmsxrootd-site.fnal.gov:1094.0] Socket error while handshaking: [FATAL] TLS error
> [2023-02-20 10:57:43.405216 -0600][Error][PostMaster] [cmsxrootd-site.fnal.gov:1094] elapsed = 0, pConnectionWindow = 120 seconds.
> [2023-02-20 10:57:43.413492 -0600][Error][TlsMsg] Failed to do TLS connect: Unable to validate cmsxrootd-site.fnal.gov; hostname not in SAN extension.
> [2023-02-20 10:57:43.413567 -0600][Error][AsyncSock ] [cmsxrootd-site.fnal.gov:1094.0] Socket error while handshaking: [FATAL] TLS error
> [2023-02-20 10:57:43.413729 -0600][Error][PostMaster] [cmsxrootd-site.fnal.gov:1094] elapsed = 0, pConnectionWindow = 120 seconds.
> [2023-02-20 10:57:43.419627 -0600][Error][TlsMsg] Failed to do TLS connect: Unable to validate cmsxrootd-site.fnal.gov; hostname not in SAN extension.
> [2023-02-20 10:57:43.419691 -0600][Error][AsyncSock ] [cmsxrootd-site.fnal.gov:1094.0] Socket error while handshaking: [FATAL] TLS error
> [2023-02-20 10:57:43.419852 -0600][Error][PostMaster] [cmsxrootd-site.fnal.gov:1094] elapsed = 0, pConnectionWindow = 120 seconds.
> [2023-02-20 10:57:43.419933 -0600][Error][PostMaster] [cmsxrootd-site.fnal.gov:1094] Unable to recover: [FATAL] TLS error.
> [2023-02-20 10:57:43.420009 -0600][Error][XRootD] [cmsxrootd-site.fnal.gov:1094] Impossible to send message kXR_open (file: //store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root, mode: 00, flags: kXR_open_read kXR_async kXR_retstat ). Trying to recover.
> [0B/0B][100%][==================================================][0B/s]
> Run: [FATAL] TLS error: Unable to validate cmsxrootd-site.fnal.gov; hostname not in SAN extension. (source)
>
> [enstore@fndca2b ~]$ xrdcp -d 1 -f root://cmsxrootd-site1.fnal.gov:1094///store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root /dev/null
> [2023-02-20 10:58:02.693319 -0600][Info ][AsyncSock ] [cmsxrootd-site1.fnal.gov:1094.0] TLS hand-shake done.
> [229.3MB/229.3MB][100%][==================================================][57.33MB/s]
>
> The same for cmsxrootd-site2 and cmsxrootd-site3.
>
> Could you please advise if we need to add some options in the xrootd.cfg file?
>
> Thanks in advance for any help on this.
>
> Regards,
> Yujun
>
> ------------------------------------------------------------------------
> Use REPLY-ALL to reply to list
> To unsubscribe from the XROOTD-L list, click the following link:
> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
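An offline check of the certificate side of the problem, added here as an example and not code from this thread or from XRootD: it parses the `X509v3 Subject Alternative Name` block out of `openssl x509 -text` output (the format pasted above) and applies the usual TLS hostname-matching rules, so an admin can confirm that both the node name and the alias are covered by each cert before turning to server or client configuration. The sample text and the hostname list are constructed from the names quoted in the thread.

```python
from typing import List

# Constructed sample input: the SAN block of cmsxrootd-site1's certificate,
# in the text layout printed by `openssl x509 -text -noout -in hostcert.pem`
# (the names are the ones quoted in the thread; surrounding lines are made up).
SAMPLE_X509_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:cmsxrootd-site1.fnal.gov, DNS:cmsxrootd-site.fnal.gov
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
"""


def parse_san_dns(x509_text: str) -> List[str]:
    """Return the DNS entries (lower-cased) from the SAN block of `openssl x509 -text` output."""
    lines = x509_text.splitlines()
    for i, line in enumerate(lines):
        # Header may read "...Name:" or "...Name: critical"; entries follow on the next line.
        if line.strip().startswith("X509v3 Subject Alternative Name:") and i + 1 < len(lines):
            entries = [e.strip() for e in lines[i + 1].split(",")]
            return [e[len("DNS:"):].lower() for e in entries if e.startswith("DNS:")]
    return []


def hostname_matches(hostname: str, san_dns: List[str]) -> bool:
    """Match a hostname against SAN DNS names the way a TLS client does (RFC 6125 style):
    case-insensitive exact match, or a wildcard that replaces exactly the left-most label
    and never covers a name as short as "*.gov"."""
    host = hostname.lower().rstrip(".")
    for name in san_dns:
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:] and host.count(".") >= 2:
            # "*.fnal.gov" covers "foo.fnal.gov" but not "a.b.fnal.gov" or "fnal.gov".
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def san_report(x509_text: str, hostnames: List[str]) -> dict:
    """Map each hostname a client might connect with to whether this certificate covers it."""
    san = parse_san_dns(x509_text)
    return {h: hostname_matches(h, san) for h in hostnames}


if __name__ == "__main__":
    # For a cert like the ones quoted, the node name and the alias should both be covered.
    names = ["cmsxrootd-site1.fnal.gov", "cmsxrootd-site.fnal.gov", "cmsxrootd-site2.fnal.gov"]
    for host, ok in san_report(SAMPLE_X509_TEXT, names).items():
        print(f"{host}: {'covered' if ok else 'NOT covered'}")
```

If the alias comes back covered here but the client still reports "hostname not in SAN extension", the certificate contents are not the culprit, and the next thing to compare is which certificate the server actually presents on that port against the name the client verifies.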