You might have to set up a separate host for the top level site redirector within one of the site redirectors or using a separate machine. Again, I hope you don't have to do this.

Bockjoo

On 2/20/23 12:20, Yujun Wu wrote:
> Hi Bockjoo,
>
> Thanks a lot for your info. Really hope this is NOT true, otherwise we
> need to tell local users to use individual host names.
>
> Regards,
> Yujun
> ------------------------------------------------------------------------
> *From:* [log in to unmask] <[log in to unmask]> on behalf of Bockjoo Kim <[log in to unmask]>
> *Sent:* Monday, February 20, 2023 11:14 AM
> *To:* Yujun Wu <[log in to unmask]>; xrootd-l <[log in to unmask]>
> *Cc:* David A Mason <[log in to unmask]>; Chih-Hao Huang <[log in to unmask]>
> *Subject:* Re: Help with hostname not in SAN extension TLS error
>
> Hi Yujun,
>
> My understanding is that the Subject Alternative Name (SAN) does not
> work with xrootd.
>
> SAN worked with the gridftp, though.
>
> I think xrootd knows only one hostname (either through $(/bin/hostname -f)
> or through /etc/sysconfig/xrootd).
>
> Only one hostname is valid in xrootd, I think.
>
> I hope this is not true.
>
> Bockjoo
>
> On 2/20/23 12:01, Yujun Wu wrote:
>> Good morning XRootD experts,
>>
>> We have 3 site XRootD redirectors at FNAL and an alias for them:
>>
>> $ host cmsxrootd-site.fnal.gov
>> cmsxrootd-site.fnal.gov has address 131.225.205.75
>> cmsxrootd-site.fnal.gov has address 131.225.188.52
>> cmsxrootd-site.fnal.gov has address 131.225.205.239
>>
>> [enstore@fndca2b ~]$ host 131.225.205.75
>> 75.205.225.131.in-addr.arpa domain name pointer cmsxrootd-site1.fnal.gov.
>>
>> [enstore@fndca2b ~]$ host 131.225.205.239
>> 239.205.225.131.in-addr.arpa domain name pointer cmsxrootd-site2.fnal.gov.
>>
>> [enstore@fndca2b ~]$ host 131.225.188.52
>> 52.188.225.131.in-addr.arpa domain name pointer cmsxrootd-site3.fnal.gov.
>>
>> [root@cmsxrootd-site1 xrootd]# openssl x509 -text -noout -in /etc/grid-security/hostcert.pem
>> .......
>> X509v3 Subject Alternative Name:
>>     DNS:cmsxrootd-site1.fnal.gov, DNS:cmsxrootd-site.fnal.gov
>> ....
>>
>> [root@cmsxrootd-site2 ~]# openssl x509 -text -noout -in /etc/grid-security/hostcert.pem
>> ......
>> X509v3 Subject Alternative Name:
>>     DNS:cmsxrootd-site2.fnal.gov, DNS:cmsxrootd-site.fnal.gov
>>
>> [root@cmsxrootd-site3 ~]# openssl x509 -text -noout -in /etc/grid-security/hostcert.pem
>> .......
>> X509v3 Subject Alternative Name:
>>     DNS:cmsxrootd-site3.fnal.gov, DNS:cmsxrootd-site.fnal.gov
>> ....
>>
>> ------------------------------
>> However, our tests using the alias always fail with "hostname not in
>> SAN extension" like these:
>>
>> [enstore@fndca2b ~]$ xrdfs cmsxrootd-site.fnal.gov locate /store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root
>> [FATAL] TLS error: Unable to validate cmsxrootd-site.fnal.gov; hostname not in SAN extension.
>>
>> [enstore@fndca2b ~]$ xrdfs cmsxrootd-site1.fnal.gov locate /store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root
>> [2620:6a:0:8420::f8]:1093 Server Read
>>
>> [enstore@fndca2b ~]$ xrdfs cmsxrootd-site2.fnal.gov locate /store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root
>> [2620:6a:0:8420::f9]:1093 Server Read
>>
>> [enstore@fndca2b ~]$ xrdfs cmsxrootd-site3.fnal.gov locate /store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root
>> [2620:6a:0:8421::243]:1093 Server Read
>>
>> -----
>>
>> [enstore@fndca2b ~]$ xrdcp -d 1 -f root://cmsxrootd-site.fnal.gov:1094///store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root /dev/null
>> [2023-02-20 10:57:43.404883 -0600][Error][TlsMsg] Failed to do TLS connect: Unable to validate cmsxrootd-site.fnal.gov; hostname not in SAN extension.
>> [2023-02-20 10:57:43.404999 -0600][Error][AsyncSock ] [cmsxrootd-site.fnal.gov:1094.0] Socket error while handshaking: [FATAL] TLS error
>> [2023-02-20 10:57:43.405216 -0600][Error][PostMaster] [cmsxrootd-site.fnal.gov:1094] elapsed = 0, pConnectionWindow = 120 seconds.
>> [2023-02-20 10:57:43.413492 -0600][Error][TlsMsg] Failed to do TLS connect: Unable to validate cmsxrootd-site.fnal.gov; hostname not in SAN extension.
>> [2023-02-20 10:57:43.413567 -0600][Error][AsyncSock ] [cmsxrootd-site.fnal.gov:1094.0] Socket error while handshaking: [FATAL] TLS error
>> [2023-02-20 10:57:43.413729 -0600][Error][PostMaster] [cmsxrootd-site.fnal.gov:1094] elapsed = 0, pConnectionWindow = 120 seconds.
>> [2023-02-20 10:57:43.419627 -0600][Error][TlsMsg] Failed to do TLS connect: Unable to validate cmsxrootd-site.fnal.gov; hostname not in SAN extension.
>> [2023-02-20 10:57:43.419691 -0600][Error][AsyncSock ] [cmsxrootd-site.fnal.gov:1094.0] Socket error while handshaking: [FATAL] TLS error
>> [2023-02-20 10:57:43.419852 -0600][Error][PostMaster] [cmsxrootd-site.fnal.gov:1094] elapsed = 0, pConnectionWindow = 120 seconds.
>> [2023-02-20 10:57:43.419933 -0600][Error][PostMaster] [cmsxrootd-site.fnal.gov:1094] Unable to recover: [FATAL] TLS error.
>> [2023-02-20 10:57:43.420009 -0600][Error][XRootD] [cmsxrootd-site.fnal.gov:1094] Impossible to send message kXR_open (file: //store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root, mode: 00, flags: kXR_open_read kXR_async kXR_retstat ). Trying to recover.
>> [0B/0B][100%][==================================================][0B/s]
>> Run: [FATAL] TLS error: Unable to validate cmsxrootd-site.fnal.gov; hostname not in SAN extension. (source)
>>
>> [enstore@fndca2b ~]$ xrdcp -d 1 -f root://cmsxrootd-site1.fnal.gov:1094///store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root /dev/null
>> [2023-02-20 10:58:02.693319 -0600][Info ][AsyncSock ] [cmsxrootd-site1.fnal.gov:1094.0] TLS hand-shake done.
>> [229.3MB/229.3MB][100%][==================================================][57.33MB/s]
>>
>> The same for cmsxrootd-site2 and cmsxrootd-site3.
>>
>> Could you please advise if we need to add some options in the xrootd.cfg
>> file?
>>
>> Thanks in advance for any help on this.
>>
>> Regards,
>>
>> Yujun
>>
>> ------------------------------------------------------------------------
>>
>> Use REPLY-ALL to reply to list
>>
>> To unsubscribe from the XROOTD-L list, click the following link:
>> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
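The check a TLS client performs when it reports "hostname not in SAN extension", written out as an added example that is not part of this thread: parse the SAN line as `openssl x509 -text` prints it and match each name clients will use against it with the usual dNSName rules (case-insensitive, trailing dot ignored, wildcard only as the whole leftmost label). The SAN line is the one the thread shows for cmsxrootd-site1; `parse_openssl_san`, `hostname_matches_san` and `san_report` are names chosen here.

```python
"""Added example: does a host certificate's SAN cover the names clients use?
The SAN line is copied from the thread's openssl output on cmsxrootd-site1;
it is parsed as printed by `openssl x509 -text -noout -in hostcert.pem`."""
import re

# Constructed from the thread: the SAN line openssl printed on cmsxrootd-site1.
SAN_LINE_SITE1 = "DNS:cmsxrootd-site1.fnal.gov, DNS:cmsxrootd-site.fnal.gov"


def parse_openssl_san(line: str) -> list[str]:
    """Return the dNSName entries of an openssl 'Subject Alternative Name' line.
    IP:, email: and URI: entries are ignored; a hostname check only uses DNS."""
    return [m.group(1).strip() for m in re.finditer(r"DNS:([^,]+)", line)]


def hostname_matches_san(hostname: str, san_dns: list[str]) -> bool:
    """RFC 6125-style match: case-insensitive, trailing dot ignored, and a
    wildcard is honoured only as the entire leftmost label, never across
    label boundaries (*.fnal.gov covers a.fnal.gov but not a.b.fnal.gov)."""
    host = hostname.rstrip(".").lower().split(".")
    for entry in san_dns:
        pat = entry.rstrip(".").lower().split(".")
        if pat == host:
            return True
        if pat[0] == "*" and len(pat) >= 3 and len(pat) == len(host) \
                and pat[1:] == host[1:]:
            return True
    return False


def san_report(san_line: str, names: list[str]) -> dict[str, bool]:
    """Map each name clients may connect with to whether the SAN covers it."""
    san = parse_openssl_san(san_line)
    return {n: hostname_matches_san(n, san) for n in names}


if __name__ == "__main__":
    # The alias, the node's own FQDN and a sibling node, all checked against
    # the certificate on cmsxrootd-site1: alias and own name are covered,
    # the sibling is not, exactly as the thread's openssl output implies.
    for name, ok in san_report(SAN_LINE_SITE1, [
        "cmsxrootd-site.fnal.gov",
        "cmsxrootd-site1.fnal.gov",
        "cmsxrootd-site2.fnal.gov",
    ]).items():
        print(f"{name}: {'covered' if ok else 'NOT covered'}")
```

When this reports the alias as covered by the file on disk yet the client still fails, the next thing to compare is the certificate the server actually presents on the wire, since the served certificate need not be the one inspected on disk.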