You might have to set up a separate host for the top level site redirector
within one of the site redirectors or using a separate machine.
Again, I hope you don't have to do this.
Bockjoo
Hi Bockjoo,
Thanks a lot for your info. Really hope this is NOT true, otherwise we need to tell local users to use individual host names.
Regards,
Yujun
From: [log in to unmask] <[log in to unmask]> on behalf of Bockjoo Kim <[log in to unmask]>
Sent: Monday, February 20, 2023 11:14 AM
To: Yujun Wu <[log in to unmask]>; xrootd-l <[log in to unmask]>
Cc: David A Mason <[log in to unmask]>; Chih-Hao Huang <[log in to unmask]>
Subject: Re: Help with hostname not in SAN extension TLS error
Hi Yujun,
My understanding is that the Subject Alternative Name (SAN) does not work with xrootd.
SAN worked with the gridftp, though.
I think xrootd knows only one hostname (either through $(/bin/hostname -f) or through /etc/sysconfig/xrootd).
Only one hostname is valid in xrootd, I think.
I hope this is not true.
Bockjoo
On 2/20/23 12:01, Yujun Wu wrote:
Good morning XRootD experts,
We have 3 site XRootD redirectors at FNAL and an alias for them:
$ host cmsxrootd-site.fnal.gov
cmsxrootd-site.fnal.gov has address 131.225.205.75
cmsxrootd-site.fnal.gov has address 131.225.188.52
cmsxrootd-site.fnal.gov has address 131.225.205.239
[enstore@fndca2b ~]$ host 131.225.205.75
75.205.225.131.in-addr.arpa domain name pointer cmsxrootd-site1.fnal.gov.
[enstore@fndca2b ~]$ host 131.225.205.239
239.205.225.131.in-addr.arpa domain name pointer cmsxrootd-site2.fnal.gov.
[enstore@fndca2b ~]$ host 131.225.188.52
52.188.225.131.in-addr.arpa domain name pointer cmsxrootd-site3.fnal.gov.
[root@cmsxrootd-site1 xrootd]# openssl x509 -text -noout -in /etc/grid-security/hostcert.pem
.......X509v3 Subject Alternative Name:
DNS:cmsxrootd-site1.fnal.gov, DNS:cmsxrootd-site.fnal.gov
....
[root@cmsxrootd-site2 ~]# openssl x509 -text -noout -in /etc/grid-security/hostcert.pem
......X509v3 Subject Alternative Name:
DNS:cmsxrootd-site2.fnal.gov, DNS:cmsxrootd-site.fnal.gov
[root@cmsxrootd-site3 ~]# openssl x509 -text -noout -in /etc/grid-security/hostcert.pem
.......X509v3 Subject Alternative Name:
DNS:cmsxrootd-site3.fnal.gov, DNS:cmsxrootd-site.fnal.gov
....
------------------------------
However, our tests using the alias always fail with "hostname not in SAN extension" like these:
[enstore@fndca2b ~]$ xrdfs cmsxrootd-site.fnal.gov locate /store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root
[FATAL] TLS error: Unable to validate cmsxrootd-site.fnal.gov; hostname not in SAN extension.
[enstore@fndca2b ~]$ xrdfs cmsxrootd-site1.fnal.gov locate /store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root
[2620:6a:0:8420::f8]:1093 Server Read
[enstore@fndca2b ~]$ xrdfs cmsxrootd-site2.fnal.gov locate /store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root
[2620:6a:0:8420::f9]:1093 Server Read
[enstore@fndca2b ~]$ xrdfs cmsxrootd-site3.fnal.gov locate /store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root
[2620:6a:0:8421::243]:1093 Server Read
-----
[enstore@fndca2b ~]$ xrdcp -d 1 -f root://cmsxrootd-site.fnal.gov:1094///store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root /dev/null
[2023-02-20 10:57:43.404883 -0600][Error ][TlsMsg ] Failed to do TLS connect: Unable to validate cmsxrootd-site.fnal.gov; hostname not in SAN extension.
[2023-02-20 10:57:43.404999 -0600][Error ][AsyncSock ] [cmsxrootd-site.fnal.gov:1094.0] Socket error while handshaking: [FATAL] TLS error
[2023-02-20 10:57:43.405216 -0600][Error ][PostMaster ] [cmsxrootd-site.fnal.gov:1094] elapsed = 0, pConnectionWindow = 120 seconds.
[2023-02-20 10:57:43.413492 -0600][Error ][TlsMsg ] Failed to do TLS connect: Unable to validate cmsxrootd-site.fnal.gov; hostname not in SAN extension.
[2023-02-20 10:57:43.413567 -0600][Error ][AsyncSock ] [cmsxrootd-site.fnal.gov:1094.0] Socket error while handshaking: [FATAL] TLS error
[2023-02-20 10:57:43.413729 -0600][Error ][PostMaster ] [cmsxrootd-site.fnal.gov:1094] elapsed = 0, pConnectionWindow = 120 seconds.
[2023-02-20 10:57:43.419627 -0600][Error ][TlsMsg ] Failed to do TLS connect: Unable to validate cmsxrootd-site.fnal.gov; hostname not in SAN extension.
[2023-02-20 10:57:43.419691 -0600][Error ][AsyncSock ] [cmsxrootd-site.fnal.gov:1094.0] Socket error while handshaking: [FATAL] TLS error
[2023-02-20 10:57:43.419852 -0600][Error ][PostMaster ] [cmsxrootd-site.fnal.gov:1094] elapsed = 0, pConnectionWindow = 120 seconds.
[2023-02-20 10:57:43.419933 -0600][Error ][PostMaster ] [cmsxrootd-site.fnal.gov:1094] Unable to recover: [FATAL] TLS error.
[2023-02-20 10:57:43.420009 -0600][Error ][XRootD ] [cmsxrootd-site.fnal.gov:1094] Impossible to send message kXR_open (file: //store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root, mode: 00, flags: kXR_open_read kXR_async kXR_retstat ). Trying to recover.
[0B/0B][100%][==================================================][0B/s]
Run: [FATAL] TLS error: Unable to validate cmsxrootd-site.fnal.gov; hostname not in SAN extension. (source)
[enstore@fndca2b ~]$ xrdcp -d 1 -f root://cmsxrootd-site1.fnal.gov:1094///store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root /dev/null
[2023-02-20 10:58:02.693319 -0600][Info ][AsyncSock ] [cmsxrootd-site1.fnal.gov:1094.0] TLS hand-shake done.
[229.3MB/229.3MB][100%][==================================================][57.33MB/s]
The same for cmsxrootd-site2 and cmsxrootd-site3.
Could you please advise if we need to add some options in the xrootd.cfg file?
Thanks in advance for any help on this.
Regards,
Yujun
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
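The thread above inspects each redirector's certificate by hand with `openssl x509 -text -noout` and compares the SAN entries against the round-robin alias. The following script is an added example, not code from the thread and not part of XRootD: it parses the SAN line of that `openssl` output and applies the RFC 6125 DNS-ID matching rules, so you can check every host behind an alias in one pass and spot the one whose certificate does not carry the alias. It only checks certificate contents; it says nothing about how the XRootD client itself validates the name. The host names and certificate text below are constructed for the example.

```python
"""Check that every host behind a round-robin DNS alias presents a certificate
whose Subject Alternative Name (SAN) covers the alias.

Added example, not code from the mailing-list thread and not part of XRootD.
It mirrors the manual `openssl x509 -text -noout` inspection in the thread:
it parses the SAN line of that output and applies the DNS-ID matching rules
of RFC 6125 (case-insensitive, one wildcard confined to the leftmost label).
Host names and certificate text below are constructed for the example.
"""
import re

# Header line of the SAN extension in `openssl x509 -text` output, followed by
# the indented value line ("DNS:a.example.org, DNS:b.example.org, ...").
_SAN_RE = re.compile(r"X509v3 Subject Alternative Name:[^\n]*\n[ \t]*([^\n]+)")


def parse_san_dns(openssl_text):
    """Return the DNS: entries from `openssl x509 -text` output as a list."""
    m = _SAN_RE.search(openssl_text)
    if not m:
        return []
    names = []
    for entry in m.group(1).split(","):
        entry = entry.strip()
        if entry.startswith("DNS:"):
            names.append(entry[len("DNS:"):].strip())
    return names


def dns_id_matches(pattern, hostname):
    """RFC 6125-style DNS-ID match.

    Exact match is case-insensitive (trailing dots ignored). A wildcard is
    accepted only as the whole leftmost label ("*.example.org"), must cover
    exactly one non-empty label, and needs at least two labels to its right,
    so "*.org" never matches anything.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        plabels = pattern[2:].split(".")
        hlabels = hostname.split(".")
        return len(plabels) >= 2 and hlabels[0] != "" and hlabels[1:] == plabels
    return False


def hostname_in_san(hostname, san_dns):
    """True if any SAN DNS entry matches the host name."""
    return any(dns_id_matches(p, hostname) for p in san_dns)


def check_alias(alias, certs_by_host):
    """Map each host behind `alias` to whether its certificate covers the alias.

    certs_by_host: {host name: text of `openssl x509 -text -noout` for its cert}
    """
    return {host: hostname_in_san(alias, parse_san_dns(text))
            for host, text in certs_by_host.items()}


def hosts_missing_alias(alias, certs_by_host):
    """Hosts whose certificate would fail SAN validation when reached via `alias`."""
    return sorted(h for h, ok in check_alias(alias, certs_by_host).items() if not ok)


# Constructed sample: three redirectors behind one alias; the third host's
# certificate lacks the alias, which is the misconfiguration to catch.
ALIAS = "redir.example.org"
CERT_TEXTS = {
    "redir1.example.org": (
        "        X509v3 extensions:\n"
        "            X509v3 Subject Alternative Name:\n"
        "                DNS:redir1.example.org, DNS:redir.example.org\n"
    ),
    "redir2.example.org": (
        "        X509v3 extensions:\n"
        "            X509v3 Subject Alternative Name:\n"
        "                DNS:redir2.example.org, DNS:redir.example.org\n"
    ),
    "redir3.example.org": (
        "        X509v3 extensions:\n"
        "            X509v3 Subject Alternative Name:\n"
        "                DNS:redir3.example.org\n"
    ),
}

if __name__ == "__main__":
    for host, ok in check_alias(ALIAS, CERT_TEXTS).items():
        print(f"{host}: {'ok' if ok else 'ALIAS MISSING FROM SAN'}")
```

To use it against real hosts, capture `openssl x509 -text -noout -in /etc/grid-security/hostcert.pem` from each redirector (as done in the thread) and pass the captured text to `check_alias` keyed by host name. Note that a certificate passing this check only rules out a missing SAN entry; a client can still reject the name for reasons that live in the client's own validation logic.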