Could somebody explain to me why "cmsxrootd-site.fnal.gov" is not in the SAN 
when I look at the network stream dump / Server Hello?

Petr


On 2/20/23 18:57, Albert Rossi wrote:
> Yujun,
>
> There may be security issues with this, but you might be able to get 
> around this by setting
>
> ```
> export XrdSecGSITRUSTDNS=1
> ```
>
> I know that the xroot team discourages this, but you might see if it 
> works.
>
> This would have to be done on the client side.  If there is no way of 
> changing the client environment, then ignore this suggestion.
>
> Cheers, Al
>
> ________________________________________________
> Albert L. Rossi
> Senior Software Developer
> Scientific Computing Division, Scientific Data Services, Distributed 
> Data Development
> WH 566
> Fermi National Accelerator Laboratory
> Batavia, IL 60510
> (630) 840-3023
>
> ------------------------------------------------------------------------
> *From:* [log in to unmask] <[log in to unmask]> on 
> behalf of Bockjoo Kim <[log in to unmask]>
> *Sent:* Monday, February 20, 2023 11:28 AM
> *To:* Yujun Wu <[log in to unmask]>; Yujun Wu 
> <[log in to unmask]>; xrootd-l 
> <[log in to unmask]>
> *Cc:* David A Mason <[log in to unmask]>; Chih-Hao Huang <[log in to unmask]>
> *Subject:* Re: Help with hostname not in SAN extension TLS error
>
> You might have to set up a separate host for the top level site redirector
>
> within one of the site redirectors or using a separate machine.
>
> Again, I hope you don't have to do this.
>
> Bockjoo
>
> On 2/20/23 12:20, Yujun Wu wrote:
>> Hi Bockjoo,
>>
>> Thanks a lot for your info. Really hope this is NOT true, otherwise 
>> we need to tell local users to use individual host names.
>>
>>
>> Regards,
>> Yujun
>> ------------------------------------------------------------------------
>> *From:* [log in to unmask] <[log in to unmask]> on behalf of Bockjoo Kim 
>> <[log in to unmask]>
>> *Sent:* Monday, February 20, 2023 11:14 AM
>> *To:* Yujun Wu <[log in to unmask]>; xrootd-l <[log in to unmask]>
>> *Cc:* David A Mason <[log in to unmask]>; Chih-Hao Huang <[log in to unmask]>
>> *Subject:* Re: Help with hostname not in SAN extension TLS error
>>
>> Hi Yujun,
>>
>> My understanding is that the Subject Alternative Name(SAN) does not 
>> work with xrootd.
>>
>> SAN worked with the gridftp, though.
>>
>> I think xrootd knows only one hostname (either through 
>> $(/bin/hostname -f) or through /etc/sysconfig/xrootd).
>>
>> Only one hostname is valid in xrootd, I think.
>>
>> I hope this is not true.
>>
>> Bockjoo
>>
>> On 2/20/23 12:01, Yujun Wu wrote:
>>> Good morning XRootD experts,
>>>
>>> We have 3 site XRootD redirectors at FNAL and an alias for them:
>>>
>>> $ host cmsxrootd-site.fnal.gov
>>>
>>> cmsxrootd-site.fnal.gov has address 131.225.205.75
>>>
>>> cmsxrootd-site.fnal.gov has address 131.225.188.52
>>>
>>> cmsxrootd-site.fnal.gov has address 131.225.205.239
>>>
>>>
>>> [enstore@fndca2b ~]$ host 131.225.205.75
>>>
>>> 75.205.225.131.in-addr.arpa domain name pointer 
>>> cmsxrootd-site1.fnal.gov.
>>>
>>> [enstore@fndca2b ~]$ host 131.225.205.239
>>>
>>> 239.205.225.131.in-addr.arpa domain name pointer 
>>> cmsxrootd-site2.fnal.gov.
>>>
>>> [enstore@fndca2b ~]$ host 131.225.188.52
>>>
>>> 52.188.225.131.in-addr.arpa domain name pointer 
>>> cmsxrootd-site3.fnal.gov.
>>>
>>>
>>> [root@cmsxrootd-site1 xrootd]# openssl x509 -text -noout -in 
>>> /etc/grid-security/hostcert.pem
>>>
>>> .......
>>>
>>> X509v3 Subject Alternative Name:
>>>
>>> DNS:cmsxrootd-site1.fnal.gov, DNS:cmsxrootd-site.fnal.gov
>>>
>>> ....
>>>
>>> [root@cmsxrootd-site2 ~]# openssl x509 -text -noout -in 
>>> /etc/grid-security/hostcert.pem
>>>
>>> ......
>>>
>>> X509v3 Subject Alternative Name:
>>>
>>> DNS:cmsxrootd-site2.fnal.gov, DNS:cmsxrootd-site.fnal.gov
>>>
>>>
>>> [root@cmsxrootd-site3 ~]# openssl x509 -text -noout -in 
>>> /etc/grid-security/hostcert.pem
>>>
>>> .......
>>>
>>> X509v3 Subject Alternative Name:
>>>
>>> DNS:cmsxrootd-site3.fnal.gov, DNS:cmsxrootd-site.fnal.gov
>>>
>>> ....
>>>
>>> ------------------------------
>>> However, our tests using the alias always fail with "hostname not in 
>>> SAN extension" like these:
>>>
>>> [enstore@fndca2b ~]$ xrdfs cmsxrootd-site.fnal.gov locate 
>>> /store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root
>>>
>>> [FATAL] TLS error: Unable to validate cmsxrootd-site.fnal.gov; 
>>> hostname not in SAN extension.
>>>
>>> [enstore@fndca2b ~]$ xrdfs cmsxrootd-site1.fnal.gov locate 
>>> /store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root
>>>
>>> [2620:6a:0:8420::f8]:1093 Server Read
>>>
>>> [enstore@fndca2b ~]$ xrdfs cmsxrootd-site2.fnal.gov locate 
>>> /store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root
>>>
>>> [2620:6a:0:8420::f9]:1093 Server Read
>>>
>>> [enstore@fndca2b ~]$xrdfs cmsxrootd-site3.fnal.gov locate 
>>> /store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root
>>>
>>> [2620:6a:0:8421::243]:1093 Server Read
>>>
>>>
>>> -----
>>>
>>> [enstore@fndca2b ~]$ xrdcp -d 1 -f 
>>> root://cmsxrootd-site.fnal.gov:1094///store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root 
>>> /dev/null
>>>
>>> [2023-02-20 10:57:43.404883 -0600][Error][TlsMsg] Failed to do TLS 
>>> connect: Unable to validate cmsxrootd-site.fnal.gov; hostname not in 
>>> SAN extension.
>>>
>>> [2023-02-20 10:57:43.404999 -0600][Error][AsyncSock ] 
>>> [cmsxrootd-site.fnal.gov:1094.0] Socket error while handshaking: 
>>> [FATAL] TLS error
>>>
>>> [2023-02-20 10:57:43.405216 -0600][Error][PostMaster] 
>>> [cmsxrootd-site.fnal.gov:1094] elapsed = 0, pConnectionWindow = 120 
>>> seconds.
>>>
>>> [2023-02-20 10:57:43.413492 -0600][Error][TlsMsg] Failed to do TLS 
>>> connect: Unable to validate cmsxrootd-site.fnal.gov; hostname not in 
>>> SAN extension.
>>>
>>> [2023-02-20 10:57:43.413567 -0600][Error][AsyncSock ] 
>>> [cmsxrootd-site.fnal.gov:1094.0] Socket error while handshaking: 
>>> [FATAL] TLS error
>>>
>>> [2023-02-20 10:57:43.413729 -0600][Error][PostMaster] 
>>> [cmsxrootd-site.fnal.gov:1094] elapsed = 0, pConnectionWindow = 120 
>>> seconds.
>>>
>>> [2023-02-20 10:57:43.419627 -0600][Error][TlsMsg] Failed to do TLS 
>>> connect: Unable to validate cmsxrootd-site.fnal.gov; hostname not in 
>>> SAN extension.
>>>
>>> [2023-02-20 10:57:43.419691 -0600][Error][AsyncSock ] 
>>> [cmsxrootd-site.fnal.gov:1094.0] Socket error while handshaking: 
>>> [FATAL] TLS error
>>>
>>> [2023-02-20 10:57:43.419852 -0600][Error][PostMaster] 
>>> [cmsxrootd-site.fnal.gov:1094] elapsed = 0, pConnectionWindow = 120 
>>> seconds.
>>>
>>> [2023-02-20 10:57:43.419933 -0600][Error][PostMaster] 
>>> [cmsxrootd-site.fnal.gov:1094] Unable to recover: [FATAL] TLS error.
>>>
>>> [2023-02-20 10:57:43.420009 -0600][Error][XRootD] 
>>> [cmsxrootd-site.fnal.gov:1094] Impossible to send message kXR_open 
>>> (file: 
>>> //store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root, 
>>> mode: 00, flags: kXR_open_read kXR_async kXR_retstat ). Trying to 
>>> recover.
>>>
>>> [0B/0B][100%][==================================================][0B/s]
>>>
>>> Run: [FATAL] TLS error: Unable to validate cmsxrootd-site.fnal.gov; 
>>> hostname not in SAN extension. (source)
>>>
>>> [enstore@fndca2b ~]$ xrdcp -d 1 -f 
>>> root://cmsxrootd-site1.fnal.gov:1094///store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root 
>>> /dev/null
>>>
>>> [2023-02-20 10:58:02.693319 -0600][Info ][AsyncSock ] 
>>> [cmsxrootd-site1.fnal.gov:1094.0] TLS hand-shake done.
>>>
>>> [229.3MB/229.3MB][100%][==================================================][57.33MB/s] 
>>>
>>>
>>> The same for cmsxrootd-site2 and cmsxrootd-site3.
>>>
>>>
>>> Could you please advise if we need to add some options in the 
>>> xrootd.cfg file?
>>>
>>>
>>> Thanks in advance for any help on this.
>>>
>>>
>>>
>>> Regards,
>>>
>>> Yujun
>>>
>>>
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> Use REPLY-ALL to reply to list
>>>
>>> To unsubscribe from the XROOTD-L list, click the following link:
>>> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1 
>>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__listserv.slac.stanford.edu_cgi-2Dbin_wa-3FSUBED1-3DXROOTD-2DL-26A-3D1&d=DwMDaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=bFk3iAgykb1xfdm5362Q9w&m=DLhjVs4SxHLfb08gO7VszUWSmlELeAUVa-SwHM_jRd-n7rNg_SQ7yKq2Dw_sAvW7&s=LmctUFiXUVeRyq3B4sQMVr92norArpBmFAvAP4e36-E&e=> 

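A small diagnostic for the failure discussed in this thread, added here as an example (it is not code from the thread or from XRootD): it parses the DNS names out of `openssl x509 -text` output, applies the same kind of SAN name check a TLS client performs, and compares the on-disk hostcert.pem against the certificate the daemon actually presents when the alias is sent as SNI, which is the gap Petr's Server Hello observation points at. It assumes the `openssl` command is available and that the xrootd port accepts a TLS-first connection (as `roots://` clients use); the sample certificate text is constructed from the output quoted in the thread.

```python
import re, subprocess, sys

SAN_HEADER = "X509v3 Subject Alternative Name:"

def san_dns_from_openssl_text(text):
    """Return the DNS: entries on the line after the SAN header of `openssl x509 -text` output."""
    lines = [ln.strip() for ln in text.splitlines()]
    for i, ln in enumerate(lines[:-1]):
        if ln == SAN_HEADER:
            return re.findall(r"DNS:([^,\s]+)", lines[i + 1])
    return []

def dns_name_matches(hostname, san_dns):
    """RFC 6125-style check as TLS clients apply it: exact match or single-label wildcard."""
    host = hostname.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in san_dns):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def x509_text(pem):
    """Render a PEM certificate (bytes) as `openssl x509 -text` output."""
    return subprocess.run(["openssl", "x509", "-text", "-noout"], input=pem,
                          capture_output=True, check=True).stdout.decode()

def served_pem(host, port, sni):
    """Certificate the daemon presents for SNI `sni`; assumes a TLS-first port (as roots://)."""
    return subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}", "-servername",
                           sni], input=b"", capture_output=True, timeout=15).stdout

def diagnose(alias, disk_text, served_text):
    """Compare on-disk and served SANs against the name the client validates."""
    disk = san_dns_from_openssl_text(disk_text)
    served = san_dns_from_openssl_text(served_text)
    return {"alias_in_disk_san": dns_name_matches(alias, disk),
            "alias_in_served_san": dns_name_matches(alias, served),
            "served_equals_disk": set(disk) == set(served)}

# Constructed sample modelled on the hostcert.pem output quoted in the thread.
SAMPLE_DISK_TEXT = """\
            X509v3 Subject Alternative Name:
                DNS:cmsxrootd-site1.fnal.gov, DNS:cmsxrootd-site.fnal.gov
"""

if __name__ == "__main__":  # usage: diag.py <redirector host> <alias>   (port 1094 assumed)
    disk_text = x509_text(open("/etc/grid-security/hostcert.pem", "rb").read())
    print(diagnose(sys.argv[2], disk_text, x509_text(served_pem(sys.argv[1], 1094, sys.argv[2]))))
```

Run it on each redirector in turn: `alias_in_disk_san` true but `alias_in_served_san` false means the running daemon is not serving the certificate on disk (for instance, it was never reloaded after the SAN was added).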