Hi together,

a quick "gdb" into:
  https://github.com/xrootd/xrootd/blob/0e460d7a11702c9935ed9fc1c67f22cb998b6fa4/src/XrdTls/XrdTlsNotaryUtils.icc#L122
reveals that "san_names_nb" is "1" when checking with a client against "cmsxrootd-site.fnal.gov". So for sure, something is strange there, since the certificate you dumped in your mail has two SANs,
but the certificate presented to the client only has one SAN entry (the actual hostname).

While I can only recommend using a top-level redirector since you get load-based load-balancing and automatic removal of broken nodes as compared to a simple DNS round robin, my feeling is that this is a bug (either software or config).

It might be interesting to share XRootD's startup logs, and to check again that xrd.tls in the config really references the certificate you intended XRootD to use (just to exclude the obvious).

Note that XrdSecGSITRUSTDNS is of course completely unrelated to host SANs.

Cheers,
Oliver

Am 20.02.23 um 18:28 schrieb Bockjoo Kim:
> You might have to set up a separate host for the top level site redirector
> 
> within one of the site redirectors or use a separate machine.
> 
> Again, I hope you don't have to do this.
> 
> Bockjoo
> 
> On 2/20/23 12:20, Yujun Wu wrote:
>> Hi Bockjoo,
>>
>> Thanks a lot for your info. Really hope this is NOT true, otherwise we need to tell local users to use individual host names.
>>
>>
>> Regards,
>> Yujun
>> *From:* [log in to unmask] <[log in to unmask]> on behalf of Bockjoo Kim <[log in to unmask]>
>> *Sent:* Monday, February 20, 2023 11:14 AM
>> *To:* Yujun Wu <[log in to unmask]>; xrootd-l <[log in to unmask]>
>> *Cc:* David A Mason <[log in to unmask]>; Chih-Hao Huang <[log in to unmask]>
>> *Subject:* Re: Help with hostname not in SAN extension TLS error
>>
>> Hi Yujun,
>>
>> My understanding is that the Subject Alternative Name(SAN) does not work with xrootd.
>>
>> SAN worked with the gridftp, though.
>>
>> I think xrootd knows only one hostname (either through $(/bin/hostname -f) or through /etc/sysconfig/xrootd).
>>
>> Only one hostname is valid in xrootd, I think.
>>
>> I hope this is not true.
>>
>> Bockjoo
>>
>> On 2/20/23 12:01, Yujun Wu wrote:
>>> Good morning XRootD experts,
>>>
>>> We have 3 site XRootD redirectors at FNAL and an alias for them:
>>>
>>> $ host cmsxrootd-site.fnal.gov
>>>
>>> cmsxrootd-site.fnal.gov has address 131.225.205.75
>>>
>>> cmsxrootd-site.fnal.gov has address 131.225.188.52
>>>
>>> cmsxrootd-site.fnal.gov has address 131.225.205.239
>>>
>>>
>>> [enstore@fndca2b ~]$ host 131.225.205.75
>>>
>>> 75.205.225.131.in-addr.arpa domain name pointer cmsxrootd-site1.fnal.gov.
>>>
>>> [enstore@fndca2b ~]$ host 131.225.205.239
>>>
>>> 239.205.225.131.in-addr.arpa domain name pointer cmsxrootd-site2.fnal.gov.
>>>
>>> [enstore@fndca2b ~]$ host 131.225.188.52
>>>
>>> 52.188.225.131.in-addr.arpa domain name pointer cmsxrootd-site3.fnal.gov.
>>>
>>>
>>> [root@cmsxrootd-site1 xrootd]# openssl x509 -text -noout -in /etc/grid-security/hostcert.pem
>>>
>>> .......
>>>
>>> X509v3 Subject Alternative Name:
>>>
>>> DNS:cmsxrootd-site1.fnal.gov, DNS:cmsxrootd-site.fnal.gov
>>>
>>> ....
>>>
>>> [root@cmsxrootd-site2 ~]# openssl x509 -text -noout -in /etc/grid-security/hostcert.pem
>>>
>>> ......
>>>
>>> X509v3 Subject Alternative Name:
>>>
>>> DNS:cmsxrootd-site2.fnal.gov, DNS:cmsxrootd-site.fnal.gov
>>>
>>>
>>> [root@cmsxrootd-site3 ~]# openssl x509 -text -noout -in /etc/grid-security/hostcert.pem
>>>
>>> .......
>>>
>>> X509v3 Subject Alternative Name:
>>>
>>> DNS:cmsxrootd-site3.fnal.gov, DNS:cmsxrootd-site.fnal.gov
>>>
>>> ....
>>>
>>> ------------------------------
>>> However, our tests using the alias always fail with "hostname not in SAN extension" like these:
>>>
>>> [enstore@fndca2b ~]$ xrdfs cmsxrootd-site.fnal.gov locate /store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root
>>>
>>> [FATAL] TLS error: Unable to validate cmsxrootd-site.fnal.gov; hostname not in SAN extension.
>>>
>>> [enstore@fndca2b ~]$ xrdfs cmsxrootd-site1.fnal.gov locate /store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root
>>>
>>> [2620:6a:0:8420::f8]:1093 Server Read
>>>
>>> [enstore@fndca2b ~]$ xrdfs cmsxrootd-site2.fnal.gov locate /store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root
>>>
>>> [2620:6a:0:8420::f9]:1093 Server Read
>>>
>>> [enstore@fndca2b ~]$xrdfs cmsxrootd-site3.fnal.gov locate /store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root
>>>
>>> [2620:6a:0:8421::243]:1093 Server Read
>>>
>>>
>>> -----
>>>
>>> [enstore@fndca2b ~]$ xrdcp -d 1 -f root://cmsxrootd-site.fnal.gov:1094///store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root /dev/null
>>>
>>> [2023-02-20 10:57:43.404883 -0600][Error][TlsMsg] Failed to do TLS connect: Unable to validate cmsxrootd-site.fnal.gov; hostname not in SAN extension.
>>>
>>> [2023-02-20 10:57:43.404999 -0600][Error][AsyncSock ] [cmsxrootd-site.fnal.gov:1094.0] Socket error while handshaking: [FATAL] TLS error
>>>
>>> [2023-02-20 10:57:43.405216 -0600][Error][PostMaster] [cmsxrootd-site.fnal.gov:1094] elapsed = 0, pConnectionWindow = 120 seconds.
>>>
>>> [2023-02-20 10:57:43.413492 -0600][Error][TlsMsg] Failed to do TLS connect: Unable to validate cmsxrootd-site.fnal.gov; hostname not in SAN extension.
>>>
>>> [2023-02-20 10:57:43.413567 -0600][Error][AsyncSock ] [cmsxrootd-site.fnal.gov:1094.0] Socket error while handshaking: [FATAL] TLS error
>>>
>>> [2023-02-20 10:57:43.413729 -0600][Error][PostMaster] [cmsxrootd-site.fnal.gov:1094] elapsed = 0, pConnectionWindow = 120 seconds.
>>>
>>> [2023-02-20 10:57:43.419627 -0600][Error][TlsMsg] Failed to do TLS connect: Unable to validate cmsxrootd-site.fnal.gov; hostname not in SAN extension.
>>>
>>> [2023-02-20 10:57:43.419691 -0600][Error][AsyncSock ] [cmsxrootd-site.fnal.gov:1094.0] Socket error while handshaking: [FATAL] TLS error
>>>
>>> [2023-02-20 10:57:43.419852 -0600][Error][PostMaster] [cmsxrootd-site.fnal.gov:1094] elapsed = 0, pConnectionWindow = 120 seconds.
>>>
>>> [2023-02-20 10:57:43.419933 -0600][Error][PostMaster] [cmsxrootd-site.fnal.gov:1094] Unable to recover: [FATAL] TLS error.
>>>
>>> [2023-02-20 10:57:43.420009 -0600][Error][XRootD] [cmsxrootd-site.fnal.gov:1094] Impossible to send message kXR_open (file: //store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root, mode: 00, flags: kXR_open_read kXR_async kXR_retstat ). Trying to recover.
>>>
>>> [0B/0B][100%][==================================================][0B/s]
>>>
>>> Run: [FATAL] TLS error: Unable to validate cmsxrootd-site.fnal.gov; hostname not in SAN extension. (source)
>>>
>>> [enstore@fndca2b ~]$ xrdcp -d 1 -f root://cmsxrootd-site1.fnal.gov:1094///store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root /dev/null
>>>
>>> [2023-02-20 10:58:02.693319 -0600][Info ][AsyncSock ] [cmsxrootd-site1.fnal.gov:1094.0] TLS hand-shake done.
>>>
>>> [229.3MB/229.3MB][100%][==================================================][57.33MB/s]
>>>
>>> The same for cmsxrootd-site2 and cmsxrootd-site3.
>>>
>>>
>>> Could you please advise if we need to add some options in the xrootd.cfg file?
>>>
>>>
>>> Thanks in advance for any help on this.
>>>
>>>
>>>
>>> Regards,
>>>
>>> Yujun
>>>
>>>
>>>
>>>
>>>
>>
>>
> 
> 

-- 
Oliver Freyermuth
Universität Bonn
Physikalisches Institut, Raum 1.047
Nußallee 12
53115 Bonn
--
Tel.: +49 228 73 2367
Fax:  +49 228 73 7869
--
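Oliver's observation above (two SANs in the dumped certificate, one in the certificate the client receives) can be checked mechanically. This is an added example, not XRootD's code and not from any of the thread's authors: the hostname matching is a simplified RFC 6125 check rather than a copy of XrdTlsNotaryUtils, and `fetch_presented_sans` assumes a port that speaks TLS from the first byte (an HTTPS port, not the xroot port, where TLS is negotiated inside the protocol handshake).

```python
import socket
import ssl


def hostname_matches_san(hostname, dns_sans):
    """True if hostname is covered by one of the DNS SAN entries (simplified
    RFC 6125: exact match, or one left-most wildcard label)."""
    host = hostname.rstrip(".").lower()
    for san in dns_sans:
        san = san.rstrip(".").lower()
        if san == host:
            return True
        # A wildcard matches exactly one label, so *.fnal.gov does not
        # cover a.b.fnal.gov.
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False


def missing_sans(on_disk_sans, presented_sans):
    """SAN entries in the on-disk certificate that the server did not present.
    A non-empty list means the daemon serves a different certificate than the
    one dumped with 'openssl x509 -text', i.e. a config or reload problem."""
    return sorted(set(on_disk_sans) - set(presented_sans))


def fetch_presented_sans(host, port, cafile=None):
    """DNS SANs of the certificate presented on a port that speaks TLS from
    the first byte (e.g. an HTTPS port). Hostname checking is disabled on
    purpose so the SAN list is obtained even when it does not cover `host`;
    chain validation against the CA bundle stays on."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed input taken from the thread: the certificate dumped on
# cmsxrootd-site1 carries two SANs, the one presented to the client only one.
ON_DISK = ["cmsxrootd-site1.fnal.gov", "cmsxrootd-site.fnal.gov"]
PRESENTED = ["cmsxrootd-site1.fnal.gov"]

if __name__ == "__main__":
    alias = "cmsxrootd-site.fnal.gov"
    print("alias covered on disk:", hostname_matches_san(alias, ON_DISK))
    print("alias covered as presented:", hostname_matches_san(alias, PRESENTED))
    print("SANs not presented:", missing_sans(ON_DISK, PRESENTED))
```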


########################################################################
Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1