Hi Guilherme, The client machine (xrootd 5.6.1) that I had the issue is a fully credible OSG CE. So, there should be no issue with the CA and X509_CERT_DIR. I have used this python script to reproduce the issue on the client machine: ############################################# import os import sys import errno import subprocess import zlib import random from XRootD import client from XRootD.client.flags import OpenFlags ENDPOINT='cmsio2.rc.ufl.edu:1094' SAM_TEST_FILE='/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root' print ("XRootD Client Versin",client.__version__) cmd = [ "xrdfs "+ENDPOINT+" query config version" ] try: result = subprocess.run(cmd, shell=True, capture_output=True, text=True) print("XRootD Server Version", result.stdout) except subprocess.TimeoutExpired: print("connecting to endpoint timed out") os.environ["X509_CERT_DIR"] = "/cvmfs/cms.cern.ch/grid/etc/grid-security/certificates" os.environ["X509_USER_PROXY"] = "/home/bockjoo/.cmsuser.proxy" os.environ["X509_USER_PROXY_NONCMS"] = "/home/bockjoo/.griduser.proxy" os.environ["XRD_NETWORKSTACK"] = "IPv4" with client.File() as f: status, response = f.open("root://" + ENDPOINT + "/" + \ SAM_TEST_FILE, flags=OpenFlags.READ, timeout=90) if ( not status.ok ): print (("\nopen(root://%s/%s, flags=OpenFlags.READ, time" + \ "out=90)\nXRootDStatus.code=%d \"%s\"\n") % \ (ENDPOINT, SAM_TEST_FILE, status.code, \ status.message.replace("\n", ""))) pass status, data = f.read(offset=0, size=65536, timeout=90) if ( not status.ok ): print(("\n%s\nread(offset=0, size=65536, timeout=90)\n" + \ "XRootDStatus.code=%d \"%s\"\n") % (SAM_TEST_FILE, \ status.code, status.message.replace("\n", ""))) pass print ("Open Status",status.ok) ############################################# You can choose the endpoint and the file of your choosing with the 5.5.5 server to test it. Thanks, Bockjoo On 8/28/23 09:33, Guilherme Amadio wrote: > Dear Bockjoo, > > On Sat, Aug 26, 2023 at 04:14:28PM -0400, Bockjoo Kim wrote: >> Hi, >> >> I am seeing a python XRootD file open issue for the 5.6.1 client with a >> 5.5.5 server : >> >> ============================================================= >> >> XRootD Client Versin 5.6.1 >> XRootD Server Version v5.5.5 >> >> open(root://cmsio2.rc.ufl.edu:1094//store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root, >> flags=OpenFlags.READ, timeout=90) >> XRootDStatus.code=110 "[FATAL] TLS error: resource temporarily >> unavailable: Unable to connect to cmsio2.rc.ufl.edu; error_ssl" >> >> --------------------------------------------------------------------------- >> ValueError Traceback (most recent call last) >> /tmp/ipykernel_4179061/812350213.py in <module> >> 40 status.message.replace("\n", ""))) >> 41 #pass >> ---> 42 status, data = f.read(offset=0, size=65536, timeout=90) >> 43 if ( not status.ok ): >> 44 print(("\n%s\nread(offset=0, size=65536, >> timeout=90)\n" + \ >> >> /opt/cms/services/anaconda3/lib/python3.9/site-packages/XRootD/client/file.py >> in read(self, offset, size, timeout, callback) >> 124 return XRootDStatus(self.__file.read(offset, size, >> timeout, callback)) >> 125 >> --> 126 status, response = self.__file.read(offset, size, timeout) >> 127 return XRootDStatus(status), response >> 128 >> >> ValueError: I/O operation on closed file >> >> =============================================================== >> >> Here, XRootD Server is configured with TLS. >> >> If I remove TLS configuration of the 5.5.5 server, there is no issue. >> >> If I switch to 5.5.5 client, there is no issue. >> >> Is this expected? > It may or may not be. When I wrote the patch, I tested several scenarios > (see https://github.com/xrootd/xrootd/pull/2031#issuecomment-1589380486). > The error message that you see is likely caused by a client that cannot > validate the server with TLS (because it does not have the proper CA > certificates installed locally). So I suggest you to try with xrdcp > --notlsok option, or export X509_CERT_DIR=/dev/null to force the client > into not being able to do TLS at all. If the directory /etc/grid-security > exists on your machine, but the client cannot verify the server, and TLS > is enforced, then this behavior is expected. Otherwise, please export > XRD_LOGLEVEL=Dump, re-run the command and send us the output so I can > investigate this issue further. You may also want to install the proper > certificates to let the client validate the server to be able to use > TLS. > > Best regards, > -Guilherme ######################################################################## Use REPLY-ALL to reply to list To unsubscribe from the XROOTD-L list, click the following link: https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1