Closed marianne013 closed 3 months ago
This would be the proxy used to connect to the FTS3 server. Printouts in FTS3Job.generateContext
would tell you more.
So that gets me:
https://fts00.grid.hep.ph.ic.ac.uk:8446
/opt/dirac/work/DataManagement/FTS3Agent/1718028385_daniela.bauer_lz_user_fts00.grid.hep.ph.ic.ac.uk_Thread-18 (worker).pem
43200
Looking at the name, it's an LZ proxy, and it's in my name, which is as expected, the lifetime is 43200 s. (I just printed the input to FTS3Job.generateContext).
I ran:
openssl x509 -in "/opt/dirac/work/DataManagement/FTS3Agent/1718028385_daniela.bauer_lz_user_fts00.grid.hep.ph.ic.ac.uk_Thread-18 (worker).pem" -noout -text
and got no complaint. Any idea what else I can check ?
@sfayer: FYI
The error would be on the server side, do you have access to the logs ? Is it a recent release of FTS? It could be that the proxy is too short, I think the minimum is now 2048
The proxy is 2048. I have access to the server logs, but I can't find any mention in there, unless I am looking in the wrong place. It is a very recent version of FTS, in fact it has been very recently been upgraded to Rocky9 :-S
Ah ! is there Sha1
anywhere in the chain ?
No, it's an honest to goodness UK CA based proxy which is not on the naughty list.
So Simon just found a SHA1 somewhere (at the very end of the chain). At what point (version) did diracos stop generating those ?
We were running diracos2.38 which had 'sha1' at /opt/dirac/diracos/lib/python3.1/site-packages/fts3/rest/client/delegator.py (~ line 237). Upgrading to diracos2.42 fixed the issue. Having said this 2.38 is from February, why was this still around in February this year ?!
Hi,
I'm trying to work out why the dirac-dms-replicate-and-register command seems to avoid using our FTS server. I am sure it used to work. Hrmpf. In the process of doing this I fished the following error out of DataManagement/FTS3Agent. Any idea how I can convince it to tell me which proxy it is talking about ? This is on the pre-prod server and the request (there should only be one) was submitted with the same proxy it managed to submit a bunch of jobs with, so as far as I cam concerned it should be happy.
Possibly one for @chaen to comment ?