dCache / dcache

dCache - a system for storing and retrieving huge amounts of data, distributed among a large number of heterogeneous server nodes, under a single virtual filesystem tree with a variety of standard access methods
https://dcache.org

Problems parsing certificate subject alternative name #5744

Open vokac opened 3 years ago

vokac commented 3 years ago

HTTP-TPC pull fails with a dCache 6.2.13 destination and one TRIUMF dCache source, dpool49.lcg.triumf.ca, that's behind the webdav.lcg.triumf.ca alias (the rest works fine, but they have slightly different certificates). The TPC client just receives the error message Transfer failed: Certificate for <webdav.lcg.triumf.ca> doesn't match any of the subject alternative names: [] although I can see the right DNS:webdav.lcg.triumf.ca SAN in the certificate

$ openssl s_client -connect dpool49.lcg.triumf.ca:2880 -showcerts > /tmp/dpool49.crt
$ openssl x509 -text -noout -in /tmp/dpool49.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 39362 (0x99c2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CA, O=Grid, CN=Grid Canada Certificate Authority
        Validity
            Not Before: Jul  7 15:16:05 2020 GMT
            Not After : Aug  6 15:16:05 2021 GMT
        Subject: C=CA, O=Grid, CN=dpool49.lcg.triumf.ca
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:ce:46:f3:aa:75:e5:b7:30:fc:e8:24:29:f7:42:
                    09:aa:b4:78:3f:3e:fd:d7:84:eb:cf:bf:03:e2:90:
                    21:bd:33:f2:32:b0:eb:c3:a4:f7:71:84:0c:0d:2e:
                    b3:f6:67:f7:f1:f1:26:08:1d:61:ec:d9:a0:aa:ff:
                    bf:97:47:28:51:b4:30:0c:f4:e0:9e:f2:74:3e:16:
                    cc:0b:92:ec:de:89:70:74:60:6d:fe:45:17:33:0c:
                    36:c1:5f:93:0f:15:56:c7:23:e6:d1:23:ce:22:12:
                    b6:2c:62:89:28:be:1e:8c:8c:38:34:d4:d3:18:65:
                    93:e7:47:fa:72:fe:17:00:a4:18:92:c1:3e:00:f3:
                    37:9a:8d:72:f6:1d:98:cf:24:68:77:6a:4f:d1:43:
                    12:97:74:63:da:7e:0f:6e:53:20:39:53:17:a2:98:
                    7d:83:2b:7f:f4:38:94:64:dd:47:eb:13:e2:5e:19:
                    fc:cb:fa:ba:0b:5f:bf:f0:c4:81:02:27:1a:1c:42:
                    0e:55:5c:f1:64:d0:ff:18:a6:93:d5:b0:f5:3e:eb:
                    ec:a7:31:5a:2a:0f:bb:c2:20:b5:2c:91:dd:1a:d5:
                    f8:e5:9b:60:3c:20:89:3d:f5:79:a2:ae:f2:67:0a:
                    49:96:d9:2a:f5:59:e4:bb:c4:0a:dc:cb:9e:17:46:
                    b3:bc:75:f9:16:60:21:4f:fb:23:81:c2:bf:d3:8a:
                    8b:37:d3:f9:a8:58:5d:cf:88:95:f0:74:f7:f4:91:
                    0d:49:74:52:0f:0f:81:b1:78:4a:83:a7:69:5d:d7:
                    e7:b7:4f:a6:00:42:32:f1:9b:65:43:9b:ed:b0:d8:
                    8e:08:b6:28:10:2b:7a:80:cd:85:f4:63:ea:eb:18:
                    a9:ed:a3:fd:05:a9:75:c0:4e:87:d0:50:af:10:d5:
                    47:d8:d3:4d:a3:45:e7:25:43:15:88:63:94:3a:12:
                    9f:6b:13:0d:f8:ea:a6:c7:65:18:31:51:40:24:de:
                    24:bc:8d:0e:32:8e:47:fe:7f:55:4a:c4:2b:4d:bb:
                    9c:63:5a:1d:c2:fd:d1:a7:77:1f:ce:8b:87:46:f1:
                    fc:1c:5a:5b:e1:d9:ff:de:a2:58:e5:9a:91:ce:19:
                    f7:16:c9:3b:94:ca:e3:ab:a5:bf:7b:30:7c:89:50:
                    5d:84:7d:84:92:72:6f:45:2c:f6:ed:a1:37:07:49:
                    fa:2d:f4:77:30:54:42:96:87:ae:9b:ad:91:38:a5:
                    48:b7:0c:5a:44:45:f8:d7:b1:c9:24:09:d9:7b:41:
                    b0:d5:4c:2e:7d:1b:4c:8f:5a:7e:37:d2:7c:ad:3f:
                    ed:88:d1:16:fb:9a:ff:12:db:2b:d7:71:69:3a:3d:
                    a7:a4:3d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication, E-mail Protection
            X509v3 Subject Key Identifier: 
                70:A9:1B:D8:63:80:05:1D:1C:D6:1A:70:AF:4F:F0:C4:CB:D1:16:E2
            X509v3 Authority Key Identifier: 
                keyid:E8:AC:12:F1:20:EE:C8:D7:8F:4C:6A:01:D1:A6:02:BF:CE:AE:99:18

            X509v3 Subject Alternative Name: 
                email:aywong@, DNS:dpool49.lcg.triumf.ca, DNS:webdav.lcg.triumf.ca, DNS:xrootd.lcg.triumf.ca
            X509v3 Issuer Alternative Name: 
                email:ca@gridcanada.ca
            Authority Information Access: 
                CA Issuers - URI:http://cert.gridcanada.ca/pki/pub/cacert/cacert.crt

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://www.gridcanada.ca/ca/bffbd7d0.r0

            X509v3 Certificate Policies: 
                Policy: 2.16.124.101.1.274.47.1.1
                Policy: 1.2.840.113612.5.2.2.1

    Signature Algorithm: sha256WithRSAEncryption
         32:01:e4:06:25:d4:3b:a0:1d:bb:d7:fb:0c:2d:68:30:46:70:
         d9:2f:4b:6b:a3:35:37:05:44:e8:43:f0:17:26:47:96:bb:c8:
         d2:77:26:94:6c:37:5d:77:c4:11:e8:a7:82:51:3b:b4:10:07:
         06:1d:1b:73:32:22:5b:58:db:95:51:15:e7:94:5a:c1:6d:67:
         e5:ad:d6:c8:ea:25:7c:a8:0d:75:2b:1d:4c:cd:42:0c:7f:7b:
         24:b6:a6:b4:60:7e:f0:05:40:e5:6a:f5:91:3d:21:05:9f:91:
         dd:85:18:1c:e7:77:15:2a:65:7a:da:a6:e4:f2:fd:c1:66:78:
         31:95:a2:6c:b7:d4:5c:14:55:a3:38:b3:70:b6:50:88:8d:04:
         35:bd:47:21:39:ac:7b:23:c7:f4:8b:ec:cf:ec:f4:81:80:d2:
         dc:27:84:b6:87:60:7c:f3:31:c0:74:61:cc:78:3a:61:03:89:
         77:19:6d:42:eb:54:9b:b0:3e:72:fe:ec:be:5c:27:3e:17:61:
         33:e2:25:1e:aa:a8:40:95:cf:d8:3b:f5:40:5d:8e:23:c8:03:
         ff:fe:7b:ca:68:a6:d7:2d:87:4f:6e:64:54:e7:1a:57:de:98:
         e2:1d:3d:bc:47:6d:1a:c7:36:3e:9e:01:f2:da:12:ec:b8:53:
         ec:95:6e:c9

This is the log file from dCache 6.2.13 destination

Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: 27 Feb 2021 03:57:28 (pool1) [door:WebDAV-dcache@doorsDomain:AAW8SIt/xPg RemoteTransferManager PoolAcceptFile 0000808CDD05E6374B1BB137A6BB3C88A1C9] Secure session established
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: 27 Feb 2021 03:57:28 (pool1) [door:WebDAV-dcache@doorsDomain:AAW8SIt/xPg RemoteTransferManager PoolAcceptFile 0000808CDD05E6374B1BB137A6BB3C88A1C9]  negotiated protocol: TLSv1.3
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: 27 Feb 2021 03:57:28 (pool1) [door:WebDAV-dcache@doorsDomain:AAW8SIt/xPg RemoteTransferManager PoolAcceptFile 0000808CDD05E6374B1BB137A6BB3C88A1C9]  negotiated cipher suite: TLS_AES_128_GCM_SHA256
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: 27 Feb 2021 03:57:28 (pool1) [door:WebDAV-dcache@doorsDomain:AAW8SIt/xPg RemoteTransferManager PoolAcceptFile 0000808CDD05E6374B1BB137A6BB3C88A1C9]  peer principal: CN=dpool49.lcg.triumf.ca, O=Grid, C=CA
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: 27 Feb 2021 03:57:28 (pool1) [door:WebDAV-dcache@doorsDomain:AAW8SIt/xPg RemoteTransferManager PoolAcceptFile 0000808CDD05E6374B1BB137A6BB3C88A1C9]  issuer principal: CN=Grid Canada Certificate Authority, O=Grid, C=CA
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: 27 Feb 2021 03:57:28 (pool1) [door:WebDAV-dcache@doorsDomain:AAW8SIt/xPg RemoteTransferManager PoolAcceptFile 0000808CDD05E6374B1BB137A6BB3C88A1C9]  issuer alternative names: [ca@gridcanada.ca]
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: 27 Feb 2021 03:57:28 (pool1) [door:WebDAV-dcache@doorsDomain:AAW8SIt/xPg RemoteTransferManager PoolAcceptFile 0000808CDD05E6374B1BB137A6BB3C88A1C9] Certificate for <webdav.lcg.triumf.ca> doesn't match common name of the certificate subject: dpool49.lcg.triumf.ca
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <webdav.lcg.triumf.ca> doesn't match common name of the certificate subject: dpool49.lcg.triumf.ca
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: at org.apache.http.conn.ssl.DefaultHostnameVerifier.matchCN(DefaultHostnameVerifier.java:186)
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:133)
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:99)
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:463)
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:397)
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: at org.dcache.pool.movers.RemoteHttpDataTransferProtocol.doGet(RemoteHttpDataTransferProtocol.java:381)
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: at org.dcache.pool.movers.RemoteHttpDataTransferProtocol.receiveFile(RemoteHttpDataTransferProtocol.java:314)
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: at org.dcache.pool.movers.RemoteHttpDataTransferProtocol.runIO(RemoteHttpDataTransferProtocol.java:284)
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: at org.dcache.pool.movers.RemoteHttpsDataTransferProtocol.runIO(RemoteHttpsDataTransferProtocol.java:59)
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: at org.dcache.pool.classic.AbstractMoverProtocolTransferService$MoverTask.runMoverForWrite(AbstractMoverProtocolTransferService.java:196)
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: at org.dcache.pool.classic.AbstractMoverProtocolTransferService$MoverTask.run(AbstractMoverProtocolTransferService.java:144)
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: at org.dcache.util.CDCExecutorServiceDecorator$WrappedRunnable.run(CDCExecutorServiceDecorator.java:149)
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: at java.base/java.lang.Thread.run(Thread.java:834)
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: 27 Feb 2021 03:57:28 (pool1) [door:WebDAV-dcache@doorsDomain:AAW8SIt/xPg RemoteTransferManager PoolAcceptFile 0000808CDD05E6374B1BB137A6BB3C88A1C9] http-outgoing-308: Shutdown connection
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: 27 Feb 2021 03:57:28 (pool1) [door:WebDAV-dcache@doorsDomain:AAW8SIt/xPg RemoteTransferManager PoolAcceptFile 0000808CDD05E6374B1BB137A6BB3C88A1C9] Connection discarded
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: 27 Feb 2021 03:57:28 (pool1) [door:WebDAV-dcache@doorsDomain:AAW8SIt/xPg RemoteTransferManager PoolAcceptFile 0000808CDD05E6374B1BB137A6BB3C88A1C9] Connection released: [id: 308][route: {s}->https://webdav.lcg.triumf.ca:2880][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: 27 Feb 2021 03:57:28 (pool1) [door:WebDAV-dcache@doorsDomain:AAW8SIt/xPg RemoteTransferManager PoolAcceptFile 0000808CDD05E6374B1BB137A6BB3C88A1C9] Connection manager is shutting down
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: 27 Feb 2021 03:57:28 (pool1) [door:WebDAV-dcache@doorsDomain:AAW8SIt/xPg RemoteTransferManager PoolAcceptFile 0000808CDD05E6374B1BB137A6BB3C88A1C9] Connection manager shut down
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: 27 Feb 2021 03:57:28 (pool1) [door:WebDAV-dcache@doorsDomain:AAW8SIt/xPg RemoteTransferManager PoolAcceptFile 0000808CDD05E6374B1BB137A6BB3C88A1C9] Adjusting allocation: allocated: 0, file size: 0
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: 27 Feb 2021 03:57:28 (pool1) [door:WebDAV-dcache@doorsDomain:AAW8SIt/xPg RemoteTransferManager PoolAcceptFile 0000808CDD05E6374B1BB137A6BB3C88A1C9] Transfer failed: Certificate for <webdav.lcg.triumf.ca> doesn't match any of the subject alternative names: []
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: 27 Feb 2021 03:57:28 (pool1) [door:WebDAV-dcache@doorsDomain:AAW8SIt/xPg RemoteTransferManager PoolAcceptFile 0000808CDD05E6374B1BB137A6BB3C88A1C9] Unable to generate checksum of sparse file: java.nio.channels.ClosedChannelException
Feb 27 03:57:28 dcache.farm.particle.cz dcache@poolsDomain[10366]: 27 Feb 2021 03:57:28 (pool1) [door:WebDAV-dcache@doorsDomain:AAW8SIt/xPg RemoteTransferManager PoolAcceptFile 0000808CDD05E6374B1BB137A6BB3C88A1C9] Computed checksum, length 0, checksum [1:00000001] in 0 ms

When I use a different TRIUMF dCache address, e.g. dpool42.lcg.triumf.ca, then there is one additional line in the log

Feb 27 04:18:08 dcache.farm.particle.cz dcache@poolsDomain[10366]: 27 Feb 2021 04:18:08 (pool1) [door:WebDAV-dcache@doorsDomain:AAW8SNVqLbA RemoteTransferManager PoolAcceptFile 0000CF7D5AA964FE466097E697841F29E9C6]  peer alternative names: [aywong@triumf.ca, dpool42.lcg.triumf.ca, webdav.lcg.triumf.ca, xrootd.lcg.triumf.ca]

It looks like dCache is not able to parse the certificate SAN from the certificate used by dpool49.lcg.triumf.ca:2880

paulmillar commented 3 years ago

Thanks for reporting this Petr,

I have a few questions:

  1. Have you managed to repeat the problem with Triumf selecting a different pool, or (to the best of your knowledge) is the problem limited to dpool49?
  2. Were you able to pull any data from Triumf? If so, can you figure out from which pool the transfer succeeded?
  3. You mentioned doing something different to get the extra line peer alternative names: [...]. Could you explain in a bit more detail what you did, to get that extra line?

Cheers, Paul.

vokac commented 3 years ago

Unfortunately somebody from TRIUMF read our meeting notes and already replaced the problematic certificate. I'll try to get this certificate for you...

vokac commented 3 years ago

Actually I still have the problematic certificate that was installed on dpool49.lcg.triumf.ca

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

and it looks like they have not yet replaced it

openssl s_client -connect dpool49.lcg.triumf.ca:2880 -showcerts

paulmillar commented 3 years ago

It looks like the problem comes from the badly formatted subjectAltName email. In the problematic certificate, the first SAN is the email address aywong@, which is missing the domain.

Host certificates for other nodes at TRIUMF (which are accepted) also have an email address as the first subjectAltName. However, those email addresses contain a domain, and so are well-formed.

vokac commented 3 years ago

I guess the library used by dCache tries to validate everything ... anyway, TRIUMF has already replaced the problematic certificate, and because failure with such a certificate is technically correct behavior (an invalid mail address in the certificate is a user / CA issue), we can close this ticket.

paulmillar commented 3 years ago

I'm not completely convinced: if one of the SANs is badly formatted, should that invalidate all the other SANs? (I would say, "no")

But, even if it does: the error message should make it clear where the problem lies.
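As an added example, not code from this issue, from dCache or from the HttpClient library, the following Python script shows the behaviour Paul argues for in his two comments above: it parses a subjectAltName GeneralNames value with a small DER reader, flags a malformed rfc822Name such as aywong@ (no domain after the @), and still matches the hostname against the DNS entries instead of collapsing the list to []. The DER input is constructed inline from the SAN list of the dpool49 certificate quoted earlier in the thread; the parser, the helper names and the single-label wildcard rule are this example's own assumptions.

```python
"""Parse a DER-encoded subjectAltName (GeneralNames) and match a hostname
against its DNS entries, reporting malformed rfc822Name entries instead of
discarding the whole SAN list. Example code, not part of dCache."""

# GeneralName context-specific tags (RFC 5280, section 4.2.1.6).
TAG_RFC822NAME = 0x81  # [1] IMPLICIT IA5String, e-mail address
TAG_DNSNAME = 0x82     # [2] IMPLICIT IA5String, DNS name
TAG_SEQUENCE = 0x30


def _der(tag, value):
    """Encode one DER TLV (short or long length form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def encode_general_names(entries):
    """Build a GeneralNames SEQUENCE from [(kind, text)] with kind 'email' or 'DNS'."""
    tags = {"email": TAG_RFC822NAME, "DNS": TAG_DNSNAME}
    body = b"".join(_der(tags[kind], text.encode("ascii")) for kind, text in entries)
    return _der(TAG_SEQUENCE, body)


def parse_general_names(der):
    """Return [(kind, value)] for every GeneralName; unknown types keep raw bytes."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("GeneralNames must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == TAG_RFC822NAME:
            names.append(("email", value.decode("ascii")))
        elif tag == TAG_DNSNAME:
            names.append(("DNS", value.decode("ascii")))
        else:
            names.append(("other", value))
    return names


def is_valid_rfc822name(addr):
    """RFC 5280 requires 'local-part@domain'; 'aywong@' has no domain and is malformed."""
    local, at, domain = addr.partition("@")
    return bool(local) and at == "@" and bool(domain) and not domain.startswith(".")


def _dns_match(host, pattern):
    """Exact match, or a single left-most wildcard label (assumed RFC 6125 style rule)."""
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".lcg.triumf.ca"
        prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
        return bool(prefix) and "." not in prefix
    return host == pattern


def verify_hostname(hostname, san_der):
    """Match hostname against the DNS SANs; malformed e-mail SANs are reported
    separately so that one bad entry cannot blank out the whole list."""
    names = parse_general_names(san_der)
    dns = [v for kind, v in names if kind == "DNS"]
    malformed = [v for kind, v in names if kind == "email" and not is_valid_rfc822name(v)]
    host = hostname.lower().rstrip(".")
    matched = any(_dns_match(host, d.lower().rstrip(".")) for d in dns)
    return {"matched": matched, "dns": dns, "malformed": malformed}


# Constructed sample: the SAN list of the dpool49 certificate quoted in this issue.
DPOOL49_SAN = encode_general_names([
    ("email", "aywong@"),
    ("DNS", "dpool49.lcg.triumf.ca"),
    ("DNS", "webdav.lcg.triumf.ca"),
    ("DNS", "xrootd.lcg.triumf.ca"),
])

if __name__ == "__main__":
    for host in ("webdav.lcg.triumf.ca", "dpool42.lcg.triumf.ca"):
        print(host, verify_hostname(host, DPOOL49_SAN))
```

Running the script reports a successful match for webdav.lcg.triumf.ca together with the malformed entry aywong@, and no match for dpool42.lcg.triumf.ca. The design point is that validation of the e-mail entry and hostname matching against the DNS entries are separate results, so a verifier built this way can reject or warn about the bad rfc822Name while still telling the operator exactly which entry is at fault.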