Open vokac opened 3 years ago
Thanks for reporting this Petr,
I have a few questions:
peer alternative names: [...]
Could you explain in a bit more detail what you did to get that extra line? Cheers, Paul.
Unfortunately somebody from TRIUMF read our meeting notes and already replaced the problematic certificate. I'll try to get this certificate for you...
Actually I still have the problematic certificate that was installed on dpool49.lcg.triumf.ca
and it looks like they have not yet replaced it
openssl s_client -connect dpool49.lcg.triumf.ca:2880 -showcerts
It looks like the problem comes from the badly formatted subjectAltName email. In the problematic certificate, the first SAN is the email address aywong@, which is missing the domain.
Host certificates for other nodes at TRIUMF (which are accepted) also have an email address as the first subjectAltName. However, those email addresses contain a domain, and so are well-formed.
I guess the library used by dCache tries to validate everything ... anyway, TRIUMF already replaced the problematic certificate, and because failure with such a certificate is technically correct behavior (an invalid mail address in a certificate is a user / CA issue), we can close this ticket.
I'm not completely convinced: if one of the SANs is badly formatted, should that invalidate all the other SANs? (I would say, "no")
But, even if it does: the error message should make it clear where the problem lies.
HTTP-TPC pull fails with a dCache 6.2.13 destination and one TRIUMF dCache source, dpool49.lcg.triumf.ca, that's behind the webdav.lcg.triumf.ca alias (the rest works fine, but they have slightly different certificates). The TPC client just receives the error message
Transfer failed: Certificate for <webdav.lcg.triumf.ca> doesn't match any of the subject alternative names: []
although I can see the correct DNS:webdav.lcg.triumf.ca SAN in the certificate. This is the log file from the dCache 6.2.13 destination
When I use a different TRIUMF dCache address, e.g. dpool42.lcg.triumf.ca, then there is one additional line in the log
It looks like dCache is not able to parse the certificate SAN from the certificate used by dpool49.lcg.triumf.ca:2880
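As an added illustration (my own code, not dCache's and not from anyone in this thread), here is a small Python model of the two behaviours discussed: a per-entry SAN check that names the malformed entry and still matches the remaining DNS names, next to a strict mode that throws the whole list away, which is how the empty `[]` in the error message looks from the outside. The SAN list is constructed to mirror the description above, not taken from the real certificate.

```python
import re
# Constructed SAN list modelled on the thread's description of the dpool49 certificate:
# a domain-less email entry first, then the DNS names (illustrative values, not the real cert).
PROBLEM_SANS = [
    ("email", "aywong@"),
    ("DNS", "dpool49.lcg.triumf.ca"),
    ("DNS", "webdav.lcg.triumf.ca"),
]

# Hostname syntax: <= 253 chars, labels of 1-63 alphanumerics/hyphens, no edge hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$", re.I
)

def check_san(kind, value):
    """Return None when the entry is well-formed, otherwise a reason string."""
    if kind == "DNS":
        label = value[2:] if value.startswith("*.") else value
        return None if HOSTNAME_RE.match(label) else "not a valid DNS name"
    if kind == "email":
        local, sep, domain = value.rpartition("@")
        if not sep or not local:
            return "missing local part or '@'"
        if not HOSTNAME_RE.match(domain):
            return "missing or invalid domain after '@'"
    return None  # other GeneralName types (IP, URI) are not checked in this model

def dns_matches(pattern, host):
    """Exact match, or a single leading '*' label covering exactly one host label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def match_host(sans, host, strict=False):
    """Return (matched, problems). problems names each malformed entry by position
    and reason so the error can point at it; strict=True discards the whole list on
    any malformed entry, reproducing the empty "[]" in the thread's error message."""
    problems, usable = [], []
    for i, (kind, value) in enumerate(sans):
        reason = check_san(kind, value)
        if reason:
            problems.append(f"SAN #{i} {kind}:{value!r}: {reason}")
        else:
            usable.append((kind, value))
    if strict and problems:
        return False, problems
    matched = any(k == "DNS" and dns_matches(v, host) for k, v in usable)
    return matched, problems
```

In strict mode the alias never matches even though DNS:webdav.lcg.triumf.ca is present; in lenient mode it matches and the malformed first entry is still reported by position and reason.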