dCache / dcache

dCache - a system for storing and retrieving huge amounts of data, distributed among a large number of heterogenous server nodes, under a single virtual filesystem tree with a variety of standard access methods
https://dcache.org

hostcert/key auto renew in dCache 7.2.3 #6353

Open qiulan2021 opened 2 years ago

qiulan2021 commented 2 years ago

We found out that the hostcert/key auto-renew mechanism in the dCache cluster does not work after we upgraded to dCache 7.2.3.

The issue was that the certs were properly renewed, but the service was not aware, so it needed to be restarted by hand.

Now we use the following check commands at lxplus.cern.ch:

gfal-ls -vvv davs://dcdoor11.usatlas.bnl.gov:2881//pnfs/usatlas.bnl.gov

gfal-ls -vvv gsiftp://dcdoor11.usatlas.bnl.gov//pnfs/usatlas.bnl.gov

paulmillar commented 2 years ago

Hi @qiulan2021,

Thanks for reporting this issue.

Could you confirm with which doors you observed this problem?

Cheers, Paul.

qiulan2021 commented 2 years ago

Hello Paul,

Doug first got this issue on dcdoor12.

Then we checked that the cert was renewed by puppet, but the dcache service was not aware.

It works by restarting the dcache service.

Best Regards, Qiulan

paulmillar commented 2 years ago

Hi Qiulan,

Do you happen to know which protocol Doug was using when he discovered the problem? Perhaps GridFTP, xroot, HTTP/WebDAV, ... ?

Cheers, Paul.

qiulan2021 commented 2 years ago

Hi Paul,

I checked the chat logs again; it was reported from the Atlas client side by Vincent. But no protocol was indicated.

The certificate has expired: Credential with subject: /DC=org/DC=incommon/C=US/ST=New York/L=Upton/O=Brookhaven National Laboratory/OU=SDCC/CN=dcdoor11.usatlas.bnl.gov has expired.
The certificate has expired: Credential with subject: /DC=org/DC=incommon/C=US/ST=New York/L=Upton/O=Brookhaven National Laboratory/OU=SDCC/CN=dcdoor12.usatlas.bnl.gov has expired.

Regards, Qiulan
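
A way to detect the condition discussed in this thread (certificate renewed on disk, running door still presenting the old one), as an added example that is not part of the issue or dCache's own code: it compares the SHA-256 of the certificate a TLS door serves with the first certificate in the host certificate file. The path `/etc/grid-security/hostcert.pem` and all function names are assumptions, and the PEM samples are constructed.

```python
import base64
import hashlib
import re
import ssl
import sys

# Assumption: conventional grid host certificate location; adjust to your setup.
HOSTCERT = "/etc/grid-security/hostcert.pem"
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def leaf_fingerprint(pem_text):
    """SHA-256 of the first certificate in a PEM text (the host cert in a chain)."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def door_is_stale(disk_pem, served_pem):
    """True when the running service presents a different cert than the disk file."""
    return leaf_fingerprint(disk_pem) != leaf_fingerprint(served_pem)


def check_door(host, port, hostcert_path=HOSTCERT):
    """Fetch the door's certificate without validating it, so that an already
    expired certificate can still be retrieved and compared."""
    served = ssl.get_server_certificate((host, port))
    with open(hostcert_path, encoding="ascii") as fh:
        return door_is_stale(fh.read(), served)


def _fake_pem(payload):
    # Constructed sample: arbitrary bytes in PEM armour, not a real certificate.
    body = base64.encodebytes(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


OLD_PEM = _fake_pem(b"constructed-old-hostcert" * 8)
NEW_PEM = _fake_pem(b"constructed-renewed-hostcert" * 8)

if __name__ == "__main__":
    # Run on the door host itself: <script> <door hostname> <TLS port>
    stale = check_door(sys.argv[1], int(sys.argv[2]))
    print("STALE: restart needed" if stale else "OK: served cert matches disk")
    sys.exit(1 if stale else 0)
```

The check assumes a door that starts TLS directly on connect, as the `davs://` endpoint in the report does; the non-zero exit code lets a renewal hook or monitoring job trigger on a stale door.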