Open calestyo opened 2 years ago
Hi Chris,
I guess you need to install the standard package of trusted CAs:
$ rpm -qf /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
ca-certificates-2021.2.52-1.0.fc35.noarch
$ openssl s_client -showcerts -connect stats.dcache.org:443 (git)-[master]
CONNECTED(00000003)
depth=3 C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
verify return:1
depth=2 C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
verify return:1
depth=1 C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
verify return:1
depth=0 C = DE, ST = Hamburg, L = Hamburg, O = Deutsches Elektronen-Synchrotron DESY, OU = dCache.org, CN = stats.dcache.org
verify return:1
---
Certificate chain
0 s:C = DE, ST = Hamburg, L = Hamburg, O = Deutsches Elektronen-Synchrotron DESY, OU = dCache.org, CN = stats.dcache.org
i:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
1 s:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
i:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
2 s:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
i:C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
3 s:C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
i:C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
---
Server certificate
subject=C = DE, ST = Hamburg, L = Hamburg, O = Deutsches Elektronen-Synchrotron DESY, OU = dCache.org, CN = stats.dcache.org
issuer=C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6457 bytes and written 403 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: D5034F942B08D7F9D36EDA16671E0DE145A3A0A7950352D2DE45A59D72C9D9E0
Session-ID-ctx:
Master-Key: 126624453ACC08263E4AF65BA2FBBD24ACA41CE7B8DD7E2AF72B34AE189567858E81F0E39AA7FCDB3458F8FF1A8EC41B
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
Start Time: 1646133646
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
Would it be possible to make the CA path/file configurable for telemetry?
And perhaps a better error message would be nice, too :-)
The path depends on JVM configuration and is not controlled by dCache.
Ah... okay... I had hoped it could be made configurable via one like the other ca-path options e.g. as for gplazma or so.
But if not... I guess we can either close this or leave it for a better error message.
It's not really clear from that error message which certs it uses... could be OpenSSL’s /etc/ssl/certs/ which is empty in my case? Is there a way to configure another location... for that service only?
Cheers, Chris.
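The thread's point that the trust path comes from the JVM rather than from OpenSSL's directories can be checked directly. The following is an added example, not dCache code and not written by any participant in the thread: it reports which trust store file the JVM loads by default and whether the root CA seen at depth=3 in the `s_client` output is among its trust anchors. The class name `ShowJvmTrust` is hypothetical; `javax.net.ssl.trustStore` is the standard JSSE system property, and how the service's JVM options are set is not shown on this page.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example (not dCache code): report which trust anchors this JVM uses by default.
public class ShowJvmTrust {
    // Returns the trust store file JSSE loads when the application supplies none.
    static String defaultTrustStorePath() {
        String configured = System.getProperty("javax.net.ssl.trustStore");
        if (configured != null) return configured + " (from -Djavax.net.ssl.trustStore)";
        String dir = System.getProperty("java.home") + File.separator + "lib"
                + File.separator + "security" + File.separator;
        // JSSE prefers jssecacerts over cacerts when both exist.
        return new File(dir + "jssecacerts").exists() ? dir + "jssecacerts" : dir + "cacerts";
    }

    // Counts default trust anchors whose subject DN contains the given text.
    static int countAnchorsMatching(String needle) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = use the JVM's default trust store
        int hits = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                String dn = ca.getSubjectX500Principal().getName();
                if (dn.contains(needle)) {
                    System.out.println("trusted: " + dn + " (expires " + ca.getNotAfter() + ")");
                    hits++;
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Root CN taken from depth=3 of the s_client output above; override via argv.
        String needle = args.length > 0 ? args[0] : "T-TeleSec GlobalRoot Class 2";
        System.out.println("JVM trust store: " + defaultTrustStorePath());
        if (countAnchorsMatching(needle) == 0) {
            System.out.println("No trust anchor matches \"" + needle
                    + "\": chains ending in that root will fail verification in this JVM.");
        }
    }
}
```

Run it with the same `java` binary and the same `-D` options as the service being diagnosed, since a different JVM installation can ship a different `cacerts` file.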