search

dCache / dcache

dCache - a system for storing and retrieving huge amounts of data, distributed among a large number of heterogenous server nodes, under a single virtual filesystem tree with a variety of standard access methods
https://dcache.org
281 stars 135 forks source link

HTTP-TPC push fails for destination that presents invalid unused certs #6662

Open vokac opened 2 years ago

vokac commented 2 years ago

Uploading data to the storage that during TLS handshake sends unused certificates fails if these superfluous certificate doesn't pass "globus policy validation", e.g.

$ export SRC=https://se1.farm.particle.cz/dpm/farm.particle.cz/home/atlas/1M
$ export TSRC=$(curl --silent --cert /tmp/x509up_u$(id -u) --key /tmp/x509up_u$(id -u) --cacert /tmp/x509up_u$(id -u) --capath /etc/grid-security/certificates -X POST -H 'Content-Type: application/macaroon-request' -d '{"caveats": ["activity:DOWNLOAD"], "validity": "PT30M"}' "$SRC" | jq -r '.macaroon')
$ curl -v --capath /etc/grid-security/certificates -L -X COPY -H 'Credentials: none' -H "Authorization: Bearer $TSRC" -H "Destination: https://atlas-amazon-cloud.cern.ch:443/bla/bla/bla" $SRC
...
> COPY /dpm/farm.particle.cz/home/atlas/1M HTTP/1.1
> User-Agent: curl/7.29.0
> Host: se1.farm.particle.cz
> Accept: */*
> Credentials: none
> Authorization: Bearer token_content
> Destination: https://atlas-amazon-cloud.cern.ch:443/bla/bla/bla
> 
< HTTP/1.1 202 Accepted
< Date: Thu, 19 May 2022 21:53:53 GMT
< Server: dCache/7.2.16
< Content-Type: text/perf-marker-stream
< Transfer-Encoding: chunked
< 
Perf Marker
    Timestamp: 1652997233
    State: 9
    State description: Requesting mover
    Stripe Index: 0
    Total Stripe Count: 1
End
failure: problem sending data: The peer's certificate with subject's DN CN=atlas-amazon-cloud.cern.ch,OU=computers,DC=cern,DC=ch was rejected. The peer's certificate status is: FAILED The following validation errors were found:;error at position 4 in chain, problematic certificate subject: CN=CERN Certification Authority,DC=cern,DC=ch (category: NAMESPACE): The certificate subject CN=CERN Certification Authority,DC=cern,DC=ch is not accepted by any rule of the the relevant namespace policies. Policies which matches the issuer are: /etc/grid-security/certificates/c2a48ab6.namespaces:1 /etc/grid-security/certificates/c2a48ab6.namespaces:3 ;error at position 4 in chain, problematic certificate subject: CN=CERN Certification Authority,DC=cern,DC=ch (category: NAMESPACE): The certificate subject CN=CERN Certification Authority,DC=cern,DC=ch is not accepted by any rule of the the relevant namespace policies. Policies which matches the issuer are: /etc/grid-security/certificates/c2a48ab6.signing_policy /etc/grid-security/certificates/c2a48ab6.signing_policy ;error at position 5 in chain, problematic certificate subject: CN=CERN Certification Authority,DC=cern,DC=ch (category: NAMESPACE): The certificate subject CN=CERN Certification Authority,DC=cern,DC=ch is not accepted by any rule of the the relevant namespace policies. Policies which matches the issuer are: /etc/grid-security/certificates/c2a48ab6.namespaces:1 /etc/grid-security/certificates/c2a48ab6.namespaces:3 ;error at position 5 in chain, problematic certificate subject: CN=CERN Certification Authority,DC=cern,DC=ch (category: NAMESPACE): The certificate subject CN=CERN Certification Authority,DC=cern,DC=ch is not accepted by any rule of the the relevant namespace policies. Policies which matches the issuer are: /etc/grid-security/certificates/c2a48ab6.signing_policy /etc/grid-security/certificates/c2a48ab6.signing_policy 
* Connection #0 to host se1.farm.particle.cz left intact

Why dCache 7.2.16 tries to validate certificate that is not really part of the chain? Currently atlas-amazon-cloud.cern.ch:443 present these certificates:

$ echo "" | openssl s_client -connect atlas-amazon-cloud.cern.ch:443 -showcerts 
CONNECTED(00000003)
depth=2 C = ch, O = CERN, CN = CERN Root Certification Authority 2
verify return:1
depth=1 DC = ch, DC = cern, CN = CERN Grid Certification Authority
verify return:1
depth=0 DC = ch, DC = cern, OU = computers, CN = atlas-amazon-cloud.cern.ch
verify return:1
---
Certificate chain
 0 s:DC = ch, DC = cern, OU = computers, CN = atlas-amazon-cloud.cern.ch
   i:DC = ch, DC = cern, CN = CERN Grid Certification Authority
-----BEGIN CERTIFICATE-----
MIIIFDCCBfygAwIBAgITbgBZQ9vyFhacHe+/8QAAAFlD2zANBgkqhkiG9w0BAQ0F
ADBWMRIwEAYKCZImiZPyLGQBGRYCY2gxFDASBgoJkiaJk/IsZAEZFgRjZXJuMSow
KAYDVQQDEyFDRVJOIEdyaWQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMjIw
MzA0MTAzODI0WhcNMjMwNDA4MTAzODI0WjBjMRIwEAYKCZImiZPyLGQBGRYCY2gx
FDASBgoJkiaJk/IsZAEZFgRjZXJuMRIwEAYDVQQLEwljb21wdXRlcnMxIzAhBgNV
BAMTGmF0bGFzLWFtYXpvbi1jbG91ZC5jZXJuLmNoMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAici9gGm9aNrHoxkFZP5MZTPuHc69X28qn7RiTJV5MOOw
hiaAaQY12wvxeiZd20JULy2ORu8hh49R6W/XzkJeOpgPFtMr1z47ElsamXl3pdkf
55hz+QERZQ2sRmVcj577fD1valw41W/A7AmsQFfkkafMUkzOdLvpbL3YrksMaSPg
9JvUg+GSaXacy84DVGnHtHB/mystJ61jF8IGVL7jQdK90bjBzWYo8Q1Ramgrpt/B
L3KOl0Gjh5MEyc7bWVZL6iAfMQBTpmrwLqNbEleOcsFZ9lk1yn6MSl7LEbY/ZO62
8HVHHHUa4/NoZoGttZYWgkIegQGquMt3p70b4sPv3wIDAQABo4IDzDCCA8gwJQYD
VR0RBB4wHIIaYXRsYXMtYW1hem9uLWNsb3VkLmNlcm4uY2gwHQYDVR0OBBYEFDgA
KcsfQ+0fsHBfYfKXSufp/IIwMB8GA1UdIwQYMBaAFKWg/WZY/bndeuGynZ+j0eVQ
GJTnMIIBOAYDVR0fBIIBLzCCASswggEnoIIBI6CCAR+GTmh0dHA6Ly9jYWZpbGVz
LmNlcm4uY2gvY2FmaWxlcy9jcmwvQ0VSTiUyMEdyaWQlMjBDZXJ0aWZpY2F0aW9u
JTIwQXV0aG9yaXR5LmNybIaBzGxkYXA6Ly8vQ049Q0VSTiUyMEdyaWQlMjBDZXJ0
aWZpY2F0aW9uJTIwQXV0aG9yaXR5LENOPUNFUk5QS0kwNSxDTj1DRFAsQ049UHVi
bGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlv
bixEQz1jZXJuLERDPWNoP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9v
YmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCCAWIGCCsGAQUFBwEBBIIB
VDCCAVAwYwYIKwYBBQUHMAKGV2h0dHA6Ly9jYWZpbGVzLmNlcm4uY2gvY2FmaWxl
cy9jZXJ0aWZpY2F0ZXMvQ0VSTiUyMEdyaWQlMjBDZXJ0aWZpY2F0aW9uJTIwQXV0
aG9yaXR5LmNydDCBwgYIKwYBBQUHMAKGgbVsZGFwOi8vL0NOPUNFUk4lMjBHcmlk
JTIwQ2VydGlmaWNhdGlvbiUyMEF1dGhvcml0eSxDTj1BSUEsQ049UHVibGljJTIw
S2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1j
ZXJuLERDPWNoP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZp
Y2F0aW9uQXV0aG9yaXR5MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jZXJuLmNo
L29jc3AwDgYDVR0PAQH/BAQDAgWgMDwGCSsGAQQBgjcVBwQvMC0GJSsGAQQBgjcV
CIO90AmC7Y0Nhu2LK4He9TeFgNBiHoaAW4XfpisCAWQCARowHQYDVR0lBBYwFAYI
KwYBBQUHAwIGCCsGAQUFBwMBMCcGCSsGAQQBgjcVCgQaMBgwCgYIKwYBBQUHAwIw
CgYIKwYBBQUHAwEwJwYDVR0gBCAwHjAOBgwrBgEEAWAKBAICAwEwDAYKKoZIhvdM
BQICATANBgkqhkiG9w0BAQ0FAAOCAgEAKSNa54R0Psk76F+V1b2C7YZseBguJh5h
w97hFzogfKv6ypZ4HiVktWBzFkE7KIR+0WmA4pVL5zrou6RdLKVYYPSKoJ8qp8CV
S4++jLcsFb7I9nATOh/hZwj7qKHQDsGCpTP/fprfUaXCxvrIAQCXMWcGwX3sJ6yu
Ny/KBFMS2uGjapN7AcXE9CrMXgK6WMwlva+/Ur5r/z/0ivkuMz7QUaBtgWS8VHUM
UKGJ359UmNhru2nfHsUk2aw8vnmNDGnVAVpx8hxZd1ICxnSsyN3Ifv1aHQmf2/Sy
wocN7G5PxvVcWRm0U7x0SMyK3O3yjGI4z09HJ6xweGlbINpwmQ26kRXR344NeKpm
CDwRDdWdDKNxAYtBVficnAiJTfXPieib9sCv6k0QAj6wAP9sfpzqhZhlJMmIQCZ7
qrlLqzOn6ari/KWFWiA2R0m2GiHIges6+yMWLzFw5w6NLW39vvYLkXn4yU2VlynN
u78+0KkDpGoEZdDJTAOZB1lIYie8mWPsSjhMvotUj9Hrhia5XfVQoH6HZHd/nr54
+u5nUGIqxRqiLxgZToM9gLCctgc2812AprA93rzruRsE0DzLqOH6bCmlNcA+PvKf
hKWnQU08WLDwls1fHolb9kweQ1g8es0gkmfoXJ/N59kXK2vTSZE73b+RClHyXBVZ
5TA4IzsW5+8=
-----END CERTIFICATE-----
 1 s:DC = ch, DC = cern, CN = CERN Root CA
   i:DC = ch, DC = cern, CN = CERN Root CA
-----BEGIN CERTIFICATE-----
MIIDtzCCAp+gAwIBAgIQfcDVmROMDYJLLmjiG5RxIjANBgkqhkiG9w0BAQUFADBB
MRIwEAYKCZImiZPyLGQBGRYCY2gxFDASBgoJkiaJk/IsZAEZFgRjZXJuMRUwEwYD
VQQDEwxDRVJOIFJvb3QgQ0EwHhcNMDYxMDAzMDg1NTE3WhcNMjYxMDAzMDkwMDQ5
WjBBMRIwEAYKCZImiZPyLGQBGRYCY2gxFDASBgoJkiaJk/IsZAEZFgRjZXJuMRUw
EwYDVQQDEwxDRVJOIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQCxCaL9HpImb40Rws2wuJvwIadoY5WK3QQH26VOVlJmfMTVwBzgy9h0EgBC
8HNdgzQS3VApCqkN+i6BqsvmHwcj8xngjEUrWFvY2ZOMr0MAF7oTX7o/1J3c9saf
r+ffY9j6eswJvVCbIBA/Ra8JBBHEg+yqAYvvQy/TnLrSCLrsb6DROpNt8D+KAQF2
f676VHS/Qz3ZUyDz9oKhTlTcibewitFQ3M9xdshQSdflfBDcDCQKlMTZC5f7iwez
0669voGNmhrWq4pwBm5Wkz7VHu9IWHrhMMfOegQ8OoHrB6UxZRiQ9CV2RYN7qK6/
m/ETii0HqazxYs5XmDhd63NXl13jAgMBAAGjgaowgacwCwYDVR0PBAQDAgGGMA8G
A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJgK9+w+7FnWHa2ZvLUBPt7spudQMBAG
CSsGAQQBgjcVAQQDAgEAMFYGA1UdIARPME0wSwYKKwYBBAFgCgMBATA9MDsGCCsG
AQUFBwIBFi9odHRwOi8vY2EuY2Vybi5jaC9jYS9jcmwvcG9saWN5L2NwLWNwcy1y
b290LnBkZjANBgkqhkiG9w0BAQUFAAOCAQEAUKLcrL3Dtq2f+fxicz+eec9mJ5Lb
Gxzz66Fpq2ZOrNxE7pgN60tM//FC5nxyat1JJRKdMyOjc4e75dtO7DLw6wvA1b4L
tBXJDbEICQncQkmmo3Qlkam4wb1nbht6zJOjL4petGzFb2bq6eY99JITq+t0PCJl
ymGZFIlYRJHO6/6VJVQ8kqdoylECDdkpogmTHnZI3/RmIULlnICbNOmTHbuZh2I2
u/5Yo0TIoo7n/gzEr8CUrbfo1Y0CHdIF13SVoCoD47uFkg9ZPvYqpb1N4Yjgtt5V
FyYG8L6TMDrABc4b3nScaokIS05SCm3zgOOu5GtSgjDAPnLR0Hw86f5E0g==
-----END CERTIFICATE-----
 2 s:C = ch, O = CERN, CN = CERN Root Certification Authority 2
   i:C = ch, O = CERN, CN = CERN Root Certification Authority 2
-----BEGIN CERTIFICATE-----
MIIGqTCCBJGgAwIBAgIQAojDcLlcbrhBX0qrEka4mzANBgkqhkiG9w0BAQ0FADBK
MQswCQYDVQQGEwJjaDENMAsGA1UEChMEQ0VSTjEsMCoGA1UEAxMjQ0VSTiBSb290
IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IDIwHhcNMTMwMzE5MTI1NTM2WhcNMzMw
MzE5MTMwNTM0WjBKMQswCQYDVQQGEwJjaDENMAsGA1UEChMEQ0VSTjEsMCoGA1UE
AxMjQ0VSTiBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IDIwggIiMA0GCSqG
SIb3DQEBAQUAA4ICDwAwggIKAoICAQDxqYPFW2qVVi3Rw1NKlEf7x70xF+6a8uE/
Tu4ZVQF/K2RXI95QLkYfKItZvy9Az3ib/VlUho5f8fBaqy4n70uwC7+qd3Aq1/xQ
ysykPCbBBAsOSQQpTlhrMD2V5Ya9zrirphOhutddiqV96zBCyMM+Gz5uYv9u+cm4
tg1EOmAMGh2UNxfTFNVmXKkk7eFTSC1+zgb28H6nd3xzV27sn9bfOfGh//ZPy5gm
Qx0Oh/tc6WMreWzRZBQm5SJiK0QOzPv09p5WmdY2WxZoqNTFBDACQO7ysFOktc74
fPVFX/lmt4jFNSZRIOvvaACI/qlEaAJTR4FHIY9uSMsV8DrtzhI1Ucyv3kqlQpbF
jDouq44IryA/np4s/124bW+x8+n/v+at/AxPjvHBLiGhB+J38Z6KcJogoDnGzIXR
S+YUr/vGz34jOmkRuDN5STuuAXzyCKFXaoAm0AwjTziIv3E0jxC1taw6FpKevnd1
CLsTLAEUiEjzStFkDhd/Hpipc57zmMFY8VYet2wVqSFjnt2REWOVbZlbCiMHmSeD
u5EuZLiU8xlkiaCfn4A5XZ6X0qprbgDviGJtwxzNvTg7Hn0ziW5/ELryfQXCwZJ+
FVne8Zu8sbgy/sDkX+pyFuyB4XgiM0eMNkoexIXJaRdlMWDIL5ysiIXQKjhynAv5
KLHbRjciVwIDAQABo4IBiTCCAYUwCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMB
Af8wHQYDVR0OBBYEFPp7+96bDaPyUrds7VsPC6KmpvgEMBAGCSsGAQQBgjcVAQQD
AgEAMIIBMgYDVR0gBIIBKTCCASUwggEhBgorBgEEAWAKBAEBMIIBETCBwgYIKwYB
BQUHAgIwgbUegbIAQwBFAFIATgAgAFIAbwBvAHQAIABDAGUAcgB0AGkAZgBpAGMA
YQB0AGkAbwBuACAAQQB1AHQAaABvAHIAaQB0AHkAIAAyACAAQwBlAHIAdABpAGYA
aQBjAGEAdABlACAAUABvAGwAaQBjAHkAIABhAG4AZAAgAEMAZQByAHQAaQBmAGkA
YwBhAHQAZQAgAFAAcgBhAGMAdABpAGMAZQAgAFMAdABhAHQAZQBtAGUAbgB0MEoG
CCsGAQUFBwIBFj5odHRwOi8vY2FmaWxlcy5jZXJuLmNoL2NhZmlsZXMvY3AtY3Bz
L2Nlcm4tcm9vdC1jYTItY3AtY3BzLnBkZjANBgkqhkiG9w0BAQ0FAAOCAgEAo0Px
l4CZ6C6bDH+b6jV5uUO0NIHtvLuVgQLMdKVHtQ2UaxeIrWwD+Kz1FyJCHTRXrCvE
OFOca9SEYK2XrbqZGvRKdDRsq+XYts6aCampXj5ahh6r4oQJ8U7aLVfziKTK13Gy
dYFoAUeUrlNklICt3v2wWBaa1tg2oSlU2g4iCg9kYpRnIW3VKSrVsdVk2lUa4EXs
nTEJ30OS7rqX3SdqZp8G+awtBEReh2XPhRgJ6w3xiScP/UdWYUam2LflCGX3RibB
/DZhgGHRRoE4/D0kQMP2XTz6cClbNklECTlp0qZIbiaf350HbcDEFzYRSSIi0emv
kRGcMgsi8yTTU87q8Cr4hETxAF3ZbSVNC0ZaTZ8RBbM9BXguhYzKkVBgG/cMpUjs
B6tY2HMZbAZ3TKQRb/bRyUigM9DniKWeXkeL/0Nsno+XbcpAqLjtVIRwCg6jTLUi
1NRsl3BP6C824dVaoI8Ry7m+o6O+mtocw4BMhHfTcoWCO8CWjT0ME67JzaAYa5eM
+OqoWtgbgweBlfO0/3GMnVGMAmI4FlhH2oWKWQgWdgr0Wgh9K05VcxSpJ87/zjhb
MQn/bEojWmp6eUppPaqNFcELvud41qoe6hLsOYQVUQ1sHi7n6ouhg4BAbwS2iyD2
uiA6FHTCeLreFGUzs5osPKiz3GE5D6V9she9xIQ=
-----END CERTIFICATE-----
 3 s:DC = ch, DC = cern, CN = CERN Grid Certification Authority
   i:C = ch, O = CERN, CN = CERN Root Certification Authority 2
-----BEGIN CERTIFICATE-----
MIIJdjCCB16gAwIBAgIKYZhqPwAAAAAAAzANBgkqhkiG9w0BAQ0FADBKMQswCQYD
VQQGEwJjaDENMAsGA1UEChMEQ0VSTjEsMCoGA1UEAxMjQ0VSTiBSb290IENlcnRp
ZmljYXRpb24gQXV0aG9yaXR5IDIwHhcNMTMwNDIyMTExMDE2WhcNMjMwNDIyMTEy
MDE2WjBWMRIwEAYKCZImiZPyLGQBGRYCY2gxFDASBgoJkiaJk/IsZAEZFgRjZXJu
MSowKAYDVQQDEyFDRVJOIEdyaWQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggIi
MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDS9Ypy1csm0aZA4/QnWe2oaiQI
LqfeekV8kSSvOhW2peo5cLNIKbXATOo1l2iwIbCWV8SRU2TLKxHIL8fAOJud5n9K
mEKBew7nzubl1wG93B4dY0KREdb3/QB/7OkG8ZZvLqrvQZVGT1CgJ+NFFUiJ315D
FWkKctZv27LjQamzCxpX+gZSsmwZmSReY67cnm6P7z+/3xVNhwb+4Z+1Ww4vHhMc
dh1Dsrkv9vXU01UN752QtQ6l56uQLYEB2+vaHB6IpyC9zAQ/33GulCq8Gbj7ykPd
9AcRVBeJAErSK+oMHThtdLD7mhTkZivakaNe4O1EhPFH0rWwV45IFN7ipELA5qDx
djdzo6JtLJQMaSV/TV+amEf2CaKlD0giqGhjfSNiOX5HCmpqV14kbl+7Qho6ykZy
b1DGpf70yILnX+AUtdpd8lulTu1yg1Bg5cFQskUIk5+s4nsC1VpmeNxYaeFEcYZj
Ph2mdD7zLo889MtF7kZv7+6J6p4NBL3fQ9Os8/h8XVlfDatzbpVH4jYKKAd4nwJb
knJaKPE0LzLzVfJBwnDxqe8hb64gI8Frludp+jaOYzvMqlzAe9z4a9971iXIWaaG
unbAoEkXj69y7MsvCjWXB7o9HdBaS9FL+ZtXTKCyXl+XLFseYQoQburKr+eTcRed
KLJNj4tRF1799PO69wIDAQABo4IEUDCCBEwwEAYJKwYBBAGCNxUBBAMCAQAwHQYD
VR0OBBYEFKWg/WZY/bndeuGynZ+j0eVQGJTnMIIBLQYDVR0gBIIBJDCCASAwggEc
BgorBgEEAWAKBAEBMIIBDDCBvgYIKwYBBQUHAgIwgbEega4AQwBFAFIATgAgAEcA
cgBpAGQAIABDAGUAcgB0AGkAZgBpAGMAYQB0AGkAbwBuACAAQQB1AHQAaABvAHIA
aQB0AHkAIABDAGUAcgB0AGkAZgBpAGMAYQB0AGUAIABQAG8AbABpAGMAeQAgAGEA
bgBkACAAQwBlAHIAdABpAGYAaQBjAGEAdABlACAAUAByAGEAYwB0AGkAYwBlACAA
UwB0AGEAdABlAG0AZQBuAHQwSQYIKwYBBQUHAgEWPWh0dHA6Ly9jYWZpbGVzLmNl
cm4uY2gvY2FmaWxlcy9jcC1jcHMvY2Vybi1ncmlkLWNhLWNwLWNwcy5wZGYwGQYJ
KwYBBAGCNxQCBAweCgBTAHUAYgBDAEEwCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQF
MAMBAf8wHwYDVR0jBBgwFoAU+nv73psNo/JSt2ztWw8Loqam+AQwggFEBgNVHR8E
ggE7MIIBNzCCATOgggEvoIIBK4ZSaHR0cDovL2NhZmlsZXMuY2Vybi5jaC9jYWZp
bGVzL2NybC9DRVJOJTIwUm9vdCUyMENlcnRpZmljYXRpb24lMjBBdXRob3JpdHkl
MjAyLmNybIaB1GxkYXA6Ly8vQ049Q0VSTiUyMFJvb3QlMjBDZXJ0aWZpY2F0aW9u
JTIwQXV0aG9yaXR5JTIwMixDTj1DRVJOUEtJUk9PVDAyLENOPUNEUCxDTj1QdWJs
aWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9u
LERDPWNlcm4sREM9Y2g/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29i
amVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50MIIBRAYIKwYBBQUHAQEEggE2
MIIBMjBnBggrBgEFBQcwAoZbaHR0cDovL2NhZmlsZXMuY2Vybi5jaC9jYWZpbGVz
L2NlcnRpZmljYXRlcy9DRVJOJTIwUm9vdCUyMENlcnRpZmljYXRpb24lMjBBdXRo
b3JpdHklMjAyLmNydDCBxgYIKwYBBQUHMAKGgblsZGFwOi8vL0NOPUNFUk4lMjBS
b290JTIwQ2VydGlmaWNhdGlvbiUyMEF1dGhvcml0eSUyMDIsQ049QUlBLENOPVB1
YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRp
b24sREM9Y2VybixEQz1jaD9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9
Y2VydGlmaWNhdGlvbkF1dGhvcml0eTANBgkqhkiG9w0BAQ0FAAOCAgEAQjzXhTV8
d+6HaLqSnp7k9whxK6E75BZQJNR2Q/rslhhwijs6nekBjb+JPgmM6M0a7ra+D1Oi
4wKaWiCvU9yleZZSqfEkRl7WK9trRYXHqkqVSnmwNJNsediqioBBDHn/ZMnyc25Z
OLbM+99Z+awvoMbyPy0moUrR7ZqKi3C02N2mkiidO0m3bYnXKwxDUvka5n06oLnI
YSZfwFNJ7IEvSSF4mEzdDeQI+A+87+deb5XOTXee8i1ZUyI08Cg6tuZ8W6NdvY7t
+5iNxRmZJ6DBVwrvXutz0JSqklBCw267osEpX0AKGSL9fE2yGlWBX8WfDLB43lVE
z/HP7kQwYEmsfnfT2yTLzkMJrHSeR0Zymm/oB3amZziKex4kGk+/v7yV1pSYKJce
9QDZE+LYio/ndz01sejMPS87prYJqnII5hDYUjg9F1CoaejhjOlpmCU/10wyEVN0
nhSP9Wc5z0+lhzU5C1A9r1gXQMuqCA2e7Cv5wv+r9dS+12Uly52jwmYf8mm6H0ZY
LZQbvMayHebD4WCnB7HNdp2Va4z5JrLvwG3J1EXfTjWiPhqOweevOg0rc6t2yhkM
iB9RXMlFoFzbsuE/4Z4Hd0GQcDijcnWJ/VbT15OD2C16yyBiLvu88nXX1gKuOzxL
vu4cw9FOuQZo147y9KPelpUT/SO+nrePzVs=
-----END CERTIFICATE-----
 4 s:DC = ch, DC = cern, CN = CERN Certification Authority
   i:C = ch, O = CERN, CN = CERN Root Certification Authority 2
-----BEGIN CERTIFICATE-----
MIIJYTCCB0mgAwIBAgIKYQatpwAAAAAABDANBgkqhkiG9w0BAQ0FADBKMQswCQYD
VQQGEwJjaDENMAsGA1UEChMEQ0VSTjEsMCoGA1UEAxMjQ0VSTiBSb290IENlcnRp
ZmljYXRpb24gQXV0aG9yaXR5IDIwHhcNMTMwNzI5MDkwOTM4WhcNMjMwNzI5MDkx
OTM4WjBRMRIwEAYKCZImiZPyLGQBGRYCY2gxFDASBgoJkiaJk/IsZAEZFgRjZXJu
MSUwIwYDVQQDExxDRVJOIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjANBgkq
hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApSfSKYGp8T2wKAJEaOQli+5wqhcE5gqP
gI/fmnSyISQVDadoSIUt5CgNEHTT59gRzVesuX1qsdvaCRKc63pqsSpk42JIDgoL
hm2LLrrYiOYxzCI4VsCoDfd2pzjnqVzbXbtvkTfMyoWVc8TiW3x8O+FquZnhAxXR
5VJPQqCVaf7MfV1j/VlJI4cVFHLQD5oC/EjrSRbvpZ7vqO4o/dm/FMywnvKzlMo8
sgGGZe8ruNvQR3iCim4A5GfWt3+9Yhr0sc+reCWi5KtqYDbQwR+tPfWP0ov6LRKd
+MEHEE6bJus1VzElh146gn2mbNgkGjFjzm8ulrNA61QQKJN0EjjU5Uxtcyc85U53
UAc/ATMTrOC0hQu6nPAHxI4DhWkAsZzkMPaSobvDIGj/iNkZo+ejNAQc38ocJ49r
CT9I7OL2kynhG0c5af4rwmcUa8H5vHdOsrZ+lYvB3lIj54GBXEUSdLLE3tDyvEde
bkAF8UQYXltFwUiEIFDMT5MEnbFl63+f7IEB6+L6QT6VS0qmOTDPSXdMoZjFlGgV
lkhCxI1+tl2kX6BJvg+XP4vg4xbGVsd2AbqFVnIhiz3VmNUJX0v3VNbFxFdJoO+b
MizHcmRb/Rws5M8B1ATqE1J//7SlhAe4dt3ujoQIx+pkYz2o2useKNIlIOkGvVBB
s+jSBwmhJ98CAwEAAaOCBEAwggQ8MBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQW
BBQdkBnqyM7MPI0UsUzZ7BTiYUADYTCCAR0GA1UdIASCARQwggEQMIIBDAYKKwYB
BAFgCgUBATCB/TCBtAYIKwYBBQUHAgIwgacegaQAQwBFAFIATgAgAEMAZQByAHQA
aQBmAGkAYwBhAHQAaQBvAG4AIABBAHUAdABoAG8AcgBpAHQAeQAgAEMAZQByAHQA
aQBmAGkAYwBhAHQAZQAgAFAAbwBsAGkAYwB5ACAAYQBuAGQAIABDAGUAcgB0AGkA
ZgBpAGMAYQB0AGUAIABQAHIAYQBjAHQAaQBjAGUAIABTAHQAYQB0AGUAbQBlAG4A
dDBEBggrBgEFBQcCARY4aHR0cDovL2NhZmlsZXMuY2Vybi5jaC9jYWZpbGVzL2Nw
LWNwcy9jZXJuLWNhLWNwLWNwcy5wZGYwGQYJKwYBBAGCNxQCBAweCgBTAHUAYgBD
AEEwCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU+nv7
3psNo/JSt2ztWw8Loqam+AQwggFEBgNVHR8EggE7MIIBNzCCATOgggEvoIIBK4ZS
aHR0cDovL2NhZmlsZXMuY2Vybi5jaC9jYWZpbGVzL2NybC9DRVJOJTIwUm9vdCUy
MENlcnRpZmljYXRpb24lMjBBdXRob3JpdHklMjAyLmNybIaB1GxkYXA6Ly8vQ049
Q0VSTiUyMFJvb3QlMjBDZXJ0aWZpY2F0aW9uJTIwQXV0aG9yaXR5JTIwMixDTj1D
RVJOUEtJUk9PVDAyLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxD
Tj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWNlcm4sREM9Y2g/Y2VydGlm
aWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1
dGlvblBvaW50MIIBRAYIKwYBBQUHAQEEggE2MIIBMjBnBggrBgEFBQcwAoZbaHR0
cDovL2NhZmlsZXMuY2Vybi5jaC9jYWZpbGVzL2NlcnRpZmljYXRlcy9DRVJOJTIw
Um9vdCUyMENlcnRpZmljYXRpb24lMjBBdXRob3JpdHklMjAyLmNydDCBxgYIKwYB
BQUHMAKGgblsZGFwOi8vL0NOPUNFUk4lMjBSb290JTIwQ2VydGlmaWNhdGlvbiUy
MEF1dGhvcml0eSUyMDIsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2Vz
LENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9Y2VybixEQz1jaD9jQUNl
cnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0
eTANBgkqhkiG9w0BAQ0FAAOCAgEAa1zEmhE2asDzsrsr7vUFSwsltGvL7nCOKk39
HUeeCOEg5JBSymACvcuOJJGGw90nqr6oMztPCxZLsvhy/P/OwVfbsLFY0RmVgltO
1IvMoDumx6lwKz4+8RdNGq3QpqCPhHIBwB8TzU4y4FtdcEapXKonoUOOru1Gitgc
L6/QKiFfbbfP9FroI4MB5pP2v9f34QjuzTcdQ8kys0O4r19ChpvZ3vGbhsYE5u9v
Ob4rVuwEwcecXDebzyuzxlHZ+ab3OIcPK0kvYnDBLY0X+eqN6yb8ynSj+Zt7JfGJ
dxq465kLPDNgTy9nMCeb3RdCsUtYKZxlRjeZgOp/+Sw3SrOv0onSdMBnxI/eovPY
ROC2FS0SQ7jOFYeKGNhAe5VyVD5efECF5tT7VzdmxOHSXP9ZAqqKlZsPma4T+5Mk
TZuyqNxv3c4lVf4AEzwSntKafv9HaHzBxfI5l2tmOxOqx1ahXGhe+oQ2HNDrnZHI
DTjpOZIWfYZ0w9l1S7tb/5HzXDHxM3rZVBmM1SWD22USjlP/9QAgsYquuGA2t1Dt
iVdH51XIkHAIokn0wC/hz7gbWXCpibsNwkj5TvBbzksyhuS0EsbVt14e4yfMvwdT
BRdFEPKMIceXDLJyjMZ25T0ZhEVHyjFhm8OyaiFSu7eaaJC7jp0IGIoDpB8ZjU03
I+DT4q0=
-----END CERTIFICATE-----
 5 s:DC = ch, DC = cern, CN = CERN Certification Authority
   i:C = ch, O = CERN, CN = CERN Root Certification Authority 2
-----BEGIN CERTIFICATE-----
MIIJiDCCB3CgAwIBAgIKYQRg2QAAAAAACDANBgkqhkiG9w0BAQ0FADBKMQswCQYD
VQQGEwJjaDENMAsGA1UEChMEQ0VSTjEsMCoGA1UEAxMjQ0VSTiBSb290IENlcnRp
ZmljYXRpb24gQXV0aG9yaXR5IDIwHhcNMTcxMDA5MDgxNjE0WhcNMjcxMDA5MDgy
NjE0WjBRMRIwEAYKCZImiZPyLGQBGRYCY2gxFDASBgoJkiaJk/IsZAEZFgRjZXJu
MSUwIwYDVQQDExxDRVJOIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjANBgkq
hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAkUr6oM4NMsAJdEFlC0xG9hHM1qN/9ph6
tSPVQLEuuhCkPKWNW8+sY6AcywQ1tP5XUlPop7YCbOa4Em9HKv9kTg9sSluiFY23
qo0JiuJJYEGMF/a95A12UKocUBjhu7n0QFb5uo2AV7Z1r+CuY1+F/3s6uKEnT6FM
ACrsqxsOx1WSAuUp1ICvr40hfkO7n1uy9cgUX92dRN0n8xadvGHVXhYQzSts4w9V
dX5Hi7pTGqTiA0/A20tKhxdO/mFY7AUZNPyKGEmAtpzh6/f9go2rlnhXjOXmYhAB
+zNlTM2WDehKs9ElSfonfHBm4q+RWX8NPZVNK6RkfJ3ryEamhmYtSleAqydMsa5M
5XOId3JjcdG8e6wjnKhqcIs1AG6N5Ypz6k7D2jxISQjDL5RMM2YOx0ORai0yFnQw
eeip9S30OhLpC3VEFdei9vSyO5KBiefdk+HHukBELlm7n/qBxgJ9A562q5mrAcDM
WR/1o+Df9BDs+uePMACWy21DShCh/RknbCwGcGvkhP9VBvO1QL7ruYltrua5oj8s
jT3axk6Kde/JH+AhgZJm4vbTSY26quA24YyzGbNa38ECMIjhQByDJJYzEUvb99mv
l6dUaauoMp3O4DLYEUafXMo8Jbzn3aiblZDJ8qjNR3nU6wu5KFDrAE4xnE0HNfkd
fZMoB1OyrfUCAwEAAaOCBGcwggRjMBIGCSsGAQQBgjcVAQQFAgMBAAEwIwYJKwYB
BAGCNxUCBBYEFB0EpjgM3gv9L1njBSz3ngfKHBayMB0GA1UdDgQWBBTZ3KNgK5Nq
YLZmUgABTBbdBxHowDCCAR0GA1UdIASCARQwggEQMIIBDAYKKwYBBAFgCgUBATCB
/TCBtAYIKwYBBQUHAgIwgacegaQAQwBFAFIATgAgAEMAZQByAHQAaQBmAGkAYwBh
AHQAaQBvAG4AIABBAHUAdABoAG8AcgBpAHQAeQAgAEMAZQByAHQAaQBmAGkAYwBh
AHQAZQAgAFAAbwBsAGkAYwB5ACAAYQBuAGQAIABDAGUAcgB0AGkAZgBpAGMAYQB0
AGUAIABQAHIAYQBjAHQAaQBjAGUAIABTAHQAYQB0AGUAbQBlAG4AdDBEBggrBgEF
BQcCARY4aHR0cDovL2NhZmlsZXMuY2Vybi5jaC9jYWZpbGVzL2NwLWNwcy9jZXJu
LWNhLWNwLWNwcy5wZGYwGQYJKwYBBAGCNxQCBAweCgBTAHUAYgBDAEEwCwYDVR0P
BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU+nv73psNo/JSt2zt
Ww8Loqam+AQwggFEBgNVHR8EggE7MIIBNzCCATOgggEvoIIBK4ZSaHR0cDovL2Nh
ZmlsZXMuY2Vybi5jaC9jYWZpbGVzL2NybC9DRVJOJTIwUm9vdCUyMENlcnRpZmlj
YXRpb24lMjBBdXRob3JpdHklMjAyLmNybIaB1GxkYXA6Ly8vQ049Q0VSTiUyMFJv
b3QlMjBDZXJ0aWZpY2F0aW9uJTIwQXV0aG9yaXR5JTIwMixDTj1DRVJOUEtJUk9P
VDAyLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNl
cyxDTj1Db25maWd1cmF0aW9uLERDPWNlcm4sREM9Y2g/Y2VydGlmaWNhdGVSZXZv
Y2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50
MIIBRAYIKwYBBQUHAQEEggE2MIIBMjBnBggrBgEFBQcwAoZbaHR0cDovL2NhZmls
ZXMuY2Vybi5jaC9jYWZpbGVzL2NlcnRpZmljYXRlcy9DRVJOJTIwUm9vdCUyMENl
cnRpZmljYXRpb24lMjBBdXRob3JpdHklMjAyLmNydDCBxgYIKwYBBQUHMAKGgbls
ZGFwOi8vL0NOPUNFUk4lMjBSb290JTIwQ2VydGlmaWNhdGlvbiUyMEF1dGhvcml0
eSUyMDIsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZp
Y2VzLENOPUNvbmZpZ3VyYXRpb24sREM9Y2VybixEQz1jaD9jQUNlcnRpZmljYXRl
P2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTANBgkqhkiG
9w0BAQ0FAAOCAgEA2hPcSgMrfuQHJEm+2VfRvmjeCB4BmyYkQUVfceBH6GntX0KO
owTuiQuaAD6NCZqIX0GH+WDisPi8WNNyaoi5AqeY50zh2ic536yzk9eP6AvmXv1i
EnHLyIQafVEZZpa3nDOdYM8d4QDWT1bK0kpzXy5D+a3e54N+OitQY9IwV+t75i5H
vY6SfuiWYDGR/gWc9U4AucN8aoYYIY/Wx8QLv1V8bK0vL8rdHKiL1xierNZTfbEi
X7ZV3PJ0XXSCd+BcUS53zV4+oW02kAMTWN/xCpVtU6F+sDkVXOH8RsGx65W2LfvU
dYeTzNIAhmekjMaQG2QdReGrs2tNw7aTh+urQTku1bAZrT+NFO8Fuvz73jCGhXgV
K8m/wmD8tv3579EPR5LDFr5lLp4vkwoB9SJnfv4qNvEaONSbi70DFpRaxEWFEVQA
8unwRK2BeCmcLldjK3EALF3pmTHIofjC0V5sMRkcQiBR48PIgw75YrI3KVh/a2n8
jb6jvLZk7EV3qroMCwP0CpTMooEJnVpjOJbuRhYw/sCcc3JzuQEn3wqsvqO6VNTV
1CZMvpQwsuHRpp62VOzpzKnzR4rTa5+NKJtcHosBMPaKONVNFrc/el6H6Mlv5YqV
Ow7QgHHVqprseD03DzHR3Lp0XKqrSm4ClWadRw8ga3ce6OfHRmj8iLfYqBc=
-----END CERTIFICATE-----
 6 s:O = IPAdev CERN, CN = Certificate Authority
   i:O = IPAdev CERN, CN = Certificate Authority
-----BEGIN CERTIFICATE-----
MIIDjzCCAnegAwIBAgIBATANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKDAtJUEFk
ZXYgQ0VSTjEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE5MTEw
NDE3MzAzOFoXDTM5MTEwNDE3MzAzOFowNjEUMBIGA1UECgwLSVBBZGV2IENFUk4x
HjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAMJeqnp7cvpD3eVeeoi+r94tqWEoCvaZCbTlwfN2paRK
Hl99p1lBDAGy1e24jzps3Xj/9LrD33rFvG4ByDwVROL+MJd1/WoFvsyZ5CYRVfqR
LrGobjE4ssMCE3ErJ9HN4/lf7sJqAR/SRM/30rHDT2vfj2YXrWxcpnaGih4gStmh
JXghv3lS4C/mbmkp8u7tLVQa4uSmF45TS0yoECUOO61+dRF7GmMQSkM0xanLv769
4gdW5nsCTxdQ/Hs2Pr2CyfwK2G5BNQ3oQycVeOBJ8okrQN2rBHigol0sSqQgbJcR
Li4hJguA9isej7mMCRnyVotx28wTgAkuma3HRSdTIrECAwEAAaOBpzCBpDAfBgNV
HSMEGDAWgBTVdfZVghFAsKvLgGHvjL+siu15GDAPBgNVHRMBAf8EBTADAQH/MA4G
A1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQU1XX2VYIRQLCry4Bh74y/rIrteRgwQQYI
KwYBBQUHAQEENTAzMDEGCCsGAQUFBzABhiVodHRwOi8vaXBhLWNhLmlwYS1kZXYu
Y2Vybi5jaC9jYS9vY3NwMA0GCSqGSIb3DQEBCwUAA4IBAQAtkTo2TTcemM6q6kEA
VMs6HrBlsTzk2DesbleGEVMuKDHHHpDXoRnVtkY+EhuViDszIWHkxftRE/A5fPbA
DGP2cqtVBtdndFTWUx6DBrjLgd+CHSOICe3wGakL2CURAxmcnlcRVDYaxezQIKfB
4duGEPXlseIe+2V/neGjQ+QrqjmBYpSioOq8B7pdbFFgD7GgzBLIhUpc0PT00dCN
ujg14ZTFepuevAYpmcnEXGcItsideIISQ5N0yDqGqQ13bJnm0hOQ7coUKQ4USfyS
tbH3jswNaX780ZCDzvhk9Wl2cpMYn9T9/V9b67LBbuOGvhaFP23QZU0AEghqrauQ
qub+
-----END CERTIFICATE-----
---
Server certificate
subject=DC = ch, DC = cern, OU = computers, CN = atlas-amazon-cloud.cern.ch

issuer=DC = ch, DC = cern, CN = CERN Grid Certification Authority

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 13500 bytes and written 388 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE

At the beginning of this output you can also see that openssl takes into account only certificates that are really participate in the host CA parent chain.

mlassnig commented 2 years ago

Hi, this blocks us from using the default CERN CA provided host certificates when dealing with commercial Amazon cloud storage. As a workaround for now, is there something we can tell sites to do, e.g. some configuration parameter on dCache? Or do we have to slice'n'dice the host certificate that we get from CERN CA so dCache would accept it? Thanks.

paulmillar commented 2 years ago

Hi guys,

Sorry for the delay ... I was off on holiday.

WOW! There's a lot to say about this issue.

I've broken this down into sections, to make it more digestible.

Provided information.

The information, as presented, isn't terribly easy to read and process.

In this section, I'm reworking only the information (as provided) to make it easier to read. This is partly to explain my thinking and partly to help anyone else who is reading this issue.

First, here is dCache's error message slightly edited to make it more readable:

The peer's certificate with subject's DN
    CN=atlas-amazon-cloud.cern.ch,OU=computers,DC=cern,DC=ch
was rejected.  The peer's certificate status is:  FAILED
The following validation errors were found:

 *  error at position 4 in chain, problematic certificate subject:
        CN=CERN Certification Authority,DC=cern,DC=ch
    The certificate subject is not accepted by any rule of the
    relevant namespace policies.  Policies which matches the issuer
    are:
        /etc/grid-security/certificates/c2a48ab6.namespaces:1
    /etc/grid-security/certificates/c2a48ab6.namespaces:3

 *  error at position 4 in chain, problematic certificate subject:
        CN=CERN Certification Authority,DC=cern,DC=ch
    The certificate subject is not accepted by any rule of the
    relevant namespace policies. Policies which matches the issuer
    are:
        /etc/grid-security/certificates/c2a48ab6.signing_policy
    /etc/grid-security/certificates/c2a48ab6.signing_policy

 *  error at position 5 in chain, problematic certificate subject:
        CN=CERN Certification Authority,DC=cern,DC=ch
    The certificate subject is not accepted by any rule of the
    relevant namespace policies. Policies which matches the issuer
    are:
        /etc/grid-security/certificates/c2a48ab6.namespaces:1
        /etc/grid-security/certificates/c2a48ab6.namespaces:3

 *  error at position 5 in chain, problematic certificate subject:
        CN=CERN Certification Authority,DC=cern,DC=ch
    The certificate subject is not accepted by any rule of the
    relevant namespace policies. Policies which matches the issuer
    are:
        /etc/grid-security/certificates/c2a48ab6.signing_policy
        /etc/grid-security/certificates/c2a48ab6.signing_policy

Here is a summary of the certificates presented, based on the information Petr provided:

 0 s:DC = ch, DC = cern, OU = computers, CN = atlas-amazon-cloud.cern.ch
   i:DC = ch, DC = cern, CN = CERN Grid Certification Authority

 1 s:DC = ch, DC = cern, CN = CERN Root CA
   i:DC = ch, DC = cern, CN = CERN Root CA

 2 s:C = ch, O = CERN, CN = CERN Root Certification Authority 2
   i:C = ch, O = CERN, CN = CERN Root Certification Authority 2

 3 s:DC = ch, DC = cern, CN = CERN Grid Certification Authority
   i:C = ch, O = CERN, CN = CERN Root Certification Authority 2

 4 s:DC = ch, DC = cern, CN = CERN Certification Authority
   i:C = ch, O = CERN, CN = CERN Root Certification Authority 2

 5 s:DC = ch, DC = cern, CN = CERN Certification Authority
   i:C = ch, O = CERN, CN = CERN Root Certification Authority 2

 6 s:O = IPAdev CERN, CN = Certificate Authority
   i:O = IPAdev CERN, CN = Certificate Authority

In an effort to make this information more understandable, I've reformulated this in terms of the certificates roles: EEC, Intermediate CA and Root CA. I've left off the certificate's subject (for the EEC and Root CA certificates), and included the issuer as "by". I've also changed any Certificate Authority in the CN to CA, to make this more readable.

 0.  EEC  (by CERN Grid CA)
 1.  Root (by CERN Root CA, self-signed)
 2.  Root (by CERN Root CA 2, self-signed)
 3.  Intermediate: CERN Grid CA (by CERN Root CA 2)
 4.  Intermediate: CERN CA (by CERN Root CA 2)
 5.  Intermediate: CERN CA (by CERN Root CA 2)
 6.  Root (by IPAdev CERN, self-signed)

In the following section, I've reworking this further. This shows the certificate chains contained within the certificates returned by the server. The number underneath each phrase indicates the certificate that identifies that subject. The arrow (<---) indicates a "signed by" relationship; i.e., the certificate's issuer.

  EEC  <---  CERN Grid CA  <---  CERN Root CA 2 (self)
  0.         3.                  2.

  CERN Root CA (self)
  1.

  CERN CA  <---  CERN Root CA 2 (self)
  4. 5.          2.

  IPAdev CERN (self)
  6.

Observations.

I have a few comments about the certificates presented by the server.

1. Including root CA certificates

Including any root CA certificates in the certificate chain is pointless. Either a root CA is trusted by the peer or it isn't, including the root certificate doesn't change this.

Rather, including a root certificate just makes the TLS handshake take (slightly) longer. More data will need to be transferred, possibly over multiple TLS frames.

Best practice is to avoid including any root CA certificates in TLS handshakes.

2. Completely irrelevant certificates

The server presented many certificates that are not helpful in establishing the trust chain.

Both IPAdev and CERN Root CA certificates are not at all useful in establishing the trust chain. These two are also self-signed root CA certificates, so (first point again) shouldn't be included anyway.

The "CERN Certification Authority" certificate (signed by "CERN Root Certification Authority 2") is also useless in establishing the trust chain. This should have no effect, but including these certificates would anyway make the TLS handshake take longer.

Strangely enough, this "CERN Certification Authority" certificate is included twice. Why do this? Duplicating certificates is pointless and just makes the TLS handshake take longer.

3. Why include any CA certificates?

The EEC is signed by "CERN Grid Certification Authority", which is part of the standard IGTF trust bundle.

In theory, you should not need to include any intermediate or root CAs as the EEC should be sufficient if the client accepts the IGTF trust bundle.

The problem

The problem (as reported) is that dCache rejected the connection because the server presented two certificates (certificates 4. and 5.) that failed the naming policies of the issuing CA.

Certificates 4. and 5. are actually the same certificate (duplicated), so this is really one problem.

Is dCache behaving correctly?

The standard IGTF trust chain does include "CERN Root CA 2". The policy files for this CA (at least, for IGTF v1.116) allow this CA to issue only two certificates:

DC=ch, DC=cern, CN=CERN Grid Certification Authority
DC=ch, DC=cern, CN=CERN LCG IOTA Certification Authority

So, per the signing policies / namespace rules for "Root CA 2", this CA should never have signed "DC=ch, DC=cern, CN=CERN Certification Authority".

Therefore, dCache is operating correctly when it rejects the "Root CA 2" certificate.

One might argue that the "Root CA 2" certificate is irrelevant in establishing the trust for the remote server's DN.

The fact that the EEC is issued by a trusted CA ("CERN Grid Certification Authority" ) and follows the signing policy/namespace for that CA should be sufficient to establish the trust relationship and for dCache to accept the server's DN.

Following this argument, the server should be free to include whatever garbage (expired, self-signed, policy-violating) certificates it wants in the set it returns to the client. It is sufficient for the client to establish a trust chain for the peer's identity to be accepted. The client should simply ignore any garbage certificates.

I believe this is the thrust of Petr's comment.

I'm sympathetic to that point-of-view; however, I'm also not sure of all the security trade-offs involved, which are often far from obvious or trivial.

Moreover, dCache does not implement this behaviour itself. Instead, it relies on an external library (CaNL) to handle certificate validation. dCache rejected the server because CaNL said the presented certificates were unacceptable.

The behaviour you described should probably be opened as an issue against CaNL, so it can either be fixed or the development team can explain why the current policy is correct.

Does namespace checking even make sense?

The signing policy is something introduced by Globus / IGTF to protect identities; specifically, it protects that no two (different) CAs will issue the same DN to two different entities.

In practice, the problem (this policy protects against) only affects certificates issued to people or robots.

The problem doesn't affect host certificates. This is for two main reasons:

The rational for ubiquitous namespace checking is that it is often hard for software to know when a certificate comes from a user or from a remote server: host certificates are sometimes used as client certificates. IGTF tried (and failed) to address this problem.

However, when dCache is using a built-in client (e.g., as the active party in an HTTP-TPC transfer), the pool knows the remote party is an HTTP server. Therefore, these namespace checks actually make no sense for the active party when establishing the data-bearing HTTP transfer.

dCache configuration is quite flexible. It contains the configuration property pool.mover.http-tpc.authn.namespace-mode that controls how stringently the namespace is verified. In current dCache versions, the pool will (through various defaults) enforce namespace policies on HTTP-TPC transfers. Setting this property to IGNORE will switch off namespace verification for HTTP-TPC transfers.

This particular problem is not the first time we've encountered such problems. There is even a patch (see commit 718e3af4df) that updates the defaults so any transfer where dCache is using a client will ignore namespace checks (the pool.authn.namespace-mode configuration property). This commit is "master only". We have no plans to back-port it.

Resolving the problem

There's basically three independent approaches here:

  1. fix the server certificates. The server is presenting a lot of junk, which is causing the problem. Clean this up and the problem should go away.
  2. "fix" dCache behaviour. This involves reporting the problem upstream, to the underlying CaNL library, the CaNL developers accepting the problem, fixing it, releasing a new version of CaNL, releasing a new version of dCache that adopts this new version, sites deploying that new version of dCache.
  3. Update dCache configuration to ignore namespace policies for HTTP-TPC transfers.

My suggestion would be to go with 1. to solve the problem. This is likely the quickest way to get transfers working, as it only requires changes to the server involved.

Option 3. is also an option. We (dCache.org) want to go in this direction, but we're also conscious of potential disruption, so do not want to back-port this change. If a dCache instance is operating within a specific VO and that VO is willing to accept the risk then this process could (easily) be accelerated.

Option 2. should (probably) also be explored; however, this will also be the route that will (likely) take the longest before transfers are successful again.

thdesy commented 2 years ago

Hi all,

just adding my own observations. Last month we received complaints about problems with our HTCondorCEs after we had updated the CEs' host certificates from the previous GridKa CA to new EANT TCS/Sectigo multi-domain host certificates. The problem seems to occur with CE clients failing to correctly parse the pem file bags, which consists of the actual host certificate, the GEANT CA cert and the USERTrust CA Cert signing each other in the chain (with both, GEANT & USERTrust, certs available in the usual grid securtiy certificate dir under their DN symlinks). The issue seems to affect primarily python2.7 clients with older evrsions of gfal/globus, i.e., after updating their python2 DIRAC to the current python3 DIRAC (+libs) Belle2 & ILC could submit again.

In the meantime, we have updated also all of our dCache doors to Sectigo multi-domain certs as well and received again complaints by NAF users, who had issues reading files via Grid protocols including gFTP (where the users had some established workflows, where they are apparently using gFTP due to reasons) - which again seemed to be related for ATLAS users to Athena releases with older clients.

No idea, if it is 100% related, but a bit more complex pem cert bags might cause problems with some client - SEs as well as CEs.

Cheers, Thomas

https://gitlab.desy.de/thomas.hartmann/todos/-/issues/81

msalle commented 2 years ago

Hi all,

just adding my own observations. Last month we received complaints about problems with our HTCondorCEs after we had updated the CEs' host certificates from the previous GridKa CA to new EANT TCS/Sectigo multi-domain host certificates. The problem seems to occur with CE clients failing to correctly parse the pem file bags, which consists of the actual host certificate, the GEANT CA cert and the USERTrust CA Cert signing each other in the chain (with both, GEANT & USERTrust, certs available in the usual grid securtiy certificate dir under their DN symlinks). The issue seems to affect primarily python2.7 clients with older evrsions of gfal/globus, i.e., after updating their python2 DIRAC to the current python3 DIRAC (+libs) Belle2 & ILC could submit again.

In the meantime, we have updated also all of our dCache doors to Sectigo multi-domain certs as well and received again complaints by NAF users, who had issues reading files via Grid protocols including gFTP (where the users had some established workflows, where they are apparently using gFTP due to reasons) - which again seemed to be related for ATLAS users to Athena releases with older clients.

No idea, if it is 100% related, but a bit more complex pem cert bags might cause problems with some client - SEs as well as CEs.

Cheers, Thomas

https://gitlab.desy.de/thomas.hartmann/todos/-/issues/81

Hi all, just to point out that the issue from @thdesy is the same Sectigo issue (but then for hostcerts) as mentioned in https://github.com/eu-emi/canl-java/issues/105 which is not really the same issue as the one reported here. (@dlgroep send a long reply to the wlcg-resource-trust-evolution which might be useful to include here but I don't want to pollute this ticket too much). In short, users need to clean up the chain they get from Sectigo since it contains the wrong CA certs, in particular it should contain the self-signed USERTrust (instead of the subCA version).

mlassnig commented 2 years ago

I can confirm that the third party copy works when the certificate chain on AWS is sliced'n'diced to "only the relevant issuers".

vokac commented 1 year ago

What is the progress with this issue? I can see again fancy certificate chain for DESY dCache that should be fine, but dCache TPC fails

$ export SRC=https://lcg-se0.ifh.de:2880/pnfs/ifh.de/data/atlas/atlasdatadisk/rucio/mc16_13TeV/45/7f/HITS.31660887._173089.pool.root.1
$ export DST=https://lcg-se0.ifh.de:2880/pnfs/ifh.de/data/atlas/atlasdatadisk/SAM/x
$ export TSRC=$(curl --silent --cert /tmp/x509up_u$(id -u) --key /tmp/x509up_u$(id -u) --cacert /tmp/x509up_u$(id -u) --capath /etc/grid-security/certificates -X POST -H 'Content-Type: application/macaroon-request' -d '{"caveats": ["activity:DOWNLOAD"], "validity": "PT30M"}' "$SRC" | jq -r '.macaroon')
$ export TDST=$(curl --silent --cert /tmp/x509up_u$(id -u) --key /tmp/x509up_u$(id -u) --cacert /tmp/x509up_u$(id -u) --capath /etc/grid-security/certificates -X POST -H 'Content-Type: application/macaroon-request' -d '{"caveats": ["activity:UPLOAD,DELETE,LIST"], "validity": "PT30M"}' "$DST" | jq -r '.macaroon')
$
$ curl -v --capath /etc/grid-security/certificates -L -X COPY -H 'Credentials: none' -H "Authorization: Bearer $TDST" -H "TransferHeaderAuthorization: Bearer $TSRC" -H "Source: $SRC" "$DST"
* About to connect() to lcg-se0.ifh.de port 2880 (#0)
*   Trying 2001:638:700:f0c8::1:10...
* Connected to lcg-se0.ifh.de (2001:638:700:f0c8::1:10) port 2880 (#0)
...
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*   subject: CN=lcg-se0.ifh.de,O=Deutsches Elektronen-Synchrotron DESY,ST=Hamburg,C=DE,DC=tcs,DC=terena,DC=org
*   start date: Jan 02 00:00:00 2023 GMT
*   expire date: Feb 01 23:59:59 2024 GMT
*   common name: lcg-se0.ifh.de
*   issuer: CN=GEANT eScience SSL CA 4,O=GEANT Vereniging,C=NL
> COPY /pnfs/ifh.de/data/atlas/atlasdatadisk/SAM/x HTTP/1.1
> User-Agent: curl/7.29.0
> Host: lcg-se0.ifh.de:2880
> Accept: */*
> Credentials: none
> Authorization: Bearer SECRET1
> TransferHeaderAuthorization: Bearer SECRET2
> Source: https://lcg-se0.ifh.de:2880/pnfs/ifh.de/data/atlas/atlasdatadisk/rucio/mc16_13TeV/45/7f/HITS.31660887._173089.pool.root.1
> 
< HTTP/1.1 202 Accepted
< Date: Mon, 02 Jan 2023 22:26:57 GMT
< Server: dCache/7.2.26
< Content-Type: text/perf-marker-stream
< Transfer-Encoding: chunked
< 
Perf Marker
    Timestamp: 1672698417
    State: 9
    State description: Requesting mover
    Stripe Index: 0
    Total Stripe Count: 1
End
failure: The peer's certificate with subject's DN CN=lcg-se0.ifh.de,O=Deutsches Elektronen-Synchrotron DESY,ST=Hamburg,C=DE,DC=tcs,DC=terena,DC=org was rejected. The peer's certificate status is: FAILED The following validation errors were found:;error at position 2 in chain, problematic certificate subject: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US (category: NAMESPACE): Namespace definition for the certificate issuer (CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB) is not defined, and namespaces are configured to be required.
* Connection #0 to host lcg-se0.ifh.de left intact

Problematic is the last (2 in chain) certificate with issuer /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services that's not defined in the IGTF namespaces

$ echo "" | openssl s_client -connect lcg-se0.ifh.de:2880 -showcerts
CONNECTED(00000003)
depth=3 C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = NL, O = GEANT Vereniging, CN = GEANT eScience SSL CA 4
verify return:1
depth=0 DC = org, DC = terena, DC = tcs, C = DE, ST = Hamburg, O = Deutsches Elektronen-Synchrotron DESY, CN = lcg-se0.ifh.de
verify return:1
---
Certificate chain
 0 s:/DC=org/DC=terena/DC=tcs/C=DE/ST=Hamburg/O=Deutsches Elektronen-Synchrotron DESY/CN=lcg-se0.ifh.de
   i:/C=NL/O=GEANT Vereniging/CN=GEANT eScience SSL CA 4
-----BEGIN CERTIFICATE-----
MIII2zCCBsOgAwIBAgIQWIooUzhsgK/O8DiGskB/TjANBgkqhkiG9w0BAQwFADBK
MQswCQYDVQQGEwJOTDEZMBcGA1UEChMQR0VBTlQgVmVyZW5pZ2luZzEgMB4GA1UE
AxMXR0VBTlQgZVNjaWVuY2UgU1NMIENBIDQwHhcNMjMwMTAyMDAwMDAwWhcNMjQw
MjAxMjM1OTU5WjCBqjETMBEGCgmSJomT8ixkARkWA29yZzEWMBQGCgmSJomT8ixk
ARkWBnRlcmVuYTETMBEGCgmSJomT8ixkARkWA3RjczELMAkGA1UEBhMCREUxEDAO
BgNVBAgTB0hhbWJ1cmcxLjAsBgNVBAoTJURldXRzY2hlcyBFbGVrdHJvbmVuLVN5
bmNocm90cm9uIERFU1kxFzAVBgNVBAMTDmxjZy1zZTAuaWZoLmRlMIICIjANBgkq
hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwIIyijPI1+WV/gj3K+7lNF77+30DMYm3
V/Swu63DAgr6MQYSRpg6MWUcMz6+sU3L8N5k5Ri9+I0WUYqNKd+qK+POWz3T6FTL
wTFedIyRfpFWbe1Y8zLwvjNKfttppE+julygqbJnJnmNfHpSwMX5zDBeyjx8c5f/
iqOAhW+QdK5CvFhRlWG2cQjjj7CBi4gn/5aZP1Bak0jgPzy1ELOeSSSI+VIY6Kh6
BWJF+jV4vDvffhhEw66V96fUSB6G1nOQa+Jc+6MaLNr/3y8wAGfsOGmT+w32sva/
Omh1wXn0NEe+h1NkUGzcBtalfQ9bLszVYXr1lbgcGrPmWUSumjSua22dDbGENJLW
6qx5UskZPv2Z1hNA1qZAM1LFzAPzo1hVbxiwWjQbPUAprLTvkXyOA38sw9kZ+wfl
hvopJcUvhUL3CukirWd6XThyUCEMZzY7sVh72yXYe1vf5kaTAQ1T7yv8AymrL7Ua
VL+KlSnPmuP1PlnQCDgb29MLe7+hhugy3txGtTjZutvBFjCFJFoSw5wEW+SuDZ7a
7lJPPqzpnEc0H2HYPs2TLNpxbyEtnM0ljaXRyvJbskjbgpBPuIrCtR3ZLIXc8GTQ
2TFnTenjEd6pbltdl5IhQFUr20b17Bjpr/F+46Ig1jLuhBcIhIPym7pw6TZ3uSrY
KNSIQJPSEhkCAwEAAaOCA1owggNWMB8GA1UdIwQYMBaAFJoriiLWjQzAKqVvZDM/
lmBnFR2yMB0GA1UdDgQWBBQyPqF89Wi2JGMkXq1YI9SeSGmEaDAOBgNVHQ8BAf8E
BAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
AwIwdQYDVR0gBG4wbDAMBgoqhkiG90wFAgIBMA0GCyqGSIb3TAUCAwMCMA0GCyqG
SIb3TAUCAwECMDQGCysGAQQBsjEBAgJPMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8v
c2VjdGlnby5jb20vQ1BTMAgGBmeBDAECAjBFBgNVHR8EPjA8MDqgOKA2hjRodHRw
Oi8vR0VBTlQuY3JsLnNlY3RpZ28uY29tL0dFQU5UZVNjaWVuY2VTU0xDQTQuY3Js
MHsGCCsGAQUFBwEBBG8wbTBABggrBgEFBQcwAoY0aHR0cDovL0dFQU5ULmNydC5z
ZWN0aWdvLmNvbS9HRUFOVGVTY2llbmNlU1NMQ0E0LmNydDApBggrBgEFBQcwAYYd
aHR0cDovL0dFQU5ULm9jc3Auc2VjdGlnby5jb20wggF/BgorBgEEAdZ5AgQCBIIB
bwSCAWsBaQB2AHb/iD8KtvuVUcJhzPWHujS0pM27KdxoQgqf5mdMWjp0AAABhXG0
bsMAAAQDAEcwRQIhAKD/w5uRWRua3nodivewmdDHVZEAJSMSSoRYBTbZF0clAiBO
94k+KA0FB5zfoCNtWaM4v1upqmOrPHubPq0kobMX/AB2ANq2v2s/tbYin5vCu1xr
6HCRcWy7UYSFNL2kPTBI1/urAAABhXG0bs4AAAQDAEcwRQIgVIlQoPKai0HYQW95
0gjK/wKYnfJ14UIDZxqk9wio2NACIQC9WI0iecsD4ySsUj3dzehsRpkvrN37MTm3
uHcwnkue7QB3AO7N0GTV2xrOxVy3nbTNE6Iyh0Z8vOzew1FIWUZxH7WbAAABhXG0
bqYAAAQDAEgwRgIhAP5BpZBXkwIIBGaGgV7ZVMUUCgnB3V03zb0FDf4mxZ31AiEA
zz0ADsVDu+X2v5yQk4LEFb4leRn+PDMyAc6KFHQYW9wwGQYDVR0RBBIwEIIObGNn
LXNlMC5pZmguZGUwDQYJKoZIhvcNAQEMBQADggIBAF8wTbQHnvSlngH+GMFfGgji
PEktUz8hDb6g9mqvJOv3dVIB+g7lUshzbS3uo6FAtT32joIB6wMms9PRQh2greug
SV3OWOcjsQYeLE6zG+c5yHB5obK4OGhV0dVP/D+8rBj+QcYndkfvfUv4n5VEN6Nm
+grVmCxpppN1NdDMS3QHysqWLhOJz6v3r62y4Zm2mwSirasUY9hUmYZ57nC/rYlC
q1BCqKxav18cbfsnWQJNvxladgJYyn+o9umulRh0k37WytDUu8FU03AaszFFqJfJ
iBSe18X3D+9BCsQ30QM+bXHDXsUhPas+vMYb3wvq6mGQYTrBYT8khxg946tHF/Jp
RlDXnskYmNcecVzpNi2kPtLFMh+Mo2P+U2GP7rjPEOgIWkOxOocCk2wzaiR1vT/r
/jRIOcKuIgqVRRSBOarTOs/GYZxV22mcQvfWMjw52Ibsd5Oo/SSmd/jPrzu4ZJXB
HW2V5vtDcoo4EUXxzz4pzRSqMJMN1yu+z86NLxaiG9JgJVY4m6A82ksMazRk4njV
wqm61DDUGXa9RkjBnMghLXaystK0+agd1qn775LFLMqmOQz/U3blPlmeQAG0fUB0
Bkfdal+ZYwgRfU8fhgnzsXJxMfSXqqqA8PJ1xEaosP9TnRNBdv9TwW5bacRQvbm7
aP/vWk3lO/6kxfgFPcJ7
-----END CERTIFICATE-----
 1 s:/C=NL/O=GEANT Vereniging/CN=GEANT eScience SSL CA 4
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
-----BEGIN CERTIFICATE-----
MIIG6jCCBNKgAwIBAgIQN9uaOAbXCsc+ONHf725RKjANBgkqhkiG9w0BAQwFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMjAw
MjE4MDAwMDAwWhcNMzMwNTAxMjM1OTU5WjBKMQswCQYDVQQGEwJOTDEZMBcGA1UE
ChMQR0VBTlQgVmVyZW5pZ2luZzEgMB4GA1UEAxMXR0VBTlQgZVNjaWVuY2UgU1NM
IENBIDQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCUtBhby5HZ4dxN
stR0OaxF/QrC0FENJm59Na5LZzPwXqwTdaq1NJUZwMIrHTXavExQpGqzdqwIKNS0
liyLkTT54vTs5VPh5SYRFtVAX9NLkY+fUIu2icOEGfwlPR6VlYp+kiR2Vj4OwYhy
aM0tj66uaTCaAj3Rz99dN1s64Z1jw/wjckCLat/MGHL4crKuQErYyPfoK1s39BR/
gXis0E2anvfmuyAZ3YDOsAyGKpPhEj3Dxuiz5+qpqJIePs3Vgylyx/ZIoJEH/jAq
v7GbdVTsSfqyMlnyceF0pyGQ6Yzp1DkLw4Dg26zoOSckLYeICtRziSwzrMu3YLYW
VB6h1r0Nw/hnuXMYt6WgLYekfxuwapwbntbw5gAJpK63geBp3Hj7bWnrPb8aLjBz
eutA2St+Y6YodQ8PjbhUpaWVMGzz+c2YJK/xbxTAjWUPOdd8cNrM7ilaOrvbSaLz
e7aPBFWZMpg1kOva5J91qSdOmS45DHyyfT4Xk2X/3HhFRLkKA/cdJaEYE1I/p0P5
A2qFlMdr+QDx7Uar5Zvsbvrm0gn+MER1uq3xugoweC3iegHwQQh4YupAEamo1vPy
n04r3WPn86rLjpe0OLFvlM8CQtvTWV6wOXy3HTnIh8gFGxe/0Wu3XYBtPcJXlBMO
aV7NDi69LE9ZiYNF+wBZ6iUgVw3ZRQIDAQABo4IBizCCAYcwHwYDVR0jBBgwFoAU
U3m/WqorSs9UgOHYm8Cd8rIDZsswHQYDVR0OBBYEFJoriiLWjQzAKqVvZDM/lmBn
FR2yMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjA4BgNVHSAEMTAvMC0GBFUdIAAwJTAjBggr
BgEFBQcCARYXaHR0cHM6Ly9zZWN0aWdvLmNvbS9DUFMwUAYDVR0fBEkwRzBFoEOg
QYY/aHR0cDovL2NybC51c2VydHJ1c3QuY29tL1VTRVJUcnVzdFJTQUNlcnRpZmlj
YXRpb25BdXRob3JpdHkuY3JsMHYGCCsGAQUFBwEBBGowaDA/BggrBgEFBQcwAoYz
aHR0cDovL2NydC51c2VydHJ1c3QuY29tL1VTRVJUcnVzdFJTQUFkZFRydXN0Q0Eu
Y3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC51c2VydHJ1c3QuY29tMA0GCSqG
SIb3DQEBDAUAA4ICAQAmpZcT3x9evRVo7pAAsdyTx3mmtbOGWIAQFQRiW4po1Jx9
9szSmymPrzDq0s1Lh7EL+sworQnNKEApLYpcFZ/ZeyjWPt+7D/SKGdjhFE9owf71
hNiwWBWzMHZWE/1lYpISw2gbclDk6Mp1GkDQhRVXQL5O6uXeouxNiKpAXZj8QFx7
Sk1kkuXewca4dFRTs9Oadec8ARnR+YzxhTE0p3m2rBkWL3zpNCtl+7zpPJm58eCc
8Oxt7ib/XwoZKE/tKKZ6rcA+kBL6X6xeim+DwVqToJW24yiqVAI2JYQw1741fqm8
lklFlkAoOTJTprMd3jIK2DKYvAXkZiAeY8eD85AVCJgC+DpD/0Oc3OpsP5kljGzF
2rUYGLutL1a9Uxd2YCGkqnAym2f2LsBo5u2+Znk5YzfD5xPSWBrs9K5UtE2G+5B0
iygvf+yl/+hcv4aN3zetNXbfsSArAR0ecdNkNtehXeVaFE7rIZUXFahzHn2cSOLO
n4vjBWKRHJc4lvlqhfz1jaPrcxS0BxaJq0VNrX3skPeajbVSsPAjXXVDh9I5qjdG
yMvAe5TUyUf752JKBN56Zi5mvz5ufbvULGcV4Frnwl2c2ySICF7KGIB+KGhGbgbf
tN6PKXHwC3gvRw9yzFSq6Rdwh7U+3AkmDel0rhdZnMTx2JryjQF/AeBKwkfrUQ==
-----END CERTIFICATE-----
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
-----BEGIN CERTIFICATE-----
MIIFgTCCBGmgAwIBAgIQOXJEOvkit1HX02wQ3TE1lTANBgkqhkiG9w0BAQwFADB7
MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE
AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTE5MDMxMjAwMDAwMFoXDTI4
MTIzMTIzNTk1OVowgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5
MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBO
ZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0
aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sI
s9CsVw127c0n00ytUINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnG
vDoZtF+mvX2do2NCtnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQ
Ijy8/hPwhxR79uQfjtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfb
IWax1Jt4A8BQOujM8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0
tyA9yn8iNK5+O2hmAUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97E
xwzf4TKuzJM7UXiVZ4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNV
icQNwZNUMBkTrNN9N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5
D9kCnusSTJV882sFqV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJ
WBp/kjbmUZIO8yZ9HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ
5lhCLkMaTLTwJUdZ+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzG
KAgEJTm4Diup8kyXHAc/DVL17e8vgg8CAwEAAaOB8jCB7zAfBgNVHSMEGDAWgBSg
EQojPpbxB+zirynvgqV/0DCktDAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rID
ZsswDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAG
BgRVHSAAMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwuY29tb2RvY2EuY29t
L0FBQUNlcnRpZmljYXRlU2VydmljZXMuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggr
BgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMA0GCSqGSIb3DQEBDAUA
A4IBAQAYh1HcdCE9nIrgJ7cz0C7M7PDmy14R3iJvm3WOnnL+5Nb+qh+cli3vA0p+
rvSNb3I8QzvAP+u431yqqcau8vzY7qN7Q/aGNnwU4M309z/+3ri0ivCRlv79Q2R+
/czSAaF9ffgZGclCKxO/WIu6pKJmBHaIkU4MiRTOok3JMrO66BQavHHxW/BBC5gA
CiIDEOUMsfnNkjcZ7Tvx5Dq2+UUTJnWvu6rvP3t3O9LEApE9GQDTF1w52z97GA1F
zZOFli9d31kWTz9RvdVFGD/tSo7oBmF0Ixa1DVBzJ0RHfxBdiSprhTEUxOipakyA
vGp4z7h/jnZymQyd/teRCBaho1+V
-----END CERTIFICATE-----
---
Server certificate
subject=/DC=org/DC=terena/DC=tcs/C=DE/ST=Hamburg/O=Deutsches Elektronen-Synchrotron DESY/CN=lcg-se0.ifh.de
issuer=/C=NL/O=GEANT Vereniging/CN=GEANT eScience SSL CA 4
---
paulmillar commented 1 year ago

Progress report on the three ways for solving this issue:

  1. Fix the server certificates. I don't think there's much we can do here. The problem is with the remote server which might or might not be dCache. We could update dCache to filter out erroneous intermediate CAs (assuming some specific set of trust anchors), but this would only fix the problem if dCache is both the source and destination.
  2. Fix dCache behaviour. As reported above, @vokac has opened a ticket (see eu-emi/canl-java#116) against CaNL about this problem. Thanks, Petr! The CaNL developers reported that they have not been able to reproduce the problem, and requested more information. This extra information has been given. So we're waiting for the CaNL developers to react.
  3. Update dCache configuration to ignore namespace policies for HTTP-TPC transfers. This change was made with commit 718e3af4df9. This change is part of the 8.2 release series. As mentioned above, we don't plan to backport this chance to existing release series. A simple configuration change allows existing dCache deployments to adopt the same behaviour.