irods / irods_client_nfsrods

An nfs4j Virtual File System implementation supporting the iRODS Data Grid
BSD 3-Clause "New" or "Revised" License

When I try to run Docker container, the error [SSL is required on the server, but not on the client] is output. #201

Closed Narushima2030 closed 1 month ago

Narushima2030 commented 2 months ago

We would like to build iRODS and use nfsrods in the following environment.

ubuntu  20.04 
irods    4.3.1
MariaDB 11.3.2

We have configured iRODS, set up SSL, and confirmed that basic iRODS commands such as ils and iput can be performed. I want to use nfsrods and have installed it, but docker is not in the run state.

nfsrods was obtained from git (https://github.com/irods/irods_client_nfsrods).

No particular error occurred during execution.

ubuntu@dmsirods:~$ sudo docker run -d --name nfsrods -p 40049:2049 \
    -v /local/home/ubuntu/nfsrods_config:/nfsrods_config:ro \
    -v /local/home/ubuntu/nfsrods_config/passwd:/etc/passwd:ro \
    -v /etc/irods/ssl/dmsirods.riken.jp.pem:/nfsrods_ssl.crt:ro local/nfsrods
16d83714fa3cd3ed167f086fe33f2e16b03a8428c82390cd28e0f66bf2411d96

The docker is not bootable.

ubuntu@dmsirods:~$ sudo docker ps -a
CONTAINER ID   IMAGE           COMMAND        CREATED          STATUS                      PORTS     NAMES
16d83714fa3c   local/nfsrods   "./start.sh"   22 seconds ago   Exited (1) 19 seconds ago             nfsrods

The following messages are obtained from the log.

status [SYS_INVALID_INPUT_PARAM] 
errno [] -- 
message [SSL is required by the server but not requested by the client]
May  7 11:58:09 dmsirods irodsServer[19241]: {"log_category":"agent","log_level":"error","log_message":"[-]\t/irods_source/server/core/src/rodsAgent.cpp:674:int runIrodsAgentFactory(sockaddr_un) :  status [SYS_INVALID_INPUT_PARAM]  errno [] -- message [SSL is required by the server but not requested by the client]\n\t[-]\t/irods_source/server/core/src/irods_server_negotiation.cpp:113:irods::error irods::client_server_negotiation_for_server(irods::network_object_ptr, std::string &) :  status [SYS_INVALID_INPUT_PARAM]  errno [] -- message [SSL is required by the server but not requested by the client]\n\n","server_host":"dmsirods.riken.jp","server_pid":19241,"server_timestamp":"2024-05-07T02:58:09.487Z","server_type":"agent","server_zone":"rikenZone"}

I've consulted with them before. https://github.com/irods/irods_client_nfsrods/issues/193 The following is confirmed, as the phenomenon appears to be similar to

We have confirmed that this correction has been reflected. https://github.com/irods/irods_client_nfsrods/pull/194/commits

We also reacquired jargon and compiled and verified the following reflected https://github.com/DICE-UNC/jargon/pull/430/commits

I am running the program you fixed in https://github.com/irods/irods_client_nfsrods/issues/193, but I cannot use nfsrods in an SSL configured environment. Can you please advise me where I need to check? Your help would be greatly appreciated.

trel commented 2 months ago

Can you confirm you are using "ssl_negotiation_policy" : "CS_NEG_REQUIRE" ?

in your nfsrods_config...

  "irods_client" : {
    "host" : "dmsirods.test.jp",
    "port" : 1247,
    "zone" : "testZone",
    "default_resource" : "irodsResc",
    "ssl_negotiation_policy" : "CS_NEG_REQUIRE",
    "connection_timeout_in_seconds" : 600,
    "proxy_admin_account" : {
      "username" : "rods",
      "password" : "*************"
    }
  }

Narushima2030 commented 2 months ago

Thank you for your response.

In nfsrods_config/server.json "ssl_negotiation_policy": "CS_NEG_REQUIRE" is specified.

ubuntu@dmsirods:~$ cat ~/nfsrods_config/server.json

{
    …

    "irods_client": {
        "zone": "rikenZone",
        "host": "dmsirods.riken.jp",
        "port": 1247,
        "default_resource": "dmsresc",
        "ssl_negotiation_policy": "CS_NEG_REQUIRE",
        "connection_timeout_in_seconds": 600,
        "proxy_admin_account": {
            "username": "rods",
            "password": "xxxxxxxxxxxx"
        }
    }
}

trel commented 2 months ago

How is this current configuration (that is NOT working) different from the configuration (that was working) at the end of https://github.com/irods/irods_client_nfsrods/issues/193?

It looks... upon inspection... identical except the zone, host, and default_resource information... which should not be leading to this effect / error.

Can you share the first part of the NFSRODS logs?

Narushima2030 commented 2 months ago

Thanks for answering.

I changed DB from postgreSQL to mariaDB and I believe I have the same settings as https://github.com/irods/irods_client_nfsrods/issues/193. The output looks the same as it did before https://github.com/irods/irods_client_nfsrods/issues/193 was modified.

Here are the logs at docker startup. They are taken from /var/log/syslog.

May  8 13:01:43 dmsirods irodsServer[4788]: {"log_category":"agent","log_level":"error","log_message":"[-]\t/irods_source/server/core/src/rodsAgent.cpp:674:int runIrodsAgentFactory(sockaddr_un) :  status [SYS_INVALID_INPUT_PARAM]  errno [] -- message [SSL is required by the server but not requested by the client]\n\t[-]\t/irods_source/server/core/src/irods_server_negotiation.cpp:113:irods::error irods::client_server_negotiation_for_server(irods::network_object_ptr, std::string &) :  status [SYS_INVALID_INPUT_PARAM]  errno [] -- message [SSL is required by the server but not requested by the client]\n\n","server_host":"dmsirods.riken.jp","server_pid":4788,"server_timestamp":"2024-05-08T04:01:43.431Z","server_type":"agent","server_zone":"rikenZone"}
May  8 13:01:43 dmsirods irodsServer[3670]: {"log_category":"agent_factory","log_level":"error","log_message":"Agent process [4788] exited with status [1].","server_host":"dmsirods.riken.jp","server_pid":3670,"server_timestamp":"2024-05-08T04:01:43.465Z","server_type":"agent_factory","server_zone":"rikenZone"}
May  8 13:01:44 dmsirods irodsServer[3669]: {"log_category":"legacy","log_level":"error","log_message":"_rcConnect: connectToRhost error, server on dmsirods.riken.jp:1247 is probably down status = -1824000 CLIENT_NEGOTIATION_ERROR","server_host":"dmsirods.riken.jp","server_pid":3669,"server_timestamp":"2024-05-08T04:01:44.083Z","server_type":"server","server_zone":"rikenZone"}
May  8 13:01:44 dmsirods irodsServer[4832]: {"log_category":"agent","log_level":"error","log_message":"[-]\t/irods_source/server/core/src/rodsAgent.cpp:674:int runIrodsAgentFactory(sockaddr_un) :  status [SERVER_NEGOTIATION_ERROR]  errno [] -- message [failure detected from client for result [CS_NEG_FAILURE]]\n\t[-]\t/irods_source/server/core/src/irods_server_negotiation.cpp:208:irods::error irods::client_server_negotiation_for_server(irods::network_object_ptr, std::string &) :  status [SERVER_NEGOTIATION_ERROR]  errno [] -- message [failure detected from client for result [CS_NEG_FAILURE]]\n\n","server_host":"dmsirods.riken.jp","server_pid":4832,"server_timestamp":"2024-05-08T04:01:44.084Z","server_type":"agent","server_zone":"rikenZone"}
May  8 13:01:44 dmsirods irodsServer[3669]: {"log_category":"server","log_level":"error","log_message":"Caught exception in migrate_delay_server(): iRODS Exception:\n    file: /irods_source/lib/core/src/client_connection.cpp\n    function: void irods::experimental::client_connection::only_connect(const std::string &, const int, const irods::experimental::fully_qualified_username &)\n    line: 188\n    code: -305000 (USER_SOCK_CONNECT_ERR)\n    message:\n        Connect error\nstack trace:\n--------------\n 0# irods::stacktrace::dump() const in /lib/libirods_common.so.4.3.1\n 1# irods::exception::assemble_full_display_what() const in /lib/libirods_common.so.4.3.1\n 2# irods::exception::what() const in /lib/libirods_common.so.4.3.1\n 3# std::__1::__function::__func<initServerMain(RsComm*, bool, bool)::$_13, std::__1::allocator<initServerMain(RsComm*, bool, bool)::$_13>, void ()>::operator()() at rodsServer.cpp:?\n 4# irods::experimental::cron::cron_task::operator()() in /usr/sbin/irodsServer\n 5# irods::experimental::cron::cron::run() in /usr/sbin/irodsServer\n 6# void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, main::$_10> >(void*) at rodsServer.cpp:?\n 7# 0x00007F50F63B0609 in /lib/x86_64-linux-gnu/libpthread.so.0\n 8# clone in /lib/x86_64-linux-gnu/libc.so.6\n\n","server_host":"dmsirods.riken.jp","server_pid":3669,"server_timestamp":"2024-05-08T04:01:44.114Z","server_type":"server","server_zone":"rikenZone"}
May  8 13:01:44 dmsirods irodsServer[3670]: {"log_category":"agent_factory","log_level":"error","log_message":"Agent process [4832] exited with status [1].","server_host":"dmsirods.riken.jp","server_pid":3670,"server_timestamp":"2024-05-08T04:01:44.116Z","server_type":"agent_factory","server_zone":"rikenZone"}

If the docker startup option is set to -it, the output is as follows:

ubuntu@dmsirods:~$ sudo docker run -it --name nfsrods -p 40049:2049 -v /local/home/ubuntu/nfsrods_config:/nfsrods_config:ro -v /local/home/ubuntu/nfsrods_config/passwd:/etc/passwd:ro -v /etc/irods/ssl/dmsirods.riken.jp.pem:/nfsrods_ssl.crt:ro local/nfsrods
Cert found for NFSRODS
keytool error: java.lang.Exception: Alias <nfsrods> does not exist
Importing cert to OpenJDK keystore
Certificate was added to keystore
Done
2024-05-08 04:04:03.103 INFO  Thread-1 [ServerMain] - Build Time    => 2024-05-02T05:54:36+0000
2024-05-08 04:04:03.103 INFO  Thread-1 [ServerMain] - Build Version => 2.2.0
2024-05-08 04:04:03.103 INFO  Thread-1 [ServerMain] - Build SHA     => 22028f190639e298c17a804df2a370bbb32b76e9
2024-05-08 04:04:03.251 INFO  Thread-1 [ServerMain] - main - Server config ==> {
  "nfs_server" : {
    "port" : 2049,
    "irods_mount_point" : "/rikenZone",
    "user_information_refresh_time_in_milliseconds" : 3600000,
    "file_information_refresh_time_in_milliseconds" : 1000,
    "user_access_refresh_time_in_milliseconds" : 1000,
    "object_type_refresh_time_in_milliseconds" : 300000,
    "user_permissions_refresh_time_in_milliseconds" : 300000,
    "user_type_refresh_time_in_milliseconds" : 300000,
    "list_operation_query_results_refresh_time_in_milliseconds" : 30000,
    "allow_overwrite_of_existing_files" : true,
    "using_oracle_database" : false
  },
  "irods_client" : {
    "host" : "dmsirods.riken.jp",
    "port" : 1247,
    "zone" : "rikenZone",
    "default_resource" : "dmsresc",
    "ssl_negotiation_policy" : "CS_NEG_REQUIRE",
    "connection_timeout_in_seconds" : 600,
    "proxy_admin_account" : {
      "username" : "rods",
      "password" : "*************"
    }
  }
}
2024-05-08 04:04:03.269 DEBUG Thread-1 [ServerMain] - configureClientServerNegotiationPolicy - Policy = CS_NEG_REQUIRE
2024-05-08 04:04:03.371 DEBUG Thread-1 [IRODSIdMapper] - IRODSUser - iRODS mount point = /rikenZone
2024-05-08 04:04:03.371 DEBUG Thread-1 [IRODSIdMapper] - IRODSUser - Creating proxy for username [rods] ...
2024-05-08 04:04:03.755 DEBUG Thread-1 [IRODSIdMapper] - InodeToPathMapper - iRODS mount point = /rikenZone

Can you tell me what could be causing this? Any help would be appreciated.

trel commented 2 months ago

Well, those error messages are coming from the same/original place in the server - suggesting the client (in this case, NFSRODS) isn't sending the correct negotiation request. This suggests the changes in Jargon are not included here...

@korydraughn we need to get a jargon release out? Could that be what's happening here? NFSRODS 2.2.0 still using a Jargon release that doesn't include the fixes in https://github.com/DICE-UNC/jargon/pull/430/commits?

@Narushima2030 if you rebuild Jargon, and then rebuild NFSRODS... can you confirm it works, same as at the end of the conversation in #193?
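
A triage sketch for the server-side log lines quoted in this thread, added here as an example and not code from iRODS, NFSRODS or any participant: it pulls the negotiation failures out of syslog lines that carry the iRODS JSON payload. The sample lines are constructed (shortened, with the placeholder host irods.example.org), and all function names are assumptions.

```python
import json
import re

# Patterns for the bracketed fields seen in the iRODS log_message text above.
STATUS_RE = re.compile(r"status \[(\w+)\]")
MESSAGE_RE = re.compile(r"message \[(.*?)\]\n")
LEGACY_RE = re.compile(r"status = -?\d+ (\w+)")  # "_rcConnect: ... status = N NAME"
NEGOTIATION_STATUSES = {"SERVER_NEGOTIATION_ERROR", "CLIENT_NEGOTIATION_ERROR"}
TLS_MISMATCH = "SSL is required by the server but not requested by the client"

def parse_line(line):
    """Return the JSON payload of one syslog line, or None if it has none."""
    try:
        return json.loads(line[line.index("{"):])
    except ValueError:  # no "{" at all, or the remainder is not valid JSON
        return None

def negotiation_findings(lines):
    """Collect negotiation failures as (server_pid, status, detail) tuples."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if not entry or entry.get("log_level") != "error":
            continue
        text = entry.get("log_message", "")
        status = STATUS_RE.search(text) or LEGACY_RE.search(text)
        if not status:
            continue
        found = MESSAGE_RE.search(text)
        detail = found.group(1) if found else ""
        if status.group(1) in NEGOTIATION_STATUSES or detail == TLS_MISMATCH:
            findings.append((entry.get("server_pid"), status.group(1), detail))
    return findings

def _sample(pid, message):  # builds one constructed line in the thread's format
    payload = {"log_level": "error", "log_message": message, "server_pid": pid}
    return f"May  8 13:01:43 irods.example.org irodsServer[{pid}]: {json.dumps(payload)}"

SAMPLE = [  # constructed lines, not copied from a real server
    _sample(101, f"status [SYS_INVALID_INPUT_PARAM]  errno [] -- message [{TLS_MISMATCH}]\n\n"),
    _sample(100, "Agent process [101] exited with status [1]."),
    _sample(99, "_rcConnect: connectToRhost error, status = -1824000 CLIENT_NEGOTIATION_ERROR"),
    _sample(102, "status [SERVER_NEGOTIATION_ERROR]  errno [] -- message "
                 "[failure detected from client for result [CS_NEG_FAILURE]]\n\n"),
    "May  8 13:01:45 irods.example.org kernel: unrelated line",
]

if __name__ == "__main__":
    for pid, status, detail in negotiation_findings(SAMPLE):
        print(pid, status, detail or "(no message field)")
```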

korydraughn commented 2 months ago

It appears we need a new jargon release.

Narushima2030 commented 2 months ago

Thank you for confirming this.

I reconstructed and validated the jargon in the same way as at the end of https://github.com/irods/irods_client_nfsrods/issues/193 . The result was the same.

trel commented 2 months ago

Okay - so yes, we need to get a jargon release out - and then release NFSRODS using the new jargon.

Thank you.

korydraughn commented 1 month ago

@Narushima2030 Please give PR #202 a try and let us know if the issue still appears.

korydraughn commented 1 month ago

Using tip of main, I've confirmed building a new image and enabling TLS works as intended.

I believe the issue has been resolved. Closing.

@Narushima2030 If you run into issues related to this again, please open a new issue.

Narushima2030 commented 1 month ago

Thank you for responding.

I'm late in checking here, but I can confirm that the problem has been resolved. Thank you very much for helping me correct it.