Closed brianhlin closed 4 years ago
Eh, what is standard cert locations? Letsencrypt puts things in /etc/letsencrypt/live/...
The OS location, /etc/pki/tls:
[root@fermicloud052 ~]# condor_config_val -dump AUTH_SSL
# Configuration from machine: fermicloud052.fnal.gov
# Parameters with names that match AUTH_SSL:
AUTH_SSL_CLIENT_CAFILE = /etc/pki/tls/certs/ca-bundle.crt
AUTH_SSL_SERVER_CAFILE = /etc/pki/tls/certs/ca-bundle.crt
AUTH_SSL_SERVER_CERTFILE = /etc/pki/tls/certs/localhost.crt
AUTH_SSL_SERVER_KEYFILE = /etc/pki/tls/private/localhost.key
Looks good to me. If a site uses a non-osg-ca distributed certificate, how do we configure the collector to trust it?
You can also specify AUTH_SSL_SERVER_CADIR = /etc/grid-security/certificates
but I have to verify that it actually works alongside AUTH_SSL_SERVER_CAFILE
@djw8605 @bbockelm now that htcondor/htcondor-ce#300 has been merged, can one of you take a look at this again?
Tested this on some Fermicloud VMs along with https://github.com/htcondor/htcondor-ce/pull/300 with both HTCondor 8.8 and 8.9 installed on the stash-cache host.
I'm on the fence about setting the AUTH_SSL_* variables to use /etc/grid-security because it'd be nice to use standard cert locations but it's annoying for users to have to set these vars manually if they don't have non-GSI certs.
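The thread shows a `condor_config_val -dump AUTH_SSL` dump and raises two practical questions: whether `AUTH_SSL_SERVER_CADIR` works alongside `AUTH_SSL_SERVER_CAFILE`, and what happens when a site points these at non-standard locations. The script below is an added example, not code from this thread or from the HTCondor/htcondor-ce projects. It parses a dump in the format shown above and checks the things an operator would want verified before trusting the setup: every referenced file exists and is readable, the server key is not group/world readable, and a configured CADIR actually contains OpenSSL hash-named CA files (as /etc/grid-security/certificates does). It assumes that HTCondor hands CADIR to OpenSSL as a CApath lookup, which only finds CAs by hashed filename. The fixture tree, dump text and "certificate" contents are constructed placeholders so it runs offline; `cfg_get`, `check_auth_ssl` and `demo` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the htcondor-ce thread or the HTCondor project):
# sanity-check the AUTH_SSL_* parameters in a `condor_config_val -dump AUTH_SSL`
# dump. The dump text and file tree below are constructed so the script runs
# offline; the "cert" files are placeholders, not real PEM data.
set -u

# Print the value of PARAM from a "NAME = VALUE" dump. The '#' comment lines
# that condor_config_val emits never start with a parameter name, so they drop out.
cfg_get() {  # usage: cfg_get DUMP PARAM
    printf '%s\n' "$1" | sed -n "s/^$2[[:space:]]*=[[:space:]]*//p"
}

# Check one dump. Prints OK/WARN/FAIL findings and returns 0 iff nothing FAILed.
check_auth_ssl() {
    dump=$1 rc=0
    for p in AUTH_SSL_CLIENT_CAFILE AUTH_SSL_SERVER_CAFILE \
             AUTH_SSL_SERVER_CERTFILE AUTH_SSL_SERVER_KEYFILE; do
        f=$(cfg_get "$dump" "$p")
        if [ -z "$f" ]; then echo "WARN $p is unset"
        elif [ ! -r "$f" ]; then echo "FAIL $p: $f is missing or unreadable"; rc=1
        else echo "OK   $p -> $f"; fi
    done
    # The private key must not be readable by group (040) or others (004).
    key=$(cfg_get "$dump" AUTH_SSL_SERVER_KEYFILE)
    if [ -n "$key" ] && [ -e "$key" ] &&
       [ -n "$(find "$key" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "FAIL AUTH_SSL_SERVER_KEYFILE: $key is readable by group/other"; rc=1
    fi
    # Assumption: CADIR is an OpenSSL CApath, so CAs are found only via
    # hash-named files (xxxxxxxx.0) like those in /etc/grid-security/certificates.
    cadir=$(cfg_get "$dump" AUTH_SSL_SERVER_CADIR)
    if [ -n "$cadir" ]; then
        if [ ! -d "$cadir" ]; then
            echo "FAIL AUTH_SSL_SERVER_CADIR: $cadir is not a directory"; rc=1
        elif ! ls "$cadir" | grep -q '^[0-9a-f]\{8\}\.[0-9]$'; then
            echo "WARN AUTH_SSL_SERVER_CADIR: $cadir has no hash-named (xxxxxxxx.N) CA files"
        else echo "OK   AUTH_SSL_SERVER_CADIR -> $cadir"; fi
    fi
    return $rc
}

# Build a constructed fixture tree under a temp dir, run the checker against a
# dump that mirrors the thread's layout, and return the checker's status.
# KEYMODE lets the caller simulate a correctly (600) or badly (644) protected key.
demo() {  # usage: demo KEYMODE
    t=$(mktemp -d) || return 2
    mkdir -p "$t/certs" "$t/private" "$t/grid-ca"
    echo "PLACEHOLDER-CA-BUNDLE" > "$t/certs/ca-bundle.crt"
    echo "PLACEHOLDER-HOST-CERT" > "$t/certs/localhost.crt"
    echo "PLACEHOLDER-HOST-KEY"  > "$t/private/localhost.key"
    chmod "$1" "$t/private/localhost.key"
    echo "PLACEHOLDER-SITE-CA" > "$t/grid-ca/a1b2c3d4.0"   # constructed hash-style name
    dump="# Configuration from machine: example.invalid
# Parameters with names that match AUTH_SSL:
AUTH_SSL_CLIENT_CAFILE = $t/certs/ca-bundle.crt
AUTH_SSL_SERVER_CAFILE = $t/certs/ca-bundle.crt
AUTH_SSL_SERVER_CERTFILE = $t/certs/localhost.crt
AUTH_SSL_SERVER_KEYFILE = $t/private/localhost.key
AUTH_SSL_SERVER_CADIR = $t/grid-ca"
    if check_auth_ssl "$dump"; then rc=0; else rc=$?; fi
    rm -rf "$t"
    return $rc
}

demo 600 && echo "== key mode 600: configuration passed"
demo 644 || echo "== key mode 644: configuration rejected (key readable by group/other)"
```

On a real host the same check runs against the live configuration with `check_auth_ssl "$(condor_config_val -dump AUTH_SSL)"`. The permission and CADIR checks are deliberately file-system only; confirming that the server certificate actually chains to the CAFILE or CADIR is a separate `openssl verify` step against real PEM files.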