opensciencegrid / xcache

Settings and configurations for an XRootD Caching Proxy
https://opensciencegrid.org/docs/data/stashcache/install-cache/
Apache License 2.0

Advertise to the central collector via SSL (SOFTWARE-3940) #82

Closed brianhlin closed 4 years ago

brianhlin commented 4 years ago

Tested this on some Fermicloud VMs along with https://github.com/htcondor/htcondor-ce/pull/300 with both HTCondor 8.8 and 8.9 installed on the stash-cache host.

I'm on the fence about setting the AUTH_SSL_* variables to use /etc/grid-security because it'd be nice to use standard cert locations but it's annoying for users to have to set these vars manually if they don't have non-GSI certs.

djw8605 commented 4 years ago

Eh, what are standard cert locations? Letsencrypt puts things in /etc/letsencrypt/live/...

brianhlin commented 4 years ago

The OS location, /etc/pki/tls:

[root@fermicloud052 ~]# condor_config_val -dump AUTH_SSL
# Configuration from machine: fermicloud052.fnal.gov

# Parameters with names that match AUTH_SSL:
AUTH_SSL_CLIENT_CAFILE = /etc/pki/tls/certs/ca-bundle.crt
AUTH_SSL_SERVER_CAFILE = /etc/pki/tls/certs/ca-bundle.crt
AUTH_SSL_SERVER_CERTFILE = /etc/pki/tls/certs/localhost.crt
AUTH_SSL_SERVER_KEYFILE = /etc/pki/tls/private/localhost.key

djw8605 commented 4 years ago

Looks good to me. If a site uses a non-OSG-CA distributed certificate, how do we configure the collector to trust it?

brianhlin commented 4 years ago

You can also specify AUTH_SSL_SERVER_CADIR = /etc/grid-security/certificates, but I have to verify that it actually works alongside AUTH_SSL_SERVER_CAFILE.
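The open question in the comment above is whether a CA directory and a CA bundle file are honoured together. The two trust sources map onto what `openssl verify` reads as `-CAfile` and `-CApath`, so the OpenSSL side of that question can be exercised on any host without touching the collector. The script below is an added example, not code from this PR or from the xcache project: it generates throwaway CAs and a host certificate under a temp directory, lays the site CA out in the hashed `<subject-hash>.0` layout that `/etc/grid-security/certificates` uses, and checks the host certificate against bundle-only, directory-only and neither. The CA subjects, the host name `cache.example.org` and the file names are all made up for the example.

```shell
#!/bin/sh
# Added example, not part of the xcache project or this PR: exercise a CA bundle
# file and a hashed CA directory (the two trust sources behind
# AUTH_SSL_SERVER_CAFILE and AUTH_SSL_SERVER_CADIR) with openssl verify.
# Every certificate below is generated on the fly; all names are made up.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CADIR="$WORK/certificates"   # stands in for /etc/grid-security/certificates
EMPTYDIR="$WORK/empty"       # a CA directory that trusts nothing
mkdir -p "$CADIR" "$EMPTYDIR"

# Minimal req config so both throwaway CAs get basicConstraints CA:TRUE
# regardless of which openssl.cnf the host ships (verification rejects a v3
# root without it).
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Throwaway site CA: a CA that is not part of the OS bundle.
openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Site CA" \
  -keyout "$WORK/siteca.key" -out "$WORK/siteca.crt" >/dev/null 2>&1

# Unrelated throwaway CA standing in for /etc/pki/tls/certs/ca-bundle.crt.
openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example OS Bundle CA" \
  -keyout "$WORK/osca.key" -out "$WORK/os-bundle.crt" >/dev/null 2>&1

# Host certificate for the cache, issued by the site CA (the localhost.crt role).
openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
  -subj "/CN=cache.example.org" \
  -keyout "$WORK/host.key" -out "$WORK/host.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/host.csr" \
  -CA "$WORK/siteca.crt" -CAkey "$WORK/siteca.key" -CAcreateserial \
  -out "$WORK/host.crt" >/dev/null 2>&1

# Lay the site CA out the way c_rehash does, as <subject-hash>.0, so a
# -CApath style lookup (what a CADIR setting relies on) can find it.
cp "$WORK/siteca.crt" "$CADIR/$(openssl x509 -noout -hash -in "$WORK/siteca.crt").0"

# verify_host BUNDLE DIR: exit 0 when host.crt chains to a CA in either source.
verify_host() {
  openssl verify -CAfile "$1" -CApath "$2" "$WORK/host.crt" >/dev/null 2>&1
}

# Three situations a site can end up in.
trusted_via_file() { verify_host "$WORK/siteca.crt"    "$EMPTYDIR"; }  # CA only in the bundle
trusted_via_dir()  { verify_host "$WORK/os-bundle.crt" "$CADIR";    }  # CA only in the directory
trusted_nowhere()  { verify_host "$WORK/os-bundle.crt" "$EMPTYDIR"; }  # CA in neither

for check in trusted_via_file trusted_via_dir trusted_nowhere; do
  if "$check"; then
    echo "$check: host cert verifies"
  else
    echo "$check: verification fails"
  fi
done
```

The first two checks pass and the third fails, which is what you want from a store that merges the bundle and the directory: a site whose CA lives only under the certificates directory still verifies when an OS bundle is configured alongside it. This shows only that OpenSSL's own store accepts both sources together; whether the collector passes both `AUTH_SSL_SERVER_CAFILE` and `AUTH_SSL_SERVER_CADIR` through is the part the comment above says still needs checking on a real HTCondor install.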

brianhlin commented 4 years ago

@djw8605 @bbockelm now that htcondor/htcondor-ce#300 has been merged, can one of you take a look at this again?