Hi,
I run a small cluster of 4 machines as a non-root user.
After upgrading to 9.0.9 I've been trying to get "condor_status" to work for a couple of days now. I haven't even tried multiple machines, but it's been to no avail; maybe someone here can help.
Relevant portion of condor_config:

AUTH_SSL_SERVER_CAFILE = /home/frankie/certs/ca_cert.crt
AUTH_SSL_SERVER_CERTFILE = /home/frankie/certs/condor.crt
AUTH_SSL_SERVER_KEYFILE = /home/frankie/certs/condor.key
AUTH_SSL_CLIENT_CAFILE = /home/frankie/certs/ca_cert.crt
AUTH_SSL_CLIENT_CERTFILE = /home/frankie/certs/condor.crt
AUTH_SSL_CLIENT_KEYFILE = /home/frankie/certs/condor.key
SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS = SSL
SEC_DAEMON_AUTHENTICATION = REQUIRED
SEC_DAEMON_AUTHENTICATION_METHODS = SSL
SEC_DAEMON_INTEGRITY = REQUIRE
SEC_DAEMON_ENCRYPTION = REQUIRED
ALLOW_READ = frankie@*
ALLOW_WRITE = frankie@*
ALLOW_ADMINISTRATOR = frankie@*
ALLOW_CONDIG = frankie@*
ALLOW_NEGOTIATOR = frankie@*
ALLOW_DAEMON = frankie@*
CERTIFICATE_MAPFILE = /home/frankie/certs/condor_mapfile

I have just this one entry on the mapfile:
If I do a "condor_q -debug" everything goes ok:

02/24/22 01:52:48 (fd:4) (pid:37179) (D_SECURITY) SSL authentication succeeded to /C=UK/L=London/CN=Example Condor/emailAddress=frankie@xxxxxxxxxxx
02/24/22 01:52:48 (fd:4) (pid:37179) (D_SECURITY) Authentication was a Success.
02/24/22 01:52:48 (fd:4) (pid:37179) (D_SECURITY) AUTHENTICATION: setting default map to ssl@unmapped
02/24/22 01:52:48 (fd:4) (pid:37179) (D_SECURITY) AUTHENTICATION: Parsing map file.
02/24/22 01:52:48 (fd:4) (pid:37179) (D_SECURITY) AUTHENTICATION: post-map: current FQU is 'frankie@xxxxxxxxxxxxxxxxx'
(...)
Total for query: 0 jobs; 0 completed, 0 removed, 0 idle, 0 running, 0 held, 0 suspended

If I do a "condor_status -debug" it fails with this:

02/24/22 01:54:17 (fd:4) (pid:37183) (D_SECURITY) Client trying post connection check.
02/24/22 01:54:17 (fd:4) (pid:37183) (D_SECURITY) SSL Auth: post_connection_check.
02/24/22 01:54:17 (fd:4) (pid:37183) (D_SECURITY) SSL_get_peer_certificate returned data.
02/24/22 01:54:17 (fd:4) (pid:37183) (D_SECURITY) No SSL host name specified.
02/24/22 01:54:17 (fd:4) (pid:37183) (D_SECURITY) SSL Auth: Error on check of peer certificate
02/24/22 01:54:17 (fd:4) (pid:37183) (D_SECURITY) SSL Auth: application verification failure
02/24/22 01:54:17 (fd:4) (pid:37183) (D_SECURITY) Client performs one last exchange of messages.
02/24/22 01:54:17 (fd:4) (pid:37183) (D_SECURITY) SSL Auth: SSL Authentication failed
(...)
Error: communication error
AUTHENTICATE:1003:Failed to authenticate with any method
AUTHENTICATE:1004:Failed to authenticate using SSL

I followed these directives to create the .crt files. The condor.crt file has this info:

Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = UK, L = London, CN = Example Condor
        Validity
            Not Before: Feb 23 23:41:18 2022 GMT
            Not After : Feb 21 23:41:18 2032 GMT
        Subject: C = UK, L = London, CN = Example Condor, emailAddress = frankie@xxxxxxxxxxx
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
        (...)
            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:box-1, DNS:box-1.example.com, IP Address:192.168.5.121
    Signature Algorithm: sha256WithRSAEncryption

I've tried, but can't figure out if it's something I'm messing up on the SSL side or on the condor side.
Following the message "No SSL host name specified." we can trace the function here:

    if (fqdn.empty()) {
        dprintf(D_SECURITY, "No SSL host name specified.\n");
        goto err_occured;
    }

But it still leaves me empty-handed.
Can anyone spot what I'm doing wrong?
Many thanks,
Frankie
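Added example (not part of the original post and not HTCondor's own code): a simplified model of the post-connection check quoted above. The client compares the host name it expects to be talking to against the peer certificate's Subject Alternative Name entries; if it has no expected host name at all, the check fails before any entry is looked at, which is the branch the "No SSL host name specified." log line comes from. The SAN list is constructed from the certificate dump in the post; the hostname-matching rules are a generic DNS-ID/IP-ID comparison, an assumption rather than HTCondor's exact implementation.

```python
import ipaddress

# Constructed from the SAN extension of condor.crt shown in the post above.
CONDOR_CRT_SAN = [
    ("DNS", "localhost"),
    ("DNS", "box-1"),
    ("DNS", "box-1.example.com"),
    ("IP Address", "192.168.5.121"),
]


def _dns_id_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-ID match; '*.' may stand in for exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def post_connection_check(san_entries, fqdn: str):
    """Model of the post-connection check: returns (ok, reason).

    `fqdn` is the host name the client believes it connected to. With no
    such name there is nothing to compare the certificate against, so the
    check fails first, mirroring the `fqdn.empty()` branch in the C snippet.
    """
    if not fqdn:
        return False, "No SSL host name specified."
    try:
        wanted_ip = ipaddress.ip_address(fqdn)  # client connected by address
    except ValueError:
        wanted_ip = None                         # client connected by name
    for kind, value in san_entries:
        if kind == "DNS" and wanted_ip is None and _dns_id_matches(value, fqdn):
            return True, f"matched DNS:{value}"
        if kind == "IP Address" and wanted_ip is not None \
                and ipaddress.ip_address(value) == wanted_ip:
            return True, f"matched IP Address:{value}"
    return False, f"no SAN entry matches {fqdn!r}"


if __name__ == "__main__":
    for name in ["", "box-1.example.com", "192.168.5.121", "box-2.example.com"]:
        print(repr(name), post_connection_check(CONDOR_CRT_SAN, name))
```

Running it shows the empty-name case failing with the same message as the debug log, while a name or address present in the SAN passes and an unlisted one is rejected.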