Hello All,
the certificate of our HTCondor CE will expire soon, and for
reasons out of my control the new certificate has a DN different from the one
presently used (the OU=... part is missing).
After installing the new certificate errors start appearing (and disappear if
I return to the old certificate).
The new certificate looks ok, permissions, owners, file names and locations
are exactly as before.
I did not find any configuration item containing the certificate DN and thus
have no idea about what else should be changed to get things right.
Could you give some hints about this?
Thanks:
Csaba
Error example from SchedLog:
07/07/23 21:52:07 (D_SECURITY) DaemonCommandProtocol: Not enough bytes are ready for read.
07/07/23 21:52:07 (D_SECURITY) DC_AUTHENTICATE: received DC_AUTHENTICATE from <169.228.38.43:18657>
07/07/23 21:52:07 (D_SECURITY) DC_AUTHENTICATE: generating AES-GCM key for session grid108:1557:1688759527:708...
07/07/23 21:52:07 (D_SECURITY) SECMAN: new session, doing initial authentication.
07/07/23 21:52:07 (D_SECURITY) Returning to DC while we wait for socket to authenticate.
07/07/23 21:52:07 (D_SECURITY) AUTHENTICATE: setting timeout for (unknown) to 20.
07/07/23 21:52:07 (D_SECURITY) HANDSHAKE: in handshake(my_methods = 'SCITOKENS')
07/07/23 21:52:07 (D_SECURITY) HANDSHAKE: handshake() - i am the server
07/07/23 21:52:07 (D_SECURITY) HANDSHAKE: client sent (methods == 4096)
07/07/23 21:52:07 (D_SECURITY) HANDSHAKE: i picked (method == 4096)
07/07/23 21:52:07 (D_SECURITY) HANDSHAKE: client received (method == 4096)
07/07/23 21:52:07 (D_SECURITY) CADIR: '/etc/grid-security/certificates'
07/07/23 21:52:07 (D_SECURITY) CERTFILE: '/etc/grid-security/hostcert.pem'
07/07/23 21:52:07 (D_SECURITY) KEYFILE: '/etc/grid-security/hostkey.pem'
07/07/23 21:52:07 (D_SECURITY) CIPHERLIST: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'
07/07/23 21:52:07 (D_SECURITY) SSL Auth: Error loading private key from file
07/07/23 21:52:07 (D_SECURITY) SSL Auth: Error initializing server security context
07/07/23 21:52:07 (D_SECURITY) SSL Auth: Error creating SSL context
07/07/23 21:52:07 (D_SECURITY) Will return to DC because authentication is incomplete.
07/07/23 21:52:07 (D_SECURITY) SSL Auth: SSL Authentication fails; client status is 0; server status is -1; terminating
07/07/23 21:52:07 (D_SECURITY) AUTHENTICATE: method 4096 (SCITOKENS) failed.
07/07/23 21:52:07 (D_SECURITY) HANDSHAKE: in handshake(my_methods = 'SCITOKENS')
07/07/23 21:52:07 (D_SECURITY) HANDSHAKE: handshake() - i am the server
07/07/23 21:52:07 (D_SECURITY) HANDSHAKE: client sent (methods == 0)
07/07/23 21:52:07 (D_SECURITY) HANDSHAKE: i picked (method == 0)
07/07/23 21:52:07 (D_SECURITY) HANDSHAKE: client received (method == 0)
07/07/23 21:52:07 (cid:55592) (D_AUDIT) Command=QMGMT_WRITE_CMD, peer=<169.228.38.43:18657>
07/07/23 21:52:07 (cid:55592) (D_AUDIT) Authentication Failed, MethodsTried=SCITOKENS
07/07/23 21:52:07 (D_ALWAYS) DC_AUTHENTICATE: authentication of <169.228.38.43:18657> did not result in a valid mapped user name, which is required for this command (1112 QMGMT_WRITE_CMD), so aborting.
07/07/23 21:52:07 (D_ALWAYS) DC_AUTHENTICATE: reason for authentication failure: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using SCITOKENS
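The first failing line in the log above is "SSL Auth: Error loading private key from file", which is raised before any DN mapping happens, so a practical first check when swapping a host certificate is to confirm that the new hostcert.pem and hostkey.pem actually belong together and to print the subject DN that the daemon will present. The script below is an added example, not code from the original post or from HTCondor; it uses only the openssl command line, and the self-signed certificate and key it generates in a temporary directory are constructed for the demonstration (the file names hostkey.pem, hostcert.pem and the sample subject are placeholders, not values from the post).

```shell
#!/bin/sh
# Added example (not from the original post): check that a host certificate
# and a private key belong together, and show the certificate's subject DN.
# Requires the openssl CLI.
set -u

# Print the subject DN of a PEM-encoded certificate.
cert_dn() {
    openssl x509 -in "$1" -noout -subject
}

# Return 0 when the public key embedded in CERT equals the public key derived
# from KEY, 1 otherwise. Comparing SubjectPublicKeyInfo blobs (instead of RSA
# moduli) makes the check work for EC keys as well as RSA keys. A key file that
# cannot be parsed at all also yields 1, which is the "Error loading private
# key from file" situation from the log.
check_keypair() {
    cert="$1"; key="$2"
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cpub" = "$kpub" ]
}

# Demonstration on throwaway, self-signed material generated in a temp dir
# (constructed here; on a real CE the inputs would be
# /etc/grid-security/hostcert.pem and /etc/grid-security/hostkey.pem).
demo() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$tmp/hostkey.pem" -out "$tmp/hostcert.pem" \
        -subj "/DC=example/OU=Site/CN=grid108.example.org" >/dev/null 2>&1
    # An unrelated key, to show what a mismatched hostkey.pem looks like.
    openssl genpkey -algorithm RSA -out "$tmp/otherkey.pem" >/dev/null 2>&1

    cert_dn "$tmp/hostcert.pem"
    if check_keypair "$tmp/hostcert.pem" "$tmp/hostkey.pem"; then
        echo "hostcert.pem / hostkey.pem: matching pair"
    fi
    if ! check_keypair "$tmp/hostcert.pem" "$tmp/otherkey.pem"; then
        echo "hostcert.pem / otherkey.pem: key does NOT match certificate"
    fi
    rm -rf "$tmp"
}

demo
```

Run it as `sh check_hostcert.sh`; to check real files, call `check_keypair /etc/grid-security/hostcert.pem /etc/grid-security/hostkey.pem` and `cert_dn /etc/grid-security/hostcert.pem` from a shell that has sourced the two functions. A non-zero exit from check_keypair means the daemon will not be able to build its SSL context from those two files regardless of what the DN says.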