The scheduler log I see,

Condor_Crypy_AESGCM::decrypt: ERROR: input was too small
IO: Failed to unwrap the packet
Response problem from startd when requesting claim ....

On Fri, Jun 23, 2023 at 11:19 AM Rita <rmorgan466@xxxxxxxxx> wrote:

Thanks for your responses. I got the instructions from here: https://wasteofserver.com/htcondor-install-and-configure-as-non-root/

I can't use ID tokens because my Central server is running 8.x and I don't think I can upgrade that now as we have many users and jobs. I am setting up a new execute node, which is 10.x.

I added AUTH_SSL_SERVER_{CAFILE,CERTFILE,KEYFILE} in both server (collector) and client (new server, running 10.x)

I enabled debugging. Seems that works...

Now, however when I condor_submit and in my requirement file I have a requirement for the new host.

On Fri, Jun 23, 2023 at 9:31 AM Bockelman, Brian <BBockelman@xxxxxxxxxxxxx> wrote:

Hi Rita,
A few thoughts:
1. You can increase the log level. e.g., ALL_DEBUG=D_SECURITY:2 is where I usually start.
2. HTCondor sets the server and client settings separately. You probably need an AUTH_SSL_SERVER_* equivalent to the client settings below.
3. Your "openssl req" command looks valid for a self-signed certificate but it's not clear if you're setting the CA bits as well. I'm unsure if this will cause errors (never tried that approach personally).
4. Once the certificate *authenticates*, you may need to map it to an identity (such as "condor@xxxxxxxxxxxx") and adjust ALLOW_* settings.

The setup can certainly be made to work -- but some of the other techniques (particularly, IDTOKENS) might be simpler to set up if that's a concern of yours.
Brian
On Jun 23, 2023, at 7:50 AM, Rita <rmorgan466@xxxxxxxxx> wrote:
I will go with 10.x. I will use ssl authentication. I generate my certs/keys like this.
openssl req -x509 -newkey rsa:1024 -sha256 -days 365 -nodes -keyout node.key -out node.crt -subj '/CN=condor pool'
I then copy the node.key and node.crt to all my nodes. I then put

AUTH_SSL_CLIENT_CAFILE = /usr/local/condor/node.crt
AUTH_SSL_CLIENT_CERTFILE = /usr/local/condor/node.crt
AUTH_SSL_CLIENT_KEYFILE = /usr/local/condor/node.key

I believe this should work. However, I am getting Failed to authenticate using SSL. Is there a way to get more verbose messages?
On Mon, Apr 24, 2023 at 2:51 PM Greg Thain via HTCondor-users <htcondor-users@xxxxxxxxxxx> wrote:
On 4/19/2023 4:20 PM, Rita wrote:
> even if I run 8.8 on both collector and startd node I get this. I
> don't understand.
>
Hi Rita:
Would it be possible to upgrade both sides to 10.x? 8.8 hasn't been
supported for a while, and I don't think that it had IDTokens support.
-greg
_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/
--
--- Get your facts first, then you can distort them as you please.--
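Added example, not part of the thread and not HTCondor's own tooling: point 3 of Brian's reply asks whether the self-signed certificate has its CA bits set. The script below builds a CA with the CA bit set explicitly, signs a per-host certificate with it, and provides checks for the CA bit, the chain and the key/certificate match. The 2048-bit keys, the per-host key, and all file names, subjects and host names are choices of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). File names, subjects and the host name
# are constructed. Requires the openssl CLI.

# make_pool_ca DIR: self-signed CA whose CA bit is set explicitly, using a
# private config so the result does not depend on the system openssl.cnf.
make_pool_ca() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = example pool CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -sha256 -days 365 \
        -nodes -keyout "$1/ca.key" -out "$1/ca.crt"
}

# make_host_cert DIR HOST: per-host key and a leaf certificate signed by the CA.
make_host_cert() {
    printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" \
        > "$1/$2.ext"
    openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$1/$2.ext" -out "$1/$2.crt"
}

# has_ca_bit CERT: succeeds only if Basic Constraints says CA:TRUE.
has_ca_bit() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# chain_ok CAFILE CERT: succeeds only if CERT verifies against CAFILE.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# key_matches CERT KEY: succeeds only if KEY is the private key for CERT.
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}
```

Under this layout the CAFILE settings named in the thread would point at ca.crt and the CERTFILE/KEYFILE settings at the host's own pair, so ca.key stays on the machine that signs.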