Re: [HTCondor-users] refreshGSIProxy stopped working

[Cole Bollig <cabollig@xxxxxxxx>]

Hi Stefano,

Also, I opened the following ticket to address the blatant issues with the python API function that you pointed out.

https://opensciencegrid.atlassian.net/browse/HTCONDOR-3503

Cheers,

Cole Bollig

---

From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Stefano Belforte via HTCondor-users <htcondor-users@xxxxxxxxxxx>
Sent: Wednesday, January 14, 2026 1:54 PM
To: Jaime Frey <jfrey@xxxxxxxxxxx>
Cc: Stefano Belforte <stefano.belforte@xxxxxxx>; cms-service-crab-operators (Operators of CMS CRAB service) <cms-service-crab-operators@xxxxxxx>; HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] refreshGSIProxy stopped working

 

thanks again Jaime. What you just wrote matches my memory. But we did not
thought it worth reporting since submission to 25.3.0 AP's solved.
For historical reasons our current server is built on top of python 3.8 debian image
which has 
`OpenSSL 1.1.1n  15 Mar 2022 (Library: OpenSSL 1.1.1w  11 Sep 2023)`
But we are looking into moving to alma9 image for other reasons.  So if you think
of looking at OpenSSL 1.1 vs. htcondor, do not do it for us !

Of course we'd love to complete the move to v2 API.

Stefano

On 14/01/2026 19:18, Jaime Frey wrote:

The important versions are the OpenSSL version of the sender and the HTCondor version of the receiver.

The receiver creates a Certificate Signing Request (CSR) that the sender signs with the proxy’s key. Older HTCondor versions set the parameters of the CSR in a way that newer OpenSSL versions refuse to sign. So Stefano is correct that this bug shouldn’t trigger if the submitter has an older OpenSSL.

If your submitter has an older OpenSSL, that suggests there may be another bug that we need to investigate once we fix the bugs you encountered in the v2 bindings.

 - Jaime