rucio: More information in "server certificate expired" output
https://github.com/rucio/rucio/blob/63823eceebe68294c98364884a33172d14591da9/bin/rucio#L284
Would it be possible to include the literal server DN(/CA) string in the error given when a server-side certificate failure is detected? This would be much more useful than the generic string “The server certificate expired.”, especially when it may not be the case that the server certificate has expired. We experienced a problem with refreshing and accessing CRL and related signing files, and while the server certificate and chain remained valid, clients saw the following:
2021-11-18 01:57:16,518 ERROR Cannot authenticate. Details: HTTPSConnectionPool(host='{rucio_server}', port=443): Max retries exceeded with url: /auth/x509_proxy (Caused by SSLError(SSLError(1, u'[SSL: SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:661)'),))
2021-11-18 01:57:16,522 ERROR The server certificate expired.
Since we saw nothing wrong on the server side, had this output been more descriptive, we might have been able to solve the issue in a fraction of the time.
Thanks!
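As an added illustration of the kind of diagnostic the report asks for (example code, not part of the issue or of Rucio's client), the following helper inspects the OpenSSL reason code inside a urllib3/requests error string and says which side rejected which certificate. The reason `SSLV3_ALERT_CERTIFICATE_EXPIRED` is a TLS alert received from the peer, i.e. the server refused the certificate the client presented, which is a different situation from the client's own verification of the server certificate failing (`CERTIFICATE_VERIFY_FAILED`). The sample strings are constructed from the log line quoted above and keep the reporter's `{rucio_server}` placeholder; the hint texts are this example's own wording.

```python
import re

# Constructed sample input: the client-side log line quoted in the issue,
# with the reporter's {rucio_server} placeholder left as-is.
SAMPLE_PEER_ALERT = (
    "HTTPSConnectionPool(host='{rucio_server}', port=443): Max retries exceeded "
    "with url: /auth/x509_proxy (Caused by SSLError(SSLError(1, u'[SSL: "
    "SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:661)'),))"
)

# Constructed sample of the other direction: the client's own verification of the
# server certificate failed. This is the case the text "The server certificate
# expired." actually describes.
SAMPLE_LOCAL_FAILURE = (
    "HTTPSConnectionPool(host='{rucio_server}', port=443): Max retries exceeded "
    "with url: /auth/x509_proxy (Caused by SSLError(SSLError(1, '[SSL: "
    "CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired "
    "(_ssl.c:1129)'),))"
)

# OpenSSL reason codes containing "_ALERT_" are TLS alerts received *from the peer*:
# the server refused something the client sent, typically its certificate chain.
# The hint strings are this example's wording (assumption, not Rucio's).
PEER_ALERT_HINTS = {
    "SSLV3_ALERT_CERTIFICATE_EXPIRED":
        "the server reported our certificate as expired; check the client/proxy "
        "certificate's validity dates and the freshness of the CRLs the server validates against",
    "SSLV3_ALERT_CERTIFICATE_REVOKED":
        "the server found our certificate (or an issuer) in a CRL it loaded",
    "TLSV1_ALERT_UNKNOWN_CA":
        "the server does not trust the CA that issued our certificate",
    "SSLV3_ALERT_BAD_CERTIFICATE":
        "the server could not parse or validate our certificate chain",
}

# Reason codes produced by *our own* verification of the server's certificate.
LOCAL_FAILURE_HINTS = {
    "CERTIFICATE_VERIFY_FAILED":
        "our verification of the server certificate failed; check the server "
        "certificate's dates and chain against the local CA bundle",
}

REASON_RE = re.compile(r"\[SSL: ([A-Z0-9_]+)\]")
HOST_RE = re.compile(r"host='([^']*)'(?:, port=(\d+))?")


def extract_reason(text):
    """Return the OpenSSL reason code embedded in the error text, or None."""
    m = REASON_RE.search(text)
    return m.group(1) if m else None


def extract_endpoint(text):
    """Return (host, port) as urllib3 printed them, or None if absent."""
    m = HOST_RE.search(text)
    if not m:
        return None
    return (m.group(1), int(m.group(2)) if m.group(2) else None)


def classify_ssl_error(text):
    """Decide whether the peer or the local verifier rejected a certificate."""
    reason = extract_reason(text)
    endpoint = extract_endpoint(text)
    if reason in PEER_ALERT_HINTS:
        side, hint = "peer", PEER_ALERT_HINTS[reason]
    elif reason in LOCAL_FAILURE_HINTS:
        side, hint = "local", LOCAL_FAILURE_HINTS[reason]
    elif reason and "_ALERT_" in reason:
        side, hint = "peer", "the server sent a TLS alert; inspect the server-side TLS logs"
    else:
        side, hint = "unknown", "unrecognised TLS failure; keep the raw OpenSSL reason in the log"
    return {"reason": reason, "side": side, "endpoint": endpoint, "hint": hint}


def describe_ssl_error(text):
    """Build a log message that names the endpoint, the side and the raw reason."""
    info = classify_ssl_error(text)
    host, port = info["endpoint"] or ("<unknown host>", None)
    where = host if port is None else "%s:%d" % (host, port)
    who = {"peer": "rejected by server", "local": "rejected by client",
           "unknown": "TLS failure"}[info["side"]]
    return "Cannot authenticate to %s: %s (%s): %s" % (
        where, who, info["reason"] or "no OpenSSL reason", info["hint"])


if __name__ == "__main__":
    print(describe_ssl_error(SAMPLE_PEER_ALERT))
    print(describe_ssl_error(SAMPLE_LOCAL_FAILURE))
```

In a real client the same classification can be done on `ssl.SSLError.reason` before the exception is wrapped by the HTTP library, which avoids the regex over the rendered message; the string form is used here only so the example runs on the quoted log line.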
About this issue
- State: closed
- Created 3 years ago
- Comments: 24 (11 by maintainers)
Outside of Rucio (or directly related as dependencies), this seems due to some sync or conflict involving OpenSSL, NSS, CRLs, and httpd. If we ensure httpd is always restarted immediately after a CRL refresh, the problem is not seen. For completeness, the other variant here from ATLAS is B2 deals with a custom DIRAC component for auth, but that may not be related.
@deesto You’re totally right, the error message is misleading. I will act on that once I am able to reproduce the error, for which the debug output would definitely be helpful.
I don’t know how to properly write this, but let’s hope that your client crashes again? 😄