
[HTCondor-users] Change of certificate DN on HTCondor CE




Hello All,
the certificate of our HTCondor CE will expire soon, and for reasons out of my control the new certificate has a DN different from the one presently used (the OU=... part is missing).

After installing the new certificate, errors start appearing (and disappear if I return to the old certificate).

The new certificate looks OK; permissions, owners, file names and locations are exactly as before.

I did not find any configuration item containing the certificate DN and thus have no idea about what else should be changed to get things right.

Could you give some hints about this?

Thanks:
          Csaba



Error example from SchedLog:

07/07/23 21:52:07 (D_SECURITY) DaemonCommandProtocol: Not enough bytes are ready for read.
07/07/23 21:52:07 (D_SECURITY) DC_AUTHENTICATE: received DC_AUTHENTICATE from <169.228.38.43:18657>
07/07/23 21:52:07 (D_SECURITY) DC_AUTHENTICATE: generating AES-GCM key for session grid108:1557:1688759527:708...
07/07/23 21:52:07 (D_SECURITY) SECMAN: new session, doing initial authentication.
07/07/23 21:52:07 (D_SECURITY) Returning to DC while we wait for socket to authenticate.
07/07/23 21:52:07 (D_SECURITY) AUTHENTICATE: setting timeout for (unknown) to 20.
07/07/23 21:52:07 (D_SECURITY) HANDSHAKE: in handshake(my_methods = 'SCITOKENS')
07/07/23 21:52:07 (D_SECURITY) HANDSHAKE: handshake() - i am the server
07/07/23 21:52:07 (D_SECURITY) HANDSHAKE: client sent (methods == 4096)
07/07/23 21:52:07 (D_SECURITY) HANDSHAKE: i picked (method == 4096)
07/07/23 21:52:07 (D_SECURITY) HANDSHAKE: client received (method == 4096)
07/07/23 21:52:07 (D_SECURITY) CADIR:      '/etc/grid-security/certificates'
07/07/23 21:52:07 (D_SECURITY) CERTFILE:   '/etc/grid-security/hostcert.pem'
07/07/23 21:52:07 (D_SECURITY) KEYFILE:    '/etc/grid-security/hostkey.pem'
07/07/23 21:52:07 (D_SECURITY) CIPHERLIST: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'
07/07/23 21:52:07 (D_SECURITY) SSL Auth: Error loading private key from file
07/07/23 21:52:07 (D_SECURITY) SSL Auth: Error initializing server security context
07/07/23 21:52:07 (D_SECURITY) SSL Auth: Error creating SSL context
07/07/23 21:52:07 (D_SECURITY) Will return to DC because authentication is incomplete.
07/07/23 21:52:07 (D_SECURITY) SSL Auth: SSL Authentication fails; client status is 0; server status is -1; terminating
07/07/23 21:52:07 (D_SECURITY) AUTHENTICATE: method 4096 (SCITOKENS) failed.
07/07/23 21:52:07 (D_SECURITY) HANDSHAKE: in handshake(my_methods = 'SCITOKENS')
07/07/23 21:52:07 (D_SECURITY) HANDSHAKE: handshake() - i am the server
07/07/23 21:52:07 (D_SECURITY) HANDSHAKE: client sent (methods == 0)
07/07/23 21:52:07 (D_SECURITY) HANDSHAKE: i picked (method == 0)
07/07/23 21:52:07 (D_SECURITY) HANDSHAKE: client received (method == 0)
07/07/23 21:52:07 (cid:55592) (D_AUDIT) Command=QMGMT_WRITE_CMD, peer=<169.228.38.43:18657>
07/07/23 21:52:07 (cid:55592) (D_AUDIT) Authentication Failed, MethodsTried=SCITOKENS
07/07/23 21:52:07 (D_ALWAYS) DC_AUTHENTICATE: authentication of <169.228.38.43:18657> did not result in a valid mapped user name, which is required for this command (1112 QMGMT_WRITE_CMD), so aborting.
07/07/23 21:52:07 (D_ALWAYS) DC_AUTHENTICATE: reason for authentication failure: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using SCITOKENS
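
A triage helper for the SchedLog excerpt above, as an added example that is not part of the original post or of HTCondor's own tooling: it pairs each failed authentication method with the "SSL Auth: Error" lines and the certificate/key paths logged before it on the same connection. The function name, record fields and regular expressions are illustrative assumptions based only on the line format shown in the post.

```python
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) "
    r"(?:\(cid:\d+\) )?\((?P<cat>D_\w+)\) (?P<msg>.*)$"
)
PATH_RE = re.compile(r"^(CADIR|CERTFILE|KEYFILE):\s+'([^']*)'")
FAIL_RE = re.compile(r"^AUTHENTICATE: method \d+ \((\w+)\) failed")
PEER_RE = re.compile(r"received DC_AUTHENTICATE from <([^>]+)>")

# Sample input: a subset of the SchedLog lines quoted in the post.
SAMPLE = """\
07/07/23 21:52:07 (D_SECURITY) DC_AUTHENTICATE: received DC_AUTHENTICATE from <169.228.38.43:18657>
07/07/23 21:52:07 (D_SECURITY) HANDSHAKE: in handshake(my_methods = 'SCITOKENS')
07/07/23 21:52:07 (D_SECURITY) CERTFILE:   '/etc/grid-security/hostcert.pem'
07/07/23 21:52:07 (D_SECURITY) KEYFILE:    '/etc/grid-security/hostkey.pem'
07/07/23 21:52:07 (D_SECURITY) SSL Auth: Error loading private key from file
07/07/23 21:52:07 (D_SECURITY) SSL Auth: Error initializing server security context
07/07/23 21:52:07 (D_SECURITY) AUTHENTICATE: method 4096 (SCITOKENS) failed.
07/07/23 21:52:07 (cid:55592) (D_AUDIT) Authentication Failed, MethodsTried=SCITOKENS
"""

def triage(log_text):
    """Return one record per failed method with the errors logged before it."""
    findings, peer, paths, errors = [], None, {}, []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip wrapped or foreign lines
        msg = m["msg"]
        if p := PEER_RE.search(msg):
            peer, paths, errors = p[1], {}, []  # new connection: reset state
        elif p := PATH_RE.match(msg):
            paths[p[1]] = p[2]
        elif msg.startswith("SSL Auth: Error"):
            errors.append(msg[len("SSL Auth: "):])
        elif p := FAIL_RE.match(msg):
            findings.append({"time": m["ts"], "peer": peer, "method": p[1],
                             "first_error": errors[0] if errors else None,
                             "errors": errors, "paths": paths})
            errors = []  # later failures on this connection start clean
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['time']} {f['peer']} {f['method']} failed: {f['first_error']}")
        for name, path in f["paths"].items():
            print(f"  {name} = {path}")
```
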