Hi,
I run a small cluster of 4 machines as a non-root user.Â
Upgrading to 9.0.9 I've been tryingÂto get "condor_status" toÂwork for a couple of days now, I haven't even tried multi-machines, but it's been to noÂavail, maybe someone here can help.
Relevant portion of condor_config
AUTH_SSL_SERVER_CAFILE = Â /home/frankie/certs/ca_cert.crt
AUTH_SSL_SERVER_CERTFILE = /home/frankie/certs/condor.crt
AUTH_SSL_SERVER_KEYFILE = Â/home/frankie/certs/condor.key
AUTH_SSL_CLIENT_CAFILE = Â /home/frankie/certs/ca_cert.crt
AUTH_SSL_CLIENT_CERTFILE = /home/frankie/certs/condor.crt
AUTH_SSL_CLIENT_KEYFILE = Â/home/frankie/certs/condor.key
SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS = SSL
SEC_DAEMON_AUTHENTICATION = REQUIRED
SEC_DAEMON_AUTHENTICATION_METHODS = SSL
SEC_DAEMON_INTEGRITY = REQUIRE
SEC_DAEMON_ENCRYPTION = REQUIRED
ALLOW_READ Â Â Â Â Â= frankie@*
ALLOW_WRITE Â Â Â Â = frankie@*
ALLOW_ADMINISTRATOR = frankie@*
ALLOW_CONDIG Â Â Â Â= frankie@*
ALLOW_NEGOTIATOR Â Â= frankie@*
ALLOW_DAEMON Â Â Â Â= frankie@*
CERTIFICATE_MAPFILE = /home/frankie/certs/condor_mapfile
I have just this one entry on the mapfile:
If I do a "condor_q -debug" everything goes ok.
02/24/22 01:52:48 (fd:4) (pid:37179) (D_SECURITY) SSL authentication succeeded to /C=UK/L=London/CN=Example Condor/emailAddress=
frankie@xxxxxxxxxxx02/24/22 01:52:48 (fd:4) (pid:37179) (D_SECURITY) Authentication was a Success.
02/24/22 01:52:48 (fd:4) (pid:37179) (D_SECURITY) AUTHENTICATION: setting default map to ssl@unmapped
02/24/22 01:52:48 (fd:4) (pid:37179) (D_SECURITY) AUTHENTICATION: Parsing map file.
02/24/22 01:52:48 (fd:4) (pid:37179) (D_SECURITY) AUTHENTICATION: post-map: current FQU is '
frankie@xxxxxxxxxxxxxxxxx'
(...)
Total for query: 0 jobs; 0 completed, 0 removed, 0 idle, 0 running, 0 held, 0 suspended
If I do a "condor_status -debug" it fails with this:
02/24/22 01:54:17 (fd:4) (pid:37183) (D_SECURITY) Client trying post connection check.
02/24/22 01:54:17 (fd:4) (pid:37183) (D_SECURITY) SSL Auth: post_connection_check.
02/24/22 01:54:17 (fd:4) (pid:37183) (D_SECURITY) SSL_get_peer_certificate returned data.
02/24/22 01:54:17 (fd:4) (pid:37183) (D_SECURITY) No SSL host name specified.
02/24/22 01:54:17 (fd:4) (pid:37183) (D_SECURITY) SSL Auth: Error on check of peer certificate
02/24/22 01:54:17 (fd:4) (pid:37183) (D_SECURITY) SSL Auth: application verification failure
02/24/22 01:54:17 (fd:4) (pid:37183) (D_SECURITY) Client performs one last exchange of messages.
02/24/22 01:54:17 (fd:4) (pid:37183) (D_SECURITY) SSL Auth: SSL Authentication failed
(...)
Error: communication error
AUTHENTICATE:1003:Failed to authenticate with any method
AUTHENTICATE:1004:Failed to authenticate using SSL
I followed
these directivesÂto create the .crt files. The condor.crt file has this info:
Certificate:
  Data:
    Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C = UK, L = London, CN =Â
Example Condor
    Validity
      Not Before: Feb 23 23:41:18 2022 GMT
      Not After : Feb 21 23:41:18 2032 GMT
    Subject: C = UK, L = London, CN =Â
Example Condor, emailAddress =
frankie@xxxxxxxxxxx    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        RSA Public-Key: (2048 bit)
      (...)
      X509v3 Subject Alternative Name:
        DNS:localhost, DNS:box-1, DNS:
box-1.example.com, IP Address:192.168.5.121
  Signature Algorithm: sha256WithRSAEncryption
I've tried, but can't figure if it's something I'm messing on the SSL side or on condor side.
Following the message "No SSL host name specified." we can trace the function here:
if (fqdn.empty()) {
  dprintf(D_SECURITY, "No SSL host name specified.\n");
  goto err_occured;
}
But it still leaves me empty-handed.
Can anyone spot what I'm doing wrong?
Many thanks,
Frankie
![[Computer Systems Lab]](https://www-auth.cs.wisc.edu/pics/csl_logo.gif){kind=logo}