Prefer using system or CVMFS CA certs #4966
Conversation
Try to detect when we can use system certificates or those from CVMFS, and prefer them if possible. This should avoid situations where old O2 tags have expired certs pinned. Still fallback to the old behaviour, which is fine for CI and local development.
|
One weirdness I've run into is that old OpenSSL versions (1.0.2k, on CentOS 7) don't exit with an error status when the CA cert is expired, they only print an error message. This might have to be handled specially... |
| if [file isdirectory /cvmfs/alice.cern.ch/etc/grid-security/certificates] { | ||
| # Prefer current certs from CVMFS, if available. This avoids | ||
| # failures due to expired certs. | ||
| setenv X509_CERT_DIR /cvmfs/alice.cern.ch/etc/grid-security/certificates |
There was a problem hiding this comment.
Rather than an hardcoded single place, I would use the latest version of this package, so that we can still update the grid by simply bumping something in alidist and no "out of band" procedures are involved.
There was a problem hiding this comment.
I.e. something like ls \$::env(BASEDIR)/AliEn-CAs/ | tail -1...
|
Hi @TimoWilken Would be possible to take into account and honor X509_USER_CERT, X509_USER_KEY, X509_CERT_FILE, X509_CERT_DIR? Maybe, even check if X509_CERT_DIR, X509_CERT_FILE are set and if so, keep them? |
|
also, unrelated directly to this but could be worth mentioning, we do a lot of find rsync stuff .. wouldn't be easier to do this directly in alien-cas repository and then just point X509_CERT_DIR to that location? (and also as Giulio already suggested, by adding tags to alien-cas with the same name/ver as IGTF would be easier to manage versioning) |
Try to detect when we can use system certificates or those from CVMFS, and prefer them if possible. This should avoid situations where old O2 tags have expired certs pinned.
Still fallback to the old behaviour, which is fine for CI and local development.
Cc: @ktf @adriansev