Error with subjectAltName checks

[arrabito]

Dear all,

I've just installed 5 additional servers to our instance.

The admins provided us a unique host certificate for all of them but with many SubjectAlternativeName (SAN) entries, containing the diffrent DNS, i.e.:

# openssl x509 -in /etc/grid-security/hostcert.pem -noout -text
...
X509v3 Subject Alternative Name: 
                DNS:ctadirac-01.cscs.cta-observatory.org, DNS:cscs.cta-observatory.org, DNS:ctadirac-02.cscs.cta-observatory.org, DNS:ctadirac-03.cscs.cta-observatory.org, DNS:ctadirac-04.cscs.cta-observatory.org, DNS:ctadirac-05.cscs.cta-observatory.org
...

As far as I understood this is allowed in DIRAC.

Anyway, I've been able to install and run the slave CS on each of them, but I get an error when running the Framework_ComponentSupervisionAgent. On each host I get this kind of error:

Traceback (most recent call last):
  File "/opt/dirac/versions/v2.2.29-1703086468/Linux-x86_64/lib/python3.11/site-packages/DIRAC/Core/DISET/private/BaseClient.py", line 471, in _connect
    retVal = transport.initAsClient()
             ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/dirac/versions/v2.2.29-1703086468/Linux-x86_64/lib/python3.11/site-packages/DIRAC/Core/DISET/private/Transports/M2SSLTransport.py", line 141, in initAsClient
    self.oSocket.connect((host, port))
  File "/opt/dirac/versions/v2.2.29-1703086468/Linux-x86_64/lib/python3.11/site-packages/M2Crypto/SSL/Connection.py", line 330, in connect
    if not check(self.get_peer_cert(),
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/dirac/versions/v2.2.29-1703086468/Linux-x86_64/lib/python3.11/site-packages/M2Crypto/SSL/Checker.py", line 122, in __call__
    raise WrongHost(expectedHost=self.host,
M2Crypto.SSL.Checker.WrongHost: Peer certificate subjectAltName does not match host, expected ctadirac-01, got DNS:ctadirac-01.cscs.cta-observatory.org, DNS:cscs.cta-observatory.org, DNS:ctadirac-02.cscs.cta-observatory.org, DNS:ctadirac-03.cscs.cta-observatory.org, DNS:ctadirac-04.cscs.cta-observatory.org, DNS:ctadirac-05.cscs.cta-observatory.org
2024-01-11 13:07:18 UTC Framework/ComponentSupervisionAgent/Framework/ComponentSupervisionAgent ERROR: Failure to get Agents from system administrator client Can't connect to dips://ctadirac-01:9162/Framework/SystemAdministrator: WrongHost()

2024-01-11 13:04:08 UTC Framework/ComponentSupervisionAgent ERROR: 
Traceback (most recent call last):
  File "/opt/dirac/versions/v2.2.29-1703080818/Linux-x86_64/lib/python3.11/site-packages/DIRAC/Core/DISET/private/BaseClient.py", line 471, in _connect
    retVal = transport.initAsClient()
             ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/dirac/versions/v2.2.29-1703080818/Linux-x86_64/lib/python3.11/site-packages/DIRAC/Core/DISET/private/Transports/M2SSLTransport.py", line 141, in initAsClient
    self.oSocket.connect((host, port))
  File "/opt/dirac/versions/v2.2.29-1703080818/Linux-x86_64/lib/python3.11/site-packages/M2Crypto/SSL/Connection.py", line 330, in connect
    if not check(self.get_peer_cert(),
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/dirac/versions/v2.2.29-1703080818/Linux-x86_64/lib/python3.11/site-packages/M2Crypto/SSL/Checker.py", line 122, in __call__
    raise WrongHost(expectedHost=self.host,
M2Crypto.SSL.Checker.WrongHost: Peer certificate subjectAltName does not match host, expected ctadirac-02, got DNS:ctadirac-01.cscs.cta-observatory.org, DNS:cscs.cta-observatory.org, DNS:ctadirac-02.cscs.cta-observatory.org, DNS:ctadirac-03.cscs.cta-observatory.org, DNS:ctadirac-04.cscs.cta-observatory.org, DNS:ctadirac-05.cscs.cta-observatory.org
2024-01-11 13:04:08 UTC Framework/ComponentSupervisionAgent/Framework/ComponentSupervisionAgent ERROR: Failure to get Agents from system administrator client Can't connect to dips://ctadirac-02:9162/Framework/SystemAdministrator: WrongHost()

All reference to these hosts in the CS are with the full hostname, i.e. ctadirac-01.cscs.cta-observatory.org, ctadirac-02.cscs.cta-observatory.org, etc.

Do you have any idea of why this error happens?

It doesn't seem to me related to the use of multiple SAN, but please let me know.

I'm using DIRAC 8.0.34.

Thank you for your help.

[andresailer]

Hi @arrabito

Could you run the python lines

import socket
print(socket.getfqdn())

On the hosts?
If that doesn't return the server name including the domain, something is wrong on the servers.

The Agent uses that.

DIRAC/src/DIRAC/FrameworkSystem/Agent/ComponentSupervisionAgent.py

Line 593 in 5df0f1d

host = socket.getfqdn()

[arrabito]

Thank you @andresailer.

You are right, the problem comes from fqdn not including the domain name.