Python 3 server no longer accepts X.509 **proxy** certificates
As can be seen here, the Python2 version of the server code accepted "RFC 3820 compliant impersonation proxy" certificates (as well as "end entity credential" certificates). We have strong inferential evidence that upgrading to the Python3 version of the server code breaks this acceptance, and the code now only accepts "end entity credential" certificates.
(The evidence is that the examples on the wiki page above were generated using the P2 code, and an end user was successfully submitting queries to segments.ligo.org with a proxy cert up to the night before the server code was upgraded to the P3 version, but after the server code was updated, those queries failed, until they switched to an end entity cert, at which point the queries succeeded again. Also, the example with the proxy cert on the wiki page also no longer works. Note that segments.ligo.org was the last server to be converted, so we can't easily test the P2 code anymore, and there could have been something else that changed in those ~10 hours, including a small amount of reconfiguration to accept SciTokens and installation of some security updates to `httpd`, `httpd-tools`, `mod_ssl`, and `tzdata`.)
Example:

```
$ ligo-proxy-init -p robert.bruntz
Enter password for 'robert.bruntz' on login.ligo.org:
$ grid-proxy-info
[...]
type : RFC 3820 compliant impersonation proxy
[...]
$ ligolw_segment_query_dqsegdb --segment-url https://segments.ligo.org --query-segments --include-segments H1:DMT-ANALYSIS_READY:1 --gps-start-time 1200000000 --gps-end-time 1234500000
Traceback (most recent call last):
  File "/cvmfs/oasis.opensciencegrid.org/ligo/sw/conda/envs/igwn-py39/bin/ligolw_segment_query_dqsegdb", line 734, in <module>
    run_query_segments_dqsegdb(doc, process_id, protocol, server, gps_start_time, gps_end_time, options.include_segments, options.exclude_segments, options.result_name)
[...]
  File "/cvmfs/oasis.opensciencegrid.org/ligo/sw/conda/envs/igwn-py39-20230323/lib/python3.9/urllib/request.py", line 641, in http_error_default
    raise HTTPError(req.full_url, code, msg, hdrs, fp)
urllib.error.HTTPError: HTTP Error 401: Unauthorized
$ grid-proxy-destroy
$ ligo-proxy-init robert.bruntz
Enter password for 'robert.bruntz' on login.ligo.org:
$ grid-proxy-info
[...]
type : end entity credential
[...]
$ ligolw_segment_query_dqsegdb --segment-url https://segments.ligo.org --query-segments --include-segments H1:DMT-ANALYSIS_READY:1 --gps-start-time 1200000000 --gps-end-time 1234500000
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE LIGO_LW SYSTEM "http://ldas-sw.ligo.caltech.edu/doc/ligolwAPI/html/ligolw_dtd.txt">
<LIGO_LW>
<Table Name="process:table">
<Column Name="process:comment" Type="lstring"/>
<Column Name="process:cvs_entry_time" Type="int_4s"/>
[...]
```