
Request the revival of ca_info. #13

Closed
geonmo opened this issue Feb 7, 2023 · 3 comments · Fixed by #15

Comments

@geonmo

geonmo commented Feb 7, 2023

Hello, PycurlClient developers.

I am using the dbs3-client program. So, I used the PycurlClient library indirectly.

Our current issue is whether the dbs3-client can be used in a CentOS7 environment without setting an external environment variable such as cmsenv.

I've been working on this for the last few days, and I'm contacting you because there's a problem with the use of curl when it's compiled with --with-nss.

Currently, for curl compiled with --with-nss, the processing of client certificates is not working properly.

For server certificates, inserting the ca_path as /etc/grid-security/certificates can solve the problem, but for client certificates (exactly, proxy user certificates which are produced by voms-proxy-init), we have to insert a personal certificate as an intermediate chain certificate to trust the CA.

When I asked other developers who do similar work, most of them put ca_info (in the case of curl, --cacert option) together with the user certificate and root/grid certificates.

I tried to process it in the same way, but the ca_info was blocked in this python module.

Of course, using environment variable settings such as cmsenv is an easy way to solve the problem, but some sites cannot install CVMFS and grid middleware packages on their resources. In addition, it has the advantage of being usable without CMSSW.

Please review it positively.

Regards,

-- Geonmo

@vkuznet
Contributor

vkuznet commented Feb 7, 2023

I do not know if it may help or not, but access to DBS does not require dbs3-client or pycurl, and can be done via normal REST API calls; see the DBS Client and DBS APIs documents for details. Therefore, you do not need cmsenv, dbs3-client or pycurl per se to communicate with DBS, as it can be done via REST APIs using any programming language or tool, e.g. you may use curl or write your own client.

That said, the issue you pointed out does require passing CAs to the code (as curl does with --cacert), or you may concatenate the proxy with any other CA to make a chained certificate. So far we lack the manpower to support that, and you are welcome to provide a proper patch, or contact @klannon to find manpower to fix this issue and/or include it in the DMWM priority list.

@amaltaro
Contributor

After updating our WM docker images, which use the docker image python:3.8-bullseye (and had an update of the python version from 3.8.16 to 3.8.20, and likely a few dependent python libraries; see dmwm/CMSKubernetes#1547 for further context), we started seeing communication issues between the DBS client and server.

Here is a python traceback:

>>> dbsApi.serverinfo()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.8/site-packages/dbs/apis/dbsClient.py", line 1879, in serverinfo
    return self.__callServer("serverinfo")
  File "/usr/local/lib/python3.8/site-packages/dbs/apis/dbsClient.py", line 474, in __callServer
    self.http_response = method_func(self.url, method, params, data, request_headers)
  File "/usr/local/lib/python3.8/site-packages/RestClient/RestApi.py", line 36, in get
    return http_request(self._curl)
  File "/usr/local/lib/python3.8/site-packages/RestClient/RequestHandling/HTTPRequest.py", line 56, in __call__
    curl_object.perform()
pycurl.error: (77, 'error setting certificate verify locations:\n  CAfile: /etc/pki/tls/certs/ca-bundle.crt\n  CApath: /etc/grid-security/certificates')

The reason this request fails is that CAINFO has been incorrectly set to a non-existent file (at least in the debian-based image that we use in WM).

I will soon provide a potential fix for this issue.
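Added example, not code from this thread or from the PycurlClient project: a resolver for curl's verify locations that skips a CAINFO or CAPATH entry which does not exist on disk (the condition behind curl error 77 in the traceback above) and fails closed when nothing usable remains. The environment variable names CURL_CA_BUNDLE and X509_CERT_DIR are assumed curl/grid conventions, and the `isfile`/`isdir` parameters exist only so the logic can be tested without touching the real filesystem.

```python
import os

# Distribution default on RHEL/CentOS, the CAfile shown in the traceback above.
DEFAULT_CA_FILE = "/etc/pki/tls/certs/ca-bundle.crt"
# Grid CA directory from the issue (one PEM per CA, hashed file names).
DEFAULT_CA_PATH = "/etc/grid-security/certificates"


def resolve_verify_locations(ca_info=None, ca_path=None, env=None,
                             defaults=(DEFAULT_CA_FILE, DEFAULT_CA_PATH),
                             isfile=os.path.isfile, isdir=os.path.isdir):
    """Pick the (CAINFO, CAPATH) pair to hand to curl.

    Precedence per slot: explicit argument, then environment variable
    (CURL_CA_BUNDLE / X509_CERT_DIR, assumed conventions), then the
    distribution default.  A candidate that does not exist on disk is
    skipped instead of being passed on to curl.  If neither slot resolves
    we raise rather than silently weakening peer verification.
    """
    env = os.environ if env is None else env
    file_candidates = [ca_info, env.get("CURL_CA_BUNDLE"), defaults[0]]
    dir_candidates = [ca_path, env.get("X509_CERT_DIR"), defaults[1]]
    chosen_file = next((p for p in file_candidates if p and isfile(p)), None)
    chosen_dir = next((p for p in dir_candidates if p and isdir(p)), None)
    if chosen_file is None and chosen_dir is None:
        raise ValueError("no usable CA bundle or CA directory found; "
                         "refusing to continue with verification disabled")
    return chosen_file, chosen_dir


def configure_curl(curl, ca_info=None, ca_path=None, env=None):
    """Apply the resolved locations to a pycurl.Curl handle.

    pycurl is imported lazily so the resolver above can be used and tested
    without it installed.  Verification stays on; only the locations change.
    """
    import pycurl
    chosen_file, chosen_dir = resolve_verify_locations(ca_info, ca_path, env)
    curl.setopt(pycurl.SSL_VERIFYPEER, 1)
    curl.setopt(pycurl.SSL_VERIFYHOST, 2)
    if chosen_file is not None:
        curl.setopt(pycurl.CAINFO, chosen_file)
    if chosen_dir is not None:
        curl.setopt(pycurl.CAPATH, chosen_dir)
    return chosen_file, chosen_dir
```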
