When running with OpenSSL 3, we noticed the following exception upon delegation, which can be reproduced easily:
python -c "import fts3.rest.client.easy as fts3;ctx = fts3.Context(endpoint='https://fts3-lhcb.cern.ch:8446', ucert='/tmp/x509up_u56212',verify=False);fts3.delegate(ctx,force=True)"
Traceback (most recent call last):
  File "/opt/dirac/versions/v8.1.0a7-1676534507/Linux-x86_64/lib/python3.9/site-packages/fts3/rest/client/delegator.py", line 282, in delegate
    x509_proxy = self._sign_request(x509_request, lifetime)
  File "/opt/dirac/versions/v8.1.0a7-1676534507/Linux-x86_64/lib/python3.9/site-packages/fts3/rest/client/delegator.py", line 187, in _sign_request
    identifier_ext = _workaround_new_extension(
  File "/opt/dirac/versions/v8.1.0a7-1676534507/Linux-x86_64/lib/python3.9/site-packages/fts3/rest/client/delegator.py", line 71, in _workaround_new_extension
    x509_ext_ptr = m2.x509v3_ext_conf(None, ctx, name, value)
M2Crypto.X509.X509Error: unable to get issuer keyid

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/opt/dirac/versions/v8.1.0a7-1676534507/Linux-x86_64/lib/python3.9/site-packages/fts3/rest/client/easy/delegate.py", line 40, in delegate
    return delegator.delegate(lifetime, force, delegate_when_lifetime_lt)
  File "/opt/dirac/versions/v8.1.0a7-1676534507/Linux-x86_64/lib/python3.9/site-packages/fts3/rest/client/delegator.py", line 291, in delegate
    raise ClientError(str(e)).with_traceback(sys.exc_info()[2])
  File "/opt/dirac/versions/v8.1.0a7-1676534507/Linux-x86_64/lib/python3.9/site-packages/fts3/rest/client/delegator.py", line 282, in delegate
    x509_proxy = self._sign_request(x509_request, lifetime)
  File "/opt/dirac/versions/v8.1.0a7-1676534507/Linux-x86_64/lib/python3.9/site-packages/fts3/rest/client/delegator.py", line 187, in _sign_request
    identifier_ext = _workaround_new_extension(
  File "/opt/dirac/versions/v8.1.0a7-1676534507/Linux-x86_64/lib/python3.9/site-packages/fts3/rest/client/delegator.py", line 71, in _workaround_new_extension
    x509_ext_ptr = m2.x509v3_ext_conf(None, ctx, name, value)
fts3.rest.client.exceptions.ClientError: Client error: unable to get issuer keyid
The problem is due to proxies being a grey area when it comes to the Authority Key Identifier (https://www.rfc-editor.org/rfc/rfc3280#section-4.2.1.1). In any case, this being a non-critical extension, the sensible thing to do is probably to just skip it.
A similar PR was made against VOMS: https://github.com/italiangrid/voms/pull/113
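
One way to treat the Authority Key Identifier as optional when signing a proxy, in line with the suggestion above: copy the issuer's Subject Key Identifier when it has one, and skip the extension otherwise. This is an added example, not fts-rest or VOMS code; it uses the `cryptography` package rather than M2Crypto, assumes the relevant case is an issuer certificate without a Subject Key Identifier, and `make_cert`, `has_aki`, `demo` and all keys and names are constructed for illustration (the certificates are simplified and carry no proxyCertInfo).

```python
# Added illustration (not fts-rest code); uses 'cryptography' rather than M2Crypto.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject_cn, pubkey, issuer_cn, signing_key, issuer_cert=None, with_ski=False):
    """Sign a certificate; AKI is added only when issuer_cert has an SKI to copy."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
               .public_key(pubkey).serial_number(x509.random_serial_number())
               .not_valid_before(now)
               .not_valid_after(now + datetime.timedelta(hours=1)))
    if with_ski:
        ski = x509.SubjectKeyIdentifier.from_public_key(pubkey)
        builder = builder.add_extension(ski, critical=False)
    if issuer_cert is not None:
        try:
            ski_ext = issuer_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier)
            aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski_ext.value)
            builder = builder.add_extension(aki, critical=False)
        except x509.ExtensionNotFound:
            pass  # non-critical extension: skip it instead of aborting the signing
    return builder.sign(signing_key, hashes.SHA256())

def has_aki(cert):
    try:
        cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier)
        return True
    except x509.ExtensionNotFound:
        return False

def demo():
    """Constructed keys and names; has_aki(proxy) for an issuer with, then without, SKI."""
    user_key = ec.generate_private_key(ec.SECP256R1())
    proxy_key = ec.generate_private_key(ec.SECP256R1())
    results = []
    for with_ski in (True, False):
        issuer = make_cert("user", user_key.public_key(), "user", user_key, with_ski=with_ski)
        proxy = make_cert("user/proxy", proxy_key.public_key(), "user", user_key, issuer_cert=issuer)
        results.append(has_aki(proxy))
    return tuple(results)
```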