My system has a different environment, but it had the same issue. It might
be worth checking the cosign server log if there is an SSL problem.

On my server, it was fixed by installing the root CA and intermediate
certs which match those of the cosign server.

preeyakorn

From: Yadin Flammer [mailto:y...@psu.edu] 
Sent: Monday, February 25, 2013 11:27 PM
To: cosign-discuss@lists.sourceforge.net
Subject: Re: [Cosign-discuss] 503 on Ubuntu

 

Well I found the note on making that directory I missed, my bad, but that
still doesn't fix the issue.  As a double check I blew permissions on that
directory wide open and I still get the service unavailable issue.

:/var/cosign$ ls -la
total 12
drwxr-xr-x  3 root     root 4096 Feb 25 23:06 .
drwxr-xr-x 15 root     root 4096 Feb 25 23:06 ..
drwxrwxrwx  2 www-data root 4096 Feb 25 23:06 filter

date command returns proper time as expected in proper time zone.

Any other ideas?

Yadin



-------------------------------------------------------------------
  Yadin Flammer - Systems Administrator
  College of Arts & Architecture, Penn State University
  228 Borland Building              Office Phone: 814-865-0990
  University Park, PA 16802         Dept. Phone:  814-865-1571
  Email: y...@psu.edu               Dept. Fax:    814-863-6227


On 2/25/13 11:05 PM, Yadin Flammer wrote: 

I think we're likely on to something.  /var/cosign does not exist.  Does
this mean the installer failed in some way, or would this have been
created somewhere else based on the OS and apache2 implementation?  If it
was somewhere else, how would one find it?  When you talk about the temp
files, would that be in that missing directory as well?

As a development note, it might be good to add some logging for these
instances so as to not have mystery situations, even if highly unusual.

Thanks!
Yadin 



On 2/25/13 10:51 PM, Andrew Mortensen wrote: 

On Feb 25, 2013, at 3:32 PM, Yadin Flammer <y...@psu.edu> wrote:
 

Well normally that block is required for cosign to work properly, though 
that's likely because we're normally dealing with Drupal sites which are 
public and login is to get editor access, and it's not doing anything in 
this case.  Regardless, removing that block does not resolve the Service 
Temporarily Unavailable response.

There are a number of reasons mod_cosign will respond to the client with a
503, but most of them have log messages associated with them. After
looking through the code, I've found a handful of places where no message
is logged when returning Service Temporarily Unavailable, and in all cases
they're related to errors encountered when attempting to check the cookie:
 
* the httpd user doesn't have read/write/execute rights to the filterdb
directory (/var/cosign/filter by default);
* a gettimeofday call fails when preparing to check the cached cookie in
the filterdb directory;
* kerberos ticket retrieval is configured, but the module couldn't create
a temp file to store the data;
* proxy cookie retrieval is configured, but the module couldn't create a
temp file to store the data
 
The only message emitted when the filter can't connect to any weblogin
server is "Unable to connect to any Cosign server."
 
Hope this helps.
 
andrew
 
 
 

On 2/25/2013 3:27 PM, Andrew Mortensen wrote:

On Feb 25, 2013, at 3:07 PM, Yadin Flammer <y...@psu.edu> wrote:
 

Using standard settings I always use there, shouldn't be an issue AFAIK.
 
<LocationMatch "/cosign">
  CosignProtected On
  CosignAllowPublicAccess Off
  AuthType Cosign
</LocationMatch>

Are you really serving protected content out of a "/cosign" directory?
You've already got vhost-global cosign-protection enabled below. This
seems like the problem to me. If you delete the above block, does the 503
go away?
 
andrew
 
 
 

<Location /cosign/valid>
  SetHandler    cosign
  CosignProtected     Off
  Allow from all
  Satisfy any
</Location>
 
CosignProtected On
CosignAllowpublicAccess Off
 
 
On 2/25/2013 1:15 PM, Andrew Mortensen wrote:

On Feb 25, 2013, at 12:55 PM, Yadin Flammer <y...@psu.edu> wrote:
 

Ubuntu 12 server apache2 cosign 3.1.2
 
http and https work fine, but as soon as I include the cosign config
https comes back after sign in as unavailable service.
URL after sign in is that long valid?cosign string so it would appear
auth is working, but cosign on this webserver is not.

If the query string is *very* long, it's likely you have the /cosign/valid
path cosign-protected. It should not be protected. Make sure you have this
somewhere in your vhost's configuration:
 
<Location /cosign/valid>
       SetHandler cosign
       CosignProtected Off
       Allow from all
       Satisfy any
</Location>
 
If you already have that, make sure you don't have the docroot protected
using Location, e.g.:
 
<Location />
       ...
       CosignProtected On
       ...
</Location>
 
Using the above will override the /cosign/valid Location context. To
protect the docroot, use Directory with the actual local path to the
docroot instead, e.g.:
 
<Directory "/usr/local/share/www-root/">
       ...
       CosignProtected On
       ...
</Directory>
 
andrew
 

_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
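
An added example, not code from this thread or from the cosign project: a shell check for the first silent-503 cause listed in Andrew Mortensen's reply above (the httpd user lacking read/write/execute on the filterdb directory), which also reports a missing /var/cosign. The function names are hypothetical, www-data as the httpd user is taken from the ls output above, and only mode bits are compared.

```sh
#!/bin/sh
# Added example (not part of mod_cosign). Mode bits only: ACLs, SELinux and
# AppArmor are not evaluated. Uses GNU stat, as shipped on Ubuntu.

# mode_allows DIR NEED [USER]: true if DIR's mode grants all bits in NEED
# (r=4, w=2, x=1) to USER (default: the user running the script).
mode_allows() {
    dir=$1 need=$2 user=${3:-}
    st=$(stat -c '%a %u %g' "$dir" 2>/dev/null) || return 2
    set -- $st                      # $1=octal mode, $2=owner uid, $3=gid
    m=$((0$1))
    uid=$(id -u $user) || return 2
    gids=$(id -G $user) || return 2
    if [ "$uid" = "$2" ]; then
        bits=$(( (m >> 6) & 7 ))    # owner class
    else
        bits=$(( m & 7 ))           # other class, unless a group matches
        for g in $gids; do
            if [ "$g" = "$3" ]; then bits=$(( (m >> 3) & 7 )); fi
        done
    fi
    [ $(( bits & need )) -eq "$need" ]
}

# check_filterdb DIR [USER]: USER needs search (x) on every parent of DIR
# and rwx on DIR itself. Prints the first failing path and returns 1.
check_filterdb() {
    fdb=$1 who=${2:-}
    p=$(dirname "$fdb")
    while :; do
        if ! mode_allows "$p" 1 $who; then
            echo "parent $p: missing or no search (x) permission"; return 1
        fi
        case $p in /|.) break ;; esac
        p=$(dirname "$p")
    done
    if ! mode_allows "$fdb" 7 $who; then
        echo "filterdb $fdb: missing or not rwx for ${who:-current user}"
        return 1
    fi
    echo "filterdb $fdb: ok"
}

# Example: sh check.sh /var/cosign/filter www-data
if [ $# -gt 0 ]; then check_filterdb "$@"; fi
```

Owner-only rwx for the httpd user passes this check, so the directory does not need to be world-writable as in the drwxrwxrwx listing above.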
