You my friend get the prize! Well ok share with Andrew since he did point out the missing directory ;)

Turns out the .ca-bundle extension we use on Red Hat for the combined root and intermediate cert file simply doesn't work right on Ubuntu; I had to give it a .crt extension and then it worked as expected! OK, I'm sure that's not a completely accurate statement as to why it wasn't working with a different extension, and there's probably something else I'm overlooking in the configs, but suffice to say it was cert related :)

Given that that was the reason, but there was nothing in the logs to point at a cert issue, I don't know whether this is something cosign's logging could catch or whether this would be something to improve in SSL's logging.

Thanks to you both for the assist!
Yadin


-------------------------------------------------------------------
  Yadin Flammer - Systems Administrator
  College of Arts & Architecture, Penn State University
  228 Borland Building              Office Phone: 814-865-0990
  University Park, PA 16802         Dept. Phone:  814-865-1571
  Email: y...@psu.edu               Dept. Fax:    814-863-6227


On 2/25/13 11:45 PM, Preeyakorn Slawski wrote:

My system has a different environment, but it had the same issue. It might be worth checking the cosign server log if there is an SSL problem.

On my server, it was fixed by installing the root CA and intermediate certs which match those of the cosign server.

preeyakorn

*From:*Yadin Flammer [mailto:y...@psu.edu]
*Sent:* Monday, February 25, 2013 11:27 PM
*To:* cosign-discuss@lists.sourceforge.net
*Subject:* Re: [Cosign-discuss] 503 on Ubuntu

Well, I found the note on making that directory I missed, my bad, but that still doesn't fix the issue. As a double-check I blew permissions on that directory wide open and I still get the service unavailable issue.

:/var/cosign$ ls -la
total 12
drwxr-xr-x  3 root     root 4096 Feb 25 23:06 .
drwxr-xr-x 15 root     root 4096 Feb 25 23:06 ..
drwxrwxrwx  2 www-data root 4096 Feb 25 23:06 filter

date command returns proper time as expected in proper time zone.

Any other ideas?

Yadin



On 2/25/13 11:05 PM, Yadin Flammer wrote:

I think we're likely on to something. /var/cosign does not exist. Does this mean the installer failed in some way, or would this have been created somewhere else based on the OS and apache2 implementation? If it was somewhere else, how would one find it? When you talk about the temp files, would that be in that missing directory as well?

As a development note, it might be good to add some logging for these instances so as to not have mystery situations, even if highly unusual.

Thanks!
Yadin



On 2/25/13 10:51 PM, Andrew Mortensen wrote:

On Feb 25, 2013, at 3:32 PM, Yadin Flammer <y...@psu.edu> wrote:
    Well normally that block is required for cosign to work properly, though
    that's likely because we're normally dealing with Drupal sites which are
    public and login is to get editor access, and it's not doing anything in
    this case.  Regardless, removing that block does not resolve the Service
    Temporarily Unavailable response.

There are a number of reasons mod_cosign will respond to the client with a 503,
but most of them have log messages associated with them. After looking through
the code, I've found a handful of places where no message is logged when
returning Service Temporarily Unavailable, and in all cases they're related to
errors encountered when attempting to check the cookie:

* the httpd user doesn't have read/write/execute rights to the filterdb
  directory (/var/cosign/filter by default);
* a gettimeofday call fails when preparing to check the cached cookie in the
  filterdb directory;
* kerberos ticket retrieval is configured, but the module couldn't create a
  temp file to store the data;
* proxy cookie retrieval is configured, but the module couldn't create a temp
  file to store the data.

The only message emitted when the filter can't connect to any weblogin server
is "Unable to connect to any Cosign server."

Hope this helps.

andrew
    On 2/25/2013 3:27 PM, Andrew Mortensen wrote:

        On Feb 25, 2013, at 3:07 PM, Yadin Flammer <y...@psu.edu> wrote:

            Using standard settings I always use there, shouldn't be an issue
            AFAIK.

            <LocationMatch "/cosign">
               CosignProtected On
               CosignAllowPublicAccess Off
               AuthType Cosign
            </LocationMatch>

        Are you really serving protected content out of a "/cosign" directory?
        You've already got vhost-global cosign-protection enabled below. This
        seems like the problem to me. If you delete the above block, does the
        503 go away?

        andrew

            <Location /cosign/valid>
               SetHandler    cosign
               CosignProtected     Off
               Allow from all
               Satisfy any
            </Location>

            CosignProtected On
            CosignAllowpublicAccess Off

            On 2/25/2013 1:15 PM, Andrew Mortensen wrote:

                On Feb 25, 2013, at 12:55 PM, Yadin Flammer <y...@psu.edu> wrote:

                    Ubuntu 12 server apache2 cosign 3.1.2

                    http and https work fine, but as soon as I include the
                    cosign config https comes back after sign in as unavailable
                    service.

                    URL after sign in is that long valid?cosign string so it
                    would appear auth is working, but cosign on this webserver
                    is not.

                If the query string is *very* long, it's likely you have the
                /cosign/valid path cosign-protected. It should not be protected.
                Make sure you have this somewhere in your vhost's configuration:

                <Location /cosign/valid>
                        SetHandler cosign
                        CosignProtected Off
                        Allow from all
                        Satisfy any
                </Location>

                If you already have that, make sure you don't have the docroot
                protected using Location, e.g.:

                <Location />
                        ...
                        CosignProtected On
                        ...
                </Location>

                Using the above will override the /cosign/valid Location
                context. To protect the docroot, use Directory with the actual
                local path to the docroot instead, e.g.:

                <Directory "/usr/local/share/www-root/">
                        ...
                        CosignProtected On
                        ...
                </Directory>

                andrew


            
------------------------------------------------------------------------------
            Everyone hates slow websites. So do we.
            Make your web apps faster with AppDynamics
            Download AppDynamics Lite for free today:
            http://p.sf.net/sfu/appdyn_d2d_feb
            _______________________________________________
            Cosign-discuss mailing list
            Cosign-discuss@lists.sourceforge.net
            https://lists.sourceforge.net/lists/listinfo/cosign-discuss


    




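The two silent-503 causes the thread turns on (the httpd user lacking read/write/execute on the filterdb directory, and /cosign/valid ending up cosign-protected because the docroot is protected with <Location />) can be checked before restarting Apache. The script below is an added example, not part of cosign and not code from any message above. It assumes GNU coreutils stat/id and a POSIX awk; /var/cosign/filter and www-data are the defaults quoted in the thread, and the two vhost fragments it writes are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of cosign or of any message in this thread.
# Pre-flight checks for two 503 causes that mod_cosign does not log:
#   1. the httpd user lacks r/w/x on the filterdb directory;
#   2. /cosign/valid is cosign-protected because the docroot is protected
#      with <Location />, which overrides <Location /cosign/valid>.
# Assumes GNU coreutils (stat -c, id -u/-G) and a POSIX awk.

# check_filterdb_mode DIR USER
# Succeeds when USER has read, write and execute on DIR according to the
# mode bits, using the owner/group/other class that applies to USER.
# Inspects the bits rather than using `test -w`, so the verdict is the
# same whether or not this runs as root.
check_filterdb_mode() {
    dir=$1; user=$2
    if [ ! -d "$dir" ]; then
        echo "FAIL: filterdb directory $dir does not exist"
        return 1
    fi
    uid=$(id -u "$user") || return 1
    gids=$(id -G "$user")
    set -- $(stat -c '%a %u %g' "$dir")
    mode=$(printf '%s' "$1" | tail -c 3)   # drop any setuid/setgid/sticky digit
    owner=$2; group=$3
    o=${mode%??}; rest=${mode#?}; g=${rest%?}; w=${mode#??}
    class=$w
    if [ "$uid" = "$owner" ]; then
        class=$o
    else
        for gid in $gids; do
            if [ "$gid" = "$group" ]; then class=$g; fi
        done
    fi
    if [ "$class" -eq 7 ]; then
        echo "OK: $user has rwx on $dir (mode $mode)"
        return 0
    fi
    echo "FAIL: $user has mode digit $class on $dir; mod_cosign needs rwx (7)"
    return 1
}

# lint_cosign_vhost FILE
# Fails if FILE protects the docroot with <Location />, or lacks a
# <Location /cosign/valid> block carrying "SetHandler cosign" and
# "CosignProtected Off". Names are matched case-insensitively, as Apache does.
lint_cosign_vhost() {
    awk '
    { line = tolower($0) }
    line ~ /^[ \t]*<location[ \t]+"?\/cosign\/valid"?[ \t]*>/ { in_valid = 1; have_valid = 1; next }
    line ~ /^[ \t]*<location[ \t]+"?\/"?[ \t]*>/               { in_root = 1; next }
    line ~ /^[ \t]*<\/location[ \t]*>/                         { in_root = 0; in_valid = 0; next }
    in_root  && tolower($1) == "cosignprotected" && tolower($2) == "on"     { root_on = 1 }
    in_valid && tolower($1) == "sethandler"      && tolower($2) == "cosign" { valid_handler = 1 }
    in_valid && tolower($1) == "cosignprotected" && tolower($2) == "off"    { valid_off = 1 }
    END {
        bad = 0
        if (root_on) {
            print "FAIL: <Location /> sets CosignProtected On; it overrides the /cosign/valid block. Use <Directory> for the docroot."
            bad = 1
        }
        if (!(have_valid && valid_handler && valid_off)) {
            print "FAIL: no <Location /cosign/valid> block with SetHandler cosign and CosignProtected Off"
            bad = 1
        }
        if (!bad) print "OK: /cosign/valid is unprotected and the docroot is not protected via <Location />"
        exit bad
    }' "$1"
}

# write_sample_vhosts DIR
# Writes two constructed vhost fragments: bad.conf reproduces the
# <Location /> mistake, good.conf the form recommended in the thread.
write_sample_vhosts() {
    cat > "$1/bad.conf" <<'EOF'
<Location /cosign/valid>
    SetHandler    cosign
    CosignProtected Off
    Allow from all
    Satisfy any
</Location>
# Later Location sections override earlier ones, so /cosign/valid
# inherits CosignProtected On and the validation handler is itself protected.
<Location />
    CosignProtected On
    CosignAllowPublicAccess Off
</Location>
EOF
    cat > "$1/good.conf" <<'EOF'
<Location /cosign/valid>
    SetHandler    cosign
    CosignProtected Off
    Allow from all
    Satisfy any
</Location>
# Protect the docroot by its filesystem path instead (path is a placeholder).
<Directory "/var/www/example">
    CosignProtected On
    CosignAllowPublicAccess Off
    AuthType Cosign
</Directory>
EOF
}

# Usage: sh cosign_preflight.sh FILTERDB_DIR HTTPD_USER [VHOST_CONF]
# e.g.   sh cosign_preflight.sh /var/cosign/filter www-data /etc/apache2/sites-enabled/000-default
if [ "$#" -ge 2 ]; then
    status=0
    check_filterdb_mode "$1" "$2" || status=1
    if [ -n "$3" ]; then lint_cosign_vhost "$3" || status=1; fi
    exit "$status"
fi
```

Both checks are deliberately static: the mode check reads the bits rather than trying the access, so running it as root does not mask a www-data problem, and the vhost lint flags any <Location /> with CosignProtected On regardless of where it sits in the file, since the fix Andrew gives is to move that protection to <Directory> anyway.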
