On Wed, Feb 07, 2007 at 12:12:44PM +0100, Joachim Schrod wrote:
> Date: Wed, 7 Feb 2007 12:12:44 +0100
> From: Joachim Schrod <[EMAIL PROTECTED]>
> Reply-To: "Ideas,  tips and discussions about OpenCA installation and 
> management." <[email protected]>
> Subject: Re: [Openca-Users] CA to RA Synchronisation via scp fails
> 
> >>>>> "AC" == Alexei Chetroi <[EMAIL PROTECTED]> writes:
> 
> AC>   Have you run this command locally as root user or as openca user? Make
> AC> sure /var/www/.ssh/known_hosts actually contains RA host key and is
> AC> readable by openca process, e.g. have root:openca perms. and 0640 access
> AC> mode.
> 
> Hmm, at my installation the ssh command is issued by the Web server
> and not by the openca process. I.e., it suffices that the files are
> readable by wwwrun (or whatever the Web server account is named
> today).

  What version of openca are you using? AFAIK all operations are done
by the openca server and it is recommended to run openca process with
uid different from the web server's. Web server only needs write access
to the openca's socket. --with-openca-user and --with-httpd-user
configure option names are a bit misleading. With openca-user
credentials, static stuff is installed so root:root 0644 permissions are
recommended for it. With httpd-user credentials, files to which openca
process should have access, not the http server. Otherwise, http server
has access to sensitive information like CA's private key, which could
pose a security risk.
 
 Regards,

-- 
Alexei Chetroi

Smile... Tomorrow will be worse. (c) Murphy's Law
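
The account separation described in the message above (the web server account should not be able to read files meant only for the openca process) can be checked mechanically. The following is an added example, not part of the original post or of OpenCA: the uids, gids and file names are constructed placeholders, and the check covers classic Unix mode bits only (no POSIX ACLs, no directory search permission).

```python
import os
import stat
import tempfile

def can_read(st, uid, gids):
    """Classic Unix read check for (uid, gids) against an os.stat result."""
    if uid == 0:
        return True  # root bypasses mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def audit_tree(root, httpd_uid, httpd_gids, daemon_uid, daemon_gids):
    """Return (exposed, unreachable): regular files the web server account
    can read, and files the openca daemon account cannot read."""
    exposed, unreachable = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            if can_read(st, httpd_uid, httpd_gids):
                exposed.append(path)
            if not can_read(st, daemon_uid, daemon_gids):
                unreachable.append(path)
    return sorted(exposed), sorted(unreachable)

def demo():
    """Constructed sample tree; file names are placeholders, not OpenCA paths."""
    me, my_gid = os.getuid(), os.getgid()  # stands in for the daemon account
    httpd_uid = me + 1000                  # hypothetical web server uid
    with tempfile.TemporaryDirectory() as root:
        modes = {"known_hosts": 0o640, "ca_key.pem": 0o644, "static.html": 0o644}
        for name, mode in modes.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        exposed, unreachable = audit_tree(root, httpd_uid, [], me, [my_gid])
        return [os.path.basename(p) for p in exposed], unreachable

if __name__ == "__main__":
    print(demo())
```

In the constructed tree the 0640 file stays private to the daemon account, while the placeholder key file with 0644 is reported as readable by the web server account, which is the exposure the message warns about.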
