Hi Massimiliano

the issue: after the installation openca daemon started well only the 
first day I was testing it. The following day I tried to start it lots 
of times but it died every time

the "patch" is really simple: I noticed that commenting the following 
lines from 
"/usr/lib/openca/lib/openca/perl_modules/perl5/i386-linux-thread-multi/OpenCA/OpenSSL.pm"
 
the startup problems that I often had disappeared - I know absolutely 
nothing of Perl: I'm a C/C++ and PHP developer, so I just guessed where 
the trouble is, but I may have made a mistake. However these are the lines to 
be commented out

#if( not -e $self->{openssl} ) {
#   $self->setError (7700120,
#   $self->{gettext} ("There is no path to OpenSSL specified."));
#   return undef;
#};

it seemed to me that sometimes it was not able to locate openssl - 
notice that I had selinux disabled
this could be a patch

--- 
/tmp/usr/lib/openca/lib/openca/perl_modules/perl5/i386-linux-thread-multi/OpenCA/OpenSSL.pm
     
2008-10-02 03:49:13.000000000 +0200
+++ 
/usr/lib/openca/lib/openca/perl_modules/perl5/i386-linux-thread-multi/OpenCA/OpenSSL.pm
     
2010-01-02 14:28:44.000000000 +0100
@@ -182,11 +182,11 @@
                 return undef;
         };

-       if( not -e $self->{openssl} ) {
-               $self->setError (7700120,
-                    $self->{gettext} ("There is no path to OpenSSL 
specified."));
-               return undef;
-       };
+       #if( not -e $self->{openssl} ) {
+       #       $self->setError (7700120,
+        #            $self->{gettext} ("There is no path to OpenSSL 
specified."));
+#              return undef;
+#      };

         $self->setError (0, "");
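
Review bot: commenting out the `if( not -e $self->{openssl} )` block removes the only visible guard on the OpenSSL binary path instead of finding out why the test fails intermittently, so the code now falls through to `$self->setError (0, "")` and reports success even when the path is unset or the file is missing. I would keep the check and make the failure diagnosable: include the value of `$self->{openssl}` in the 7700120 message, and separate the "not defined" case from the "file does not exist" case, since the current text "There is no path to OpenSSL specified." describes the first while `-e` tests the second. If the block really has to go, delete it rather than leaving commented-out lines with mixed indentation.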

unfortunately I trashed the log - sorry I trashed the whole OS image by 
mistake: I have only the end part of the log, that is the few lines you 
see below. As I remember it was related to the initialization of the 
default token ("CA"): it seemed that sometimes it could not locate 
openssl and failed

OpenCA::OpenSSL->setParams: key: KEY
OpenCA::OpenSSL->setParams: value: /var/lib/openca/crypto/keys/cakey.pem
OpenCA::OpenSSL->setParams: key: DEBUG
OpenCA::OpenSSL->setParams: value: 0
Logging is not initialized.
Configuration error: Cannot initialize cryptographic layer 
(configurationfile /etc/openca/token.xml)!Cannot create new OpenCA Token 
object.
Configuration error: 7123080
Compilation failed in require at /etc/openca/openca_start line 65.

I've installed it on a new image and removed my "patch": I'll try to 
start and stop the openca daemon in the next days, trying to reproduce the 
issue - Murphy's law: when I needed it to run there were more chances not 
to start, now instead it starts well

if I encounter the issue again I'll send a copy of the whole log to 
this list

Kind regards

Marco Carcano

on 01/15/2010 15:47, Massimiliano Pala wrote:
> Hello Marco,
>
> your project is very interesting :D I think it could be useful to many
> people who want to migrate away from MS.. anyhow, can you send me the
> patch you used to get rid of the problems related to openca's startup ?
> (and the logs that describe the problem?)
>
> Later,
> Max
>
>
> On 01/04/2010 09:34 PM, Marco Carcano wrote:
>> Hi
>>
>> I'm writing an installation script that, at the end of the work, "I
>> hope" may set up a CentOS 5.x Linux to act as a Windows 2003 
>> SmallBusiness.
>> The project name is ECK, you can find it on sourceforge. Although it is
>> an alpha, I successfully installed several servers with it (and they
>> could even work!).
>> For now it can successfully set up in less than 30 minutes ntpd, dhcpd
>> with ddns updates, dnd, openldap kerberized, MIT kerberos, Samba as a
>> PDC which can also work in a Kerberos realm (is my bijou!), postfix,
>> dovecot, roundcube and egroupware, ... every package has been tightly
>> integrated within openLDAP (for example the Roundcube Addressbook with the
>> egroupware one, you can define mail enabled groups (real system groups you
>> can use to send mail to members - like Microsoft does))
>>
>> and now why I'm writing to this list: ... I'd like to add OpenCA! I
>> compiled an RPM and added it to the ECK repository. I can install OpenCA and
>> start it without particular troubles - although I had to patch one file -
>> I don't know why without the changes I did it often failed to start - if
>> one of the developers is interested about this I could send him a
>> detailed log and the "patch"
>>
>> It seems to work quite well, but I'm struggling with LDAP integration,
>> ... so is there an OpenCA LDAP integration guru out there who wants to
>> help me?
>>
>> In ECK I designed a really easy LDAP structure (in our example we use
>> the DC style dc=acme,dc=local), so that LDAP services go under
>>
>> ou=Services,dc=acme,dc=local
>>
>> as about OpenCA, I'd like to put its data under
>> cn=openca,ou=Certificates,ou=Services,dc=acme,dc=local
>>
>> there is also a ou=Users,dc=acme,dc=local and a
>> ou=Groups,dc=acme,dc=local and a ou=Computer,dc=acme,dc=local - you can
>> easily guess what goes under these trees
>>
>> so that I need someone who can help me to configure OpenCA with LDAP
>> with dc style.
>>
>> any help is appreciated: as soon as OpenCA support is good I'd like
>> to add other useful things, like Freeradius, StrongSWAN, SQUID, Amanda,
>> ... lots of work, so that your help with openca will be appreciated
>>
>> I hope somebody wants to give me some help - and maybe join my project: I
>> wrote it in such a modular way that it will be even easy enough for
>> anybody to complete the OpenCA module himself
>>
>> Hope to hear from some of you soon
>>
>> Best regards
>>
>> Marco Carcano
>>
>> PS: If you'd like to help, you can download ECK and install it on a
>> virtual machine. It is best if you install it with selinux disabled and
>> on an i386 architecture: ECK works also with selinux enabled (what a
>> long battle!) and under x86_64 - I recompiled some packages, but I have
>> never tested OpenCA under x86_64 and with selinux enabled
>>
>> DO NOT DO A COMPLETE INSTALL: it does not install OpenCA: It's better to
>> do a step by step install - it's easy



_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
