On 02/13/2012 07:28 PM, Boudewijn Ector wrote:
Hi Guys,
For a project of mine I'm currently trying to implement an OpenCA PKI
server.
My goals are:
1. Making it a Root Certificate Authority.
2. 2nd or 3rd tier CA (it has to be able to accept certificates from
other CAs)
3. User certificate generation (for RADIUS)
4. Machine certificate generation (for RADIUS), guess that's about the
same as #3
And maybe some webinterface tweaks.
Well, to be honest I'm having a rather hard time getting OpenCA to
work using both RPM packages and a source install.
I prefer the RPM packages since they're much easier to distribute and
replace than source installs, so I'm trying to get those to work first.
If there's a good reason for me to start using the sources please
tell me (I just had a look but it's not very easy either).
I've been running Linux for ~8 years so I know my way around, that
shouldn't be much of a problem.
My current test system is a clean CentOS 5.6 32-bit testing VM on
which I installed these packages:
[root@lumiadca openca]# rpm -qa | grep openca
openca-base-common-1.1.1-1.rhfc12.i686
openca-base-online-1.1.1-1.rhfc12.i686
openca-tools-1.3.0-1.el5.i386
openca-base-offline-1.1.1-1.rhfc12.i686
Okay, I also installed Apache and enabled cgi-bin; Apache is running
as apache:apache (CentOS default).
Okay, then I changed the following stuff in config.xml and restarted
openca:
[root@companyca openca]# diff config.xml config.xml.bak
58c58
< <value>*ZIP*</value>
---
> <value>@default_web_password@</value>
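Review bot: 58c58 replaces the `@default_web_password@` placeholder, so config.xml now carries a live credential in cleartext (252c252 swaps out another default, `openca`, the same way; `*ZIP*` is presumably the redaction for the list). When fixing ownership so the apache user can reach var/, keep config.xml and the configuration files configure_etc.sh generates from it readable only by root and the user running openca_start, not by everything else the web server executes.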
63c63
< <value>CompanyName</value>
---
> <value>OpenCA Labs</value>
71c71
< <value>CompanyName</value>
---
> <value>OpenCA Labs</value>
79c79
< <value>Utrecht</value>
---
> <value></value>
87c87
< <value>Utrecht</value>
---
> <value></value>
96c96
< <value>NL</value>
---
> <value></value>
104c104
< <value>yes</value>
---
> <value>no</value>
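Review bot: 104c104 flips a bare `<value>` from `no` to `yes`, and in this context-free normal diff the element it belongs to is not visible, so the change cannot be judged as posted; `diff -u config.xml.bak config.xml` (or just the element name) would show what was switched on.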
109c109
< <value>ope...@company.nl</value>
---
> <value>supp...@pki.openca.org</value>
114c114
< <value>openca-dontre...@company.nl</value>
---
> <value>p...@openca.org</value>
118c118
< <value>https://companyca.boudewijnector.nl/pki/pub/policy.html</value>
---
> <value>https://titan/pki/pub/policy.html</value>
130c130
< <value>companyca.boudewijnector.nl</value>
---
> <value>titan</value>
171c171
< URI.1=http://companyca.boudewijnector.nl/pki/pub/crl/cacrl.crl
---
> URI.1=http://titan/pki/pub/crl/cacrl.crl
182c182
<
authorityInfoAccess=caIssuers;URI:http://companyca.boudewijnector.nl/pki/pub/cacert/cacert.crt,OCSP;URI:http://companyca.boudewijnector.nl:2560/,prqpServer;URI:http://companyca.boudewijnector.nl:830/
---
>
authorityInfoAccess=caIssuers;URI:http://titan/pki/pub/cacert/cacert.crt,OCSP;URI:http://titan:2560/,prqpServer;URI:http://titan:830/
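Review bot: the authorityInfoAccess value at 182c182 is copied into every certificate this CA issues, so the caIssuers URI, the OCSP responder on port 2560 and the prqpServer on port 830 must resolve and be reachable from the relying parties for the lifetime of those certificates, not only on the CA host; the same holds for the CRL URIs at 171c171 and 187c187. Plain http is the expected scheme here because the CA certificate, OCSP responses and CRLs are signed objects, but the non-standard ports are worth checking against the firewall before any certificates go out. The lone `<` and `>` on their own lines are mail wrapping of the long line, not part of the config.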
187c187
< <value>http://companyca.boudewijnector.nl/pki/pub/crl/cacrl.crl</value>
---
> <value>http://titan/pki/pub/crl/cacrl.crl</value>
199c199
< <value>companyca.boudewijnector.nl</value>
---
> <value>titan</value>
252c252
< <value>*ZIP*</value>
---
> <value>openca</value>
Please note that I've changed the URLs and project name a bit to make
sure the project remains a bit more anonymous.
In /opt/openca/etc/openca/openca_start I also have:
$AUTOCONF {"httpd_user"} = "apache";
$AUTOCONF {"httpd_group"} = "apache";
Which ought to be correct too.
Afterwards, I ran
/opt/openca/etc/openca/configure_etc.sh
When going to:
http://<servername>/cgi-bin/pki/ca/ca
I'm getting this error:
OpenCA Error: Server is not online or does not accept requests
(/opt/openca/var/openca/tmp/openca_socket -
/opt/openca/var/openca/tmp/openca_socket).
That file indeed does not exist although openca is running:
[root@companyca openca]# ps aux | grep openca
apache 4455 0.0 6.7 46152 34412 ? S Feb09 0:00 /usr/bin/perl /opt/openca/etc/openca/openca_start
root 4752 0.0 0.1 4344 728 pts/0 S+ 19:18 0:00 grep openca
I seem to have chown'ed some paths to the apache user:
drwxr-x---. 2 apache apache 4096 Feb 9 02:00 tmp
[root@lumiadca openca]# pwd
/opt/openca/var/openca
I read this post:
https://sites.google.com/site/asidoothings/Home/my-issues-with-getting-openca-working
And it suggests switching to the source-based version. Is that indeed
the only fix for this issue, and what am I getting wrong? Chmod777'ing
the whole directory is not an acceptable solution to me.
Cheers,
Boudewijn Ector
------------------------------------------------------------------------------
_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
Oh gosh, I forgot to scan /opt/openca/var/log/stderr.log...
Now OpenCA can access the DB, and I restarted OpenCA.
The socket now exists:
[root@lumiadca log]# ls -la /opt/openca/var/openca/tmp/openca_socket
srwxr-xr-x. 1 apache apache 0 Feb 13 20:50 /opt/openca/var/openca/tmp/openca_socket
[root@lumiadca log]# cat stderr.log
Process Backgrounded
2012/02/13-20:50:43 OpenCA::Server (type Net::Server::Fork) starting!
pid(2905)
Binding to UNIX socket file /opt/openca/var/openca/tmp/openca_socket
using SOCK_STREAM
Setting gid to "48 48"
Setting uid to "48"
Seems fine.
Can someone point out where I should start debugging this?
Cheers,
Boudewijn
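Both messages come down to the same three checks: is openca_start running and has it bound the socket, can the httpd user actually reach that socket through every directory above it (the chown on var/openca/tmp matters only if the whole chain is searchable and the socket itself is writable), and what does stderr.log say. The script below is an added example written for this thread; it is not OpenCA's code and not the original poster's. The socket path, the log path and the `apache` user are taken from the thread; the function names, the use of GNU `stat -c` and procps `ps -eo`, and the perl connect test are assumptions. The mode-bit checks model what a non-root account would see (ACLs and SELinux labels are not considered), so the real connect() at the end is the deciding test and should be run as the httpd user.

```sh
#!/bin/sh
# Added diagnostic for the "Server is not online or does not accept
# requests" error in the thread. Not OpenCA's code and not the original
# poster's; the socket path, log path and the "apache" user come from the
# thread, everything else here is an assumption. Assumes Linux with GNU
# coreutils (stat -c) and procps (ps -eo). ACLs and SELinux labels are not
# modelled by the bit checks, only by the real connect() at the end.

# bit_col WHO BIT: column of BIT (r|w|x) for WHO (owner|group|other) in an
# ls-style mode string such as "drwxr-x---" (owner = cols 2-4, group 5-7,
# other 8-10).
bit_col() {
    case $1 in owner) base=1 ;; group) base=4 ;; *) base=7 ;; esac
    case $2 in r) off=1 ;; w) off=2 ;; *) off=3 ;; esac
    echo $(( base + off ))
}

# user_in_group USER GROUP: is GROUP among USER's groups?
user_in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$2"
}

# user_has PATH USER BIT: would USER get permission BIT (r|w|x) on PATH,
# judged from ownership and mode bits alone? Pure bit inspection, so it
# models a non-root account even when this script itself runs as root.
user_has() {
    path=$1; user=$2; bit=$3
    info=$(stat -c '%U %G %A' "$path" 2>/dev/null) || return 1
    set -- $info                     # $1 owner, $2 group, $3 mode string
    if [ "$1" = "$user" ]; then who=owner
    elif user_in_group "$user" "$2"; then who=group
    else who=other
    fi
    ch=$(printf '%s' "$3" | cut -c"$(bit_col $who $bit)")
    case $ch in ''|-|S|T|l) return 1 ;; *) return 0 ;; esac   # S/T/l: set without x
}

# socket_reachable_by SOCKET USER: USER needs search (x) on every directory
# from / down to the socket, and write (w) on the socket itself, because
# connect() on a UNIX socket is permission-checked like a write.
socket_reachable_by() {
    sock=$1; user=$2
    case $sock in /*) ;; *) sock=$(pwd)/$sock ;; esac
    [ -S "$sock" ] || { echo "$sock is not a UNIX socket"; return 1; }
    d=$(dirname "$sock")
    while :; do
        user_has "$d" "$user" x || { echo "$user lacks search (x) on $d"; return 1; }
        [ "$d" = / ] && break
        d=$(dirname "$d")
    done
    user_has "$sock" "$user" w || { echo "$user lacks write (w) on $sock"; return 1; }
}

# try_connect SOCKET: a real connect(). Run the whole script as the httpd
# user (su -s /bin/sh apache -c "sh $0 ...") so this reflects that user's
# view. Uses perl because an OpenCA host always has it.
try_connect() {
    command -v perl >/dev/null 2>&1 || { echo "perl not found, skipping connect test"; return 0; }
    perl -MIO::Socket::UNIX -e \
        'IO::Socket::UNIX->new(Peer => $ARGV[0]) or die "connect failed: $!\n"; print "connect ok\n"' "$1"
}

main() {
    sock=$1; user=${2:-apache}; log=${3:-/opt/openca/var/log/stderr.log}
    echo "== openca_start process (should run as $user)"
    ps -eo user,pid,args | grep '[o]penca_start' || echo "openca_start is not running"
    echo "== socket"
    ls -la "$sock" 2>/dev/null || echo "$sock does not exist: the server never bound it, read $log"
    echo "== permission bits as seen by $user"
    socket_reachable_by "$sock" "$user" && echo "$user can reach $sock by mode bits"
    echo "== connect() as $(id -un)"
    [ -S "$sock" ] && try_connect "$sock"
    echo "== tail of $log"
    tail -n 20 "$log" 2>/dev/null || echo "cannot read $log"
}

if [ $# -eq 0 ]; then
    echo "usage: sh $0 SOCKET [HTTPD_USER] [STDERR_LOG]" >&2
else
    main "$@"
fi
```

Usage on the host from the thread: `sh openca_socket_check.sh /opt/openca/var/openca/tmp/openca_socket apache`, and then once more as the httpd user, `su -s /bin/sh apache -c 'sh openca_socket_check.sh /opt/openca/var/openca/tmp/openca_socket apache'`, so that the connect() line is the web server's own view. A missing socket with a running process points at the server side (as the DB problem in stderr.log did); a socket that exists but is not connectable as apache points at the directory chain or the socket mode, which is the precise place to chown or chmod instead of the whole tree.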