But it seems like the server is working.
The error messages did not change when you go to the web
interface?
Cheers,
Rossi
On 2/13/2012 3:03 PM, Boudewijn Ector wrote:
On 02/13/2012 07:28 PM, Boudewijn Ector wrote:
Hi Guys,
For a project of mine I'm currently trying to implement an
OpenCA PKI server.
My goals are:
1. Making it a Root Certificate Authority.
2. 2nd or 3rd tier CA (it has to be able to accept certificates
from other CAs)
3. User certificate generation (for RADIUS)
4. Machine certificate generation (for RADIUS), guess that's
about the same as #3
And maybe some web interface tweaks.
Well, to be honest I'm having a rather hard time getting OpenCA
to work using both RPM packages and a source install.
I prefer the RPM packages since they're much easier to
distribute and replace than source installs, so I'm trying to
get those to work first.
If there's a good reason for me to start using the sources
please tell me (I just had a look but it's not very easy
either).
I've been running Linux for ~8 years so I know my way around,
that shouldn't be much of a problem.
My current test system is a clean Centos 5.6 32bit testing VM
on which I installed these packages:
[root@lumiadca openca]# rpm -qa | grep openca
openca-base-common-1.1.1-1.rhfc12.i686
openca-base-online-1.1.1-1.rhfc12.i686
openca-tools-1.3.0-1.el5.i386
openca-base-offline-1.1.1-1.rhfc12.i686
Okay, I also installed apache and enabled cgi-bin, apache is
running as apache:apache (centos default).
Okay, then I changed the following stuff in config.xml and
restarted openca:
[root@companyca openca]# diff config.xml config.xml.bak
58c58
< <value>*ZIP*</value>
---
> <value>@default_web_password@</value>
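Review bot: the diff was taken as `diff config.xml config.xml.bak`, i.e. with the edited file as the left operand, so in every hunk the `<` line is the new value and the `>` line is the shipped default; read the other way round, this first hunk would suggest the `@default_web_password@` placeholder is still in place, which it is not.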
63c63
< <value>CompanyName</value>
---
> <value>OpenCA Labs</value>
71c71
< <value>CompanyName</value>
---
> <value>OpenCA Labs</value>
79c79
< <value>Utrecht</value>
---
> <value></value>
87c87
< <value>Utrecht</value>
---
> <value></value>
96c96
< <value>NL</value>
---
> <value></value>
104c104
< <value>yes</value>
---
> <value>no</value>
109c109
< <value>ope...@company.nl</value>
---
> <value>supp...@pki.openca.org</value>
114c114
< <value>openca-dontre...@company.nl</value>
---
> <value>p...@openca.org</value>
118c118
< <value>https://companyca.boudewijnector.nl/pki/pub/policy.html</value>
---
> <value>https://titan/pki/pub/policy.html</value>
130c130
<
<value>companyca.boudewijnector.nl</value>
---
> <value>titan</value>
171c171
< URI.1=http://companyca.boudewijnector.nl/pki/pub/crl/cacrl.crl
---
> URI.1=http://titan/pki/pub/crl/cacrl.crl
182c182
< authorityInfoAccess=caIssuers;URI:http://companyca.boudewijnector.nl/pki/pub/cacert/cacert.crt,OCSP;URI:http://companyca.boudewijnector.nl:2560/,prqpServer;URI:http://companyca.boudewijnector.nl:830/
---
> authorityInfoAccess=caIssuers;URI:http://titan/pki/pub/cacert/cacert.crt,OCSP;URI:http://titan:2560/,prqpServer;URI:http://titan:830/
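Review bot: the OCSP (`:2560`) and PRQP (`:830`) responder URIs in this `authorityInfoAccess` line, like the caIssuers and CRL URIs in the neighbouring hunks, get copied into every certificate the CA issues and cannot be changed afterwards without re-issuing, so confirm that both listeners actually exist on companyca.boudewijnector.nl and are reachable from the RADIUS clients before the first certificate is signed; keeping these as plain `http://` is correct, since a relying party that had to fetch the issuer certificate or an OCSP response over TLS would first need to validate that TLS certificate.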
187c187
< <value>http://companyca.boudewijnector.nl/pki/pub/crl/cacrl.crl</value>
---
> <value>http://titan/pki/pub/crl/cacrl.crl</value>
199c199
<
<value>companyca.boudewijnector.nl</value>
---
> <value>titan</value>
252c252
< <value>*ZIP*</value>
---
> <value>openca</value>
Please note that I've changed the URLs and project name a bit to
make sure the project remains a bit more anonymous.
In /opt/openca/etc/openca/openca_start I also have:
$AUTOCONF {"httpd_user"} = "apache";
$AUTOCONF {"httpd_group"} = "apache";
Which ought to be correct too.
Afterwards, I ran
/opt/openca/etc/openca/configure_etc.sh
When going to:
http://<servername>/cgi-bin/pki/ca/ca
I'm getting this error:
OpenCA Error: Server is not online or does not accept requests
(/opt/openca/var/openca/tmp/openca_socket -
/opt/openca/var/openca/tmp/openca_socket).
That file indeed does not exist although openca is running:
[root@companyca openca]# ps aux | grep openca
apache 4455 0.0 6.7 46152 34412 ? S Feb09 0:00
/usr/bin/perl /opt/openca/etc/openca/openca_start
root 4752 0.0 0.1 4344 728 pts/0 S+ 19:18 0:00
grep openca
I seem to have chown'ed some paths to the apache user:
drwxr-x---. 2 apache apache 4096 Feb 9 02:00 tmp
[root@lumiadca openca]# pwd
/opt/openca/var/openca
I read this post:
https://sites.google.com/site/asidoothings/Home/my-issues-with-getting-openca-working
And it suggests switching to the source-based version. Is that
indeed the only fix for this issue, and what am I getting wrong?
chmod 777'ing the whole directory is not an acceptable solution
to me.
Cheers,
Boudewijn Ector
_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
Oh gosh, I forgot to scan /opt/openca/var/log/stderr.log...
Now OpenCA can access the DB, and I restarted OpenCA.
The socket now exists:
[root@lumiadca log]# ls -la
/opt/openca/var/openca/tmp/openca_socket
srwxr-xr-x. 1 apache apache 0 Feb 13 20:50
/opt/openca/var/openca/tmp/openca_socket
[root@lumiadca log]# cat stderr.log
Process Backgrounded
2012/02/13-20:50:43 OpenCA::Server (type Net::Server::Fork)
starting! pid(2905)
Binding to UNIX socket file
/opt/openca/var/openca/tmp/openca_socket using SOCK_STREAM
Setting gid to "48 48"
Setting uid to "48"
Seems fine.
Can someone point out to me where I should start to debug this?
Cheers,
Boudewijn
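A check for the failure modes this thread walks through (socket file absent because the server died before binding, a stale non-socket file at the path, a socket the httpd user cannot write to, and a socket that exists but has nothing listening), added here as example code that is not part of OpenCA; the socket path and the `apache` user are the ones quoted above and are taken as parameters so the function can be pointed elsewhere.

```python
"""Diagnose why the OpenCA CGI reports 'Server is not online': added example
code for this thread, not part of OpenCA itself."""
import os
import pwd
import socket
import stat

# Socket path and httpd user as quoted in the thread (CentOS default apache).
OPENCA_SOCKET = "/opt/openca/var/openca/tmp/openca_socket"
HTTPD_USER = "apache"


def check_openca_socket(path=OPENCA_SOCKET, httpd_user=HTTPD_USER):
    """Return a one-line diagnosis, checked in the order the thread hit them."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        # The first symptom in the thread: openca_start died (DB access
        # failed) before Net::Server bound the socket, so it was never created.
        return "missing: server never bound the socket, check stderr.log"
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket: a stale regular file sits at the socket path"
    try:
        pw = pwd.getpwnam(httpd_user)
    except KeyError:
        return f"no-such-user: {httpd_user} is not a local account"
    # connect() on a UNIX socket needs write permission on the socket file.
    # The CGI runs as the httpd user (uid 48 on the poster's box), so the
    # file's owner, group or world bits must grant that user write access.
    mode = st.st_mode
    writable = (
        (st.st_uid == pw.pw_uid and mode & stat.S_IWUSR)
        or (st.st_gid == pw.pw_gid and mode & stat.S_IWGRP)
        or mode & stat.S_IWOTH
    )
    if not writable:
        return f"unreachable: {httpd_user} has no write permission on socket"
    # Finally, is anything actually accepting connections on it?
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(2)
        try:
            s.connect(path)
        except (ConnectionRefusedError, PermissionError, socket.timeout) as exc:
            return f"not-listening: socket exists but connect failed ({type(exc).__name__})"
    return "ok: socket present and accepting connections"


if __name__ == "__main__":
    print(check_openca_socket())
```

Run it as the httpd user (e.g. via `sudo -u apache`) to see the same permission picture the CGI sees rather than root's.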