On Wed, 2009-03-25 at 16:22 -0400, M. Ranganathan wrote:
> On Wed, Mar 25, 2009 at 4:12 PM, Damian Krzeminski <[email protected]> 
> wrote:
> > Arjun Nair wrote:
> >> Hi,
> >>
> >> I am having some keystore problems when setting up an HA system on rev:
> >> 14970. The initial setup ("bin/sipxecs-setup") goes fine, but after
> >> that, every time sipXconfig on the primary tries to execute a XML-RPC
> >> call to the redundant server, it comes across this error:
> >>
> >
> > [...]
> >
> >>
> >> So, to workaround this, you can use this program --
> >> http://blogs.sun.com/andreas/entry/no_more_unable_to_find -- to add the
> >> distributed servers certificates to your
> >> "etc/sipxpbx/ssl/authorities.jks" keystore. And then the XML-RPC calls
> >> start to work normally.
> >>
> >
> >
> > Something is not right here: all certificates generated for all the servers
> > in the cluster should be generated with the same CA - at least this is how
> > it was working in 3.10 and before.
> >
> > You should not have to update the truststore on the primary server just
> > because you added a new distributed server. The distributed server should
> > retrieve the certs from the master during initial registration process.
> >
> > It's possible that it all changed when I was not looking though: Mircea and
> > Scott should know more about it.
> > D.
> 
> 
> I think that generate-ssl-keys.sh and install-ssl-keys.sh are being
> run when the secondary servers are being installed and are generating
> fresh key pairs.
> 
> 
> These scripts are generating and installing new keys.  If there were a
> way to know that the script is being called for the secondary server,
> we can avoid generating and installing new keys.
> 
> That is what I am suspecting.

What we need is for something to log all the output from the
gen-ssl-keys.sh and install-ssl-keys.sh while they are being run by the
script that generates the configuration for a new server.  From that we
should be able to see what's happening and fix it.  It's possible that
sipXconfig (which is running the install script) could capture that
output, or we might need to modify the install script.

Damian is correct - the CA cert MUST NOT be modified by the creation of
a new distributed server.


_______________________________________________
sipx-dev mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-dev
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-dev