On Thu, Mar 26, 2009 at 11:47 AM, Arjun Nair <[email protected]> wrote:
> M. Ranganathan wrote:
>> sipxconfig supplies an argument for the web cert when that is
>> installed. It should not have any effect on the keystore.
>>
>> My question is does generate-ssl-keys.sh and install-ssl-keys.sh get
>> called when you install the secondary server? I don't know because I
>> did not write that script.
>>
>> Perhaps Arjun can put some tracing into it and try doing an HA
>> install to see if it gets called for HA install and what the arguments
>> are.
>>
>
> No, gen-ssl-keys.sh and install-cert.sh do not get called on the secondary
> server (I have deleted both these files from my secondary). Furthermore, the
> md5sum remains unchanged from the certs that are generated by the primary
> server (by ./libexec/sipXecs/initial-config, to be used in the secondary) and
> the certs being used in the secondary server.
>
>
> Here are the two certificates the secondary server uses --
> bcmdesk6122.ca.nortel.com
>
>
> 1 Subject [email protected],
> CN=bcmdesk6122.ca.nortel.com, OU=sipXecs, O=ca.nortel.com, L=AnyTown,
> ST=AnyState, C=US
> Issuer [email protected],
> CN=ca.bcmsl2167.ca.nortel.com, OU=sipXecs, O=ca.nortel.com, L=AnyTown,
> ST=AnyState, C=US
> sha1 7d f3 ad 0e fe 02 64 63 83 f2 48 8a 35 d1 04 ea ec 5a b3 ad
> md5 95 67 ad 3f 19 01 1f 65 d9 e8 8e 30 7c 3b 9f da
>
> 2 Subject [email protected],
> CN=ca.bcmsl2167.ca.nortel.com, OU=sipXecs, O=ca.nortel.com, L=AnyTown,
> ST=AnyState, C=US
> Issuer [email protected],
> CN=ca.bcmsl2167.ca.nortel.com, OU=sipXecs, O=ca.nortel.com, L=AnyTown,
> ST=AnyState, C=US
> sha1 ca 67 6a 8f 29 1e 05 59 80 0d 5a db f2 55 33 41 13 9c bb 76
> md5 27 73 1c 52 dc 9c 83 46 57 c5 ff 60 cd 3d 39 75
>
>
> And here are the two certs the primary uses -- bcmsl2167.ca.nortel.com
>
>
> 1 Subject [email protected],
> CN=bcmsl2167.ca.nortel.com, OU=sipXecs, O=ca.nortel.com, L=AnyTown,
> ST=AnyState, C=US
> Issuer [email protected],
> CN=ca.bcmsl2167.ca.nortel.com, OU=sipXecs, O=ca.nortel.com, L=AnyTown,
> ST=AnyState, C=US
> sha1 c8 50 f0 31 71 1c 9f 5e f2 af eb c6 04 5c 01 b1 e6 f1 b6 1d
> md5 45 50 d8 67 f3 f8 fc a7 57 46 c9 18 c2 08 31 07
>
> 2 Subject [email protected],
> CN=ca.bcmsl2167.ca.nortel.com, OU=sipXecs, O=ca.nortel.com, L=AnyTown,
> ST=AnyState, C=US
> Issuer [email protected],
> CN=ca.bcmsl2167.ca.nortel.com, OU=sipXecs, O=ca.nortel.com, L=AnyTown,
> ST=AnyState, C=US
> sha1 ca 67 6a 8f 29 1e 05 59 80 0d 5a db f2 55 33 41 13 9c bb 76
> md5 27 73 1c 52 dc 9c 83 46 57 c5 ff 60 cd 3d 39 75
>
>
>
> So, I am not sure why the keystore does not trust the certs from the
> secondary, until you explicitly add it to the keystore.
>
>
> Arjun
>
>
Not sure what is happening exactly and why it is not getting called.
At the bottom of initial-config.sh.in I see:

    # generate TLS credentials
    @SIPX_BINDIR@/ssl-cert/gen-ssl-keys.sh \
        --workdir "@SIPX_VARDIR@/certdb" -d -s "${newHostname}" \
        || exit 1
    @SIPX_BINDIR@/ssl-cert/install-cert.sh \
        --workdir "@SIPX_VARDIR@/certdb" --install-prefix "${INITIAL_CONFIG}" "${newHostname}" \
        || exit 1

I guess I need to set up an HA system and see what's cooking here.
Ranga
--
M. Ranganathan
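Added example, not part of the original thread and not sipXecs code: a small Python check over certificate listings in the format quoted above, confirming that two hosts' leaf certificates name the same self-signed CA before looking at the keystore itself. The hostnames and fingerprints in the sample are constructed, the function names are hypothetical, and matching is by CN and SHA-1 fingerprint only, not by signature verification.

```python
import re
# Constructed samples in the listing format quoted in the thread (not the real certs).
PRIMARY = """\
1 Subject E=root@primary.example.com,
CN=primary.example.com, OU=sipXecs, O=example.com
Issuer E=root@primary.example.com,
CN=ca.primary.example.com, OU=sipXecs, O=example.com
sha1 aa 11 22 33
2 Subject E=root@primary.example.com,
CN=ca.primary.example.com, OU=sipXecs, O=example.com
Issuer E=root@primary.example.com,
CN=ca.primary.example.com, OU=sipXecs, O=example.com
sha1 cc 77 88 99
"""
SECONDARY = PRIMARY.replace("CN=primary.", "CN=secondary.").replace("aa 11 22 33", "bb 44 55 66")

def parse_listing(text):
    """Return one dict per numbered entry; wrapped DN lines are rejoined."""
    certs, field = [], None
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = re.match(r"\d+\s+Subject\s+(.*)", line)
        if m:
            certs.append({"subject": m.group(1), "issuer": ""})
            field = "subject"
        elif certs and line.startswith("Issuer "):
            certs[-1]["issuer"], field = line[len("Issuer "):], "issuer"
        elif certs and re.match(r"(sha1|md5)\s", line):
            name, value = line.split(None, 1)
            certs[-1][name], field = value.replace(" ", "").lower(), None
        elif certs and field:
            certs[-1][field] += " " + line  # continuation of a wrapped DN
    return certs

def cn(dn):
    m = re.search(r"CN=([^,]+)", dn)
    return m.group(1).strip() if m else None

def chain_summary(text):
    """Return (leaf CNs, {CA CN: sha1}). Name matching only, no signature check."""
    certs = parse_listing(text)
    cas = {cn(c["subject"]): c.get("sha1") for c in certs if cn(c["subject"]) == cn(c["issuer"])}
    leaves = [c for c in certs if cn(c["subject"]) != cn(c["issuer"])]
    for leaf in leaves:
        if cn(leaf["issuer"]) not in cas:
            raise ValueError(f"{cn(leaf['subject'])}: issuer not in listing")
    return [cn(c["subject"]) for c in leaves], cas

def same_ca(a, b):  # True when both listings carry the same self-signed CA entry
    return chain_summary(a)[1] == chain_summary(b)[1]
```

If `same_ca` is true for both hosts, as the fingerprints in the quoted listings suggest, the next thing to inspect is which certificates the keystore actually holds.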