The procedure below does indeed cover it (even w/o the rm's), my problem was that while I changed the hostname in /etc/hosts I had left the host there pointing at the old host. Since the resolver on this box is set up to use /etc/hosts first before going to DNS the wrong IP came back when you tried to connect to the host using its hostname (internally). Sipxsupervisor was trying to validate the certificates using the RPC server on the other (still running) box. Hilarity ensued.
I realized what was going on by running strace on sipxsupervisor as it started and noting that it established a connection off the box.

FWIW the docs here: http://sipx-wiki.calivia.com/index.php/Notes_on_SSL_Keys_and_Keystores_used_by_sipx are useful and interesting but actively misleading (wrong) for 4.1; for example the authorities.jks file is not generated nor installed by the cert scripts mentioned.

In case someone is googling around here's a rough outline of how to clone a working Fedora (12) system (useful if there's no ISO to install from) then clear it out so it can be used on a new IP. I have a side project to figure out how to update the config database so you don't have to clear it out but that's not fully working for me yet (it seems OK to export the whole sipxconfig database to text with dumpdb, edit the results changing the IPs and hostnames, then after initializing everything re-import it, but I suspect I've still missed something and need to test a bit more).

1) clone the filesystems to the new box (I used a live CD boot then manually fdisked and mkfs'ed the root and boot, then used 'tar' to copy the working system over the net)
   - fdisk /dev/sda , create a boot and root (and swap if needed)
   - mke2fs -L/boot /dev/sda1
   - mke2fs -L/ /dev/sda3
   - mkswap -L swap /dev/sda2
   - mkdir /zz; mount /dev/sda3 /zz; mkdir /zz/boot; mount /dev/sda1 /zz/boot
   - cd /zz; ssh r...@source 'cd /; tar --one-file-system -c -f - boot .' | tar -xvpf -

2) install boot blocks and remake the boot initrd
   - cp -rp /dev /zz/dev
   - chroot /zz
   - mount /proc
   - grub-install
   - vi /etc/fstab, change it so root and boot are mounted via LABEL=
   - mkinitrd -f /boot/initram... ...
   - update /etc/hosts (both the hostname and IP! :) )
   - update /etc/sysconfig/network-scripts/ifcfg-eth0
   - update /etc/sysconfig/network
   - update /etc/resolv.conf
   - rm /etc/udev/rules.d/70-persistent*
   - chkconfig sipxecs off
   - exit, unmount everything, sync, reboot

3) log in as the sipxecs user and do the traditional clear/setup
   - sipxconfig.sh --database drop
   - sipxconfig.sh --first-run
   - rm -rf XXX/etc/sipxpbx/ssl/* (paranoia, probably not needed)
   - sipxecs-setup
   - sudo chkconfig sipxecs on
   - sudo service sipxecs start

-Eric

On Jan 21, 2010, at 5:46 PM, Eric Varsanyi wrote:

> I have an installed system that was working fine (EDE 'designer' setup,
> recent SVN checkout (see below) with some changes to work on FC12). I cloned
> this system to another box to do some further testing, I tried to completely
> clear it out and start over (reusing just the installed code, nothing from
> the configuration) and set it back up again from scratch.
>
> To clear things out and reset I did:
>     (change networking setup, reboot)
>     sipxconfig.sh --database drop
>     rm -rf $INSTALL/etc/sipxpbx/ssl/*
>     rm -rf $INSTALL/var/sipxdata/certdb/*
>     rm `grep -R -l $INSTALL/etc/sipxecs pbxdev12` [pbxdev12 was the OLD machine name]
>     rm `grep -R -l $INSTALL/var/sipxdata pbxdev12`
>     sipxconfig.sh --database create
>     sipxconfig.sh --first-run
>     sipxecs-setup
>     sstart
>
> hostname -f reports the correct hostname and /etc/hosts is set up without any
> real hostname on either flavor of localhost (ipv4 or ipv6).
>
> This keeps failing with an SSL certificate check error while trying to
> distribute the config files from sipxconfig to the local machine as shown
> below. Full log also included in case there is some other hint.
>
> I realize that I must be missing clearing out something related to the SSL
> certificates used internally to distribute config files, can anyone give a
> clue what I might have missed?
> Is there some script/utility that 'zeroes' out
> a system to just installed state (if I were using RPM's would a
> remove/install of the sipxecs RPMS fully clear things? if so I'll look at
> what the pre/post scripts do in them)?
>
> Thanks for any tips,
> -Eric Varsanyi
>
> "2010-01-21T23:15:30.884000Z":3:JAVA:INFO:pbx.foo21.com:main:00000000:FirstRunTask:"Executing first run tasks..."
> "2010-01-21T23:15:30.888000Z":4:JAVA:INFO:pbx.foo21.com:main:00000000:DomainManagerImpl:"Attempting to load initial domain-config from /home/sipxchange/sip1/INSTALL/etc/sipxpbx):"
> "2010-01-21T23:15:32.510000Z":5:JAVA:INFO:pbx.foo21.com:background:00000000:SipxReplicationContextImpl:"Start replication: File replication: domain-config"
> "2010-01-21T23:15:32.968000Z":6:JAVA:INFO:pbx.foo21.com:background:00000000:XmlRpcClientInterceptor:"XML/RPC File.replace with [pbx.foo21.com, /home/sipxchange/sip1/..., 420, U0lQX0RPTUFJTl9OQU1FID...] on https://pbx.foo21.com:8092/RPC2"
> "2010-01-21T23:15:34.008000Z":7:JAVA:ERR:pbx.foo21.com:background:00000000:XmlRpcClientInterceptor:"Exception in XML/RPC call"
> javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1627)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:204)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:198)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:994)
>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:142)
>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:533)
>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:471)
>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:904)
>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1132)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1159)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1143)
>     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:423)
>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>     at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:858)
>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
>     at org.apache.xmlrpc.DefaultXmlRpcTransport.sendXmlRpc(DefaultXmlRpcTransport.java:83)
>     at org.apache.xmlrpc.XmlRpcClientWorker.execute(XmlRpcClientWorker.java:71)
>     at org.apache.xmlrpc.XmlRpcClient.execute(XmlRpcClient.java:193)
>     at org.apache.xmlrpc.XmlRpcClient.execute(XmlRpcClient.java:184)
>     at org.sipfoundry.sipxconfig.xmlrpc.XmlRpcClientInterceptor$1.call(XmlRpcClientInterceptor.java:118)
>     at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
>     at java.util.concurrent.FutureTask.run(FutureTask.java:166)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
>     at java.lang.Thread.run(Thread.java:636)
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:302)
>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:205)
>     at sun.security.validator.Validator.validate(Validator.java:235)
>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:147)
>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:230)
>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:270)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:973)
>     ... 21 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:191)
>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:255)
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:297)
>     ... 27 more
> "2010-01-21T23:15:34.024000Z":8:JAVA:ERR:pbx.foo21.com:background:00000000:ReplicationManagerImpl:"File replication failed: domain-config"
> .. (many more like it)
>
> ----
>
> URL: http://sipxecs.sipfoundry.org/rep/sipXecs/main
> Repository Root: http://sipxecs.sipfoundry.org/rep/sipXecs
> Repository UUID: ab1d8caa-1f67-47f1-9e81-24633a41865c
> Revision: 17748
> Node Kind: directory
> Schedule: normal
> Last Changed Author: fowlerp
> Last Changed Rev: 17748
> Last Changed Date: 2010-01-20 12:35:02 -0600 (Wed, 20 Jan 2010)
>
> ----
>
> <sipxconfig.log.gz>
> _______________________________________________
> sipx-users mailing list [email protected]
> List Archive: http://list.sipfoundry.org/archive/sipx-users
> Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-users
> sipXecs IP PBX -- http://www.sipfoundry.org/
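
An added example, not part of the original post or of sipXecs: a shell check for the failure described in the reply, where the hosts file still maps the machine's hostname to the old box's IP (and for the loopback mapping the original message rules out). `check_hosts` and `demo_stale_hosts` are hypothetical names, and the 192.0.2.x addresses are constructed sample values.

```shell
#!/bin/sh
# Added example: audit a hosts file after cloning a box to a new hostname/IP.
# check_hosts FILE FQDN EXPECTED_IP  (hypothetical helper, not part of sipXecs)
# Prints one finding per line; returns 0 when clean, 1 when anything is wrong.
check_hosts() {
    awk -v name="$2" -v want="$3" '
        { sub(/#.*/, "") }                  # drop comments
        NF < 2 { next }                     # skip blank or address-only lines
        {
            for (i = 2; i <= NF; i++) {     # field 1 is the address, the rest are names
                if (tolower($i) != tolower(name)) continue
                seen = 1
                if ($1 ~ /^127\./ || $1 == "::1") {
                    printf "LOOPBACK line %d: %s -> %s\n", NR, name, $1
                    bad = 1
                } else if ($1 != want) {
                    printf "STALE line %d: %s -> %s (expected %s)\n", NR, name, $1, want
                    bad = 1
                }
            }
        }
        END {
            if (!seen) { printf "MISSING: %s has no entry\n", name; bad = 1 }
            exit bad
        }
    ' "$1"
}

# Constructed sample: hostname was updated, but the address is still the old box.
demo_stale_hosts() {
    tmp=$(mktemp) || return 2
    cat > "$tmp" <<'EOF'
127.0.0.1   localhost localhost.localdomain
::1         localhost6
192.0.2.10  pbx.foo21.com pbx   # address of the old, still running box
EOF
    rc=0
    check_hosts "$tmp" pbx.foo21.com 192.0.2.20 || rc=$?
    rm -f "$tmp"
    return $rc
}

demo_stale_hosts || echo "=> fix the hosts file before running sipxecs-setup"
```

On the clone this would be run as `check_hosts /etc/hosts "$(hostname -f)" <new IP>` after step 2; it audits only the hosts file, which the post says this box's resolver consults before DNS.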
