Russ Allbery writes:
If you don't mind invalidating all existing sessions for this server
(meaning that authenticated users will be bounced through WebLogin
again
when they next hit the page), which at this point is probably not a
problem if it's been broken for a while, just moving the keyring
aside and
letting Apache create a new one should fix the problem.
Good idea; unfortunately it didn't help.
I stopped apache, moved aside the existing keyring, and started Apache.
It created a new keyring file:
-rw------- 1 sesweb sesweb 348 Jul 18 10:34 service_token_cache
-rw------- 1 root root 81 Jul 18 10:33 keyring
-rw------- 1 root root 4820 Jun 24 04:02 keyring.corrupt
But the error_log again shows 11 copies of this message:
[Wed Jul 18 10:33:52 2012] [error] mod_webauth: mwa_cache_keyring:
webauth_keyring_auto_update /usr/local/apache/conf/webauth/keyring
failed: invalid argument to function (22)
And the wa_keyring list still says:
wa_keyring: cannot read keyring /usr/local/apache/conf/webauth/
keyring: invalid argument to function (unsupported key type 0)
If we try to test webauth by visiting a protected page, the error_log
shows one error like this:
[Wed Jul 18 10:42:39 2012] [error] mod_webauth: set_app_state:
webauth_token_encode failed: unable to use key (6)
Followed by 10 errors during the redirect storm:
[Wed Jul 18 10:42:39 2012] [error] mod_webauth:
redirect_request_token: app state is NULL
Our Apache is v2.0.64; is that a problem?
-- Kai
