no valid keys found

Russ Allbery eagle at
Mon Dec 31 21:38:53 PST 2012

YANG ChengFu <youngseph at> writes:

> thanks for your quick reply, finally I figured out what happened, I used the
> following cron job to create keyring files

> sudo -u www-data wa_keyring -f /var/lib/webkdc/keyring add 2d
> sudo -u www-data  wa_keyring -f /var/lib/webkdc/keyring gc -60d
> apache2ctl graceful
> for host in bulger.mdc; do
> rsync -av -e 'ssh' /var/lib/webkdc/keyring $host:/var/lib/webkdc/keyring
> ssh $host apache2ctl graceful
> done

> but it does not work. So I have to enable WebKdcKeyringAutoUpdate, then
> apache creates the keyring, then it works

> the two ways to create keyring are in the same place, I am not sure what
> I should do?

Well, note that the first command creates a key that won't be valid for
two days (to give you time to distribute the key to the other systems).
Then the second command removes everything older than 60 days.

*If* you run the command every day, this should be okay.  Basically,
you'll have a rotating set of 60 keys.  That's what we do at Stanford.

However, you can't use it to create the *initial* keyring, since it won't
create a key that's immediately valid.  For that, you need to do a
wa_keyring -f /var/lib/webkdc/keyring add 0d.  The other place where it
won't work is if, for some reason, the job doesn't run for longer than 60
days (not adding new keys) and then you run it, since it will add a new
postdated key and then delete all the current keys.

We use pretty much exactly that job on our WebKDCs, so I know it does work
if it runs daily.  I suspect one of the above things happened: either
there wasn't an existing keyring with a full set of keys, or something
prevented it from running for an extended period.

Russ Allbery <eagle at>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University
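A constructed model of the rotation policy discussed above (an added example, not WebAuth code or anything from the thread): `add 2d` appends a key that becomes valid two days later, `gc -60d` drops keys whose valid-after date is more than 60 days old, and a key is usable once its valid-after day has passed. It reproduces the two failure cases (no initial `add 0d` key, and a gap of more than 60 days between runs) and shows a guarded variant of the job that refuses to gc its way to an empty set of usable keys.

```python
"""Simulation of the wa_keyring cron job from the thread (constructed model,
not WebAuth's implementation). Keys are represented by their valid-after
day number; day 0 is the day the keyring was first created."""

ADD_DELAY = 2   # days: wa_keyring ... add 2d
GC_AGE = 60     # days: wa_keyring ... gc -60d


def rotate(keys, today, add_delay=ADD_DELAY, gc_age=GC_AGE):
    """One unguarded run of the job: add a postdated key, then gc old ones."""
    keys = keys + [today + add_delay]                      # add 2d
    return sorted(k for k in keys if k >= today - gc_age)  # gc -60d


def valid_keys(keys, today):
    """Keys the WebKDC could actually use on `today` (valid-after passed)."""
    return [k for k in keys if k <= today]


def simulate(run_days, initial=None):
    """Run the unguarded job on each day in run_days, starting from initial."""
    keys = list(initial or [])
    for day in run_days:
        keys = rotate(keys, day)
    return keys


def rotate_checked(keys, today):
    """Guarded variant: bootstrap with an immediately valid key if none is
    usable (the `add 0d` case), and skip gc whenever it would delete every
    currently valid key (the 'job did not run for >60 days' case)."""
    if not valid_keys(keys, today):
        keys = keys + [today]                    # add 0d
    candidate = rotate(keys, today)
    if not valid_keys(candidate, today):
        # gc would leave only the postdated key; keep the old keys instead
        return sorted(keys + [today + ADD_DELAY])
    return candidate
```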
