Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

no valid keys found

YANG ChengFu youngseph at
Mon Dec 31 21:48:45 PST 2012

Hello Russ,

thanks a lot, I appreciated your suggestion, I will make the cronjob run
daily !

Orange Key: 35745318S1

On Tue, Jan 1, 2013 at 12:38 AM, Russ Allbery
<eagle at>wrote:

> YANG ChengFu <youngseph at> writes:
> > thanks for your quick reply, finally I figured what happened, I used the
> > following cron job to create keyring fils
> > sudo -u www-data wa_keyring -f /var/lib/webkdc/keyring add 2d
> > sudo -u www-data  wa_keyring -f /var/lib/webkdc/keyring gc -60d
> > apache2ctl graceful
> > for host in bulger.mdc; do
> > rsync -av -e 'ssh' /var/lib/webkdc/keyring $host:/var/lib/webkdc/keyring
> > ssh $host apache2ctl graceful
> > done
> > but it does not works. So I have to enable WebKdcKeyringAutoUpdate, then
> > apache create the keyring, then it work
> > the two ways to create keyring are in the same place, I am not sure what
> > I should do ?
> Well, note that the first command creates a key that won't be valid for
> two days (to give you time to distribute the key to the other systems).
> Then the second command removes everything older than 60 days.
> *If* you run the command every day, this should be okay.  Basically,
> you'll have a rotating set of 60 keys.  That's what we do at Stanford.
> However, you can't use it to create the *initial* keyring, since it won't
> create a key that's immediately valid.  For that, you need to do a
> wa_keyring -f /var/lib/webkdc/keyring add 0d.  The other place where it
> won't work is for some reason the job doesn't run for longer than 60 days
> (not adding new keys) and then you run it, since it will add a new
> postdated key and then delete all the current keys.
> We use pretty much exactly that job on our WebKDCs, so I know it does work
> if it runs daily.  I suspect one of the above things happened: either
> there wasn't an existing keyring with a full set of keys, or something
> prevented it from running for an extended period.
> --
> Russ Allbery <eagle at>
> Technical Lead, ITS Infrastructure Delivery Group, Stanford University
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the webauth-info mailing list