no valid keys found
youngseph at gmail.com
Mon Dec 31 21:48:45 PST 2012
Thanks a lot, I appreciated your suggestion; I will make the cron job run.
Orange Key: 35745318S1
On Tue, Jan 1, 2013 at 12:38 AM, Russ Allbery
<eagle at windlord.stanford.edu> wrote:
> YANG ChengFu <youngseph at gmail.com> writes:
> > Thanks for your quick reply. Finally I figured out what happened: I used the
> > following cron job to create keyring files
> >
> > sudo -u www-data wa_keyring -f /var/lib/webkdc/keyring add 2d
> > sudo -u www-data wa_keyring -f /var/lib/webkdc/keyring gc -60d
> > apache2ctl graceful
> > for host in bulger.mdc; do
> > rsync -av -e 'ssh' /var/lib/webkdc/keyring $host:/var/lib/webkdc/keyring
> > ssh $host apache2ctl graceful
> > done
> >
> > but it does not work. So I have to enable WebKdcKeyringAutoUpdate, then
> > apache creates the keyring, then it works.
> > The two ways to create the keyring are in the same place; I am not sure what
> > I should do?
> Well, note that the first command creates a key that won't be valid for
> two days (to give you time to distribute the key to the other systems).
> Then the second command removes everything older than 60 days.
>
> *If* you run the command every day, this should be okay. Basically,
> you'll have a rotating set of 60 keys. That's what we do at Stanford.
> However, you can't use it to create the *initial* keyring, since it won't
> create a key that's immediately valid. For that, you need to do a
> wa_keyring -f /var/lib/webkdc/keyring add 0d. The other place where it
> won't work is if for some reason the job doesn't run for longer than 60 days
> (not adding new keys) and then you run it, since it will add a new
> postdated key and then delete all the current keys.
>
> We use pretty much exactly that job on our WebKDCs, so I know it does work
> if it runs daily. I suspect one of the above things happened: either
> there wasn't an existing keyring with a full set of keys, or something
> prevented it from running for an extended period.
>
> Russ Allbery <eagle at windlord.stanford.edu>
> Technical Lead, ITS Infrastructure Delivery Group, Stanford University
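The two failure modes Russ describes (no initial `add 0d` key, and a job that resumes after a gap longer than the gc window) can be checked with a small model of the rotation, added here as an example; it is not code from the thread or from the WebAuth project and uses constructed key records in place of wa_keyring. It assumes `add N` stores a key whose valid-after date is N days ahead and `gc N` drops keys whose valid-after date is more than N days in the past, which is how the reply above describes them; the guard in `safe_job` is an assumed addition, not part of the original cron job.

```python
# Added example (not from the thread or the WebAuth project): a model of the
# keyring rotation described above, with timestamps in whole days.

class Keyring:
    def __init__(self):
        self.keys = []              # valid-after day of each key (constructed)

    def add(self, now, offset_days):
        # `wa_keyring add Nd`: key becomes valid N days from now
        self.keys.append(now + offset_days)

    def gc(self, now, age_days):
        # `wa_keyring gc -Nd`: drop keys whose valid-after is older than N days
        cutoff = now - age_days
        self.keys = [k for k in self.keys if k >= cutoff]

    def valid(self, now):
        # keys usable right now, i.e. valid-after is not in the future
        return [k for k in self.keys if k <= now]


def cron_job(ring, now):
    """The job from the thread: postdated add, then gc of keys older than 60 days."""
    ring.add(now, 2)
    ring.gc(now, 60)


def safe_job(ring, now):
    """Assumed guard: if nothing is valid after the job, add an immediately
    valid key (`add 0d`), the same step needed to create the initial keyring."""
    cron_job(ring, now)
    if not ring.valid(now):
        ring.add(now, 0)


def simulate(run_days, job=cron_job):
    """Run `job` on each listed day, starting from an `add 0d` initial key on
    day 0. Returns (currently valid keys, total keys) after the last run."""
    ring = Keyring()
    ring.add(0, 0)                  # initial keyring: one key valid right away
    last = 0
    for day in run_days:
        job(ring, day)
        last = day
    return len(ring.valid(last)), len(ring.keys)


if __name__ == "__main__":
    daily = list(range(1, 101))
    print("daily for 100 days:", simulate(daily))                 # (61, 63)
    print("10-day gap:", simulate(daily + [110]))                  # (53, 54)
    print("70-day gap, plain job:", simulate(daily + [170]))      # (0, 1)
    print("70-day gap, guarded job:", simulate(daily + [170], safe_job))  # (1, 2)
```

The 70-day gap run shows the "no valid keys found" state: gc removes every existing key and the only one left is postdated, so the WebKDC has nothing it can use until two days later.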