[ClusterLabs] Setup Apache virtual IP SSL certificate config

Ken Gaillot kgaillot at redhat.com
Tue Jan 12 12:03:08 EST 2021


I'd try using the name in the certificate instead of localhost.

On Tue, 2021-01-12 at 10:31 +0000, John Karippery wrote:
> 
> Hello, 
> 
> I am so exhausted with SSL with pacemaker. I tried my level best and
> I did find the solution.
> 
> > >  wget  --no-check-certificate https://localhost/server-status
> > > --2021-01-12 11:25:06--  https://localhost/server-status
> > > Resolving localhost (localhost)... ::1, 127.0.0.1
> > > Connecting to localhost (localhost)|::1|:443... connected.
> > > WARNING: The certificate of 'localhost' is not trusted.
> > > WARNING: The certificate of 'localhost' hasn't got a known
> > > issuer.
> > > The certificate's owner does not match hostname 'localhost'
> > > HTTP request sent, awaiting response... 200 OK
> > > Length: 4236 (4.1K) [text/html]
> > > Saving to: 'server-status.3'
> > > server-status.3                       
> > >  100%[===========================================================
> > > =================>]   4.14K  --.-KB/s    in 0s
> > > 2021-01-12 11:25:06 (404 MB/s) - 'server-status.3' saved
> > > [4236/4236]
> 
> Status.conf
> 
> > >         <Location /server-status>
> > >          SetHandler server-status
> > >          Require local
> > >   
> > >         </Location>
> 
> 
> And I tried 
> > > pcs resource create Apache ocf:heartbeat:apache configfile=/etc/apache2/apache2.conf statusurl="--no-check-certificate https://localhost/server-status" op monitor interval=1min
> > > pcs resource create Apache ocf:heartbeat:apache configfile=/etc/apache2/apache2.conf statusurl=" https://localhost/server-status" op monitor interval=1min
> 
> And I tried to change config  (ocf/resource.d/heartbeat/tomcat)
> 
> > > isrunning_tomcat()
> > > {
> > >     $WGET --no-check-certificate --tries=20 -O /dev/null $RESOURCE_STATUSURL >/dev/null 2>&1
> > > }
> 
> 
> 
> Error I received 
> 
> > > Failed Resource Actions:
> > > * Apache_start_0 on server1 'unknown error' (1): call=401,
> > > status=complete, exitreason='Failed to access httpd status
> > > page.',
> > >     last-rc-change='Tue Jan 12 11:19:23 2021', queued=1ms,
> > > exec=3439ms
> > > 
> > > 
> 
> Please help me 
> 
> On Tuesday, 27 October, 2020, 04:44:16 pm GMT+1, Timo Schöler <
> timo at kroenchenstadt.de> wrote:
> 
> 
> On 10/27/20 11:33 AM, John Karippery wrote:
> 
> > I have problem on my pacemaker setup while config SSL certificate on my
> > server.
> 
> Can you access https://localhost/server-status (which you use to check
> your web server's health) using wget from the same host?
> 
> Will it throw an error because of the certificate (chain)? If so, this
> will also be the problem regarding the health check.
> 
> wget will ignore certificate woes using the ``--no-check-certificate''
> option, which you could use to verify it actually is the problem.
> 
> Timo
> 
> 
> > Before using SSL everything was working fine but as soon as I added the
> > (self-signed) SSL certificate, the cluster won't start the web server again.
> > 
> > error message is like this.
> > 
> > Failed Resource Actions:
> > * mb-web_start_0 on node01 'unknown error' (1): call=128, status=complete, exitreason='Failed to access httpd status page.', last-rc-change='Mon May 18 12:32:05 2020', queued=0ms, exec=3402ms
> > * mb-web_start_0 on node02 'unknown error' (1): call=130, status=complete, exitreason='Failed to access httpd status page.', last-rc-change='Mon May 18 12:31:35 2020', queued=0ms, exec=3425ms
> > 
> > and I tried to create apache resource in:
> > 
> > pcs resource create Website1 ocf:heartbeat:apache configfile=/etc/apache2/apache2.conf statusurl="http://localhost/server-status" op monitor interval=1min
> > 
> > pcs resource create Website1 ocf:heartbeat:apache configfile=/etc/apache2/apache2.conf statusurl="https://localhost/server-status" op monitor interval=1min
> > 
> > my Apache server status file
> > 
> > cat <<-END >/etc/apache2/status.conf
> > <Location /server-status>
> > SetHandler server-status
> > Order Deny,Allow
> > Deny from all
> > Require local
> > </Location>
> > END
> > 
> > Please help me
> > 
> > _______________________________________________
> > Manage your subscription:
> > https://lists.clusterlabs.org/mailman/listinfo/users
> > 
> > ClusterLabs home: https://www.clusterlabs.org/
> > 
-- 
Ken Gaillot <kgaillot at redhat.com>
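
Added example, not part of the original messages: a shell check of whether the host in a `statusurl` is a name the server certificate is valid for, which is the mismatch wget reports for `localhost` in the quoted output. The certificate path and the `www.example.test` name in the usage comment are assumptions; the matching itself is done by `openssl x509 -checkhost`.

```shell
#!/bin/sh
# Added example (not from the thread, not the resource agent's own code).
# Usage (path and name are hypothetical):
#   sh check_statusurl.sh /etc/ssl/certs/site.pem https://www.example.test/server-status

# url_host URL -> prints the host part of an http(s) URL (no port, no path).
# IPv6 literals in brackets are not handled.
url_host() {
    h=${1#*://}      # strip the scheme
    h=${h%%/*}       # strip the path
    h=${h%%:*}       # strip an explicit port
    printf '%s\n' "$h"
}

# cert_subject CERT_PEM -> prints the certificate subject line
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# statusurl_matches_cert CERT_PEM URL
# Returns 0 when the URL host matches a name in the certificate, 1 otherwise.
# openssl prints "Hostname X does match certificate" or
# "Hostname X does NOT match certificate"; only the first form is accepted.
statusurl_matches_cert() {
    host=$(url_host "$2")
    openssl x509 -in "$1" -noout -checkhost "$host" 2>/dev/null |
        grep -q 'does match certificate'
}

# Run as a script only when both arguments are given.
if [ "$#" -eq 2 ]; then
    cert_subject "$1"
    if statusurl_matches_cert "$1" "$2"; then
        echo "OK: $(url_host "$2") matches the certificate"
    else
        echo "MISMATCH: $(url_host "$2") is not a name in the certificate"
        exit 1
    fi
fi
```

A name that passes this check still has to resolve to the local Apache instance on every cluster node, and a self-signed certificate still has to be trusted by the client for verification to succeed.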


