[ClusterLabs] Antw: [EXT] Re: Setup Apache virtual IP SSL certificate config

Ulrich Windl Ulrich.Windl at rz.uni-regensburg.de
Wed Jan 13 02:10:52 EST 2021


Actually I wonder whether an encrypted connection from localhost to localhost
does make much sense at all.

>>> Ken Gaillot <kgaillot at redhat.com> wrote on 12.01.2021 at 18:03 in
message
<9de95d50930dd3f83461e7eb63cb904c4b1e7f08.camel at redhat.com>:
> I'd try using the name in the certificate instead of localhost
> 
> On Tue, 2021-01-12 at 10:31 +0000, John Karippery wrote:
>> 
>> Hello, 
>> 
>> I am so exhausted with SSL with pacemaker.. I tried my level best and
>> I did found the solution.
>> 
>> > >  wget  --no-check-certificate https://localhost/server-status 
>> > > --2021-01-12 11:25:06--  https://localhost/server-status 
>> > > Resolving localhost (localhost)... ::1, 127.0.0.1
>> > > Connecting to localhost (localhost)|::1|:443... connected.
>> > > WARNING: The certificate of 'localhost' is not trusted.
>> > > WARNING: The certificate of 'localhost' hasn't got a known
>> > > issuer.
>> > > The certificate's owner does not match hostname 'localhost'
>> > > HTTP request sent, awaiting response... 200 OK
>> > > Length: 4236 (4.1K) [text/html]
>> > > Saving to: 'server-status.3'
>> > > server-status.3                       
>> > >  100%[===========================================================
>> > > =================>]   4.14K  --.-KB/s    in 0s
>> > > 2021-01-12 11:25:06 (404 MB/s) - 'server-status.3' saved
>> > > [4236/4236]
>> 
>> Status.conf
>> 
>> > >         <Location /server-status>
>> > >          SetHandler server-status
>> > >          Require local
>> > >   
>> > >         </Location>
>> 
>> 
>> And I tried 
>> > > pcs resource create Apache ocf:heartbeat:apache configfile=/etc/apache2/apache2.conf statusurl="--no-check-certificate https://localhost/server-status" op monitor interval=1min
>> > > pcs resource create Apache ocf:heartbeat:apache configfile=/etc/apache2/apache2.conf statusurl=" https://localhost/server-status" op monitor interval=1min
>> 
>> And I tried to change config  (ocf/resource.d/heartbeat/tomcat)
>> 
>> > > isrunning_tomcat()
>> > > {
>> > >     $WGET --no-check-certificate --tries=20 -O /dev/null $RESOURCE_STATUSURL >/dev/null 2>&1
>> > > }
>> 
>> 
>> 
>> Error I received 
>> 
>> > > Failed Resource Actions:
>> > > * Apache_start_0 on server1 'unknown error' (1): call=401, status=complete, exitreason='Failed to access httpd status page.',
>> > >     last-rc-change='Tue Jan 12 11:19:23 2021', queued=1ms, exec=3439ms
>> > > 
>> > > 
>> 
>> Please help me 
>> 
>> On Tuesday, 27 October, 2020, 04:44:16 pm GMT+1, Timo Schöler <timo at kroenchenstadt.de> wrote:
>> 
>> 
>> On 10/27/20 11:33 AM, John Karippery wrote:
>> 
>> > I have a problem on my pacemaker setup while configuring an SSL certificate
>> > on my server.
>> 
>> Can you access https://localhost/server-status (which you use to check
>> your web server's health) using wget from the same host?
>> 
>> Will it throw an error because of the certificate (chain)? If so, this
>> will also be the problem regarding the health check.
>> 
>> wget will ignore certificate woes using the ``--no-check-certificate''
>> option, which you could use to verify it actually is the problem.
>> 
>> Timo
>> 
>> 
>> > Before using SSL everything was working fine but as soon as I added the
>> > (self-signed) SSL certificate, the cluster won't start the web server again.
>> > 
>> > error message is like this.
>> > 
>> > Failed Resource Actions:
>> > * mb-web_start_0 on node01 'unknown error' (1): call=128, status=complete, exitreason='Failed to access httpd status page.',
>> >     last-rc-change='Mon May 18 12:32:05 2020', queued=0ms, exec=3402ms
>> > * mb-web_start_0 on node02 'unknown error' (1): call=130, status=complete, exitreason='Failed to access httpd status page.',
>> >     last-rc-change='Mon May 18 12:31:35 2020', queued=0ms, exec=3425ms
>> > 
>> > and I tried to create apache resource in:
>> > 
>> > pcs resource create Website1 ocf:heartbeat:apache configfile=/etc/apache2/apache2.conf statusurl="http://localhost/server-status" op monitor interval=1min
>> > 
>> > pcs resource create Website1 ocf:heartbeat:apache configfile=/etc/apache2/apache2.conf statusurl="https://localhost/server-status" op monitor interval=1min
>> > 
>> > my Apache server status file
>> > 
>> > cat <<-END >/etc/apache2/status.conf
>> > <Location /server-status>
>> > SetHandler server-status
>> > Order Deny,Allow
>> > Deny from all
>> > Require local
>> > </Location>
>> > END
>> > 
>> > Please help me
>> > 
>> > _______________________________________________
>> > Manage your subscription:
>> > https://lists.clusterlabs.org/mailman/listinfo/users 
>> > 
>> > ClusterLabs home: https://www.clusterlabs.org/ 
>> > 
> -- 
> Ken Gaillot <kgaillot at redhat.com>
> 





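Added example (not part of the original thread): a POSIX shell version of the host name check behind wget's "owner does not match hostname 'localhost'" warning, showing why a statusurl that uses the certificate's own name passes it. The name `web.example.test`, the file `cert.pem` and all function names are constructed; trusting a self-signed issuer is a separate check that this does not cover.

```shell
#!/bin/sh
# Print the host part of an http(s) URL (no userinfo or IPv6-literal handling).
url_host() {
    h=${1#*://}                 # drop the scheme
    h=${h%%/*}                  # drop the path
    printf '%s\n' "${h%%:*}"    # drop an optional port
}

# Print the DNS names a PEM certificate is valid for, one per line.
# Needs OpenSSL 1.1.1 or later for the -ext option.
cert_dns_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Return 0 if host $1 matches any of the remaining certificate names.
# A leading "*." matches exactly one label, as TLS clients do.
host_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
    for name in "$@"; do
        name=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        case $name in
            \*.*) rest=${host#*.}
                  [ "$rest" != "$host" ] && [ "*.$rest" = "$name" ] && return 0 ;;
            *)    [ "$host" = "$name" ] && return 0 ;;
        esac
    done
    return 1
}

# check_statusurl URL NAME... : report whether the host name check can pass.
check_statusurl() {
    url=$1; shift
    if host_matches "$(url_host "$url")" "$@"; then
        echo "ok"
    else
        echo "mismatch"
    fi
}

# Constructed case: a certificate issued for web.example.test only.
check_statusurl "https://localhost/server-status" web.example.test         # mismatch
check_statusurl "https://web.example.test/server-status" web.example.test  # ok
# With a real certificate file (path is an assumption):
#   check_statusurl "$statusurl" $(cert_dns_names cert.pem)
```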