Hello,

after having investigated the situation more deeply, I finally found that the reason was an inconsistency of the underlying MySQL database: at night, the MySQL server was unavailable for a given time, so the CRL issuing had trouble with this. After having fixed this, openCA works fine again.

Nevertheless: it seems that openCA reacts kind of allergic to non-available database backends. The files var/openca/crypto/crlnumber and var/openca/crypto/crlnumber.old were both empty, so the next (manual or automatic) process issuing CRLs was defective. Perhaps you may want to implement a non-emptying of the file after issuing CRLs was unsuccessful.

Harald

On 03.09.2014 at 10:25, Martin Hecht <he...@hlrs.de> wrote:

> Hi Harald,
>
> it looks as if the mysql server closes the connection unexpectedly after
> the authentication. This could happen if the database has been corrupted
> somehow (maybe a full disk or power outage?) or if it runs into some
> kind of timeout (high load on the machine caused by some processes which
> went mad?).
> Can you connect using mysql from the command line and select rows from
> the tables?
> If this is all ok, we need to have a closer look at the process of
> issuing a new CRL. The autoCRL daemon
> (./src/common/lib/cmds/startAutoCRL) uses sub autoCRLProcess() at the
> bottom of the source file, whereas manually issuing a new CRL is done by
> sub cmdGenCRL() in ./src/common/lib/cmds/genCRL). They both call new()
> in ./src/modules/openca-crl/CRL.pm to create a new CRL, but obviously,
> something must be different if one way works and the other one fails to
> connect to the database.
>
> best regards,
> Martin
>
> On 09/03/2014 07:14 AM, Harald Koch wrote:
>> Hello,
>>
>> I’m running two CAs with openCA, which has run successfully over years now.
>> Actually, I’m facing the situation that autoCRL is not working any more.
>> This started after I manually revoked one certificate in one of both CAs,
>> but this may be perhaps an accident. Actually, I have to issue CRLs manually
>> from time to time, since the autoCRL process seems to stop overnight after
>> having run for two days. Manually issuing CRLs works perfectly.
>> When starting the autoCRL process from the web interface, the log at
>> var/openca/log/stderr.log states the following:
>>
>> CRL::Found Entry -> 6DE70E00C4FF81E0A54B (13)
>> CRL::Found Entry -> 7AE329F4AFCAB0DE3D1E (15)
>> CRL::Found Entry -> 90BBDBB297A27246C4CE (17)
>> CRL::Found Entry -> D460DA7FA19F65076D50 (19)
>> CRL::Found Entry -> EB35BF44E2FAA2355CC0 (21)
>> DBD::mysql::st execute failed: MySQL server has gone away at <path obfuscated>/lib/openca/perl_modules/perl5/OpenCA/DBI.pm line 3309.
>> autoCRLProcess()::ERROR::Can not store CRL in DB!
>> DBD::mysql::db commit failed: MySQL server has gone away at <path obfuscated>/lib/openca/perl_modules/perl5/OpenCA/DBI.pm line 3549.
>>
>> I learned a bit that the file var/openca/crypto/crlnumber and crlnumber.old
>> may have something to do with it. The content is the hexadecimal
>> interpretation of the next and actual value of crl_key in the database table
>> crl. May this be the reason of cancellation of the autoCRL process? What
>> other reasons could exist so that the autoCRL process fails?
>>
>>
>> Freundliche Grüße/Best regards,
>>
>> Harald Koch
>>
>> c-works GmbH
>> Otto-Lilienthal-Str. 36
>> 71034 Böblingen
>> http://www.os4x.com
>>
>> eMail: h.k...@os4x.com
>> Support: +49-(0)7031-4924306
>> Fax: +49-(0)7031-4924308
>>
>> Geschäftsführer/Managing Director: Harald Koch
>> Sitz und Registergericht/Domicile and Court of Registry: Stuttgart
>> HRB-Nr./ Commercial Register No. 725882

_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
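
The failure described in this thread (both crlnumber files left empty after a failed CRL run) can be caught before the next issuing attempt with a pre-flight check. The script below is an added example, not part of the original messages and not OpenCA code; the function names are hypothetical, and it assumes each file holds one hexadecimal number on a single line and that crlnumber (next) is greater than crlnumber.old (current).

```shell
# Added example: pre-flight check for the CRL number files named in the thread.
# Assumption: each file holds exactly one hexadecimal number on one line.

# Print the state of one file: ok, missing, empty or invalid.
crlnumber_state() {
    [ -e "$1" ] || { echo missing; return; }
    content=$(tr -d ' \t\r' < "$1")      # $(...) also drops the trailing newline
    case $content in
        '')             echo empty ;;    # zero bytes or whitespace only
        *[!0-9A-Fa-f]*) echo invalid ;;  # non-hex data or more than one line
        *)              echo ok ;;
    esac
}

# Print the file's number in upper case without leading zeros ("0" if all zeros).
hex_value() {
    v=$(tr -d ' \t\r\n' < "$1" | tr 'a-f' 'A-F' | sed 's/^0*//')
    echo "${v:-0}"
}

# Return 0 when normalised hex string $1 is strictly greater than $2.
# Compares by length, then bytewise, so numbers wider than 64 bits work too.
hex_gt() {
    [ "$1" = "$2" ] && return 1
    [ ${#1} -ne ${#2} ] && { [ ${#1} -gt ${#2} ]; return; }
    [ "$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort | tail -n 1)" = "$1" ]
}

# Check both files in directory $1; return 0 only when issuing may proceed.
check_crl_numbers() {
    dir=$1 rc=0
    for f in crlnumber crlnumber.old; do
        state=$(crlnumber_state "$dir/$f")
        echo "$f: $state"
        [ "$state" = ok ] || rc=2
    done
    # Assumption: the "next" number must be ahead of the "current" one.
    if [ "$rc" -eq 0 ] && ! hex_gt "$(hex_value "$dir/crlnumber")" \
                                   "$(hex_value "$dir/crlnumber.old")"; then
        echo "crlnumber is not greater than crlnumber.old"; rc=2
    fi
    return "$rc"
}

# Constructed demo: a healthy pair, then the emptied pair described in the thread.
demo=$(mktemp -d)
printf '1B\n' > "$demo/crlnumber"; printf '1A\n' > "$demo/crlnumber.old"
check_crl_numbers "$demo" && echo "OK: safe to issue a CRL"
: > "$demo/crlnumber"; : > "$demo/crlnumber.old"
check_crl_numbers "$demo" || echo "CRITICAL: restore the CRL number before issuing"
rm -rf "$demo"
```

Run against the real var/openca/crypto directory from cron or a monitoring agent, a non-zero return flags the emptied files before the next autoCRL cycle fails on them.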