Wednesday, 2015-02-04

*** ricardoamaro has quit (Ping timeout: 264 seconds)		02:14
*** ricardoamaro (~ricardoam@drupal.org/user/74228/view) has joined #wikid		09:17
*** Paul_ (d9243c68@gateway/web/freenode/ip.217.36.60.104) has joined #wikid		09:55
Paul_	Morning WiKID, So you are aware Apache 2 API has now changed ad generates a compile error in xradius_chache.c	09:57
Paul_	it is with unixd_config and I beleive this should be ap_unixd_cofig	09:58
Paul_	ap_unixd_config*	09:59
*** ricardoamaro has quit (Quit: Leaving.)		10:23
*** Paul_ has quit (Quit: Page closed)		10:30
*** ricardoamaro (~ricardoam@drupal.org/user/74228/view) has joined #wikid		10:46
*** Paul_ (d9243c68@gateway/web/freenode/ip.217.36.60.104) has joined #wikid		10:57
Paul_	Anyone online?	10:58
*** Paul_ has quit (Quit: Page closed)		11:42
*** ricardoamaro has quit (Ping timeout: 256 seconds)		11:49
*** _markh_ (~chatzilla@wish-hq3.gotadsl.co.uk) has joined #wikid		12:03
*** _markh_ has quit (Client Quit)		12:05
*** ricardoamaro (~ricardoam@drupal.org/user/74228/view) has joined #wikid		12:09
*** ricardoamaro has quit (Ping timeout: 264 seconds)		12:49
*** ricardoamaro (~ricardoam@drupal.org/user/74228/view) has joined #wikid		13:06
*** NickS (540c8c38@gateway/web/freenode/ip.84.12.140.56) has joined #wikid		13:15
*** _markh_ (~chatzilla@wish-hq3.gotadsl.co.uk) has joined #wikid		13:32
_markh_	nowen: can you ping NickS when you get on? Wikid server (commercial) won't start...	13:35
*** ricardoamaro has quit (Ping timeout: 252 seconds)		13:49
*** ricardoamaro (~ricardoam@drupal.org/user/74228/view) has joined #wikid		14:06
*** nowen1 (~nowen@50-194-249-125-static.hfc.comcastbusiness.net) has joined #wikid		14:10
NickS	nowen1: We have a non-working server. Hangs forever on "Waiting for wAuth initialization to complete..". Can you help?	14:20
nowen1	NickS: who are you with?	14:20
NickS	MJog Limited	14:20
*** nowen1 is now known as nowen_office		14:21
nowen_office	what version of WiKID is it?	14:22
NickS	wikid-server-enterprise 3.5.0-b1472 and wikid-utilities 3.4.2 running on Ubuntu 12.04.4 LTS	14:24
nowen_office	is mjog also softoption?	14:24
NickS	Mjog is formally SoftOption. We changed the company name.	14:24
nowen_office	ok - I'm guessing that your certs are expired and that you need to update to the latest rpm	14:25
nowen_office	or deb ;-)	14:25
NickS	I did check the cert earlier and it looked okay. I'll do ita again and post the result.	14:26
nowen_office	hmm	14:26
nowen_office	using keytool?	14:26
nowen_office	check the local host too	14:27
nowen_office	https://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-do-i-know-if-my-certificate-is-valid	14:27
NickS	keytool -list -v -keystore /opt/WiKID/private/intCAKeys.p12 -storetype pkcs12 -storepass "<redacted>" gives:	14:28
NickS	Valid from: Fri Nov 09 16:31:53 GMT 2012 until: Mon Nov 09 16:31:53 GMT 2015	14:28
nowen_office	ok	14:29
NickS	Umm, however, keytool -list -v -keystore /opt/WiKID/private/localhost.p12 -storetype pkcs12 -storepass "<redacted>" gives:	14:31
NickS	keytool error: java.io.IOException: PKCS12 key store mac invalid - wrong password or corrupted file. java.io.IOException: PKCS12 key store mac invalid - wrong password or corrupted file	14:32
NickS	and, wauth.log says: Exception in thread "main" java.lang.NoClassDefFoundError: sun/security/util/CryptoPrimitive	14:32
nowen_office	hmm. ok - try moving localhost.p12 to a different directory and restarting	14:32
NickS	ok, hang on...	14:33
NickS	I moved localhost.p12 to another directory and still have the same problem, i.e. it's stuck "Waiting for wAuth initialization to complete....". Should it have created a new localhost.p12 file?	14:37
nowen_office	no, you have to do that via the WiKIDAdmin	14:38
nowen_office	did you change anything on the box? do any updates?	14:38
NickS	We don't have a working web console.	14:38
nowen_office	I know	14:39
nowen_office	did you update java or something?	14:39
NickS	Ubuntu unattended upgrades ran last night and rebooted the box. It upgraded: "linux-headers-virtual linux-image-virtual linux-libc-dev linux-virtual unzip"	14:40
nowen_office	hmm	14:40
NickS	It is running: "Linux wikid 3.2.0-76-virtual #111-Ubuntu SMP Tue Jan 13 22:33:42 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux"	14:40
nowen_office	so, something could have changed before that and the reboot killed it	14:41
nowen_office	what version of java is this?	14:41
NickS	java version "1.6.0_33" OpenJDK Runtime Environment (IcedTea6 1.13.5) (6b33-1.13.5-1ubuntu0.12.04) OpenJDK 64-Bit Server VM (build 23.25-b01, mixed mode)	14:42
nowen_office	ok - try moving intCA and starting	14:43
NickS	Is that intCAKeys.p12?	14:43
nowen_office	how many users do you have on this box?	14:43
NickS	a dozen or so users	14:44
nowen_office	ok - might be a good idea to back up the db. can you tar up /var/lib/pgsql/data?	14:45
nowen_office	and yes, ntCAKeys.p12	14:47
nowen_office	hmm	14:47
nowen_office	actually, I think I know the issue	14:47
nowen_office	it's not your certs, it is our cert. our CA expired	14:47
NickS	Well, in the meantime a wikid start has worked. I got a token but still couldn't login and out control panel isn't working	14:48
nowen_office	we updated for the expired cert with 3.5.0-b1428	14:49
*** ricardoamaro has quit (Ping timeout: 250 seconds)		14:49
nowen_office	ok	14:49
nowen_office	is this a VM or a real box?	14:50
NickS	It's a VM running on OpenStack. It's been running fine since late 2013	14:51
nowen_office	yeah, I'm guessing that the cert expired some time ago. you would have an issue with it until wikid restarted	14:51
nowen_office	so, I recommend we take a snapshot, update to the latest and get new certs	14:52
NickS	You said you updated for the expired cert with 3.5.0-b1428, so should the version we're running (3.5.0-b1472) be okay?	14:56
nowen_office	hmm, good point	14:58
nowen_office	and yet it could be any number of other bugs that have been fixed	14:59
nowen_office	tomcat updates alone	15:01
NickS	True. I'll upgrade.	15:01
nowen_office	http://wikidsystems-dl.com/wikid-server-enterprise_4.0.1-b1821-1.deb	15:02
nowen_office	and http://wikidsystems-dl.com/wikid-utilities_3.4.3-1.deb	15:02
NickS	Thanks.	15:02
nowen_office	the CA setup is different now. with better feedback for expirations and license management. I can walk you through it	15:02
*** ricardoamaro (~ricardoam@drupal.org/user/74228/view) has joined #wikid		15:05
NickS	Is this all I have to do (for Ubuntu): https://www.wikidsystems.com/support/wikid-support-center/installation-how-tos/how-to-upgrade-your-wikid-strong-authentication-server	15:07
nowen_office	yes. that should be it	15:08
nowen_office	you might have to run 'sudo apt-get -f install' to make sure about any dependencies	15:09
nowen_office	NickS: the new ca server is at https://ca.wikidsystems.com	15:19
nowen_office	you have to create an account.	15:19
NickS	I've created an account. What do I have to do now?	15:24
nowen_office	did the server start up for you?	15:25
NickS	Yes! I got a passcode and used it to login to a server and I can login to the web control panel	15:29
nowen_office	ok	15:30
nowen_office	do you see the link for the Certificate on the Configuration tab?	15:30
NickS	The "Purchase, add, renew...." link?	15:32
nowen_office	no - the Display Certificate	15:32
nowen_office	click that and copy the cert to the clipboard	15:33
nowen_office	then click the Purchase, Add, Renew link	15:33
NickS	ok	15:34
nowen_office	login and click Add a Server License - paste the cert in there	15:34
NickS	I get: "Error: Submitted data could not be processed as a valid WiKID Certificate"	15:36
NickS	There's no BEGIN/END with the displayed certificate	15:36
nowen_office	ok - did you create a new cert after you started wikid?	15:37
NickS	No	15:37
nowen_office	ok - you will need to do that.	15:37
NickS	Is that with "/opt/WiKID/bin/wikidctl setup"?	15:38
nowen_office	no - via the WiKIDAdmin > Configuration > Create an Intermediate CA. you will also have to create a localhost	15:39
NickS	When I generated the Intermediate CA I just got a menu with a blank page. Is that correct?	15:48
nowen_office	no, did you start with Create An Intermediate CA?	15:48
*** ricardoamaro has quit (Ping timeout: 245 seconds)		15:49
NickS	I did. Filled in the form and pressed "Generate"	15:49
nowen_office	and you get a blank page?	15:49
NickS	Yes. I'll try again.	15:50
nowen_office	ok - can you rerun 'wikidctl setup' and run through the network piece	15:50
nowen_office	in particular the domain name	15:50
NickS	Same again. I'll rerun "wikidctl setup".	15:51
*** ricardoamaro (~ricardoam@drupal.org/user/74228/view) has joined #wikid		16:07
NickS	I'm still getting a blank page when I attempt to generate the intermediate certificate.	16:08
nowen_office	ugh. I'm sorry - what version of java again?	16:08
nowen_office	also - is there an error in the WiKIDAdmin logs?	16:11
NickS	java version "1.6.0_34" OpenJDK Runtime Environment (IcedTea6 1.13.6) (6b34-1.13.6-1ubuntu0.12.04.1) OpenJDK 64-Bit Server VM (build 23.25-b01, mixed mode)	16:13
NickS	There are errors in the logs:	16:13
NickS	ERROR: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown	16:13
NickS	Couldn't validate the client certificate. Verify the validity and dates of the client cert.	16:13
NickS	ERROR: java.net.SocketException: Broken pipe	16:13
NickS	Can't start RADIUS Server	16:14
NickS	With regard to the last error, when I start wikidctl one of the messages states "RADIUS protocol daemon already started."	16:15
nowen_office	can you give me the output of ls -all /opt/WiKID/private plx	16:17
nowen_office	plz	16:17
NickS	ls -all /opt/WiKID/private total 36 drwxr-xr-x 3 wikid root 4096 Feb 4 15:09 . drwxr-xr-x 15 wikid root 4096 Sep 6 2013 .. -rw-r--r-- 1 wikid root 2222 Sep 6 2013 Admin.p12 -rw-r--r-- 1 wikid root 2652 Sep 6 2013 CACertStore drwxr-xr-x 2 wikid root 4096 Feb 4 15:09 googlesso -rw-r--r-- 1 wikid root 2235 Sep 6 2013 HC Admin.p12 -rw-r--r-- 1 wikid root 2931 Sep 6 2013 intCAKeys.p12 -rw-r--r-- 1 wikid root 2174 Sep 6 20	16:18
NickS	I hope that makes sense!	16:18
nowen_office	yes ;-). Try this: mv CACertStore and intCAKeys.p12 and restart wikid.	16:20
nowen_office	I'm worried though, you should have a WiKID4CA.cer in there	16:21
NickS	There is a WiKIDCA.cer, it looks like it got chopped off the end of my copy-paste	16:24
NickS	I've restarted wikidctl, but there was no "Waiting for wAuth initialization to complete", it want straight from "Starting Timecop" to "Starting Tomcat"	16:25
nowen_office	hmm, no WiKID4CA.cer though?	16:27
NickS	Yes, see previous comment	16:28
nowen_office	ok - try to create the int ca again	16:30
NickS	I'm still getting a blank page	16:31
NickS	(with menu and logo)	16:31
nowen_office	ugh, usually that's some issue with the hostname and re-running setup fixes it	16:33
NickS	So when I ran the set up I first put in the hostname as wikid.local.example.com as that is the hostname of the box. I then tried it again (and it is now) wikid.example.com, as that is how we access it from other servers	16:35
nowen_office	that should be fine	16:38
nowen_office	I'm booting up an old ubuntu server to see if I can recreate	16:38
NickS	Thanks	16:39
*** ricardoamaro has quit (Ping timeout: 240 seconds)		16:49
*** ricardoamaro (~ricardoam@drupal.org/user/74228/view) has joined #wikid		17:06
nowen_office	NickS: ok - i have replicated.	17:29
nowen_office	can you move your certs back to /opt/WiKID/private and try to get it working again?	17:29
nowen_office	oh wait	17:30
nowen_office	run: sudo apt-get install openjdk-7-jdk	17:30
nowen_office	and restart	17:30
nowen_office	NickS: you see that?	17:32
NickS	Ok	17:33
*** ricardoamaro has quit (Ping timeout: 264 seconds)		17:49
NickS	I have upgraded to jdk7, copied the certs back, restarted and generated and intermediate certificate and pasted that into the "Add server" on the certificate management site	17:51
NickS	btw. our license was due to expire on 15th and we renewed that earlier today	17:52
nowen_office	yes - saw taht	17:54
nowen_office	that	17:54
nowen_office	ok - so add users and the term and you pay via PO. I will process the order based on what you paid today	17:55
NickS	I've added a 10 user pack, to match what we paid earlier.	17:58
nowen_office	ok - you need to add a term	18:00
nowen_office	and then the payment button should appear	18:01
nowen_office	term == Add/Extend License	18:01
nowen_office	once you do, the Purchase License button should appear.	18:01
NickS	Done. Can you fix expiry date when you match PO to earlier payment?	18:03
NickS	Do I need to put the cert on the server?	18:03
nowen_office	yes - Configuration > Install Intermediate cert	18:04
nowen_office	wait - let me fix the expiration first	18:05
nowen_office	you said 2/15/15?	18:05
*** ricardoamaro (~ricardoam@drupal.org/user/74228/view) has joined #wikid		18:06
NickS	Yes	18:09
nowen_office	ok - you will most likely have to log out and log in again	18:09
nowen_office	you should see that it is paid and expires 2.15.16	18:10
NickS	So, I tried to paste the cert back in and it's failed the license validation check as we have 18 users listed, but there are only 9 actual people as each has entries for 2 domains, Apparently we've only ever paid on the basis of the number of actual people	18:10
nowen_office	lol	18:11
nowen_office	each license is a user in a domain - a user can have more than one token on the same license on the same domain but not two domains	18:12
NickS	When did that change?	18:13
nowen_office	never	18:13
nowen_office	it just wasn't really enforced very well	18:14
NickS	okay, can you sort us out with something short term as we've been offline all day and I'll pass this on to our technical director to resolve?	18:15
nowen_office	yeah, go in and add more seats. then pay via PO again. You should get a cert that's good for 60 days	18:16
NickS	ok thanks.	18:17
NickS	I can't make the "Purchase" button active.	18:20
nowen_office	hmm, should be Add A user License and then Add/Extend License. no go?	18:21
nowen_office	try logging out/in again	18:21
nowen_office	some odd session things seem to be going on	18:22
NickS	Logging in/out did resolve it.	18:26
NickS	I had trouble pasting cert in. Your instructions say to include the BEGIN/END, but in fact it only works without BEGIN/END	18:26
nowen_office	ugh - that's supposed to be fixed	18:27
NickS	Am restarting server...	18:27
nowen_office	I see the 2nd order	18:30
NickS	Restarted ok. I can get passcodes and use them to log okay. The web console works and recognises the licence. So is that all okay now?	18:30
nowen_office	are you showing 20 license?	18:31
NickS	Yes	18:31
NickS	20 licenses	18:31
nowen_office	ok - should be good for 60 days	18:31
NickS	okay, thanks. I will pass the license issue across to our technical director. Will you be sending him the invoice for the outstanding licenses?	18:32
nowen_office	I can	18:32
nowen_office	is that Mark?	18:32
NickS	yes it is.	18:32
nowen_office	ok	18:33
NickS	And thank you very much for your help this afternoon	18:33
nowen_office	np. sorry for the isse	18:33
NickS	Bye.	18:33
nowen_office	you really need to update the wikid server every once in a while	18:33
nowen_office	you should subscribe to the newsletter	18:34
laszlof	lol	18:34
NickS	Yes. Thanks again.	18:34
nowen_office	later	18:34
*** NickS has quit (Ping timeout: 246 seconds)		18:38
*** ricardoamaro has quit (Ping timeout: 240 seconds)		18:40
*** ricardoamaro (~ricardoam@drupal.org/user/74228/view) has joined #wikid		19:32
*** ricardoamaro has quit (Quit: Leaving.)		19:40
*** ricardoamaro (~ricardoam@drupal.org/user/74228/view) has joined #wikid		19:56
*** nowen_office has quit (Quit: Leaving.)		20:18
*** Paul_ (5e019438@gateway/web/freenode/ip.94.1.148.56) has joined #wikid		20:58
Paul_	@nowen, you online?	20:58
*** nowen1 (~nowen@50-194-249-125-static.hfc.comcastbusiness.net) has joined #wikid		20:58
*** nowen1 is now known as nowen_office		21:01
Paul_	nowen_office, you online?	21:03
nowen_office	yes	21:03
Paul_	Sent you an email. The forums aren't sending registration links...and looking for support with the software and interfacing it with Apache2	21:05
nowen_office	Paul: did you restart the WiKID service after adding apache as a network client?	21:05
Paul_	yup.	21:05
Paul_	a few times.	21:05
nowen_office	ok	21:06
Paul_	com.wikidsystems.radius.log.DBSvrLogImpl<136> Access-Request(1) LEN=69 10.0.1.5:40418 Access-Request by user2 Failed: AccessRejectException: Access Denied com.wikidsystems.radius.access.WikidAccess4Access denied for user2, domain code: 010000001006 client: /10.0.1.5 com.wikidsystems.radius.log.DBSvrLogImpl<136> Access-Request(1) LEN=69 10.0.1.5:38203 Access-Request by user2 Failed: AccessRejectException: Access Denied com.wikidsystems.	21:06
nowen_office	ok - I guess you saw the radius debug page?	21:06
Paul_	that doesn't really help that line actually. I have sent the full log....is there somewhere i can upload it to make easier.	21:06
Paul_	Yup. I have a full log	21:06
nowen_office	sure - pastebin.com - just note that it's public	21:07
nowen_office	but first - is user2 still enabled?	21:07
Paul_	Yer. I reenabled all the users.	21:08
Paul_	http://pastebin.com/ciQfVacX	21:08
Paul_	As you can see from the logs, the 2 clients work using the example.jsp script. However, neither work when they attempt to authenticate web a web browser at the relevant directory. When I followed the instructions on https://www.wikidsystems.com/support/wikid-support-center/how-to/two-factor-authentication-for-apache-2.2-or-higher I had to modify xradius_cache.c from unixd_config to ap_unixd_config whoever errors still came up, but comp	21:08
nowen_office	ahh	21:08
nowen_office	I see	21:08
nowen_office	Access-Accept(2) LEN=69 10.0.1.5:35600 Access-Request by user2 succeeded	21:08
Paul_	followed the remainder of the instructions and move the mod_auth_xradius.so file to the correct directory. The AuthXRadiusAddServer "10.0.1.6:1812" "super_secret" has been set. The network client also is correct set by IP and to use xradius. Any idea?	21:08
nowen_office	yes - something is wrong with the cache	21:09
nowen_office	it's trying to authenticate every http request	21:09
nowen_office	which is a problem with a one-time passcode	21:09
nowen_office	do you have: AuthXRadiusCache dbm conf/authxcache?	21:10
Paul_	yes i have that line in the config along with the load module.	21:12
Paul_	Just going to check that directory exists thought	21:13
Paul_	though*	21:13
nowen_office	yeah - and the permissions	21:13
Paul_	do you know what the permissions should be www-data?	21:13
nowen_office	it would need read/write I suspect	21:14
nowen_office	I don't have a working test of apache right now	21:14
nowen_office	I know that the authors of freeradius complain about apache changing their interface for no reason, and that's why mod_auth_radius stopped working	21:15
nowen_office	is this ubuntu or redhat?	21:15
Paul_	ubuntu	21:17
nowen_office	https://www.howtoforge.com/how-to-configure-apache-to-use-radius-for-wikid-two-factor-authentication-on-ubuntu might be a better guide	21:17
Paul_	thanks. I only have an image of the machine with me. The AuthXRadiusCache dbm ... is that based on the root directory of the system or with the /etc/apache2 ?	21:21
Paul_	ls	21:21
Paul_	cancel*	21:21
nowen_office	I would think it's the /etc/apache2. you can try /etc/apache2/conf/authxcache	21:22
nowen_office	instead of just conf/authxcache	21:22
Paul_	Ok cheers. I'll try that tomorrow and add sudo chown -R :www-data /etc/apache2/conf/authxcahe and sudo chmod g+r user	21:23
Paul_	that should sort the permissions out	21:23
nowen_office	ok I guess I need to update those apache tutorials	21:24
nowen_office	I see one for ubuntu 8	21:24
Paul_	If i get it up and running, I an writing the documentation up anyway for my system. So can send you a copy of what i did.	21:25
nowen_office	awesome!	21:25
Paul_	no worries. thanks for your time tonight Nick. I'll give it a shot tomorrow and email you with the settings if all goes well. If not, i'll see you on here.	21:26
nowen_office	ok ;-)	21:26
*** Paul_ has quit (Ping timeout: 246 seconds)		21:32
*** ricardoamaro has quit (Quit: Leaving.)		22:40
*** nowen_office has quit (Quit: Leaving.)		23:06

Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!