Yubico Forum https://forum.yubico.com/

ykval-queue:synclib:Timeout. https://forum.yubico.com/viewtopic.php?f=5&t=2658

Author: nitmpez715 [ Tue Jun 27, 2017 9:32 pm ]
Post subject: ykval-queue:synclib:Timeout.
I've been trying to set up SSL syncing between validation servers and so far have had no luck. I've created certificates for both servers using openssl. I then added the certificate to /etc/ssl/certs/ca-certificates.crt for both servers. This fixed the issue of me calling curl and getting a cert error. I thought everything would be working now, since I could manually call a sync and get a good status, but I logged onto the mysql database and saw my queue was full. I then checked /var/log/syslog and saw the following error:

Jun 27 15:22:38 testval1 ykval[3982]: LOG_DEBUG:ykval-queue:synclib:handle indicated to be for https://testval2/wsapi/2.0/sync.
Jun 27 15:22:38 testval2 ykval[3982]: LOG_NOTICE:ykval-queue:synclib:Timeout. Stopping queue resync for server https://testval2/wsapi/2.0/sync

If I call curl directly using:

curl 'https://testval2/wsapi/2.0/sync?otp=<otpval>&modified=<mod_val>&yk_publicname=<public_id>&yk_counter=5&yk_use=5&yk_high=229&yk_low=52183&nonce=<nonce>,local_counter=5&local_use=4'

the status comes back as OK. Any help would be appreciated.

Update: My current work around until I can get a better fix is to set verifypeer to false in the curl options:

Code:
$baseParams['__YKVAL_SYNC_CURL_OPTS__'] = array( CURLOPT_SSL_VERIFYPEER => false );

What I found was it appears I'm getting a CURLE_SSL_CACERT error from ykval-queue.
I created a simple test.php to debug this with the following:

Code:
<?php
// Same request over https and plain http, so the two results can be compared.
$urls = array(
    "https://testval2/wsapi/2.0/verify?id=1&nonce=sopxxrlklguqquyvbkwwqthyvofukjzc&otp=llkddjeccccckgvidcnbhhjvbvuicbdjnhblitfhvlfr&timestamp=1",
    "http://testval2/wsapi/2.0/verify?id=1&nonce=sopxxrlklguqquyvbkwwqthyvofukjzd&otp=llkddjeccccckgvidcnbhhjvbvuicbdjnhblitfhvlfr&timestamp=1"
);
$mh = curl_multi_init();
var_dump('start');
foreach ($urls as $i => $url) {
    $conn[$i] = curl_init($url);
    curl_setopt($conn[$i], CURLOPT_RETURNTRANSFER, 1);
    // curl_setopt($conn[$i], CURLOPT_CAPATH, "/etc/ssl/certs/");
    // curl_setopt($conn[$i], CURLOPT_CAINFO, "/etc/ssl/certs/ca-certificates.crt");
    curl_setopt($conn[$i], CURLOPT_CAINFO, "/test/blah.pem");
    // curl_setopt($conn[$i], CURLOPT_SSL_VERIFYPEER, 0);
    curl_multi_add_handle($mh, $conn[$i]);
}
var_dump('doloop');
// Drive the multi handle and dump each completed transfer's result code
// (the "result" field is the CURLE_* error number for that handle).
do {
    $status = curl_multi_exec($mh, $active);
    $info = curl_multi_info_read($mh);
    if (false !== $info) {
        var_dump($info);
    }
} while ($status === CURLM_CALL_MULTI_PERFORM || $active);
var_dump('another loop');
foreach ($urls as $i => $url) {
    $res[$i] = curl_multi_getcontent($conn[$i]);
    curl_close($conn[$i]);
}
var_dump('enddump');
var_dump(curl_multi_info_read($mh));
?>

Which gives me the following:

Code:
string(5) "start"
string(6) "doloop"
array(3) {
  ["msg"]=>
  int(1)
  ["result"]=>
  int(60)    <--- HERE IS THE CURLE_SSL_CACERT ERROR
  ["handle"]=>
  resource(5) of type (curl)
}
array(3) {
  ["msg"]=>
  int(1)
  ["result"]=>
  int(0)
  ["handle"]=>
  resource(6) of type (curl)
}
string(12) "another loop"
string(7) "enddump"
bool(false)

So my manual example is as follows. I moved my certificate out of the /etc/ssl/certs/ca-certificates.crt file to just a /test/blah.pem file, and get the following:

Code:
curl 'https://testval2/wsapi/2.0/verify?id=1&nonce=sopxxrlklguqquyvbkwwqthyvofukjzc&otp=llkddjeccccckgvidcnbhhjvbvuicbdjnhblitfhvlfr&timestamp=1'
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

And pointing to the cert:

Code:
curl --cacert blah.pem 'https://testval2/wsapi/2.0/verify?id=1&nonce=sopxxrlklguqquyvbkwwqthyvofukjzc&otp=llkddjeccccckgvidcnbhhjvbvuicbdjnhblitfhvlfr&timestamp=1'
h=RoeWTtwokPc0wbIQ17rOqHrGux8=
t=2017-06-29T15:15:08Z0971
otp=llkddjeccccckgvidcnbhhjvbvuicbdjnhblitfhvlfr
nonce=sopxxrlklguqquyvbkwwqthyvofukjzc
status=REPLAYED_OTP

For some reason calling curl from the command line with the certificate in the /etc/ssl/certs/ca-certificates.crt file has no issue. It will automatically pick up the cert, but ykval-queue and test.php for some reason are having issues with the cert. I tried setting some curl_opts to specify the cert, but had no luck with those. Again any help would be appreciated, as I don't think setting the verifypeer option to false is a great work around.
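Added diagnostic for the situation in this post (example code written here, not from the post or from the yubikey-val project): it reports which CA store the PHP build's own libcurl and OpenSSL consult, which is what can differ from the command-line curl binary when the same bundle works in one and not the other, and then talks to the sync peer with an explicit CURLOPT_CAINFO instead of turning off CURLOPT_SSL_VERIFYPEER. The host testval2 and the bundle path come from the post; the function names and the placeholder nonce/otp values are assumptions.

```php
<?php
// Hypothetical helpers, not part of ykval. Run with the same PHP binary
// (CLI or php-fpm) that executes ykval-queue, because each PHP build may be
// linked against a different libcurl/SSL backend than /usr/bin/curl.

function caStoreReport(): array {
    $v = curl_version();
    $report = [
        'libcurl'     => $v['version'],
        'ssl_backend' => $v['ssl_version'],          // e.g. "OpenSSL/1.0.2g" or "GnuTLS/3.4.10"
        'php_cafile'  => ini_get('openssl.cafile'),  // empty unless set in php.ini
        'php_capath'  => ini_get('openssl.capath'),
    ];
    // Compile-time defaults of the OpenSSL that PHP's openssl extension uses (PHP >= 5.6).
    if (function_exists('openssl_get_cert_locations')) {
        $loc = openssl_get_cert_locations();
        $report['openssl_default_cert_file'] = $loc['default_cert_file'];
        $report['openssl_default_cert_dir']  = $loc['default_cert_dir'];
    }
    return $report;
}

function syncCheck(string $url, string $caBundle, int $timeout = 5): array {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CAINFO         => $caBundle, // explicit trust anchor: the file CLI curl reported
        CURLOPT_SSL_VERIFYPEER => true,      // keep on: sync traffic carries OTP counter state
        CURLOPT_SSL_VERIFYHOST => 2,         // certificate CN/SAN must match the URL host
        CURLOPT_TIMEOUT        => $timeout,
    ]);
    $body  = curl_exec($ch);
    $errno = curl_errno($ch); // 60 == CURLE_SSL_CACERT, the "result" seen in the post's dump
    $out = [
        'ok'          => $body !== false,
        'errno'       => $errno,
        'error'       => curl_error($ch),
        // OpenSSL X509 verify code from the last handshake; 0 means the chain validated.
        'verify_code' => curl_getinfo($ch, CURLINFO_SSL_VERIFYRESULT),
        'body'        => $body === false ? '' : $body,
    ];
    curl_close($ch);
    return $out;
}

print_r(caStoreReport());
print_r(syncCheck('https://testval2/wsapi/2.0/verify?id=1&nonce=<nonce>&otp=<otpval>&timestamp=1',
                  '/etc/ssl/certs/ca-certificates.crt'));
```

If ssl_backend shows GnuTLS or NSS rather than OpenSSL, PHP's libcurl does not read OpenSSL's default locations at all, which is why pointing CURLOPT_CAINFO at the bundle works while relying on the system default does not.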