| *** tosky has quit IRC | 00:06 | |
| *** iurygregory has quit IRC | 01:32 | |
| *** johnsom has quit IRC | 04:46 | |
| *** johnsom has joined #openstack-barbican | 04:49 | |
| *** johnsom has quit IRC | 05:18 | |
| *** johnsom has joined #openstack-barbican | 05:20 | |
| *** johnsom has quit IRC | 06:27 | |
| *** johnsom has joined #openstack-barbican | 06:27 | |
| *** rm_work has quit IRC | 07:26 | |
| *** rm_work has joined #openstack-barbican | 07:28 | |
| *** gagehugo has quit IRC | 07:51 | |
| *** gagehugo has joined #openstack-barbican | 07:51 | |
| *** iurygregory has joined #openstack-barbican | 08:52 | |
| *** tosky has joined #openstack-barbican | 08:56 | |
| *** JohnnyRainbow has joined #openstack-barbican | 09:00 | |
| *** xek has joined #openstack-barbican | 09:36 | |
| *** JohnnyRainbow has quit IRC | 11:11 | |
| *** JohnnyRainbow has joined #openstack-barbican | 11:14 | |
| *** JohnnyRainbow has joined #openstack-barbican | 11:15 | |
| JohnnyRainbow | Hi Guys, @ade_lee just a question for you, based on this error message: http://paste.openstack.org/show/800058/ -> Is barbican able to cooperate with the newest freeipa release, as I see it requires nss_db and certificate, but freeipa doesn't serve kra_admin_cert anymore, as per that document: https://www.freeipa.org/page/V4/Replace_NSS_with_OpenSSL they changed NSS with OpenSSL. I'm | 11:33 |
|---|---|---|
| JohnnyRainbow | just wondering if I'm able to integrate barbican with dogtag from freeipa somehow, seems that integration is a bit different than in this tutorial: https://vakwetu.wordpress.com/2015/11/30/barbican-and-dogtagipa/ Is anyone having experience with this and can share some useful hints? Thanks in advance | 11:33 |
| *** raildo_ has joined #openstack-barbican | 12:14 | |
| *** raildo has quit IRC | 12:16 | |
| *** Luzi has joined #openstack-barbican | 12:36 | |
| redrobot | #startmeeting barbican | 13:00 |
| openstack | Meeting started Tue Nov 17 13:00:27 2020 UTC and is due to finish in 60 minutes. The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot. | 13:00 |
| openstack | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 13:00 |
| *** openstack changes topic to " (Meeting topic: barbican)" | 13:00 | |
| openstack | The meeting name has been set to 'barbican' | 13:00 |
| redrobot | #topic Roll Call | 13:00 |
| *** openstack changes topic to "Roll Call (Meeting topic: barbican)" | 13:00 | |
| redrobot | Courtesy ping for ade_lee dave-mccowan hrybacki jamespage Luzi lxkong mhen moguimar raildo rm_work xek nearyo | 13:00 |
| Luzi | o/ | 13:00 |
| rm_work | o/ | 13:01 |
| redrobot | Hi y'all! | 13:01 |
| rm_work | Anything interesting going on? :) | 13:03 |
| redrobot | rm_work, good to see you! :D | 13:03 |
| redrobot | Same 'ol same 'ol | 13:03 |
| redrobot | We'll eventually add that pkcs12 secret type | 13:03 |
| rm_work | Sweet, LMK | 13:03 |
| rm_work | I'm about to write a castellan driver for our custom in-house secret storage thing | 13:04 |
| rm_work | So that should be fun | 13:04 |
| redrobot | Hehe | 13:04 |
| redrobot | Okay, let's see ... | 13:04 |
| redrobot | #topic Review Past Action Items | 13:05 |
| *** openstack changes topic to "Review Past Action Items (Meeting topic: barbican)" | 13:05 | |
| redrobot | #link http://eavesdrop.openstack.org/meetings/barbican/2020/barbican.2020-11-10-13.00.html | 13:05 |
| redrobot | I did not do these :( | 13:05 |
| rm_work | That makes me feel better about all the stuff I'm probably supposed to be doing but am not :D | 13:06 |
| redrobot | #action redrobot to add a kanban card for Cinder -> Barbican + Vault issue | 13:06 |
| redrobot | rm_work, lol | 13:06 |
| redrobot | #action redrobot to update the kanban board | 13:06 |
| redrobot | ^^ is update to include action items from PTG | 13:06 |
| redrobot | OK, moving on | 13:07 |
| redrobot | #topic Liaison Updates | 13:07 |
| *** openstack changes topic to "Liaison Updates (Meeting topic: barbican)" | 13:07 | |
| redrobot | moguimar? tosky? | 13:07 |
| tosky | no news from me | 13:07 |
| redrobot | cool, thanks tosky | 13:08 |
| redrobot | not sure if moguimar is around | 13:08 |
| redrobot | #topic Kanban Review | 13:09 |
| *** openstack changes topic to "Kanban Review (Meeting topic: barbican)" | 13:09 | |
| redrobot | #link https://tree.taiga.io/project/dmend-openstack-barbican/kanban | 13:09 |
| redrobot | not much movement happened there this week | 13:09 |
| redrobot | I did add a card to track the 1.1 Microversion | 13:09 |
| redrobot | #topic Bug Review | 13:10 |
| *** openstack changes topic to "Bug Review (Meeting topic: barbican)" | 13:10 | |
| redrobot | #link https://storyboard.openstack.org/#!/project_group/barbican | 13:10 |
| redrobot | Looks like the only new bug was for the Cinder + Barbican->Vault issue | 13:11 |
| redrobot | #link https://bugs.launchpad.net/castellan/+bugs?orderby=-id&start=0 | 13:13 |
| redrobot | Look like no new bugs in Castellan either | 13:13 |
| redrobot | We'd usually do the Wayward Reviews right now, but there does not seem to be any other cores logged on right now | 13:13 |
| redrobot | so, | 13:13 |
| redrobot | #topic Open Discussion | 13:13 |
| *** openstack changes topic to "Open Discussion (Meeting topic: barbican)" | 13:14 | |
| redrobot | anything else y'all want to talk about? | 13:14 |
| rm_work | Did y'all ever enact the plan to split out the cert request stuff entirely and make that a separate service from secret management? | 13:17 |
| redrobot | we did deprecate it | 13:19 |
| redrobot | and then had a patch to remove it, which I need to rebase | 13:19 |
| redrobot | We don't have any plans for a new cert service | 13:20 |
| redrobot | I'd suggest deploying an ACME server | 13:20 |
| redrobot | like Boulder | 13:20 |
| rm_work | Hmm ok | 13:21 |
| redrobot | If ade_lee was here he'd suggest IPA for certs :) | 13:22 |
| rm_work | We have our own internal certificate system so I think we don't technically need stuff like that, but was just curious :D | 13:22 |
| redrobot | Right on | 13:26 |
| redrobot | OK, it sounds like we're done for the day | 13:26 |
| redrobot | thanks for joining everyone! | 13:27 |
| redrobot | #endmeeting | 13:27 |
| *** openstack changes topic to "OpenStack Barbican Development - Weekly Meeting Agenda: https://etherpad.openstack.org/p/barbican-weekly-meeting" | 13:27 | |
| openstack | Meeting ended Tue Nov 17 13:27:24 2020 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 13:27 |
| openstack | Minutes: http://eavesdrop.openstack.org/meetings/barbican/2020/barbican.2020-11-17-13.00.html | 13:27 |
| openstack | Minutes (text): http://eavesdrop.openstack.org/meetings/barbican/2020/barbican.2020-11-17-13.00.txt | 13:27 |
| openstack | Log: http://eavesdrop.openstack.org/meetings/barbican/2020/barbican.2020-11-17-13.00.log.html | 13:27 |
| *** xek has quit IRC | 14:18 | |
| *** Luzi has quit IRC | 14:18 | |
| *** xek has joined #openstack-barbican | 14:18 | |
| *** d34dh0r53 has quit IRC | 14:22 | |
| *** d34dh0r53 has joined #openstack-barbican | 14:30 | |
| JohnnyRainbow | Hi @ade_lee, I just have seen your message at #freeipa channel, but just wanted to tell you that issue still exist. It looks like nss_db parameters are mandatory for dogtag plugin and new format of KRA cert is poiting to my error which I observed. So the question is how to disable nss or my understanding is incorrect? | 15:23 |
| ade_lee | JohnnyRainbow, sorry - in a meeting right now - but I'll respond shortly | 15:24 |
| JohnnyRainbow | sure, thanks a lot | 15:24 |
| *** iurygregory has quit IRC | 16:29 | |
| *** xek has quit IRC | 16:32 | |
| *** iurygregory has joined #openstack-barbican | 17:19 | |
| *** xek has joined #openstack-barbican | 18:15 | |
| *** d34dh0r53 has quit IRC | 18:43 | |
| *** d34dh0r53 has joined #openstack-barbican | 18:46 | |
| ade_lee | JohnnyRainbow, ok - back - sorry, meetings and catching up from my day off | 18:54 |
| ade_lee | JohnnyRainbow, so, looking at the plugin code .. | 18:55 |
| ade_lee | JohnnyRainbow, the code that is failing is likely here -- https://opendev.org/openstack/barbican/src/branch/master/barbican/plugin/dogtag.py#L64-L76 | 18:57 |
| ade_lee | JohnnyRainbow, which is pointing to cryptoutil.NSSCryptoProvider.setup_database() | 18:58 |
| ade_lee | which is in pki.Crypto | 18:59 |
| ade_lee | pki.crypto,NSSCryptoProvider.setup_database() | 18:59 |
| ade_lee | JohnnyRainbow, where are you getting the dogtag client packages? | 18:59 |
| ade_lee | JohnnyRainbow, my guess is that whatever you have is calling this -- https://github.com/dogtagpki/pki/blob/master/base/common/python/pki/crypto.py#L145 | 19:02 |
| ade_lee | and that the error you have is due to a change in the format of the nss database (ie. old vs. new_ | 19:03 |
| ade_lee | JohnnyRainbow, what params do you have for your barbican dogtag config? | 19:07 |
| ade_lee | JohnnyRainbow, I'm wondering actually if you just need to have created the directory for the nss db | 19:11 |
| *** xek has quit IRC | 19:44 | |
| *** xek has joined #openstack-barbican | 19:44 | |
| JohnnyRainbow | @ade_lee sorry, I was AFK. But anwering to your questions, as a dogtag client packages I'm using pki-tools pki-base-java and pki-base packages for ubuntu. I can deliever exact versions if needed, but it was part of our previous discussion at #freeipa and #dogtag-pki channels | 20:35 |
| JohnnyRainbow | about dogtag config, everything is here: http://paste.openstack.org/show/800113/ -> so looks like normal config :) At least connection with dogtag host is working but then issue is with NSS, as it's part of Freeipa 4.8.4 and it seems it's not there. Additionally I'm not fully sure if my kra_admin_cert.pem is correct as I concatenated it from ra-agent.pem and ra-agent.key from | 20:39 |
| JohnnyRainbow | /var/lib/ipa directory as that was suggested in this docs: https://www.freeipa.org/page/V4/Replace_NSS_with_OpenSSL | 20:39 |
| ade_lee | JohnnyRainbow, does the directory /etc/barbican/alias exist? | 21:03 |
| JohnnyRainbow | I created it manually, but I believe it should be created automatically, right? | 21:10 |
| JohnnyRainbow | when I deleted it,, then I got an error in logs | 21:10 |
| ade_lee | JohnnyRainbow, yeah - it should be, but I recall times in the past where it was easiest just to create it | 21:11 |
| ade_lee | JohnnyRainbow, so yeah - if you create it manually first (empty), does the deployment succeed? | 21:11 |
| JohnnyRainbow | yeah, but when I created it, then in logs I see this: The nss_db_path provid | 21:13 |
| JohnnyRainbow | ed already exists, so the database is assumed to be already set up. | 21:13 |
| JohnnyRainbow | y | 21:13 |
| ade_lee | ah ok | 21:13 |
| JohnnyRainbow | and later on I have an error with this invalid cert | 21:13 |
| JohnnyRainbow | I mean The certificate/key database is in an old, unsupported format.: nss.error.NSPRError: | 21:13 |
| ade_lee | right - and what do you see in that directory? | 21:14 |
| JohnnyRainbow | it's empty: http://paste.openstack.org/show/800115/ | 21:15 |
| JohnnyRainbow | maybe something wrong is with my kra cert? It looks like that: http://paste.openstack.org/show/800116/ | 21:16 |
| ade_lee | no thats ok | 21:16 |
| ade_lee | what's supposed to go into the /etc/barbican/alias is an nss db with the transport cert inside | 21:17 |
| ade_lee | JohnnyRainbow, we can try to create it manually | 21:17 |
| ade_lee | JohnnyRainbow, and see where its failing | 21:17 |
| JohnnyRainbow | hmm...how to do this? | 21:17 |
| ade_lee | so -- cd /etc/barbican/alias | 21:18 |
| JohnnyRainbow | I'm there | 21:18 |
| ade_lee | JohnnyRainbow, let me pastebin somehting .. just a sec | 21:19 |
| JohnnyRainbow | sure, no rush | 21:19 |
| ade_lee | JohnnyRainbow, who owns /etc/barbican/alias? | 21:19 |
| ade_lee | (just wondering if the db is not being created because of a perms issue | 21:20 |
| JohnnyRainbow | drwxr-xr-x 2 root barbican 4.0K Nov 17 16:58 alias | 21:21 |
| ade_lee | http://paste.openstack.org/show/800117/ | 21:23 |
| ade_lee | JohnnyRainbow, what do you see when that happens? | 21:23 |
| JohnnyRainbow | http://paste.openstack.org/show/800118/ | 21:24 |
| JohnnyRainbow | here you can find a result | 21:24 |
| ade_lee | ok some files should have been created, right? | 21:25 |
| JohnnyRainbow | basically it's empty database, I have only few secrets in my barbican so far | 21:26 |
| JohnnyRainbow | http://paste.openstack.org/show/800119/ | 21:26 |
| JohnnyRainbow | here is a content with files | 21:26 |
| ade_lee | JohnnyRainbow, ok - thats interesting -- its a db with the old legacy nss format | 21:27 |
| ade_lee | which will be empty right now | 21:27 |
| ade_lee | now we need to populate it with the kra transport cert | 21:27 |
| JohnnyRainbow | so...should I copy my kra_admin_cert.pem there? | 21:28 |
| ade_lee | no thats not the same thing | 21:28 |
| ade_lee | the admin cert is the cert used for authenticating the admin user to be able to store secrets in dogtag | 21:29 |
| ade_lee | the transport cert is used to encrypt the data between barbican and the kra | 21:29 |
| JohnnyRainbow | ok, got it | 21:29 |
| ade_lee | we just need to get the transport cert and put it in this new nss db | 21:30 |
| JohnnyRainbow | so, the transport cert should be somehow loaded automatically, but it's not, right? | 21:30 |
| ade_lee | well -- sorta -- we're doing this -- https://opendev.org/openstack/barbican/src/branch/master/barbican/plugin/dogtag.py#L101-L104 | 21:31 |
| ade_lee | JohnnyRainbow, so the initial db create -- which is just what we did manually -- failed | 21:32 |
| ade_lee | for some reason | 21:32 |
| JohnnyRainbow | ok, I see | 21:32 |
| ade_lee | JohnnyRainbow, if you can modify the code to remove the conditional on line 103 -- then it should pull in the certs automatically | 21:33 |
| ade_lee | otherwise we need to do whats in line 104 manually | 21:33 |
| JohnnyRainbow | ok, let me find it | 21:34 |
| JohnnyRainbow | just to be sure, it should be like that: http://paste.openstack.org/show/800120/ | 21:40 |
| ade_lee | JohnnyRainbow, yeah line up the # with the previous line too though | 21:41 |
| JohnnyRainbow | hmm...I haven't done it yet, but a bit new error: http://paste.openstack.org/show/800121/ | 21:42 |
| ade_lee | hmm .. well its trying to get the cert in .. | 21:44 |
| ade_lee | ok -- lets do it manually // | 21:44 |
| JohnnyRainbow | hmm...looks like connectivity? | 21:44 |
| ade_lee | not sure | 21:44 |
| JohnnyRainbow | what port it should be hitted? | 21:44 |
| ade_lee | what happens when you try to go to /curl -> https://<dogtag_url>:9443/rest/config/cert/transport ? | 21:45 |
| JohnnyRainbow | 9443 or 8443? | 21:47 |
| ade_lee | not sure - its been awhile -- I thought it was 9443 by default .. | 21:47 |
| ade_lee | whatever is correct in your enviornment | 21:48 |
| JohnnyRainbow | http://paste.openstack.org/show/800122/ | 21:50 |
| JohnnyRainbow | I have 404 not found | 21:50 |
| ade_lee | JohnnyRainbow, I'm looking here -- https://github.com/dogtagpki/pki/blob/master/base/common/python/pki/systemcert.py#L61 | 21:51 |
| ade_lee | oh -- maybe .. https://<dogtag_url>:8443/kra/rest/config/cert/transport | 21:53 |
| JohnnyRainbow | that actually works http://paste.openstack.org/show/800123/ | 21:54 |
| ade_lee | JohnnyRainbow, ok -- copy / paste the cert part of that into a file | 21:55 |
| JohnnyRainbow | should it be saved under specific filename? | 21:56 |
| ade_lee | nah | 21:56 |
| ade_lee | JohnnyRainbow, now you need to import that cert into the db | 21:58 |
| ade_lee | certutil -A -d . -n "KRA transport cert" -t ",," -i foo.txt | 22:00 |
| ade_lee | where foo.txt is the cert file you just created | 22:00 |
| ade_lee | JohnnyRainbow, if that doesn't work - you might need to strip off the header and footer -- I don't remember what works or not .. | 22:01 |
| ade_lee | make sure there are no extra chars | 22:01 |
| ade_lee | once done, you can do a certutil -L -d . to see the cert imported | 22:02 |
| JohnnyRainbow | yeah, I just played a bit with certificate retrieved via curl as it contains some special characters | 22:02 |
| JohnnyRainbow | http://paste.openstack.org/show/800124/ | 22:03 |
| JohnnyRainbow | looks like it's added | 22:03 |
| ade_lee | cool -- what about certutil -L -d . -n "KRA transport cert" | 22:03 |
| ade_lee | that should show you the cert | 22:04 |
| JohnnyRainbow | yeah, it is | 22:04 |
| JohnnyRainbow | like openssl x509, right? | 22:04 |
| ade_lee | JohnnyRainbow, yup | 22:04 |
| ade_lee | you should now be set -- revert that code change | 22:04 |
| JohnnyRainbow | ok, I have it | 22:04 |
| ade_lee | and again | 22:04 |
| JohnnyRainbow | ok, let me do this | 22:05 |
| JohnnyRainbow | hmm...looks like it was not taken into account: http://paste.openstack.org/show/800126/ | 22:07 |
| JohnnyRainbow | again it's failing with certificate format | 22:07 |
| ade_lee | JohnnyRainbow, wish there were a stack trace to see where that error is being thrown | 22:08 |
| JohnnyRainbow | can I somehow get it? | 22:09 |
| ade_lee | is there anything further up in the log? | 22:09 |
| JohnnyRainbow | here is a full print: http://paste.openstack.org/show/800127/ | 22:10 |
| JohnnyRainbow | and my testing command is: barbican secret store --payload-content-type='text/plain' --name='private_key_barbican_scenario1' --payload="$(cat server2.key)" | 22:10 |
| JohnnyRainbow | I was using it easily with simple_crypto | 22:11 |
| ade_lee | the other thing we can try is making sure the nssdb is using the new format, and not the old one | 22:11 |
| ade_lee | so to do that , you have to delete the nssdb you created | 22:12 |
| JohnnyRainbow | hmm...somehow by certutil tool? | 22:13 |
| JohnnyRainbow | or just /etc/barbican/alias directory? | 22:13 |
| ade_lee | that is delete the cert8* file and the key* file | 22:13 |
| ade_lee | keep the rest -- you'll need them again | 22:13 |
| JohnnyRainbow | those two files from here: http://paste.openstack.org/show/800128/ ? | 22:14 |
| ade_lee | yup and the secmod one | 22:14 |
| ade_lee | then .. | 22:15 |
| ade_lee | export NSS_DEFAULT_DB_TYPE="sql" | 22:15 |
| ade_lee | and try create the db again .. | 22:15 |
| JohnnyRainbow | that export globally? | 22:15 |
| ade_lee | just for this session | 22:16 |
| JohnnyRainbow | ok, done | 22:16 |
| JohnnyRainbow | and execute my barbican command again? | 22:16 |
| ade_lee | so recreeate the db as before .. | 22:16 |
| ade_lee | certutil -N -d . (etc) | 22:16 |
| ade_lee | what does it look like now? | 22:17 |
| JohnnyRainbow | if like that then I hit an error: http://paste.openstack.org/show/800129/ | 22:18 |
| ade_lee | huh? you did ... http://paste.openstack.org/show/800117/ ? | 22:20 |
| JohnnyRainbow | nope, just certutil...ok, I can repeat all commands | 22:20 |
| *** xek has quit IRC | 22:22 | |
| JohnnyRainbow | http://paste.openstack.org/show/800130/ | 22:23 |
| JohnnyRainbow | seems it is recreated | 22:23 |
| ade_lee | JohnnyRainbow, cool - and notice the different file names | 22:23 |
| ade_lee | thats the new format db | 22:23 |
| ade_lee | now import the kra cert as before | 22:24 |
| ade_lee | (and make sure its there) | 22:24 |
| JohnnyRainbow | ok, let me do this | 22:24 |
| JohnnyRainbow | ok, done | 22:25 |
| ade_lee | JohnnyRainbow, ok - lets try again :) | 22:26 |
| JohnnyRainbow | a step ahead, but it is failing because of secretstore: http://paste.openstack.org/show/800131/ | 22:27 |
| ade_lee | ok progress | 22:28 |
| JohnnyRainbow | yeah | 22:29 |
| JohnnyRainbow | http://paste.openstack.org/show/800132/ secretstore config is really simple. do not know what is wrong for barbican there :) | 22:30 |
| ade_lee | did you restart barbican? | 22:30 |
| JohnnyRainbow | nope, but I didn't change anything in config at all | 22:31 |
| JohnnyRainbow | we just played with certificates manually :) | 22:31 |
| ade_lee | lets try restart it | 22:31 |
| JohnnyRainbow | ok, all components? | 22:31 |
| JohnnyRainbow | or just api? | 22:31 |
| ade_lee | just api | 22:32 |
| JohnnyRainbow | same story...but a bit strange, seems for stein it changed, but for ubuntu I don't have barbican-api service, I have: barbican-keystone-listener.service barbican-worker.service | 22:36 |
| JohnnyRainbow | so I restarted both | 22:36 |
| ade_lee | yeah -- there must be a barbican-api | 22:37 |
| ade_lee | or something similar -- thats the important one | 22:37 |
| JohnnyRainbow | hmm...apache2? | 22:37 |
| ade_lee | hmm .. maybe? I don't know much about how ubuntu delivers this .. | 22:38 |
| JohnnyRainbow | ok, I see it's wsgi and apache2 responsible for barbican-api | 22:39 |
| ade_lee | ok | 22:39 |
| JohnnyRainbow | http://paste.openstack.org/show/800133/ | 22:39 |
| ade_lee | so year restart apache | 22:40 |
| JohnnyRainbow | after restart of apache, I'm back to issue with invalid cert: http://paste.openstack.org/show/800134/ | 22:41 |
| JohnnyRainbow | I mean unsupported format...that what we fixed before :) | 22:42 |
| ade_lee | um .. the nssdb is still there, right? | 22:43 |
| ade_lee | and still has the cert in it? | 22:43 |
| JohnnyRainbow | it is http://paste.openstack.org/show/800135/ | 22:44 |
| JohnnyRainbow | if I can believe this command :) | 22:44 |
| ade_lee | I wonder if this is a perms thing -- maybe apache can't read the directory/certdb? | 22:45 |
| JohnnyRainbow | do you mean /etc/barbican/alias? | 22:46 |
| ade_lee | yup | 22:46 |
| JohnnyRainbow | hmm...I added user www-data to barbican group | 22:51 |
| JohnnyRainbow | but still issue exist | 22:51 |
| ade_lee | JohnnyRainbow, weird | 22:53 |
| ade_lee | first off I would have expected to see the message that the db was already set up | 22:53 |
| JohnnyRainbow | I do not want to change owner of that directory, I believe barbican is ok and adding www-data to it, should be ok | 22:53 |
| ade_lee | JohnnyRainbow, yeah | 22:54 |
| JohnnyRainbow | hmm...actually there is a message like that, I just created error codes | 22:54 |
| JohnnyRainbow | 2020-11-17 23:52:22.577 30011 INFO barbican.plugin.dogtag [req-7ca0c8dd-e3fb-4ee3-b1f9-8e03c2c5bc68 0d63c8861a124f4fbebe4170a9d59e61 175e079b3aef47a38da16d125863fd9d - default default] The nss_db_path provided already exists, so the database is assumed to be already set up. | 22:54 |
| JohnnyRainbow | that is before, but that is INFO log :) | 22:54 |
| ade_lee | ok - thats good - | 22:55 |
| JohnnyRainbow | sorry for not pasting everything | 22:55 |
| ade_lee | it would be useful to figure out where the exception is coming from .. | 22:55 |
| JohnnyRainbow | not really easy to inject something to dogtag.py code :) | 22:56 |
| ade_lee | JohnnyRainbow, well you can always add debug statements .. | 22:57 |
| ade_lee | JohnnyRainbow, basically in here -- https://opendev.org/openstack/barbican/src/branch/master/barbican/plugin/dogtag.py#L184 | 22:58 |
| JohnnyRainbow | add some log.INFO? | 22:59 |
| ade_lee | so statements of "I got here" before line 190 and 191 etc. | 22:59 |
| ade_lee | yup | 22:59 |
| JohnnyRainbow | let me add | 23:00 |
| ade_lee | JohnnyRainbow, Ihave to head out - but if you can figure out where the exception is being thrown , we can figure out why | 23:00 |
| JohnnyRainbow | hmm...ok, thanks a lot for your help, seems my logs are not printed to api.log, even if I configured it like that: http://paste.openstack.org/show/800136/ | 23:05 |
| ade_lee | JohnnyRainbow, hmm .. feel free to ping me tommorow once you figure out where the logs are -- | 23:07 |
| ade_lee | maybe apache logs? | 23:07 |
| JohnnyRainbow | let me see | 23:09 |
| JohnnyRainbow | ok, I got the point, it seems function DogtagKRAPlugin is not even executed yet, as i.e. that log is printed LOG.info("The nss_db_path provided already exists, so the " | 23:17 |
| JohnnyRainbow | ok, I need to think about it easily | 23:17 |
| JohnnyRainbow | thanks a lot for your help today, I will let you know about progress tomorrow | 23:17 |
| *** tosky has quit IRC | 23:58 | |
Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!