Re: [Sks-devel] Need help with clustered setup


From: Kristian Fiskerstrand
Subject: Re: [Sks-devel] Need help with clustered setup
Date: Wed, 7 Sep 2016 14:24:01 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0

On 09/07/2016 01:30 PM, Danny Horne wrote:
> Hi all,
> 
> My main keyserver (from now on I'll call this the master) listens on
> both external and internal interfaces, ports 11370 & 11371 are open on
> both interfaces.  As a standalone server this has been running fine.
> 
> I've now set up another keyserver (I'll call this the slave) which only
> listens on its internal interface, ports 11370 and 11371 are open on
> this interface.
> 
> Both master and slave have each other in their membership file
> 
> The slave is requesting and receiving keys from the master, this shows
> in its recon.log
> 
> The master is requesting keys from the slave but the logs appear to say
> the connection is timing out -
> 
> 2016-09-07 11:20:25 Requesting 100 missing keys from <ADDR_INET
> [10.78.100.5]:11371>, starting with 48E84C85DFB97E46E8F042CF177F52C3
> 2016-09-07 11:22:32 Error getting missing keys: Unix error: Connection
> timed out - connect()

And you can manually access 10.78.100.5:11371 and do post on
/pks/hashquery or a regular get like /pks/lookup?op=stats from the slave?

> 
> I'm assuming it's a firewall issue (firewalld on Fedora 24) but I'm
> clueless what to look for
> 

As this is accessed internally, is it using separate listening IP than
you're configured for using nginx, and sks listens loopback only, etc?

> All help appreciated
> 

ps, still getting Technical details of temporary failure:
... tried to deliver your message, but it was rejected by the server for
the recipient domain lockmail.net by smtp.trisect.uk.
[2001:41d0:1:f41f:16::1].

The error that the other server returned was:
451 4.3.5 <address@hidden>: Recipient address rejected: Server
configuration problem

-- 
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP certificate at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"If you cannot convince them, confuse them"
(Harry S Truman)

Attachment: signature.asc
Description: OpenPGP digital signature
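
The manual check suggested in the reply, scripted as an added example (not part of the original message or of SKS): run from the master, it separates a silent drop from a refused connection on the peer's recon and HKP ports. The function names and hint texts are illustrative, and it assumes the HKP port speaks plain HTTP.

```python
import errno
import http.client
import socket

RECON_PORT, HKP_PORT = 11370, 11371  # the two ports named in the thread

HINTS = {
    "open": "TCP connect works; test the HKP request itself next",
    "timeout": "no reply at all: packets dropped by a firewall or misrouted",
    "refused": "host reachable but nothing accepts on this address:port "
               "(listener bound elsewhere, e.g. loopback only)",
    "error:EHOSTUNREACH": "ICMP unreachable came back: a firewall REJECT "
                          "rule or an unreachable host",
}

def classify_connect(host, port, timeout=5.0):
    """Try one TCP connect and name the failure mode instead of raising."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        return "error:" + errno.errorcode.get(exc.errno, "unknown")

def hkp_stats_status(host, port=HKP_PORT, timeout=5.0):
    """GET /pks/lookup?op=stats (the check from the reply); return HTTP status."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/pks/lookup?op=stats")
        return conn.getresponse().status
    finally:
        conn.close()

def check_peer(host, ports=(RECON_PORT, HKP_PORT), timeout=5.0):
    """Return {port: (state, hint)} for each port on one membership peer."""
    report = {}
    for port in ports:
        state = classify_connect(host, port, timeout)
        report[port] = (state, HINTS.get(state, "unexpected socket error"))
    return report

if __name__ == "__main__":
    peer = "10.78.100.5"  # slave address from the quoted log; run on the master
    for port, (state, hint) in check_peer(peer).items():
        print(port, state, hint)
    if check_peer(peer, ports=(HKP_PORT,))[HKP_PORT][0] == "open":
        print("stats HTTP status:", hkp_stats_status(peer))
```

Running the same script from the slave against the master's internal address shows whether the failure is one-directional, as the logs in this thread suggest.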

