Re: [Sks-devel] Need help with clustered setup
From: Kristian Fiskerstrand
Subject: Re: [Sks-devel] Need help with clustered setup
Date: Wed, 7 Sep 2016 14:24:01 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
On 09/07/2016 01:30 PM, Danny Horne wrote:
> Hi all,
>
> My main keyserver (from now on I'll call this the master) listens on
> both external and internal interfaces, ports 11370 & 11371 are open on
> both interfaces. As a standalone server this has been running fine.
>
> I've now set up another keyserver (I'll call this the slave) which only
> listens on its internal interface, ports 11370 and 11371 are open on
> this interface.
>
> Both master and slave have each other in their membership file
>
> The slave is requesting and receiving keys from the master, this shows
> in its recon.log
>
> The master is requesting keys from the slave but the logs appear to say
> the connection is timing out -
>
> 2016-09-07 11:20:25 Requesting 100 missing keys from <ADDR_INET
> [10.78.100.5]:11371>, starting with 48E84C85DFB97E46E8F042CF177F52C3
> 2016-09-07 11:22:32 Error getting missing keys: Unix error: Connection
> timed out - connect()
And you can manually access 10.78.100.5:11371 and do a POST on
/pks/hashquery or a regular GET like /pks/lookup?op=stats from the slave?
>
> I'm assuming it's a firewall issue (firewalld on Fedora 24) but I'm
> clueless what to look for
>
As this is accessed internally, is it using a separate listening IP than
you're configured for using nginx, and sks listens loopback only, etc?
> All help appreciated
>
ps, still getting Technical details of temporary failure:
... tried to deliver your message, but it was rejected by the server for
the recipient domain lockmail.net by smtp.trisect.uk.
[2001:41d0:1:f41f:16::1].
The error that the other server returned was:
451 4.3.5 <address@hidden>: Recipient address rejected: Server
configuration problem
--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP certificate at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"If you cannot convince them, confuse them"
(Harry S Truman)
signature.asc
Description: OpenPGP digital signature
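
The manual check asked about in the message above, as an added example that is not part of the original thread: it separates a timed-out connect (the error in the quoted log) from a refused or unreachable one and, if the HKP port accepts connections, requests /pks/lookup?op=stats. The function names and the interpretations in the comments are assumptions of this example; the address and ports are the ones quoted in the thread, and it is meant to be run from the host whose log shows the error.

```python
import errno
import http.client
import socket


def probe_tcp(host, port, timeout=5.0):
    """Classify one TCP connect attempt to a keyserver port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except (socket.timeout, TimeoutError):
        # No answer at all, as in the quoted "Connection timed out - connect()":
        # typically packets dropped by a firewall or a missing route back.
        return "timeout"
    except ConnectionRefusedError:
        # Host answered with RST: nothing is listening on this IP:port
        # (for example a daemon bound to loopback only).
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            # An ICMP error came back, e.g. from a firewall REJECT rule.
            return "unreachable"
        return "error: %s" % exc


def probe_stats(host, port=11371, timeout=5.0):
    """GET /pks/lookup?op=stats and return the HTTP status code."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/pks/lookup?op=stats")
        return conn.getresponse().status
    finally:
        conn.close()


def diagnose(host, hkp_port=11371, recon_port=11370, timeout=5.0):
    """Probe both SKS ports; only speak HTTP if the HKP port accepts connections."""
    report = {
        "recon": probe_tcp(host, recon_port, timeout),
        "hkp": probe_tcp(host, hkp_port, timeout),
    }
    report["stats_http"] = (
        probe_stats(host, hkp_port, timeout) if report["hkp"] == "open" else None
    )
    return report


if __name__ == "__main__":
    # 10.78.100.5 is the peer address from the log lines quoted in the thread.
    print(diagnose("10.78.100.5"))
```

A "timeout" on 11371 with the daemon running points at packet filtering between the two hosts, while "refused" points at the listening address on the peer.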