HASync Failing Since Admin Password Change / Slave Lighty Not Answering SSL
-
Hello,
I have been trying to tackle a very annoying set of messages that go like:
[ A communications error occurred while attempting XMLRPC sync with username admin https://10.9.7.2:443.]

These first came up after I changed the admin password on our master firewall. I went and manually changed the admin password on our slave firewall, but the messages persist.
I have found "are you sure the web configurator interface is running on the slave" but no details on how to ensure this. In any event, I cannot get to 10.9.7.2:443 from the master, from the slave, or, say, localhost 443 on the slave . . .
I have tried entering option 11 and rebooting the slave, to no avail.
I have confirmed that routes are correct and that there are no firewall rules blocking access. I can ping and SSH . . . .
I found another reference to the firewall on the slave possibly locking out the master after a series of failed password attempts. pfctl -d on the slave doesn't make any difference.
Looking at the backup config history on the slave, I see stuff like this:
15. 4/9/14 13:13:47 v9.8 (system)@10.10.5.2
Merged in config (haproxy sections) from XMLRPC client.
14. 4/9/14 13:19:51 v9.8 (system)@10.9.7.1
Merged in config (staticroutes,gateways,virtualip,system,dnsmasq,ipsec,aliases,wol,load_balancer,openvpn,cert,ca,crl,schedules,filter,nat,dhcpd sections) from XMLRPC client.

TWO different IPs?
There is some confusion here . . . System > HA Sync
There are two sections: pfsync and XMLRPC Sync
Both target 10.9.7.2
There is a very confusing set of warnings in the second section:
NOTE: Do not use the Synchronize Config to IP and password option on backup cluster members!
NOTE: Do not use the Synchronize Config to IP and username option on backup cluster members!

Is this directed at me? How do you synchronize config to backup cluster members?
From shell, how do I assure that the web interface is running, debug it if it is not?
Okay, here's what I see in ps on both hosts:
/usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf

YET … on the master:

grep ssl /var/etc/lighty-webConfigurator.conf
ssl configuration
ssl.engine = "enable"
ssl.pemfile = "/var/etc/cert.pem"
ssl.use-sslv2 = "disable"
ssl.cipher-list = "DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:CAMELLIA128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC4-SHA:RC4-MD5:!aNULL:!eNULL:!3DES:@STRENGTH"

On the slave:

grep ssl /var/etc/lighty-webConfigurator.conf
* chirping crickets *
Hrmm ... so, how do I turn on SSL? Or, tell the master to use http? (I can telnet port 80 .......)
Thanks,
-danny -
Fix: on the slave, bring up web ui (port 80)
System > Advanced > Admin Access
Switch from HTTP to HTTPS.

Easy peasy!
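The diagnosis above boils down to one fact: the master's sync URL says https:// but the slave's lighttpd config has no ssl.engine line, so nothing answers on 443. The script below turns that grep into a repeatable check you can run on each node before blaming passwords or firewall rules. It is an added example, not pfSense's own code or anything from this thread; the two sample configs are constructed in a temp directory so it runs anywhere, and on a real box you would point webgui_scheme at /var/etc/lighty-webConfigurator.conf as shown in the post. The XMLRPC URL is taken from the error message in the thread.

```shell
#!/bin/sh
# Added example (not pfSense code): decide from a lighty-webConfigurator.conf
# whether the webConfigurator serves HTTPS, and compare that with the scheme
# the master's XMLRPC sync URL expects. Sample configs below are constructed.

# Print "https" if the config enables lighttpd's SSL engine, "http" otherwise.
webgui_scheme() {
    conf="$1"
    [ -r "$conf" ] || { echo "unreadable: $conf" >&2; return 2; }
    if grep -q '^[[:space:]]*ssl\.engine[[:space:]]*=[[:space:]]*"enable"' "$conf"; then
        echo https
    else
        echo http
    fi
}

# Compare the scheme the config actually serves with the scheme in the
# sync URL (e.g. https://10.9.7.2:443). Returns 0 on match, 1 on mismatch,
# 2 if the config cannot be read.
sync_url_matches() {
    conf="$1"; url="$2"
    expected=$(printf '%s' "$url" | sed 's,://.*,,')
    actual=$(webgui_scheme "$conf") || return 2
    if [ "$expected" = "$actual" ]; then
        echo "ok: $url and $conf both use $actual"
        return 0
    fi
    echo "mismatch: master syncs to $url but $conf serves $actual"
    return 1
}

# --- constructed sample configs standing in for master and slave ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/master.conf" <<'EOF'
## ssl configuration
ssl.engine = "enable"
ssl.pemfile = "/var/etc/cert.pem"
ssl.use-sslv2 = "disable"
EOF
cat > "$tmp/slave.conf" <<'EOF'
server.port = 80
EOF

# Report both nodes; a mismatch prints a line but does not abort the script.
for host in master slave; do
    sync_url_matches "$tmp/$host.conf" "https://10.9.7.2:443" || :
done
```

The slave sample reproduces the "chirping crickets" case: no ssl.engine line, so the check reports a mismatch against the https:// sync URL, which is exactly why the master's XMLRPC call fails before it ever gets to authenticate. After switching the slave to HTTPS under System > Advanced > Admin Access, rerun the check against the regenerated /var/etc/lighty-webConfigurator.conf and confirm it now reports https.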
-
When you update the Master Password, it is synchronized to the slave, but it does not update the "password" field under 'Configuration Synchronization Settings (XMLRPC Sync)'. You have to manually update this.