jethrocarr / namedmanager

AGPL web-based DNS management interface in PHP

connecting secondary dns to namedmanager #8

Open wolfjohns opened 9 years ago

wolfjohns commented 9 years ago

I had configured namedmanager and it runs as a primary DNS server, and I want to connect a secondary DNS server. The secondary DNS server is running on CentOS 6.7 with bind-chroot. I have configured the config-bind.php. I have added the secondary name server in the namedmanager interface but I cannot get it to sync. I get the error below.

[root@ns2 namedmanager]# php -q /usr/share/namedmanager/bind/namedmanager_bind_configwriter.php
PHP: syntax error, unexpected '(' in /etc/php.ini on line 1654
Error: Unknown failure whilst attempting to authenticate with the API - Could not connect to host

The primary DNS server is running CentOS 7 with the namedmanager-www and namedmanager-bind RPMs, and the secondary DNS server has the namedmanager-bind RPM.

My question: is it possible to add DNS servers to the server running namedmanager-www by adding the namedmanager-bind package and configuring config-bind.php to use the api_url, api_server_name and api_auth_key of the server running namedmanager-www? Or should I just configure the secondary DNS server normally without using the namedmanager-bind package?

fedebros commented 9 years ago

I have 2 CentOS servers, both with namedmanager, and they are syncing with each other. It took me some time to understand that the $config['api_url'] in config-bind.php must be the same for each server of the pool, and I put the URL of the first server for each namedmanager. api_server_name should contain the name of the server you are configuring. And api_auth_key, obviously the same key. I'm just a user; in case of mistakes, someone please correct me!

wolfjohns commented 9 years ago

Hi, thanks for replying. I made changes to my /etc/php.ini so I do not get the PHP syntax error. I have put in the name of the first server in $config['api_url'] as you mentioned. I also have the FQDN of the server I am configuring as well as its api_auth_key, which has been configured in the API Authentication key in the web server configuration under Name Servers -> Adjust Server Configuration for the secondary DNS server. I now get the error:

[root@ns2 wolf]# php -q /usr/share/namedmanager/bind/namedmanager_bind_configwriter.php
PHP Fatal error: SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://nt01.xxx.xxx/api/namedmanager.wsdl' : failed to load external entity "https://nt01.xxx.xxx/api/namedmanager.wsdl" in /usr/share/namedmanager/bind/include/application/inc_soap_api.php on line 33
PHP Fatal error: Uncaught SoapFault exception: [WSDL] SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://nt01.xxx.xxx/api/namedmanager.wsdl' : failed to load external entity "https://nt01.xxx.xxx/api/namedmanager.wsdl" in /usr/share/namedmanager/bind/include/application/inc_soap_api.php:33
Stack trace:
#0 /usr/share/namedmanager/bind/include/application/inc_soap_api.php(33): SoapClient->SoapClient('https://nt01.br...')
#1 /usr/share/namedmanager/bind/namedmanager_bind_configwriter.php(108): soap_api->authenticate()
#2 {main}
thrown in /usr/share/namedmanager/bind/include/application/inc_soap_api.php on line 33

fedebros commented 9 years ago

I don't know if we have the same version of namedmanager, but in the api_url I've just put "namedmanager": $config["api_url"] = "https://ns1.xxxx.xx/namedmanager";

wolfjohns commented 9 years ago

My api_url is correct as it is the website, but I will give it a try. I will change my api_url as you suggest and see if that works.

wolfjohns commented 9 years ago

I have figured the problem out. It is because the ssl certificate is self signed on the api_url server that the communication is failing. I am now trying to figure out if I can fix this by importing the certificate or by making some changes to the php soap so that it does not check.

fedebros commented 9 years ago

I'm using self-signed certificates and I didn't make adjustments...

wolfjohns commented 9 years ago

Hi. It works now that I added the certificate from api_url = "https://ns1.xxx.xxx" to /etc/pki/ca-trust/source/anchors and ran update-ca-trust extract (more about how this is done can be found at http://kb.kerio.com/product/kerio-connect/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html). I ran

[root@ns2 anchors]# php -q /usr/share/namedmanager/bind/namedmanager_bind_configwriter.php
Error: Unable to open file /var/named/chroot/etc/named.namedmanager.conf for reading
Error: Some errors occured whilst attempting to deploy domain configuration

Checked /var/named/chroot and then ran the command

[root@ns2 chroot]# php -q /usr/share/namedmanager/bind/namedmanager_bind_configwriter.php

and everything has synced. Thank you so much for your help and time.

jethrocarr commented 9 years ago

thanks for helping out @fedebros - it could be something like a different PHP version enforcing cert validation (which it should!) whereas your version might not have been enforcing validation.

It's annoying that it's not throwing a clear exception, means I can't easily catch it and write a nice clear end user message. TBH, I think the SOAP API probably needs to be replaced by a nicer REST API at some point that actually fails in a nice fashion.

markfqs commented 7 years ago

I faced this issue today

I thought (and should confirm) the comment from Jethro: Different PHP version.

I have exactly the same setup on 3 servers (Debian 8 jessie with PHP 5), and now I'm deploying a new server to replace one of them. The new server is Ubuntu LTS 16.04, using PHP7, and I copied exactly the same namedmanager (not the latest namedmanager version, though) and the same configuration. I get the same error:

PHP Fatal error: SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://www.l3jane.net/namedmanager/api/namedmanager.wsdl' : failed to load external entity "https://www.l3jane.net/namedmanager/api/namedmanager.wsdl" in /usr/local/share/namedmanager/include/application/inc_soap_api.php on line 33
PHP Fatal error: Uncaught SoapFault exception: [WSDL] SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://www.l3jane.net/namedmanager/api/namedmanager.wsdl' : failed to load external entity "https://www.l3jane.net/namedmanager/api/namedmanager.wsdl" in /usr/local/share/namedmanager/include/application/inc_soap_api.php:33
Stack trace:
#0 /usr/local/share/namedmanager/include/application/inc_soap_api.php(33): SoapClient->SoapClient('https://www.l3j...')
#1 /usr/local/share/namedmanager/namedmanager_bind_configwriter.php(108): soap_api->authenticate()
#2 {main}
thrown in /usr/local/share/namedmanager/include/application/inc_soap_api.php on line 33

But... I'm using a certificate issued by my own CA (not self-signed) and didn't face issues before.

Although, as this is a new machine, I just issued the 'c_rehash' command (this command updates the trusted certificate db/cache of the system) and now it works.

So it clearly seems to be a certificate trust issue, also confirmed by the fact that I didn't see the HTTP request in the web server log when I launched namedmanager_bind. Maybe PHP7 does more checks on SSL certificates?

So basically you should install the certificates (CA or self-signed) on the bind system and issue 'c_rehash' to make PHP SOAP trust the server.
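
A pre-flight check for the certificate trust failure diagnosed in this thread, as an added example that is not part of the thread or of namedmanager's own code: it performs a verified TLS handshake against the API host and reports the OpenSSL reason directly, instead of the opaque "failed to load external entity" WSDL error. The host name, the CA bundle path and the function names are assumptions; the WSDL location is taken from the error messages quoted above.

```php
<?php
// Added example, not namedmanager code. Placeholder values (assumptions):
$apiUrl = 'https://ns1.example.test/namedmanager';  // stands in for $config["api_url"]
$caFile = '/etc/pki/tls/certs/ca-bundle.crt';       // CentOS; Debian/Ubuntu: /etc/ssl/certs/ca-certificates.crt

// One TLS context, so the pre-flight and the SOAP client verify identically.
function api_tls_context($host, $caFile)
{
    return stream_context_create(array('ssl' => array(
        'verify_peer'      => true,
        'verify_peer_name' => true,   // honoured by PHP >= 5.6
        'peer_name'        => $host,
        'cafile'           => $caFile,
    )));
}

// Returns null when the handshake verifies, otherwise the collected reasons.
function tls_preflight($host, $port, $ctx, $timeout = 10)
{
    $reasons = array();
    // Verification failures are raised as PHP warnings; collect all of them.
    set_error_handler(function ($no, $msg) use (&$reasons) { $reasons[] = $msg; return true; });
    $sock = stream_socket_client("ssl://$host:$port", $errno, $errstr, $timeout, STREAM_CLIENT_CONNECT, $ctx);
    restore_error_handler();
    if ($sock === false) {
        return $reasons ? implode('; ', $reasons) : "$errstr (errno $errno)";
    }
    fclose($sock);
    return null;
}

$parts = parse_url($apiUrl);
$host  = $parts['host'];
$port  = isset($parts['port']) ? $parts['port'] : 443;
$ctx   = api_tls_context($host, $caFile);

$reason = tls_preflight($host, $port, $ctx);
if ($reason !== null) {
    fwrite(STDERR, "Error: TLS check against $host:$port failed: $reason\n");
    exit(1);
}
try {
    // WSDL path as it appears in the error messages in this thread.
    $client = new SoapClient($apiUrl . '/api/namedmanager.wsdl', array('stream_context' => $ctx));
    echo "WSDL loaded over a verified TLS connection\n";
} catch (SoapFault $e) {
    fwrite(STDERR, "Error: SOAP setup failed: " . $e->getMessage() . "\n");
    exit(1);
}
```

If the check fails with a certificate verification message, the CA or self-signed certificate of the API server is missing from the bundle named in `$caFile`; adding it to the system trust store as described in the comments above resolves it without turning verification off.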