Topic: PhpKi after backup/restore

[DanB35]

As I recently posted in another thread, I just migrated my SME 9 installation to a virtual machine under Proxmox 4 by doing console backup, new install, console restore, yum update, and then reinstalling my contribs.  Two of those contribs were openvpn-bridge and phpki.

Since then, I've been getting an email periodically stating that "CRL update failed".  Google led me to the wiki page for openvpn-bridge, and that suggested phpki.  When I went to the certificate management page on my server, I found that phpki does not appear to be configured--it's asking me to create a new CA.

...and as I was writing this, I read through the rest of the wiki page on phpki, and found this section: http://wiki.contribs.org/PHPki#Re-install.  It looks like I need the old config.php file, which isn't part of the backup and apparently isn't templated.  Fortunately, my original drives are still available and haven't been altered.  But before I hook one of them up to start pulling data off it, what else wasn't backed up that I will need to get phpki working again?  Should I just copy the whole /opt/phpki directory?

[DanB35]

Well, I figured it wouldn't likely hurt anything...  I followed the instructions at the Reinstalling link above, copied /opt/phpki/html/config.php and /opt/phpki/phpki-store/ from the old install, and it seems to be working.  I expect that will stop the errors about the CRL update.

[DanB35]

On further review...

It seems the PHPki system and datastore are present, but I'm only able to see the public page.  When I click on Certificate Management in the server-manager, or when I browse to https://myserver/phpki/ca, I only see the public content menu.  At the time of the request, I see the following lines in /var/log/httpd/access_log which may be relevant:

Code: [Select]

familybrown.org 192.168.1.216 - - [10/Dec/2015:10:52:55 -0500] "GET /phpki/ca/ HTTP/1.1" 302 1 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36"
familybrown.org 192.168.1.216 - - [10/Dec/2015:10:52:55 -0500] "GET /phpki/index.php HTTP/1.1" 200 1925 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36"Where should I be looking?

[Daniel B.]

To get access to your old PHPki store

- Make sur /opt/phpki/phpki-store belongs to the correct user (on the new system it could have a different uid). Should be phpki:phpki
- Delete /opt/phpki/html/index.php (which is a symlink to setup.php-presetup) and create it as a symlink to main.php instead

[DanB35]

Code: [Select]

[root@e-smith ~]# ll /opt/phpki/html
total 144
-rw-r--r-- 1 root root   1305 Nov 15  2005 about.php
drwxr-xr-x 2 root root   4096 Nov 12 13:41 admin
drwxrwx--- 2 root phpki  4096 Nov 12 13:41 ca
-rw-r--r-- 1 root root   5750 Jul 22  2007 CHANGELOG
-rw-rw---- 1 root phpki   164 Nov 13 12:15 config.php
drwxr-xr-x 2 root root   4096 Nov 12 13:41 css
drwxr-xr-x 2 root root   4096 Nov 12 13:41 help
-rw-r--r-- 1 root root    647 Nov 15  2005 help.php
drwxr-xr-x 2 root root   4096 Nov 12 13:41 images
drwxr-xr-x 2 root root   4096 Nov 12 13:41 include
lrwxrwxrwx 1 root root      8 Nov 13 10:18 index.php -> main.php
lrwxrwxrwx 1 root root     34 Nov 12 13:41 index.php.old -> /opt/phpki/html/setup.php-presetup
-rw-r--r-- 1 root root  18091 Mar 25  2003 LICENSE.TXT
-rw-r--r-- 1 root root   1800 Nov 12  2013 main.php
-rw-r--r-- 1 root root   1685 Jul 22  2007 Makefile
-rw-r--r-- 1 root root    925 Nov 15  2005 ns_revoke_query.php
-rw-rw---- 1 root phpki  6285 Nov 12  2013 openssl.cnf
-rw-r--r-- 1 root root    404 Apr 11  2003 policy.html
-rw-r--r-- 1 root root   4514 Jul 22  2007 README
-rw-r--r-- 1 root root    264 Nov 15  2005 readme.php
-rw-r--r-- 1 root root   5263 Nov 12  2013 search.php
lrwxrwxrwx 1 root root     34 Nov 12 13:41 setup.php.old -> /opt/phpki/html/setup.php-presetup
-rw-r--r-- 1 root root  28744 Nov 12  2013 setup.php-presetup
-rw-r--r-- 1 root root    680 Jan  4  2007 TODO
[root@e-smith ~]# ll /opt/phpki
total 16
drwxr-xr-x 2 root  root  4096 Nov 12 13:41 bin
drwxrwx--- 8 root  phpki 4096 Nov 13 10:18 html
drwxrwx--- 5 phpki phpki 4096 Nov 21  2014 phpki-store


[Daniel B.]

Forgot the last step: in /opt/phpki/html/ca also delete index.php and create it again as a symlink to main.php (the one under /ca)

[DanB35]

That was the missing link.  Thanks!

[Daniel B.]

Could you please add this on the wiki if it's missing ?

[DanB35]

It's there--not sure how I missed it last month when I did the reinstall and restore, but I obviously did (I'd blame it on wiki edits, but the history shows no changes in the last year).  Thanks again.

[janet]

DanB35

I prefer to add /opt to the backup inclusion list, just to be "safe", along with any other "selected" folders I deem necessary that are not included in a standard backup
http://wiki.contribs.org/Backup_with_dar#Adding.2FExcluding_Directories_and_Files_from_the_backup_list

[DanB35]

Yeah, I've now made that change--since I needed to add /etc/letsencrypt anyway it seemed like a good idea.