Scope

The information in this article applies to connections between Master and Agent that make use of JobScheduler Universal Agent - Secure HTTPS communication.

Setting up a reverse proxy

[ssl:warn] [pid xxx] AH01909: RSA certificate configured for SERVER does NOT include an ID which matches the server name

When setting up a reverse proxy with Apache, you might see the following warning in the log file ssl_error_log (by default this file is stored under /var/log/httpd):

Code Block
[ssl:warn] [pid xxx] AH01909: RSA certificate configured for SERVER does NOT include an ID which matches the server name

In that case, follow the instructions described in this post (look only at the answer marked with a tick): http://serverfault.com/questions/578061/rsa-certificate-configured-for-server-does-not-include-an-id-which-matches-the-s

[ssl:warn] [pid xxx] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

When setting up a reverse proxy with Apache, you might see the following warning in the log file ssl_error_log (by default this file is stored under /var/log/httpd):

Code Block
[ssl:warn] [pid xxx] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

In that case, follow the instructions as described in this article: http://sysadmin.compxtreme.ro/how-to-deal-with-rsa-server-certificate-is-a-ca-certificate-basicconstraints-ca-true-problem/
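Both warnings above can be checked for before Apache is restarted. The following is an added example, not part of the original article: it reads the text dump of a certificate and reports whether it is marked as a CA (AH01906) and whether any DNS subjectAltName entry or the subject CN matches the ServerName (AH01909). The function names, the host name proxy.example.com and the sample certificate text are assumptions constructed for illustration; IP address entries are not handled.

```shell
#!/bin/sh
# Reads `openssl x509 -noout -text` output on stdin and prints which of the
# two warnings the certificate would raise for the given ServerName, or "ok".
check_cert_text() {
    server_name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    text=$(cat)
    findings=""
    # AH01906: BasicConstraints marks the certificate as a CA.
    if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        findings="AH01906"
    fi

    # Candidate IDs: DNS entries of subjectAltName plus the subject CN.
    names=$(printf '%s\n' "$text" | tr ', ' '\n\n' | sed -n 's/^DNS://p'
            printf '%s\n' "$text" |
                sed -n 's/^ *Subject:.*CN *= *\([^,/]*\).*/\1/p')

    matched=no
    while IFS= read -r n; do
        n=$(printf '%s' "$n" | tr 'A-Z' 'a-z')
        case $n in
            "$server_name") matched=yes ;;
            '*.'*)  # a wildcard stands for exactly one leftmost label
                parent=${server_name#*.}
                [ "$parent" != "$server_name" ] &&
                    [ "$parent" = "${n#\*.}" ] && matched=yes ;;
        esac
    done <<EOF
$names
EOF
    # AH01909: no ID in the certificate matches the server name.
    [ "$matched" = yes ] || findings="${findings:+$findings }AH01909"
    printf '%s\n' "${findings:-ok}"
}

# check_cert <pem-file> <ServerName>: the same check against a real file.
check_cert() {
    openssl x509 -in "$1" -noout -text | check_cert_text "$2"
}

# Constructed sample: excerpt of a self-signed certificate's text dump.
sample_cert_text() {
    cat <<'EOF'
        Subject: C=DE, O=Example, CN=localhost.localdomain
            X509v3 Basic Constraints: critical
                CA:TRUE
EOF
}
sample_cert_text | check_cert_text proxy.example.com   # AH01906 AH01909
```

Run `check_cert` with the certificate file and the ServerName from the virtual host that serves the proxy; `ok` means neither warning should appear for that pair.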

httpd service can not be restarted

Configuration errors

This might happen because there is an error in the Apache configuration (either in httpd.conf, in conf.d/ssl.conf or in any extra configuration file you include). To find out why the service could not be started, type the following command:

Code Block
journalctl -xelu httpd

Missing SELinux permissions

If there is no error in your Apache configuration and the service restart throws the following error:

...

Then you have to add the specific port you are doing the configuration for (in our case we use the port 24445 as in the example in the article JobScheduler Universal Agent - connecting via HTTPS through a proxy) to your system's SELinux configuration and allow this port for httpd as follows:

Code Block
sudo semanage port -a -t http_port_t -p tcp 24445

List of ... certificates in Java Truststore

In case you created a self-signed certificate and imported this certificate into the Java Truststore of JobScheduler Master, you can use the following command in order to see if the certificate was added properly to the Java Truststore and get the detailed information of the certificate:

Code Block
"<path_to_java_for_job_scheduler>\bin\keytool" -list -keystore "<path_to_java_for_job_scheduler>\lib\security\cacerts" -storepass changeit

Setting Logging Level to Debug for Apache

Either in httpd.conf, in conf.d/ssl.conf or in an extra configuration file you include in order to configure the reverse proxy, add the following line to your configuration:

...

This will activate the debug level for SSL and Proxy, whose output you can then find in the following logs (by default these files are stored under /var/log/httpd):

  • ssl_access_log
  • ssl_error_log
  • ssl_request_log

Logging in JobScheduler Master

All information you will find in the JobScheduler Master is located either in the order logs (under Order History) when starting an order for a job chain or in the task logs when starting a standalone job. Possible messages are described below.

[ WARN ] SCHEDULER-489 No remote JobScheduler is accessible. Waiting before trying again

If a warning like this is thrown in the order log:

Code Block
[WARN] (Task xxx/job1:147691) SCHEDULER-489 No remote JobScheduler is accessible. Waiting before trying again
[WARN] (Task xxx/job1:147691) SCHEDULER-488 This remote JobScheduler 'Agent(0,https://192.11.0.111:24445,None)' is not accessible: spray.can.Http$ConnectionException: Aborted

Again, please check which HTTP error is logged in the files under /var/log/httpd:

  • ssl_access_log
  • ssl_error_log
  • ssl_request_log

Info

In this case you might get an HTTP error 408 (request timeout), which means that the connection from the Master to the proxy has been established, but the redirection from the proxy to the Agent cannot be done.

Otherwise, the JobScheduler Master is not even reaching the proxy.

[ERROR] Z-JAVA-105 Java exception spray.httpx.UnsuccessfulResponseException: Status: 503 Service Unavailable

If an error like this is thrown in the order log or the task log:

Code Block
[ERROR]  (xxx/job1:147694) Z-JAVA-105  Java exception spray.httpx.UnsuccessfulResponseException: Status: 503 Service Unavailable
[ERROR]  (xxx/job1:147694) Body: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
[ERROR]  (xxx/job1:147694) <html><head>
[ERROR]  (xxx/job1:147694) <title>503 Service Unavailable</title>
[ERROR]  (xxx/job1:147694) </head><body>
[ERROR]  (xxx/job1:147694) <h1>Service Unavailable</h1>
[ERROR]  (xxx/job1:147694) <p>The server is temporarily unable to service your
[ERROR]  (xxx/job1:147694) request due to maintenance downtime or capacity
[ERROR]  (xxx/job1:147694) problems. Please try again later.</p>
[ERROR]  (xxx/job1:147694) </body></html>, method=CallObjectMethodA []

Again, please check which HTTP error is logged in the files under /var/log/httpd:

  • ssl_access_log
  • ssl_error_log
  • ssl_request_log

In case you get the following error in the ssl_error_log:

Code Block
[proxy:error] (13)Permission denied: proxy: AJP: attempt to connect to 10.x.x.x:7009 (virtualhost.virtualdomain.com) failed

You then need to change a system configuration as described in the following article: http://sysadminsjourney.com/content/2010/02/01/apache-modproxy-error-13permission-denied-error-rhel/
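To see which port SELinux is refusing to httpd, both for the listening port in "Missing SELinux permissions" and for the proxy connection above, the AVC records in the audit log (normally /var/log/audit/audit.log) can be summarised. The following is an added example, not part of the original article; it assumes the proxy "Permission denied" is an SELinux denial, and the function names and sample records are constructed for illustration.

```shell
#!/bin/sh
# Reads audit.log lines on stdin and prints one line per distinct httpd
# socket denial: "<permission> <port> <current port type>".
httpd_port_denials() {
    awk '/avc: +denied/ && /comm="httpd"/ && /tclass=tcp_socket/ {
        perm = port = type = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name_(bind|connect)$/) perm = $i
            else if ($i ~ /^(src|dest)=[0-9]+$/) { split($i, kv, "="); port = kv[2] }
            else if ($i ~ /^tcontext=/) { split($i, ctx, ":"); type = ctx[3] }
        }
        if (perm != "" && port != "") print perm, port, type
    }' | sort -u
}

# Turns each denial into the next step: the article's semanage command for
# a listening port, or a note that the proxy-to-backend connection is blocked.
next_steps() {
    httpd_port_denials | while read -r perm port type; do
        case $perm in
            name_bind)
                echo "listen port $port is labelled $type:" \
                     "semanage port -a -t http_port_t -p tcp $port" ;;
            name_connect)
                echo "backend port $port ($type): httpd may not connect" ;;
        esac
    done
}

# Constructed sample records in the audit.log AVC format.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.101:410): avc:  denied  { name_bind } for  pid=2101 comm="httpd" src=24445 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1700000000.101:411): avc:  denied  { name_bind } for  pid=2101 comm="httpd" src=24445 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1700000090.555:431): avc:  denied  { name_connect } for  pid=2140 comm="httpd" dest=7009 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1700000120.007:440): avc:  denied  { read } for  pid=2200 comm="sshd" name="x" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
}
sample_audit_log | next_steps
```

On a live system, feed it the real log, for example `next_steps < /var/log/audit/audit.log` as root; labelling only the reported port keeps SELinux enforcing for everything else httpd does.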