<div dir="ltr"><div dir="ltr"><div>Hi Hunter</div><div><br></div><div>It is dangerous to run a networked process, such as ndncert-ca-server, as root.</div><div>This also has nothing to do with whether op_yufeng can write to the relevant directory.</div><div dir="ltr"><br></div><div>The proper solution is:</div><div><ol><li>Create /var/lib/ndn/ndncert-ca directory, owned by 'ndn' user.</li><li>ndncert-ca-server runs as 'ndn' user.</li><li>In systemd unit file, set HOME environment variable to /var/lib/ndn/ndncert-ca . Reference: <a href="https://github.com/named-data/ndn-tools/blob/2cd6ae8495861416f90428ef9e59c2ec380a37f2/systemd/ndn-ping-server.service.in#L30">ndnpingserver systemd unit file</a>.</li><li>Import the CA key to the KeyChain located in /var/lib/ndn/ndncert-ca . Whenever you access this KeyChain, you should impersonate as 'ndn' user using a command line like `sudo HOME=/var/lib/ndn/ndncert-ca -u ndn ndnsec list -c`. Never access this KeyChain as root or any other user.</li></ol></div><div dir="ltr"><br></div><div>Yours, Junxiao</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Nov 19, 2019 at 12:28 PM Hunter Dellaverson <<a href="mailto:hdellaverson@gmail.com">hdellaverson@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">Ah, so sorry, just realized a quick hotfix -- changed systemd to be running as root. Should be working now. </div>Best,<br>Hunter</div></blockquote></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">---------- Forwarded message ---------<br>From: <strong class="gmail_sendername" dir="auto">Hunter Dellaverson</strong> <span dir="auto"><<a href="mailto:hdellaverson@gmail.com">hdellaverson@gmail.com</a>></span><br>Date: Tue, Nov 19, 2019 at 12:22 PM<br>Subject: Re: Push the Deployment of NDNCERT<br></div><br><div dir="ltr">Hi Junxiao!<div>As far as I can tell, systemd is currently having a permissions issue [1] (image generated from journalctl command). Ndncert tries to create a file in /var/lib/ndn, which is owned by the ndn group [2] (ls -al). Yufeng, though part of the ndn group [3] doesn't have write permissions, if I'm reading this correctly. I'm hesitant to change permissions on the spurs server without permission, though from what I understand someone shot a message to John D. Hart. In the meantime, I've manually restarted the server. </div><div>If you have a quick/easy fix for this, would be much appreciated.</div><div>Best,<br>Hunter</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Nov 19, 2019 at 6:21 AM Junxiao Shi <<a href="mailto:shijunxiao@email.arizona.edu" target="_blank">shijunxiao@email.arizona.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hi Yufeng</div><div><br></div><div>Did you add the necessary flags into the systemd file? Or did you disable systemd and start the server in a console?<br></div>Server crashed 10 minutes ago, and systemd didn't bring it up.<br><div><br></div><div>Yours, Junxiao<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr"><br></div><div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
</blockquote></div>
<br></div></div></div>
</blockquote></div>
</div></div>