Hi Stefan et al,

It's hard to work out exactly what's going on.

First make sure that all certificates including the IPA CA
certificate are within their validity period.  Make sure that CA
certificate(s) have the correct trust flags in the /etc/httpd/alias
NSSDB:

    certutil -d /etc/httpd/alias -L

Check /var/log/ipaupgrade.log for any errors that may have occurred
during upgrade.

If you put SELinux into permissive mode, do run `ipactl restart`
afterwards, before attempting to log in.

Finally, the log message:

  /usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning:
  Certificate has no `subjectAltName`, falling back to check for a `commonName`
  for now. This feature is being removed by major browsers and deprecated by RFC
  2818. (See https://github.com/shazow/urllib3/issues/497 for details.)

... is not the cause, and can be ignored for the purposes of
diagnosing the current problem.

Cheers,
Fraser
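
The trust-flag check suggested above, as an added example that is not part of the original message: it parses a `certutil -L` listing and reports whether a given CA nickname carries `C` (trusted CA for issuing server certificates) in the SSL column. The listing and the nicknames in it are constructed for illustration; which flags are correct for a given deployment is an assumption to confirm against a known-good server.

```shell
#!/bin/sh
# Constructed sample of `certutil -d /etc/httpd/alias -L` output.
# The nicknames and flags are illustrative, not taken from the thread.
sample_listing() {
cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
EXAMPLE.COM IPA CA                                           ,,
Old External CA                                              C,,
EOF
}

# Read a certutil -L listing on stdin and check nickname $1.
# Exit status: 0 = "C" present in the SSL trust column (trusted CA),
#              1 = nickname found but SSL column lacks "C",
#              2 = nickname not present in the database.
check_ca_trust() {
    awk -v want="$1" '
        # Certificate rows end in a trust triple such as "CT,C,C" or ",,".
        # Header lines do not match (no commas, or contain "/").
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            nick = $0
            # Nicknames may contain spaces, so strip only the last column.
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)
            if (nick != want) next
            split($NF, f, ",")
            found = 1
            ok = (f[1] ~ /C/)   # lowercase "c" is a valid CA, not a trusted one
            printf "%s: SSL trust \"%s\" -> %s\n", nick, f[1],
                   (ok ? "trusted CA" : "NOT a trusted CA")
        }
        END {
            if (!found) { print want ": not in database"; exit 2 }
            exit (ok ? 0 : 1)
        }'
}

# Demonstration on the constructed listing. On a real server, pipe in
#   certutil -d /etc/httpd/alias -L
for n in "EXAMPLE.COM IPA CA" "Old External CA" "Missing CA"; do
    sample_listing | check_ca_trust "$n" || true
done
```
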



On Fri, Aug 18, 2017 at 08:16:19AM +0200, Troels Hansen via FreeIPA-users wrote:
> Hi Jason 
> 
> You aren't the only one having weird problems after updating to IPA 4.5 on 
> RHEL 7.4 
> We are also facing problems accessing the web-ui and having a support case 
> open with Red Hat and can see from the linked (private) Red Hat bugzilla that 
> others are facing the same or other problems. 
> 
> My best shot would be to raise the issue with Red Hat. After all, that's what
> you pay them for :-)
> Also, for Red Hat to get a full picture of the problems I guess they need
> all the corner-cases...
> 
> ----- On Aug 17, 2017, at 6:12 PM, Stefan Uygur via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote: 
> 
> > Hi Jason,
> 
> > Thanks for the reply, but I did try that already, setting selinux in
> > permissive mode rather than enforcing and it didn’t help.
> 
> > However, I didn’t see anything in audit logs that would indicate selinux as
> > culprit.
> 
> > I just tried one more time right now with no joy, exact same result.
> 
> > Stefan
> 
> > From: Jason Sherrill via FreeIPA-users
> > [mailto:freeipa-users@lists.fedorahosted.org]
> > Sent: 17 August 2017 17:07
> > To: FreeIPA users list
> > Cc: Jason Sherrill
> > Subject: [Freeipa-users] Re: web UI - login failed after updates on server
> 
> > Stefan,
> 
> > I resolved a similar issue on a Fedora host by setting selinux to permissive
> > instead of enforcing. The setting is located in
> 
> > /etc/selinux/config
> 
> > On Thu, Aug 17, 2017 at 10:37 AM, Stefan Uygur via FreeIPA-users <
> > freeipa-users@lists.fedorahosted.org > wrote:
> 
> > Hi everyone,
> 
> > I have an IPA instance installed and working for the last 6 months but
> > after the patching yesterday the Web UI login has stopped working.
> 
> > To be clear the IPA server is fully functional at the backend, the problem
> > is when I try to login via web UI I get the following error:
> 
> > Login failed due to an unknown reason.
> 
> > The server is a Red Hat Enterprise Linux Server release 7.4 (Maipo) with
> > the IPA VERSION: 4.5.0, API_VERSION: 2.228
> 
> > Furthermore, this is what I get from apache error logs while trying to login
> > using web UI:
> 
> > [Thu Aug 17 11:58:40.727456 2017] [:error] [pid 20879] ipa: INFO: *** 
> > PROCESS
> > START ***
> 
> > [Thu Aug 17 11:58:40.911349 2017] [:error] [pid 20878] ipa: INFO: *** 
> > PROCESS
> > START ***
> 
> > [Thu Aug 17 11:58:57.224594 2017] [auth_gssapi:error] [pid 20884] [client
> > IPADDR:54323] NO AUTH DATA Client did not send any authentication headers,
> > referer: https://-ipa1.example.com/ipa/ui/
> 
> > [Thu Aug 17 11:58:57.266259 2017] [auth_gssapi:error] [pid 20884] [client
> > IPADDR:54323] GSS ERROR In Negotiate Auth: gss_accept_sec_context() failed: 
> > [An
> > unsupported mechanism was requested (Unknown error)], referer:
> > https://ipa1.example.com/ipa/ui/
> 
> > /usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning:
> > Certificate has no `subjectAltName`, falling back to check for a 
> > `commonName`
> > for now. This feature is being removed by major browsers and deprecated by 
> > RFC
> > 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
> 
> > SecurityWarning
> 
> > [Thu Aug 17 11:59:03.637157 2017] [:error] [pid 20878] ipa: INFO: 404 Not 
> > Found:
> > URL="/ipa/session/cookie", URL fragment "/session/cookie" does not have a
> > handler
> 
> > [Thu Aug 17 11:59:03.638346 2017] [:error] [pid 20879] ipa: INFO: 401
> > Unauthorized: No session cookie found
> 
> > [Thu Aug 17 12:00:01.567042 2017] [:error] [pid 20882] SSL Library Error: 
> > -12195
> > Peer does not recognize and trust the CA that issued your certificate
> 
> > [Thu Aug 17 12:00:01.617683 2017] [:error] [pid 21225] SSL Library Error: 
> > -12195
> > Peer does not recognize and trust the CA that issued your certificate
> 
> > [Thu Aug 17 12:00:09.967173 2017] [auth_gssapi:error] [pid 20881] [client
> > IPADDR:54377] NO AUTH DATA Client did not send any authentication headers,
> > referer: https://-ipa1.example.com/ipa/ui/
> 
> > /usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning:
> > Certificate has no `subjectAltName`, falling back to check for a 
> > `commonName`
> > for now. This feature is being removed by major browsers and deprecated by 
> > RFC
> > 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
> 
> > SecurityWarning
> 
> > [Thu Aug 17 12:00:17.495782 2017] [:error] [pid 20879] ipa: INFO: 404 Not 
> > Found:
> > URL="/ipa/session/cookie", URL fragment "/session/cookie" does not have a
> > handler
> 
> > [Thu Aug 17 12:00:17.497067 2017] [:error] [pid 20878] ipa: INFO: 401
> > Unauthorized: No session cookie found
> 
> > I know it is complaining about the new mod_gssapi but never seen this sort
> > of problem before on IPA.
> 
> > Any help would be greatly appreciated.
> 
> > Stefan
> 
> > __________________________________________ __________
> > Stefan Uygur | First Derivatives Ireland Ltd | +353 16307761 |
> > suy...@firstderivatives.com
> 
> > *******************************************************************************************************************************
> 
> > This email, its contents and any files attached are a confidential 
> > communication
> > and are intended only for the named addressees indicated in the message.
> 
> > If you are not the named addressee or if you have received this email in 
> > error,
> > you may not, without the consent of First Derivatives, copy, use or rely on 
> > any
> > information or attachments in any way. Please notify the sender by return 
> > email
> > and delete it from your email system.
> 
> > Unless separately agreed, First Derivatives does not accept any 
> > responsibility
> > for the accuracy or completeness of the contents of this email or its
> > attachments. Please note that any views, opinion or advice contained in this
> > communication are those of the sending individual and not those of First
> > Derivatives and First Derivatives shall have no liability whatsoever in
> > relation to this communication (or its content) unless separately agreed.
> 
> > *******************************************************************************************************************************
> 
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> 
> > --
> 
> > Jason Sherrill
> 
> > IT Specialist
> 
> > Deeplocal Inc.
> 
> > mobile: 412-636-2073
> 
> > office: 412-362-0201
> 
> 
> -- 
> 
> Kind regards
> 
> Troels Hansen 
> 
> Systems Consultant
> 
> Casalogic A/S 
> 
> T (+45) 70 20 10 63 
> 
> M (+45) 22 43 71 57 
> 
> Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and
> much more.
