On Fri, Aug 18, 2017 at 05:28:12PM +1000, Fraser Tweedale wrote:
> Hi Stefan et al,
>
> It's hard to work out exactly what's going on.
>
> First make sure that all certificates including the IPA CA
> certificate are within their validity period. Make sure that CA
> certificate(s) have the correct trust flags in the /etc/httpd/alias
> NSSDB:
>
> certutil -d /etc/httpd/alias -L
>
> Check /var/log/ipaupgrade.log for any errors that may have occurred
> during upgrade.
>
> If you put SELinux into permissive mode, do run `ipactl restart`
> afterwards, before attempting to log in.
>
> Finally, the log message:
>
> /usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning:
> Certificate has no `subjectAltName`, falling back to check for a `commonName`
> for now. This feature is being removed by major browsers and deprecated by RFC
> 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
>
> ... is not the cause, and can be ignored for the purposes of
> diagnosing the current problem.
>
> Cheers,
> Fraser
>
One more thing; on the affected master try putting `debug = True` in
/etc/ipa/default.conf and restarting FreeIPA. You will get a lot
more debug output in the httpd logs which could help narrow down the
problem.
>
>
> On Fri, Aug 18, 2017 at 08:16:19AM +0200, Troels Hansen via FreeIPA-users wrote:
> > Hi Jason
> >
> > You aren't the only one having weird problems after updating to IPA 4.5 on
> > RHEL 7.4
> > We are also facing problems accessing the web-ui and having a support case
> > open with Red Hat and can see from the linked (private) Red Hat bugzilla
> > that others are facing the same or other problems.
> >
> > My best shot would be to raise the issue with Red Hat. After all, that's what
> > you pay them for :-)
> > Also, for Red Hat to get a full picture of the problems I guess they
> > need all the corner-cases...
> >
> > ----- On Aug 17, 2017, at 6:12 PM, Stefan Uygur via FreeIPA-users
> > <[email protected]> wrote:
> >
> > > Hi Jason,
> > >
> > > Thanks for the reply, but I did try that already, setting selinux in
> > > permissive mode rather than enforcing and it didn’t help.
> > >
> > > However, I didn’t see anything in audit logs that would indicate selinux as
> > > culprit.
> > >
> > > I just tried one more time right now with no joy, exact same result.
> > >
> > > Stefan
> > >
> > > From: Jason Sherrill via FreeIPA-users
> > > [mailto:[email protected]]
> > > Sent: 17 August 2017 17:07
> > > To: FreeIPA users list
> > > Cc: Jason Sherrill
> > > Subject: [Freeipa-users] Re: web UI - login failed after updates on server
> > >
> > > Stefan,
> > >
> > > I resolved a similar issue on a Fedora host by setting selinux to permissive
> > > instead of enforcing. The setting is located in
> > >
> > > /etc/selinux/config
> > >
> > > On Thu, Aug 17, 2017 at 10:37 AM, Stefan Uygur via FreeIPA-users <
> > > [email protected] > wrote:
> > >
> > > Hi everyone,
> > >
> > > I have an IPA instance installed and working for the last 6 months but after
> > > the patching yesterday the Web UI login has stopped working.
> > >
> > > To be clear the IPA server is fully functional at the backend, the problem is
> > > when I try to login via web UI I get the following error:
> > >
> > > Login failed due to an unknown reason.
> > >
> > > The server is a Red Hat Enterprise Linux Server release 7.4 (Maipo) with the
> > > IPA VERSION: 4.5.0, API_VERSION: 2.228
> > >
> > > Furthermore, this is what I get from apache error logs while trying to login
> > > using web UI:
> > >
> > > [Thu Aug 17 11:58:40.727456 2017] [:error] [pid 20879] ipa: INFO: *** PROCESS START ***
> > >
> > > [Thu Aug 17 11:58:40.911349 2017] [:error] [pid 20878] ipa: INFO: *** PROCESS START ***
> > >
> > > [Thu Aug 17 11:58:57.224594 2017] [auth_gssapi:error] [pid 20884] [client IPADDR:54323] NO AUTH DATA Client did not send any authentication headers, referer: https://-ipa1.example.com/ipa/ui/
> > >
> > > [Thu Aug 17 11:58:57.266259 2017] [auth_gssapi:error] [pid 20884] [client IPADDR:54323] GSS ERROR In Negotiate Auth: gss_accept_sec_context() failed: [An unsupported mechanism was requested (Unknown error)], referer: https://ipa1.example.com/ipa/ui/
> > >
> > > /usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning:
> > > Certificate has no `subjectAltName`, falling back to check for a `commonName`
> > > for now. This feature is being removed by major browsers and deprecated by RFC
> > > 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
> > >
> > > SecurityWarning
> > >
> > > [Thu Aug 17 11:59:03.637157 2017] [:error] [pid 20878] ipa: INFO: 404 Not Found: URL="/ipa/session/cookie", URL fragment "/session/cookie" does not have a handler
> > >
> > > [Thu Aug 17 11:59:03.638346 2017] [:error] [pid 20879] ipa: INFO: 401 Unauthorized: No session cookie found
> > >
> > > [Thu Aug 17 12:00:01.567042 2017] [:error] [pid 20882] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate
> > >
> > > [Thu Aug 17 12:00:01.617683 2017] [:error] [pid 21225] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate
> > >
> > > [Thu Aug 17 12:00:09.967173 2017] [auth_gssapi:error] [pid 20881] [client IPADDR:54377] NO AUTH DATA Client did not send any authentication headers, referer: https://-ipa1.example.com/ipa/ui/
> > >
> > > /usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning:
> > > Certificate has no `subjectAltName`, falling back to check for a `commonName`
> > > for now. This feature is being removed by major browsers and deprecated by RFC
> > > 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
> > >
> > > SecurityWarning
> > >
> > > [Thu Aug 17 12:00:17.495782 2017] [:error] [pid 20879] ipa: INFO: 404 Not Found: URL="/ipa/session/cookie", URL fragment "/session/cookie" does not have a handler
> > >
> > > [Thu Aug 17 12:00:17.497067 2017] [:error] [pid 20878] ipa: INFO: 401 Unauthorized: No session cookie found
> > >
> > > I know it is complaining about the new mod_gssapi but never seen this sort of
> > > problem before on IPA.
> > >
> > > Any help would be greatly appreciated.
> > >
> > > Stefan
> > >
> > > __________________________________________ __________
> > > Stefan Uygur | First Derivatives Ireland Ltd | +353 16307761 |
> > > [email protected]
> > >
> > > *******************************************************************************************************************************
> > >
> > > This email, its contents and any files attached are a confidential
> > > communication and are intended only for the named addressees indicated in
> > > the message.
> > >
> > > If you are not the named addressee or if you have received this email in
> > > error, you may not, without the consent of First Derivatives, copy, use or
> > > rely on any information or attachments in any way. Please notify the sender
> > > by return email and delete it from your email system.
> > >
> > > Unless separately agreed, First Derivatives does not accept any
> > > responsibility for the accuracy or completeness of the contents of this
> > > email or its attachments. Please note that any views, opinion or advice
> > > contained in this communication are those of the sending individual and not
> > > those of First Derivatives and First Derivatives shall have no liability
> > > whatsoever in relation to this communication (or its content) unless
> > > separately agreed.
> > >
> > > *******************************************************************************************************************************
> > >
> > > _______________________________________________
> > > FreeIPA-users mailing list -- [email protected]
> > > To unsubscribe send an email to [email protected]
> > >
> > > --
> > >
> > > Jason Sherrill
> > >
> > > IT Specialist
> > >
> > > Deeplocal Inc.
> > >
> > > mobile: 412-636-2073
> > >
> > > office: 412-362-0201
> >
> > --
> >
> > Kind regards
> >
> > Troels Hansen
> >
> > System consultant
> >
> > Casalogic A/S
> >
> > T (+45) 70 20 10 63
> >
> > M (+45) 22 43 71 57
> >
> > Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos
> > and much more.
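
Added example, not part of the original thread and not FreeIPA code: a small triage pass over an httpd error_log excerpt like the one quoted above, which sets aside the urllib3 `SecurityWarning` lines (the reply says they are not the cause) and groups the remaining entries. The category names, the function names and the sample log are constructed for this illustration.

```python
import re
from collections import Counter

# Constructed sample, shaped like the httpd error_log excerpt quoted in the thread.
SAMPLE_LOG = """\
[Thu Aug 17 11:58:57.224594 2017] [auth_gssapi:error] [pid 20884] [client IPADDR:54323] NO AUTH DATA Client did not send any authentication headers, referer: https://ipa1.example.com/ipa/ui/
[Thu Aug 17 11:58:57.266259 2017] [auth_gssapi:error] [pid 20884] [client IPADDR:54323] GSS ERROR In Negotiate Auth: gss_accept_sec_context() failed: [An unsupported mechanism was requested (Unknown error)], referer: https://ipa1.example.com/ipa/ui/
/usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now.
  SecurityWarning
[Thu Aug 17 11:59:03.638346 2017] [:error] [pid 20879] ipa: INFO: 401 Unauthorized: No session cookie found
[Thu Aug 17 12:00:01.567042 2017] [:error] [pid 20882] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate
"""

# Entry prefix as it appears in the quoted log: [timestamp] [module:level] [pid N] message
ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<mod>[^:\]]*):(?P<lvl>\w+)\] "
                   r"\[pid (?P<pid>\d+)\] (?P<msg>.*)$")

# Category names are this example's own labels, not FreeIPA terminology.
RULES = [
    ("nss_untrusted_ca", re.compile(r"SSL Library Error: -12195")),
    ("gssapi_failure", re.compile(r"GSS ERROR")),
    ("gssapi_no_auth_data", re.compile(r"NO AUTH DATA")),
    ("ipa_session", re.compile(r"ipa: INFO: 40[14] ")),
]
# The urllib3 warning (and its echoed source line) is set aside, per the reply above.
NOISE = re.compile(r"SecurityWarning")

def triage(text):
    """Return ([(category, timestamp, pid), ...], ignored_line_count)."""
    findings, ignored = [], 0
    for line in text.splitlines():
        if NOISE.search(line):
            ignored += 1
            continue
        m = ENTRY.match(line)
        if m is None:
            continue  # not an Apache-formatted entry; skip rather than guess
        for name, pattern in RULES:
            if pattern.search(m.group("msg")):
                findings.append((name, m.group("ts"), int(m.group("pid"))))
                break
    return findings, ignored

def summarize(findings):
    """Count entries per category so the dominant failure stands out."""
    return Counter(name for name, _, _ in findings)

if __name__ == "__main__":
    print(summarize(triage(SAMPLE_LOG)[0]).most_common())
```

Run against a real error_log, the per-category counts and first timestamps show whether the certificate trust error or the GSSAPI failure lines up with the failed login attempts.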
