On Fri, Aug 18, 2017 at 05:28:12PM +1000, Fraser Tweedale wrote:
> Hi Stefan et al,
> 
> It's hard to work out exactly what's going on.
> 
> First make sure that all certificates including the IPA CA
> certificate are within their validity period.  Make sure that CA
> certificate(s) have the correct trust flags in the /etc/httpd/alias
> NSSDB:
> 
>     certutil -d /etc/httpd/alias -L
> 
> Check /var/log/ipaupgrade.log for any errors that may have occurred
> during upgrade.
> 
> If you put SELinux into permissive mode, do run `ipactl restart`
> afterwards, before attempting to log in.
> 
> Finally, the log message:
> 
>   /usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning:
>   Certificate has no `subjectAltName`, falling back to check for a `commonName`
>   for now. This feature is being removed by major browsers and deprecated by RFC
>   2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
> 
> ... is not the cause, and can be ignored for the purposes of
> diagnosing the current problem.
> 
> Cheers,
> Fraser
> 
One more thing; on the affected master try putting `debug = True`
in /etc/ipa/default.conf and restarting FreeIPA.  You will get a lot
more debug output in the httpd logs which could help narrow down the
problem.

> 
> 
> On Fri, Aug 18, 2017 at 08:16:19AM +0200, Troels Hansen via FreeIPA-users wrote:
> > Hi Jason 
> > 
> > You aren't the only one having weird problems after updating to IPA 4.5 on
> > RHEL 7.4.
> > We are also facing problems accessing the web-ui and having a support case
> > open with Red Hat and can see from the linked (private) Red Hat bugzilla
> > that others are facing the same or other problems.
> >
> > My best shot would be to raise the issue with Red Hat. After all, that's what
> > you pay them for :-)
> > Also, for Red Hat to get a full picture of the problems I guess they
> > need all the corner-cases...
> > 
> > ----- On Aug 17, 2017, at 6:12 PM, Stefan Uygur via FreeIPA-users 
> > <freeipa-users@lists.fedorahosted.org> wrote: 
> > 
> > > Hi Jason,
> > 
> > > Thanks for the reply, but I did try that already, setting selinux in
> > > permissive mode rather than enforcing and it didn’t help.
> > 
> > > However, I didn’t see anything in audit logs that would indicate selinux
> > > as culprit.
> > 
> > > I just tried one more time right now with no joy, exact same result.
> > 
> > > Stefan
> > 
> > > From: Jason Sherrill via FreeIPA-users
> > > [mailto:freeipa-users@lists.fedorahosted.org]
> > > Sent: 17 August 2017 17:07
> > > To: FreeIPA users list
> > > Cc: Jason Sherrill
> > > Subject: [Freeipa-users] Re: web UI - login failed after updates on server
> > 
> > > Stefan,
> > 
> > > I resolved a similar issue on a Fedora host by setting selinux to
> > > permissive instead of enforcing. The setting is located in
> > 
> > > /etc/selinux/config
> > 
> > > On Thu, Aug 17, 2017 at 10:37 AM, Stefan Uygur via FreeIPA-users <
> > > freeipa-users@lists.fedorahosted.org > wrote:
> > 
> > > Hi everyone,
> > 
> > > I have an IPA instance installed and working for the last 6 months but
> > > after the patching yesterday the Web UI login has stopped working.
> > 
> > > To be clear the IPA server is fully functional at the backend, the
> > > problem is when I try to login via web UI I get the following error:
> > 
> > > Login failed due to an unknown reason.
> > 
> > > The server is a Red Hat Enterprise Linux Server release 7.4 (Maipo) with
> > > the IPA VERSION: 4.5.0, API_VERSION: 2.228
> > 
> > > Furthermore, this is what I get from apache error logs while trying to
> > > login using web UI:
> > 
> > > [Thu Aug 17 11:58:40.727456 2017] [:error] [pid 20879] ipa: INFO: *** PROCESS START ***
> > 
> > > [Thu Aug 17 11:58:40.911349 2017] [:error] [pid 20878] ipa: INFO: *** PROCESS START ***
> > 
> > > [Thu Aug 17 11:58:57.224594 2017] [auth_gssapi:error] [pid 20884] [client IPADDR:54323] NO AUTH DATA Client did not send any authentication headers, referer: https://-ipa1.example.com/ipa/ui/
> > 
> > > [Thu Aug 17 11:58:57.266259 2017] [auth_gssapi:error] [pid 20884] [client IPADDR:54323] GSS ERROR In Negotiate Auth: gss_accept_sec_context() failed: [An unsupported mechanism was requested (Unknown error)], referer: https://ipa1.example.com/ipa/ui/
> > 
> > > /usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
> > 
> > > SecurityWarning
> > 
> > > [Thu Aug 17 11:59:03.637157 2017] [:error] [pid 20878] ipa: INFO: 404 Not Found: URL="/ipa/session/cookie", URL fragment "/session/cookie" does not have a handler
> > 
> > > [Thu Aug 17 11:59:03.638346 2017] [:error] [pid 20879] ipa: INFO: 401 Unauthorized: No session cookie found
> > 
> > > [Thu Aug 17 12:00:01.567042 2017] [:error] [pid 20882] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate
> > 
> > > [Thu Aug 17 12:00:01.617683 2017] [:error] [pid 21225] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate
> > 
> > > [Thu Aug 17 12:00:09.967173 2017] [auth_gssapi:error] [pid 20881] [client IPADDR:54377] NO AUTH DATA Client did not send any authentication headers, referer: https://-ipa1.example.com/ipa/ui/
> > 
> > > /usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
> > 
> > > SecurityWarning
> > 
> > > [Thu Aug 17 12:00:17.495782 2017] [:error] [pid 20879] ipa: INFO: 404 Not Found: URL="/ipa/session/cookie", URL fragment "/session/cookie" does not have a handler
> > 
> > > [Thu Aug 17 12:00:17.497067 2017] [:error] [pid 20878] ipa: INFO: 401 Unauthorized: No session cookie found
> > 
> > > I know it is complaining about the new mod_gssapi but never seen this
> > > sort of problem before on IPA.
> > 
> > > Any help would be greatly appreciated.
> > 
> > > Stefan
> > 
> > > __________________________________________ __________
> > > Stefan Uygur | First Derivatives Ireland Ltd | +353 16307761 |
> > > suy...@firstderivatives.com
> > 
> > > *******************************************************************************************************************************
> > 
> > > This email, its contents and any files attached are a confidential 
> > > communication
> > > and are intended only for the named addressees indicated in the message.
> > 
> > > If you are not the named addressee or if you have received this email in 
> > > error,
> > > you may not, without the consent of First Derivatives, copy, use or rely 
> > > on any
> > > information or attachments in any way. Please notify the sender by return 
> > > email
> > > and delete it from your email system.
> > 
> > > Unless separately agreed, First Derivatives does not accept any 
> > > responsibility
> > > for the accuracy or completeness of the contents of this email or its
> > > attachments. Please note that any views, opinion or advice contained in 
> > > this
> > > communication are those of the sending individual and not those of First
> > > Derivatives and First Derivatives shall have no liability whatsoever in
> > > relation to this communication (or its content) unless separately agreed.
> > 
> > > *******************************************************************************************************************************
> > 
> > > _______________________________________________
> > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> > 
> > > --
> > 
> > > Jason Sherrill
> > 
> > > IT Specialist
> > 
> > > Deeplocal Inc.
> > 
> > > mobile: 412-636-2073
> > 
> > > office: 412-362-0201
> > 
> > -- 
> > 
> > Kind regards
> > 
> > Troels Hansen 
> > 
> > Systems consultant
> > 
> > Casalogic A/S 
> > 
> > T (+45) 70 20 10 63 
> > 
> > M (+45) 22 43 71 57 
> > 
> > Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos
> > and much more.
> 
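Added example, not part of the original thread or of FreeIPA: a small triage pass over httpd error_log lines like the ones quoted above, which sets the urllib3 `subjectAltName` warning aside and groups the remaining signatures with a check named in the reply. The labels, the pairing of signature to check, and the shortened sample lines are assumptions of this example.

```python
import re

# Apache 2.4 error_log prefix: [time] [module:level] [pid N] optional [client ...]
RECORD = re.compile(
    r"^\[[^\]]+\] \[[^:\]]*:\w+\] \[pid (?P<pid>\d+)\] "
    r"(?:\[client [^\]]+\] )?(?P<msg>.*)$")

# (label, signature, next check); labels and pairing are this example's assumption.
RULES = [
    ("san-warning", re.compile(r"Certificate has no `subjectAltName`"),
     "ignore while diagnosing this problem"),
    ("untrusted-ca", re.compile(r"SSL Library Error: -12195"),
     "check validity and trust flags: certutil -d /etc/httpd/alias -L"),
    ("gssapi-failure", re.compile(r"gss_accept_sec_context\(\) failed"),
     "set debug = True in /etc/ipa/default.conf and restart"),
]
IGNORED = {"san-warning", "other"}

# Constructed sample: lines from the thread, unwrapped and shortened.
SAMPLE = [
    "[Thu Aug 17 11:58:57.266259 2017] [auth_gssapi:error] [pid 20884] "
    "[client IPADDR:54323] GSS ERROR In Negotiate Auth: gss_accept_sec_context() failed",
    "/usr/lib/python2.7/site-packages/urllib3/connection.py:251: "
    "SecurityWarning: Certificate has no `subjectAltName`, falling back",
    "[Thu Aug 17 11:59:03.638346 2017] [:error] [pid 20879] ipa: INFO: "
    "401 Unauthorized: No session cookie found",
    "[Thu Aug 17 12:00:01.567042 2017] [:error] [pid 20882] "
    "SSL Library Error: -12195 Peer does not recognize and trust the CA",
    "[Thu Aug 17 12:00:01.617683 2017] [:error] [pid 21225] "
    "SSL Library Error: -12195 Peer does not recognize and trust the CA",
]

def triage(lines):
    """Group log lines by signature: label -> count, pids, next check."""
    report = {}
    for line in filter(None, (raw.strip() for raw in lines)):
        m = RECORD.match(line)
        msg = m.group("msg") if m else line  # Python warnings have no prefix
        label, step = next(((n, s) for n, p, s in RULES if p.search(msg)), ("other", None))
        entry = report.setdefault(label, {"count": 0, "pids": set(), "next": step})
        entry["count"] += 1
        if m:
            entry["pids"].add(m.group("pid"))
    return report

def actionable(lines):
    # Labels worth following up, most frequent first.
    report = triage(lines)
    return sorted((k for k in report if k not in IGNORED), key=lambda k: -report[k]["count"])
```

Feed it the unwrapped lines of the httpd error log; `triage()` keeps the ignored groups in its report so the counts can still be compared.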