Pete Fuller wrote:
> http error log has nothing. This is with http restart and a failed
> request for web ui. The request has no error. Is there a different log
> that I am overlooking that might have more information?

No. Create /etc/ipa/server.conf with these contents:

[global]
debug = True

Restart Apache. Try with a browser and see what gets logged, if anything.

I'd also try with the cli to compare. With the client you can add -vvv
to get a lot more client-side logging:

ipa -vvv user-show admin

rob

>
>
> [Mon May 08 10:46:14.842162 2017] [:warn] [pid 25471]
> NSSSessionCacheTimeout is deprecated. Ignoring.
> [Mon May 08 10:46:15.136803 2017] [auth_digest:notice] [pid 25471]
> AH01757: generating secret for digest authentication ...
> [Mon May 08 10:46:15.137403 2017] [lbmethod_heartbeat:notice] [pid
> 25471] AH02282: No slotmem from mod_heartmonitor
> [Mon May 08 10:46:15.137422 2017] [:warn] [pid 25471]
> NSSSessionCacheTimeout is deprecated. Ignoring.
> [Mon May 08 10:46:15.145343 2017] [mpm_prefork:notice] [pid 25471]
> AH00163: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4
> mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured
> -- resuming normal operations
> [Mon May 08 10:46:15.145378 2017] [core:notice] [pid 25471] AH00094:
> Command line: '/usr/sbin/httpd -D FOREGROUND'
> [Mon May 08 10:46:18.234880 2017] [:error] [pid 25476] ipa: INFO: ***
> PROCESS START ***
> [Mon May 08 10:46:18.431700 2017] [:error] [pid 25475] ipa: INFO: ***
> PROCESS START **
>
>
>
>> On May 8, 2017, at 1:43 PM, Rob Crittenden <rcrit...@redhat.com
>> <mailto:rcrit...@redhat.com>> wrote:
>>
>> Pete Fuller wrote:
>>> IPA command line seems to work. Have been able to use ipa user-find
>>> and ipa cert-find. Can also sudo and kinit from other machines as
>>> IPA user.
>>>
>>> Another clue here, looks like even when querying with the ipa cli tools,
>>> I’m getting 400 errors in the access logs. The top one is obviously a
>>> browser request. The next 4 were following a cli call to ipa user-find.
>>> That request does respond back with users, so not sure what is failing
>>> there. The 192.168.0.95 IP is the local ip of the IPA server itself.
>>>
>>> 192.168.51.20 - - [08/May/2017:10:31:46 -0700] "GET / HTTP/1.1" 400 347
>>> "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0)
>>> Gecko/20100101 Firefox/53.0"
>>> 192.168.0.95 - - [08/May/2017:10:32:40 -0700] "POST /ipa/json HTTP/1.1"
>>> 400 347
>>> 192.168.0.95 - - [08/May/2017:10:32:43 -0700] "POST /ipa/json HTTP/1.1"
>>> 400 347
>>> 192.168.0.95 - - [08/May/2017:10:33:01 -0700] "POST /ipa/json HTTP/1.1"
>>> 400 347
>>> 192.168.0.95 - - [08/May/2017:10:33:10 -0700] "POST /ipa/json HTTP/1.1"
>>> 400 347
>>
>> Note that client activity (login, sudo, etc) does not go through Apache.
>> Only the IPA API does (so web UI and cli).
>>
>> Still need to see the error log.
>>
>> rob
>>
>>>
>>>
>>>> On May 8, 2017, at 1:20 PM, Rob Crittenden <rcrit...@redhat.com
>>>> <mailto:rcrit...@redhat.com>
>>>> <mailto:rcrit...@redhat.com>> wrote:
>>>>
>>>> Pete Fuller wrote:
>>>>> I ran the 4.4 upgrade yesterday on a group of Centos7 servers that are
>>>>> IPA replicas for my North American datacenters. All seem to have the
>>>>> same issue that I am now unable to connect to the web UI, with the
>>>>> following error in the browser…
>>>>>
>>>>>
>>>>> Bad Request
>>>>>
>>>>> Your browser sent a request that this server could not understand.
>>>>>
>>>>> Additionally, a 400 Bad Request error was encountered while trying to
>>>>> use an ErrorDocument to handle the request.
>>>>>
>>>>>
>>>>>
>>>>> The maddening thing is I can’t find any reference in the apache logs to
>>>>> what is generating the error and why a direct request to the UI would
>>>>> error.
>>>>>
>>>>> As far as I can tell IPA is otherwise working. Logins seem to work,
>>>>> sudo rules are working, DNS is working.
>>>>>
>>>>> [root@lb3 httpd]# ipactl status
>>>>> Directory Service: RUNNING
>>>>> krb5kdc Service: RUNNING
>>>>> kadmin Service: RUNNING
>>>>> named Service: RUNNING
>>>>> ipa_memcached Service: RUNNING
>>>>> httpd Service: RUNNING
>>>>> ipa-custodia Service: RUNNING
>>>>> ntpd Service: RUNNING
>>>>> pki-tomcatd Service: RUNNING
>>>>> ipa-otpd Service: RUNNING
>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>>
>>>>> I can see one file in the httpd/conf.d directory that was changed -
>>>>> nss.conf. I attempted reverting and that did not work.
>>>>>
>>>>> Has anyone run upon this error?
>>>>
>>>> Does the ipa command-line tool work?
>>>>
>>>> What are you seeing in the Apache error log?
>>>>
>>>> rob
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
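
An added example, not part of the original thread and not FreeIPA code: a small Python triage of the access-log entries quoted above. It groups 400 responses by client and request and reports the first and last timestamp of each group, which is the window to look for in the Apache error log once debug logging is enabled. The function names, the rejoined sample lines and the two constructed lines are assumptions of this example.

```python
import re
from datetime import datetime

# Referer and user agent are optional: the thread's POST /ipa/json entries lack them.
LINE_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-)(?: "[^"]*" "[^"]*")?\s*$'
)

# The thread's five entries rejoined onto single lines, then two constructed lines
# (a 200 response and a truncated entry) to exercise the filter and the error path.
SAMPLE = '''\
192.168.51.20 - - [08/May/2017:10:31:46 -0700] "GET / HTTP/1.1" 400 347 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0) Gecko/20100101 Firefox/53.0"
192.168.0.95 - - [08/May/2017:10:32:40 -0700] "POST /ipa/json HTTP/1.1" 400 347
192.168.0.95 - - [08/May/2017:10:32:43 -0700] "POST /ipa/json HTTP/1.1" 400 347
192.168.0.95 - - [08/May/2017:10:33:01 -0700] "POST /ipa/json HTTP/1.1" 400 347
192.168.0.95 - - [08/May/2017:10:33:10 -0700] "POST /ipa/json HTTP/1.1" 400 347
192.168.0.95 - - [08/May/2017:10:34:00 -0700] "POST /ipa/json HTTP/1.1" 200 512
192.168.0.95 - - [08/May/2017:10:34:05 -0700] "POST /ipa/js
'''

def parse(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def summarize(lines, status=400):
    """Group `status` responses by (client, method, path); return (groups, skipped)."""
    groups, skipped = {}, 0
    for line in filter(str.strip, lines):  # ignore blank lines
        rec = parse(line)
        if rec is None:
            skipped += 1  # count unparsable lines instead of hiding them
        elif rec["status"] == status:
            key = (rec["client"], rec["method"], rec["path"])
            g = groups.setdefault(key, {"count": 0, "first": rec["ts"], "last": rec["ts"]})
            g["count"] += 1
            g["first"], g["last"] = min(g["first"], rec["ts"]), max(g["last"], rec["ts"])
    return groups, skipped

if __name__ == "__main__":
    for key, g in summarize(SAMPLE.splitlines())[0].items():
        print(f"{g['count']}x {' '.join(key)} {g['first']:%H:%M:%S} to {g['last']:%H:%M:%S}")
```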