Re: [Freeipa-users] Web UI unavailable after 4.4 upgrade - 400 error

2017-05-09 Thread Rob Crittenden
Pete Fuller wrote:
> From the cli - it looks like the answers I’m getting are actually coming
> from one of my non-upgraded servers. The window for those servers is
> later tonight.   The request gets denied on the localhost it seems.  
> 
> (Lb3 is the local server.  Ipa11 is offsite server that has not been
> upgraded)

It is getting a 400 from lb3 so falling back to ipa11.

I'm not sure why Apache is throwing the 400. It sure seems like it is
failing before it gets to IPA though given that nothing is logged. You
can try setting LogLevel debug in /etc/httpd/conf.d/nss.conf and
restarting to get additional debug logging out of Apache, that might
provide some insight.

Or you can diff the working and non-working ipa* conf files in
/etc/httpd/conf.d.

rob

> 
> [pfuller@lb3 ~]$ ipa -vvv user-show admin
> ipa: INFO: trying https://lb3.sac.3si/ipa/json
> ipa: INFO: Request: {
> "id": 0,
> "method": "ping",
> "params": [
> [],
> {}
> ]
> }
> send: u'POST /ipa/json HTTP/1.1\r\nHost: lb3.sac.3si\r\nAccept-Encoding:
> gzip\r\nAccept-Language: en-us\r\nReferer:
> https://lb3.sac.3si/ipa/xml\r\nAuthorization: negotiate
> \r\nUser-Agent:
> xmlrpclib.py/1.0.1 (by www.pythonware.com
> )\r\nContent-Type:
> application/json\r\nContent-Length: 47\r\n\r\n{"params": [[], {}],
> "method": "ping", "id": 0}'
> reply: 'HTTP/1.1 400 Bad Request\r\n'
> header: Date: Mon, 08 May 2017 18:04:19 GMT
> header: Server: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0
> mod_auth_kerb/5.4 mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4
> Python/2.7.5
> header: Content-Length: 347
> header: Connection: close
> header: Content-Type: text/html; charset=iso-8859-1
> ipa: INFO: trying https://ipa11.be.3si/ipa/json
> ipa: INFO: Request: {
> "id": 0,
> "method": "ping",
> "params": [
> [],
> {}
> ]
> }
> 
> 
> 
> Not seeing much in the http logs
> 
> [Mon May 08 10:59:12.855952 2017] [mpm_prefork:notice] [pid 25471]
> AH00170: caught SIGWINCH, shutting down gracefully
> [Mon May 08 10:59:14.776824 2017] [suexec:notice] [pid 26007] AH01232:
> suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Mon May 08 10:59:14.777094 2017] [:warn] [pid 26007]
> NSSSessionCacheTimeout is deprecated. Ignoring.
> [Mon May 08 10:59:15.044478 2017] [auth_digest:notice] [pid 26007]
> AH01757: generating secret for digest authentication ...
> [Mon May 08 10:59:15.045068 2017] [lbmethod_heartbeat:notice] [pid
> 26007] AH02282: No slotmem from mod_heartmonitor
> [Mon May 08 10:59:15.045085 2017] [:warn] [pid 26007]
> NSSSessionCacheTimeout is deprecated. Ignoring.
> [Mon May 08 10:59:15.053163 2017] [mpm_prefork:notice] [pid 26007]
> AH00163: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4
> mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured
> -- resuming normal operations
> [Mon May 08 10:59:15.053200 2017] [core:notice] [pid 26007] AH00094:
> Command line: '/usr/sbin/httpd -D FOREGROUND'
> [Mon May 08 10:59:15.321418 2017] [:error] [pid 26014] ipa: DEBUG:
> importing all plugin modules in ipaserver.plugins...
> [Mon May 08 10:59:15.322362 2017] [:error] [pid 26014] ipa: DEBUG:
> importing plugin module ipaserver.plugins.aci
> [Mon May 08 10:59:15.345957 2017] [:error] [pid 26014] ipa: DEBUG:
> importing plugin module ipaserver.plugins.automember
> [Mon May 08 10:59:15.364950 2017] [:error] [pid 26014] ipa: DEBUG:
> importing plugin module ipaserver.plugins.automount
> [Mon May 08 10:59:15.370011 2017] [:error] [pid 26014] ipa: DEBUG:
> importing plugin module ipaserver.plugins.baseldap
> [Mon May 08 10:59:15.370124 2017] [:error] [pid 26014] ipa: DEBUG:
> ipaserver.plugins.baseldap is not a valid plugin module
> [Mon May 08 10:59:15.370198 2017] [:error] [pid 26014] ipa: DEBUG:
> importing plugin module ipaserver.plugins.baseuser
> [Mon May 08 10:59:15.404084 2017] [:error] [pid 26014] ipa: DEBUG:
> importing plugin module ipaserver.plugins.batch
> [Mon May 08 10:59:15.404901 2017] [:error] [pid 26014] ipa: DEBUG:
> importing plugin module ipaserver.plugins.ca 
> [Mon May 08 10:59:15.451277 2017] [:error] [pid 26014] ipa: DEBUG:
> importing plugin 
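Added example, not part of the original thread or of FreeIPA: a small Python parser for `ipa -vvv` output that lists each server the client tried, the HTTP status it got back, and which server finally answered, so the lb3-to-ipa11 fallback described in the message above is explicit. The sample input is constructed from the output quoted in the thread; the 200 reply from ipa11 and all function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the `ipa -vvv` output quoted in the thread.
# The 200 reply from ipa11 is an assumption: the quoted output is cut off
# before the second server answers.
SAMPLE = r"""
ipa: INFO: trying https://lb3.sac.3si/ipa/json
send: u'POST /ipa/json HTTP/1.1\r\nHost: lb3.sac.3si\r\n...'
reply: 'HTTP/1.1 400 Bad Request\r\n'
header: Content-Length: 347
header: Connection: close
ipa: INFO: trying https://ipa11.be.3si/ipa/json
send: u'POST /ipa/json HTTP/1.1\r\nHost: ipa11.be.3si\r\n...'
reply: 'HTTP/1.1 200 OK\r\n'
header: Content-Type: application/json; charset=utf-8
"""

TRYING = re.compile(r"^ipa: INFO: trying (\S+)")
REPLY = re.compile(r"^reply: 'HTTP/\d\.\d (\d{3})")


def attempts(output):
    """Return one dict per server tried, in order: host, url, statuses."""
    tried = []
    for raw in output.splitlines():
        line = raw.lstrip("> \t")  # tolerate mail-quoted ("> ") output
        m = TRYING.match(line)
        if m:
            url = m.group(1)
            tried.append({"host": urlsplit(url).hostname,
                          "url": url, "statuses": []})
            continue
        m = REPLY.match(line)
        if m and tried:
            # A server may reply more than once (e.g. 401 then 200 during
            # Negotiate), so keep every status seen for this attempt.
            tried[-1]["statuses"].append(int(m.group(1)))
    return tried


def final_status(attempt):
    """Last HTTP status seen for an attempt, or None if it never replied."""
    return attempt["statuses"][-1] if attempt["statuses"] else None


def failed_over(output):
    """(host, final status) for every server abandoned before the last one."""
    return [(a["host"], final_status(a)) for a in attempts(output)[:-1]]


def answered_by(output):
    """Host of the last server tried if it returned 2xx, else None."""
    tried = attempts(output)
    if tried:
        status = final_status(tried[-1])
        if status is not None and 200 <= status < 300:
            return tried[-1]["host"]
    return None


if __name__ == "__main__":
    for host, status in failed_over(SAMPLE):
        print("abandoned %s (HTTP %s)" % (host, status))
    print("answered by:", answered_by(SAMPLE))
```

Pipe real output through it with `ipa -vvv user-show admin 2>&1` saved to a file; a host listed as abandoned with status 400 is the one whose Apache configuration needs attention.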

Re: [Freeipa-users] Web UI unavailable after 4.4 upgrade - 400 error

2017-05-08 Thread Pete Fuller
From the cli - it looks like the answers I’m getting are actually coming from 
one of my non-upgraded servers. The window for those servers is later tonight.   
The request gets denied on the localhost it seems.  

(Lb3 is the local server.  Ipa11 is offsite server that has not been upgraded)

[pfuller@lb3 ~]$ ipa -vvv user-show admin
ipa: INFO: trying https://lb3.sac.3si/ipa/json
ipa: INFO: Request: {
"id": 0,
"method": "ping",
"params": [
[],
{}
]
}
send: u'POST /ipa/json HTTP/1.1\r\nHost: lb3.sac.3si\r\nAccept-Encoding: 
gzip\r\nAccept-Language: en-us\r\nReferer: 
https://lb3.sac.3si/ipa/xml\r\nAuthorization: negotiate 
\r\nUser-Agent:
 xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type: 
application/json\r\nContent-Length: 47\r\n\r\n{"params": [[], {}], "method": 
"ping", "id": 0}'
reply: 'HTTP/1.1 400 Bad Request\r\n'
header: Date: Mon, 08 May 2017 18:04:19 GMT
header: Server: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4 
mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5
header: Content-Length: 347
header: Connection: close
header: Content-Type: text/html; charset=iso-8859-1
ipa: INFO: trying https://ipa11.be.3si/ipa/json
ipa: INFO: Request: {
"id": 0,
"method": "ping",
"params": [
[],
{}
]
}



Not seeing much in the http logs

[Mon May 08 10:59:12.855952 2017] [mpm_prefork:notice] [pid 25471] AH00170: 
caught SIGWINCH, shutting down gracefully
[Mon May 08 10:59:14.776824 2017] [suexec:notice] [pid 26007] AH01232: suEXEC 
mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon May 08 10:59:14.777094 2017] [:warn] [pid 26007] NSSSessionCacheTimeout is 
deprecated. Ignoring.
[Mon May 08 10:59:15.044478 2017] [auth_digest:notice] [pid 26007] AH01757: 
generating secret for digest authentication ...
[Mon May 08 10:59:15.045068 2017] [lbmethod_heartbeat:notice] [pid 26007] 
AH02282: No slotmem from mod_heartmonitor
[Mon May 08 10:59:15.045085 2017] [:warn] [pid 26007] NSSSessionCacheTimeout is 
deprecated. Ignoring.
[Mon May 08 10:59:15.053163 2017] [mpm_prefork:notice] [pid 26007] AH00163: 
Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4 mod_nss/1.0.14 
NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal 
operations
[Mon May 08 10:59:15.053200 2017] [core:notice] [pid 26007] AH00094: Command 
line: '/usr/sbin/httpd -D FOREGROUND'
[Mon May 08 10:59:15.321418 2017] [:error] [pid 26014] ipa: DEBUG: importing 
all plugin modules in ipaserver.plugins...
[Mon May 08 10:59:15.322362 2017] [:error] [pid 26014] ipa: DEBUG: importing 
plugin module ipaserver.plugins.aci
[Mon May 08 10:59:15.345957 2017] [:error] [pid 26014] ipa: DEBUG: importing 
plugin module ipaserver.plugins.automember
[Mon May 08 10:59:15.364950 2017] [:error] [pid 26014] ipa: DEBUG: importing 
plugin module ipaserver.plugins.automount
[Mon May 08 10:59:15.370011 2017] [:error] [pid 26014] ipa: DEBUG: importing 
plugin module ipaserver.plugins.baseldap
[Mon May 08 10:59:15.370124 2017] [:error] [pid 26014] ipa: DEBUG: 
ipaserver.plugins.baseldap is not a valid plugin module
[Mon May 08 10:59:15.370198 2017] [:error] [pid 26014] ipa: DEBUG: importing 
plugin module ipaserver.plugins.baseuser
[Mon May 08 10:59:15.404084 2017] [:error] [pid 26014] ipa: DEBUG: importing 
plugin module ipaserver.plugins.batch
[Mon May 08 10:59:15.404901 2017] [:error] [pid 26014] ipa: DEBUG: importing 
plugin module ipaserver.plugins.ca
[Mon May 08 10:59:15.451277 2017] [:error] [pid 26014] ipa: DEBUG: importing 
plugin module ipaserver.plugins.caacl
[Mon May 08 10:59:15.451621 2017] [:error] [pid 26014] ipa: DEBUG: importing 
plugin module ipaserver.plugins.cert
[Mon May 08 10:59:15.451817 2017] [:error] [pid 26014] ipa: DEBUG: importing 
plugin module ipaserver.plugins.certprofile
[Mon May 08 10:59:15.451978 2017] [:error] [pid 26014] ipa: DEBUG: importing 
plugin module ipaserver.plugins.config
[Mon May 08 10:59:15.462890 2017] [:error] [pid 26013] ipa: DEBUG: importing 
all plugin modules in ipaserver.plugins...
[Mon May 08 10:59:15.463836 2017] [:error] [pid 26013] ipa: DEBUG: importing 
plugin module ipaserver.plugins.aci
[Mon May 08 10:59:15.471193 2017] 

Re: [Freeipa-users] Web UI unavailable after 4.4 upgrade - 400 error

2017-05-08 Thread Rob Crittenden
Pete Fuller wrote:
> http error log has nothing.  This is with http restart and a failed
> request for web ui.  The request has no error.  Is there a different log
> that I am overlooking that might have more information?

No.

Create /etc/ipa/server.conf with these contents:

[global]
debug = True

Restart Apache.

Try with a browser and see what gets logged, if anything.

I'd also try with the cli to compare. With the client you can add -vvv
to get a lot more client-side logging: ipa -vvv user-show admin

rob

> 
> 
> [Mon May 08 10:46:14.842162 2017] [:warn] [pid 25471]
> NSSSessionCacheTimeout is deprecated. Ignoring.
> [Mon May 08 10:46:15.136803 2017] [auth_digest:notice] [pid 25471]
> AH01757: generating secret for digest authentication ...
> [Mon May 08 10:46:15.137403 2017] [lbmethod_heartbeat:notice] [pid
> 25471] AH02282: No slotmem from mod_heartmonitor
> [Mon May 08 10:46:15.137422 2017] [:warn] [pid 25471]
> NSSSessionCacheTimeout is deprecated. Ignoring.
> [Mon May 08 10:46:15.145343 2017] [mpm_prefork:notice] [pid 25471]
> AH00163: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4
> mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured
> -- resuming normal operations
> [Mon May 08 10:46:15.145378 2017] [core:notice] [pid 25471] AH00094:
> Command line: '/usr/sbin/httpd -D FOREGROUND'
> [Mon May 08 10:46:18.234880 2017] [:error] [pid 25476] ipa: INFO: ***
> PROCESS START ***
> [Mon May 08 10:46:18.431700 2017] [:error] [pid 25475] ipa: INFO: ***
> PROCESS START **
> 
> 
> 
>> On May 8, 2017, at 1:43 PM, Rob Crittenden wrote:
>>
>> Pete Fuller wrote:
>>> IPA command line seems to work.   Have been able to use ipa user-find
>>> and ipa cert-find.  Can also sudo and kinit from other machines as
>>> IPA user.
>>>
>>> Another clue here, looks like even when querying with the ipa cli tools,
>>> I’m getting 400 errors in the access logs.  The top one is obviously a
>>> browser request.  The next 4 were following a cli call to ipa user-find.
>>> That request does respond back with users, so not sure what is failing
>>> there.  The 192.168.0.95 IP is the local ip of the IPA server itself. 
>>>
>>> 192.168.51.20 - - [08/May/2017:10:31:46 -0700] "GET / HTTP/1.1" 400 347
>>> "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0)
>>> Gecko/20100101 Firefox/53.0"
>>> 192.168.0.95 - - [08/May/2017:10:32:40 -0700] "POST /ipa/json HTTP/1.1"
>>> 400 347
>>> 192.168.0.95 - - [08/May/2017:10:32:43 -0700] "POST /ipa/json HTTP/1.1"
>>> 400 347
>>> 192.168.0.95 - - [08/May/2017:10:33:01 -0700] "POST /ipa/json HTTP/1.1"
>>> 400 347
>>> 192.168.0.95 - - [08/May/2017:10:33:10 -0700] "POST /ipa/json HTTP/1.1"
>>> 400 347
>>
>> Note that client activity (login, sudo, etc) does not go through Apache.
>> Only the IPA API does (so web UI and cli).
>>
>> Still need to see the error log.
>>
>> rob
>>
>>>
>>>
>>>> On May 8, 2017, at 1:20 PM, Rob Crittenden wrote:
>>>>
>>>> Pete Fuller wrote:
>>>>> I ran the 4.4 upgrade yesterday on a group of Centos7 servers that are
>>>>> IPA replicas for my North American datacenters.  All seem to have the
>>>>> same issue that I am now unable to connect to the web UI, with the
>>>>> following error in the browser…
>>>>>
>>>>>
>>>>> Bad Request
>>>>>
>>>>> Your browser sent a request that this server could not understand.
>>>>>
>>>>> Additionally, a 400 Bad Request error was encountered while trying to
>>>>> use an ErrorDocument to handle the request.
>>>>>
>>>>>
>>>>>
>>>>> The maddening thing is I can’t find any reference in the apache logs to
>>>>> what is generating the error and why a direct request to the UI would
>>>>> error.
>>>>>
>>>>> As far as I can tell IPA is otherwise working.  Logins seem to work,
>>>>> sudo rules are working, DNS is working.
>>>>>
>>>>> [root@lb3 httpd]# ipactl status
>>>>> Directory Service: RUNNING
>>>>> krb5kdc Service: RUNNING
>>>>> kadmin Service: RUNNING
>>>>> named Service: RUNNING
>>>>> ipa_memcached Service: RUNNING
>>>>> httpd Service: RUNNING
>>>>> ipa-custodia Service: RUNNING
>>>>> ntpd Service: RUNNING
>>>>> pki-tomcatd Service: RUNNING
>>>>> ipa-otpd Service: RUNNING
>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>>
>>>>> I can see one file in the httpd/conf.d directory that was changed -
>>>>> nss.conf.  I attempted reverting and that did not work.
>>>>>
>>>>> Has anyone run upon this error?
>>>>
>>>> Does the ipa command-line tool work?
>>>>
>>>> What are you seeing in the Apache error log?
>>>>
>>>> rob
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Web UI unavailable after 4.4 upgrade - 400 error

2017-05-08 Thread Pete Fuller
http error log has nothing.  This is with http restart and a failed request for 
web ui.  The request has no error.  Is there a different log that I am 
overlooking that might have more information?


[Mon May 08 10:46:14.842162 2017] [:warn] [pid 25471] NSSSessionCacheTimeout is 
deprecated. Ignoring.
[Mon May 08 10:46:15.136803 2017] [auth_digest:notice] [pid 25471] AH01757: 
generating secret for digest authentication ...
[Mon May 08 10:46:15.137403 2017] [lbmethod_heartbeat:notice] [pid 25471] 
AH02282: No slotmem from mod_heartmonitor
[Mon May 08 10:46:15.137422 2017] [:warn] [pid 25471] NSSSessionCacheTimeout is 
deprecated. Ignoring.
[Mon May 08 10:46:15.145343 2017] [mpm_prefork:notice] [pid 25471] AH00163: 
Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4 mod_nss/1.0.14 
NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal 
operations
[Mon May 08 10:46:15.145378 2017] [core:notice] [pid 25471] AH00094: Command 
line: '/usr/sbin/httpd -D FOREGROUND'
[Mon May 08 10:46:18.234880 2017] [:error] [pid 25476] ipa: INFO: *** PROCESS 
START ***
[Mon May 08 10:46:18.431700 2017] [:error] [pid 25475] ipa: INFO: *** PROCESS 
START **



> On May 8, 2017, at 1:43 PM, Rob Crittenden  wrote:
> 
> Pete Fuller wrote:
>> IPA command line seems to work.   Have been able to use ipa user-find
>> and ipa cert-find.  Can also sudo and kinit from other machines as IPA user.
>> 
>> Another clue here, looks like even when querying with the ipa cli tools,
>> I’m getting 400 errors in the access logs.  The top one is obviously a
>> browser request.  The next 4 were following a cli call to ipa user-find.
>> That request does respond back with users, so not sure what is failing
>> there.  The 192.168.0.95 IP is the local ip of the IPA server itself. 
>> 
>> 192.168.51.20 - - [08/May/2017:10:31:46 -0700] "GET / HTTP/1.1" 400 347
>> "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0)
>> Gecko/20100101 Firefox/53.0"
>> 192.168.0.95 - - [08/May/2017:10:32:40 -0700] "POST /ipa/json HTTP/1.1"
>> 400 347
>> 192.168.0.95 - - [08/May/2017:10:32:43 -0700] "POST /ipa/json HTTP/1.1"
>> 400 347
>> 192.168.0.95 - - [08/May/2017:10:33:01 -0700] "POST /ipa/json HTTP/1.1"
>> 400 347
>> 192.168.0.95 - - [08/May/2017:10:33:10 -0700] "POST /ipa/json HTTP/1.1"
>> 400 347
> 
> Note that client activity (login, sudo, etc) does not go through Apache.
> Only the IPA API does (so web UI and cli).
> 
> Still need to see the error log.
> 
> rob
> 
>> 
>> 
>>> On May 8, 2017, at 1:20 PM, Rob Crittenden wrote:
>>> 
>>> Pete Fuller wrote:
>>>> I ran the 4.4 upgrade yesterday on a group of Centos7 servers that are
>>>> IPA replicas for my North American datacenters.  All seem to have the
>>>> same issue that I am now unable to connect to the web UI, with the
>>>> following error in the browser…
>>>>
>>>>
>>>> Bad Request
>>>>
>>>> Your browser sent a request that this server could not understand.
>>>>
>>>> Additionally, a 400 Bad Request error was encountered while trying to
>>>> use an ErrorDocument to handle the request.
>>>>
>>>>
>>>>
>>>> The maddening thing is I can’t find any reference in the apache logs to
>>>> what is generating the error and why a direct request to the UI would
>>>> error.
>>>>
>>>> As far as I can tell IPA is otherwise working.  Logins seem to work,
>>>> sudo rules are working, DNS is working.
>>>>
>>>> [root@lb3 httpd]# ipactl status
>>>> Directory Service: RUNNING
>>>> krb5kdc Service: RUNNING
>>>> kadmin Service: RUNNING
>>>> named Service: RUNNING
>>>> ipa_memcached Service: RUNNING
>>>> httpd Service: RUNNING
>>>> ipa-custodia Service: RUNNING
>>>> ntpd Service: RUNNING
>>>> pki-tomcatd Service: RUNNING
>>>> ipa-otpd Service: RUNNING
>>>> ipa-dnskeysyncd Service: RUNNING
>>>>
>>>> I can see one file in the httpd/conf.d directory that was changed -
>>>> nss.conf.  I attempted reverting and that did not work.
>>>>
>>>> Has anyone run upon this error?
>>> 
>>> Does the ipa command-line tool work?
>>> 
>>> What are you seeing in the Apache error log?
>>> 
>>> rob


Re: [Freeipa-users] Web UI unavailable after 4.4 upgrade - 400 error

2017-05-08 Thread Rob Crittenden
Pete Fuller wrote:
> IPA command line seems to work.   Have been able to use ipa user-find
> and ipa cert-find.  Can also sudo and kinit from other machines as IPA user.
> 
> Another clue here, looks like even when querying with the ipa cli tools,
> I’m getting 400 errors in the access logs.  The top one is obviously a
> browser request.  The next 4 were following a cli call to ipa user-find.
>  That request does respond back with users, so not sure what is failing
> there.  The 192.168.0.95 IP is the local ip of the IPA server itself. 
> 
> 192.168.51.20 - - [08/May/2017:10:31:46 -0700] "GET / HTTP/1.1" 400 347
> "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0)
> Gecko/20100101 Firefox/53.0"
> 192.168.0.95 - - [08/May/2017:10:32:40 -0700] "POST /ipa/json HTTP/1.1"
> 400 347
> 192.168.0.95 - - [08/May/2017:10:32:43 -0700] "POST /ipa/json HTTP/1.1"
> 400 347
> 192.168.0.95 - - [08/May/2017:10:33:01 -0700] "POST /ipa/json HTTP/1.1"
> 400 347
> 192.168.0.95 - - [08/May/2017:10:33:10 -0700] "POST /ipa/json HTTP/1.1"
> 400 347

Note that client activity (login, sudo, etc) does not go through Apache.
Only the IPA API does (so web UI and cli).

Still need to see the error log.

rob

> 
> 
>> On May 8, 2017, at 1:20 PM, Rob Crittenden wrote:
>>
>> Pete Fuller wrote:
>>> I ran the 4.4 upgrade yesterday on a group of Centos7 servers that are
>>> IPA replicas for my North American datacenters.  All seem to have the
>>> same issue that I am now unable to connect to the web UI, with the
>>> following error in the browser…
>>>
>>>
>>>  Bad Request
>>>
>>> Your browser sent a request that this server could not understand.
>>>
>>> Additionally, a 400 Bad Request error was encountered while trying to
>>> use an ErrorDocument to handle the request.
>>>
>>>
>>>
>>> The maddening thing is I can’t find any reference in the apache logs to
>>> what is generating the error and why a direct request to the UI would
>>> error. 
>>>
>>> As far as I can tell IPA is otherwise working.  Logins seem to work,
>>> sudo rules are working, DNS is working.  
>>>
>>> [root@lb3 httpd]# ipactl status
>>> Directory Service: RUNNING
>>> krb5kdc Service: RUNNING
>>> kadmin Service: RUNNING
>>> named Service: RUNNING
>>> ipa_memcached Service: RUNNING
>>> httpd Service: RUNNING
>>> ipa-custodia Service: RUNNING
>>> ntpd Service: RUNNING
>>> pki-tomcatd Service: RUNNING
>>> ipa-otpd Service: RUNNING
>>> ipa-dnskeysyncd Service: RUNNING
>>>
>>> I can see one file in the httpd/conf.d directory that was changed -
>>> nss.conf.  I attempted reverting and that did not work.
>>>
>>> Has anyone run upon this error?  
>>
>> Does the ipa command-line tool work?
>>
>> What are you seeing in the Apache error log?
>>
>> rob
> 


Re: [Freeipa-users] Web UI unavailable after 4.4 upgrade - 400 error

2017-05-08 Thread Pete Fuller
That was my first thought too.  Tried with different browsers, in incognito, 
etc.  


> On May 8, 2017, at 1:24 PM, Per Qvindesland  wrote:
> 
> Tried with another browser? 400 normally means an issue with cookies or cache.
> 
> Sent from my Commodore 64
> 
>> On 8 May 2017, at 17:59, Pete Fuller  wrote:
>> 
>> an




Re: [Freeipa-users] Web UI unavailable after 4.4 upgrade - 400 error

2017-05-08 Thread Per Qvindesland
Tried with another browser? 400 normally means an issue with cookies or cache.

Sent from my Commodore 64

> On 8 May 2017, at 17:59, Pete Fuller  wrote:
> 
> an



Re: [Freeipa-users] Web UI unavailable after 4.4 upgrade - 400 error

2017-05-08 Thread Rob Crittenden
Pete Fuller wrote:
> I ran the 4.4 upgrade yesterday on a group of Centos7 servers that are
> IPA replicas for my North American datacenters.  All seem to have the
> same issue that I am now unable to connect to the web UI, with the
> following error in the browser…
> 
> 
>   Bad Request
> 
> Your browser sent a request that this server could not understand.
> 
> Additionally, a 400 Bad Request error was encountered while trying to
> use an ErrorDocument to handle the request.
> 
> 
> 
> The maddening thing is I can’t find any reference in the apache logs to
> what is generating the error and why a direct request to the UI would
> error. 
> 
> As far as I can tell IPA is otherwise working.  Logins seem to work,
> sudo rules are working, DNS is working.  
> 
> [root@lb3 httpd]# ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> ntpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> 
> I can see one file in the httpd/conf.d directory that was changed -
> nss.conf.  I attempted reverting and that did not work.
> 
> Has anyone run upon this error?  

Does the ipa command-line tool work?

What are you seeing in the Apache error log?

rob
