[Freeipa-users] Web UI unavailable after 4.4 upgrade - 400 error

Rob Crittenden rcritten at redhat.com
Mon May 8 17:43:53 UTC 2017 

Pete Fuller wrote:
> IPA command line seems to work.   Have been able to use ipa user-find
> and ipa cert-find.  Can also sudo and kinit from other machines as IPA user.
> 
> Another clue here, looks like even when querying with the ipa cli tools,
> I’m getting 400 errors in the access logs.  The top one is obviously a
> browser request.  The next 4 were following a cli call to ipa user-find.
>  That request does respond back with users, so not sure what is failing
> there.  The 192.168.0.95 IP is the local ip of the IPA server itself. 
> 
> 192.168.51.20 - - [08/May/2017:10:31:46 -0700] "GET / HTTP/1.1" 400 347
> "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0)
> Gecko/20100101 Firefox/53.0"
> 192.168.0.95 - - [08/May/2017:10:32:40 -0700] "POST /ipa/json HTTP/1.1"
> 400 347
> 192.168.0.95 - - [08/May/2017:10:32:43 -0700] "POST /ipa/json HTTP/1.1"
> 400 347
> 192.168.0.95 - - [08/May/2017:10:33:01 -0700] "POST /ipa/json HTTP/1.1"
> 400 347
> 192.168.0.95 - - [08/May/2017:10:33:10 -0700] "POST /ipa/json HTTP/1.1"
> 400 347

Note that client activity (login, sudo, etc) does not go through Apache.
Only the IPA API does (so web UI and cli).

Still need to see the error log.

rob

> 
> 
>> On May 8, 2017, at 1:20 PM, Rob Crittenden <rcritten at redhat.com
>> <mailto:rcritten at redhat.com>> wrote:
>>
>> Pete Fuller wrote:
>>> I ran the 4.4 upgrade yesterday on a group of Centos7 servers that are
>>> IPA replicas for my North American datacenters.  All seem to have the
>>> same issue that I am now unable to connect to the web UI, with the
>>> following error in the browser…
>>>
>>>
>>>  Bad Request
>>>
>>> Your browser sent a request that this server could not understand.
>>>
>>> Additionally, a 400 Bad Request error was encountered while trying to
>>> use an ErrorDocument to handle the request.
>>>
>>>
>>>
>>> The maddening thing is I can’t find any reference in the apache logs to
>>> what is generating the error and why a direct request to the UI would
>>> error. 
>>>
>>> As far as I can tell IPA is otherwise working.  Logins seem to work,
>>> sudo rules are working, DNS is working.  
>>>
>>> [root at lb3 httpd]# ipactl status
>>> Directory Service: RUNNING
>>> krb5kdc Service: RUNNING
>>> kadmin Service: RUNNING
>>> named Service: RUNNING
>>> ipa_memcached Service: RUNNING
>>> httpd Service: RUNNING
>>> ipa-custodia Service: RUNNING
>>> ntpd Service: RUNNING
>>> pki-tomcatd Service: RUNNING
>>> ipa-otpd Service: RUNNING
>>> ipa-dnskeysyncd Service: RUNNING
>>>
>>> I can see one file in the httpd/conf.d directory that was changed -
>>> nss.conf.  I attempted reverting and that did not work.
>>>
>>> Has anyone run upon this error?  
>>
>> Does the ipa command-line tool work?
>>
>> What are you seeing in the Apache error log?
>>
>> rob
>

More information about the Freeipa-users mailing list