[Freeipa-users] Web UI unavailable after 4.4 upgrade - 400 error
Pete Fuller
pfuller at 3sitracking.com
Mon May 8 17:49:28 UTC 2017
http error log has nothing. This is with http restart and a failed request for web ui. The request has no error. Is there a different log that I am overlooking that might have more information?
[Mon May 08 10:46:14.842162 2017] [:warn] [pid 25471] NSSSessionCacheTimeout is deprecated. Ignoring.
[Mon May 08 10:46:15.136803 2017] [auth_digest:notice] [pid 25471] AH01757: generating secret for digest authentication ...
[Mon May 08 10:46:15.137403 2017] [lbmethod_heartbeat:notice] [pid 25471] AH02282: No slotmem from mod_heartmonitor
[Mon May 08 10:46:15.137422 2017] [:warn] [pid 25471] NSSSessionCacheTimeout is deprecated. Ignoring.
[Mon May 08 10:46:15.145343 2017] [mpm_prefork:notice] [pid 25471] AH00163: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4 mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations
[Mon May 08 10:46:15.145378 2017] [core:notice] [pid 25471] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon May 08 10:46:18.234880 2017] [:error] [pid 25476] ipa: INFO: *** PROCESS START ***
[Mon May 08 10:46:18.431700 2017] [:error] [pid 25475] ipa: INFO: *** PROCESS START **
> On May 8, 2017, at 1:43 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Pete Fuller wrote:
>> IPA command line seems to work. Have been able to use ipa user-find
>> and ipa cert-find. Can also sudo and kinit from other machines as IPA user.
>>
>> Another clue here, looks like even when querying with the ipa cli tools,
>> I’m getting 400 errors in the access logs. The top one is obviously a
>> browser request. The next 4 were following a cli call to ipa user-find.
>> That request does respond back with users, so not sure what is failing
>> there. The 192.168.0.95 IP is the local ip of the IPA server itself.
>>
>> 192.168.51.20 - - [08/May/2017:10:31:46 -0700] "GET / HTTP/1.1" 400 347
>> "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0)
>> Gecko/20100101 Firefox/53.0"
>> 192.168.0.95 - - [08/May/2017:10:32:40 -0700] "POST /ipa/json HTTP/1.1"
>> 400 347
>> 192.168.0.95 - - [08/May/2017:10:32:43 -0700] "POST /ipa/json HTTP/1.1"
>> 400 347
>> 192.168.0.95 - - [08/May/2017:10:33:01 -0700] "POST /ipa/json HTTP/1.1"
>> 400 347
>> 192.168.0.95 - - [08/May/2017:10:33:10 -0700] "POST /ipa/json HTTP/1.1"
>> 400 347
>
> Note that client activity (login, sudo, etc) does not go through Apache.
> Only the IPA API does (so web UI and cli).
>
> Still need to see the error log.
>
> rob
>
>>
>>
>>> On May 8, 2017, at 1:20 PM, Rob Crittenden <rcritten at redhat.com <mailto:rcritten at redhat.com>
>>> <mailto:rcritten at redhat.com <mailto:rcritten at redhat.com>>> wrote:
>>>
>>> Pete Fuller wrote:
>>>> I ran the 4.4 upgrade yesterday on a group of Centos7 servers that are
>>>> IPA replicas for my North American datacenters. All seem to have the
>>>> same issue that I am now unable to connect to the web UI, with the
>>>> following error in the browser…
>>>>
>>>>
>>>> Bad Request
>>>>
>>>> Your browser sent a request that this server could not understand.
>>>>
>>>> Additionally, a 400 Bad Request error was encountered while trying to
>>>> use an ErrorDocument to handle the request.
>>>>
>>>>
>>>>
>>>> The maddening thing is I can’t find any reference in the apache logs to
>>>> what is generating the error and why a direct request to the UI would
>>>> error.
>>>>
>>>> As far as I can tell IPA is otherwise working. Logins seem to work,
>>>> sudo rules are working, DNS is working.
>>>>
>>>> [root at lb3 httpd]# ipactl status
>>>> Directory Service: RUNNING
>>>> krb5kdc Service: RUNNING
>>>> kadmin Service: RUNNING
>>>> named Service: RUNNING
>>>> ipa_memcached Service: RUNNING
>>>> httpd Service: RUNNING
>>>> ipa-custodia Service: RUNNING
>>>> ntpd Service: RUNNING
>>>> pki-tomcatd Service: RUNNING
>>>> ipa-otpd Service: RUNNING
>>>> ipa-dnskeysyncd Service: RUNNING
>>>>
>>>> I can see one file in the httpd/conf.d directory that was changed -
>>>> nss.conf. I attempted reverting and that did not work.
>>>>
>>>> Has anyone run upon this error?
>>>
>>> Does the ipa command-line tool work?
>>>
>>> What are you seeing in the Apache error log?
>>>
>>> rob
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20170508/adb26515/attachment.htm>
More information about the Freeipa-users
mailing list