[Freeipa-users] Web UI unavailable after 4.4 upgrade - 400 error

Pete Fuller pfuller at 3sitracking.com
Mon May 8 17:49:28 UTC 2017 

http error log has nothing.  This is with http restart and a failed request for web ui.  The request has no error.  Is there a different log that I am overlooking that might have more information?


[Mon May 08 10:46:14.842162 2017] [:warn] [pid 25471] NSSSessionCacheTimeout is deprecated. Ignoring.
[Mon May 08 10:46:15.136803 2017] [auth_digest:notice] [pid 25471] AH01757: generating secret for digest authentication ...
[Mon May 08 10:46:15.137403 2017] [lbmethod_heartbeat:notice] [pid 25471] AH02282: No slotmem from mod_heartmonitor
[Mon May 08 10:46:15.137422 2017] [:warn] [pid 25471] NSSSessionCacheTimeout is deprecated. Ignoring.
[Mon May 08 10:46:15.145343 2017] [mpm_prefork:notice] [pid 25471] AH00163: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4 mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations
[Mon May 08 10:46:15.145378 2017] [core:notice] [pid 25471] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon May 08 10:46:18.234880 2017] [:error] [pid 25476] ipa: INFO: *** PROCESS START ***
[Mon May 08 10:46:18.431700 2017] [:error] [pid 25475] ipa: INFO: *** PROCESS START **



> On May 8, 2017, at 1:43 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> 
> Pete Fuller wrote:
>> IPA command line seems to work.   Have been able to use ipa user-find
>> and ipa cert-find.  Can also sudo and kinit from other machines as IPA user.
>> 
>> Another clue here, looks like even when querying with the ipa cli tools,
>> I’m getting 400 errors in the access logs.  The top one is obviously a
>> browser request.  The next 4 were following a cli call to ipa user-find.
>> That request does respond back with users, so not sure what is failing
>> there.  The 192.168.0.95 IP is the local ip of the IPA server itself. 
>> 
>> 192.168.51.20 - - [08/May/2017:10:31:46 -0700] "GET / HTTP/1.1" 400 347
>> "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0)
>> Gecko/20100101 Firefox/53.0"
>> 192.168.0.95 - - [08/May/2017:10:32:40 -0700] "POST /ipa/json HTTP/1.1"
>> 400 347
>> 192.168.0.95 - - [08/May/2017:10:32:43 -0700] "POST /ipa/json HTTP/1.1"
>> 400 347
>> 192.168.0.95 - - [08/May/2017:10:33:01 -0700] "POST /ipa/json HTTP/1.1"
>> 400 347
>> 192.168.0.95 - - [08/May/2017:10:33:10 -0700] "POST /ipa/json HTTP/1.1"
>> 400 347
> 
> Note that client activity (login, sudo, etc) does not go through Apache.
> Only the IPA API does (so web UI and cli).
> 
> Still need to see the error log.
> 
> rob
> 
>> 
>> 
>>> On May 8, 2017, at 1:20 PM, Rob Crittenden <rcritten at redhat.com <mailto:rcritten at redhat.com>
>>> <mailto:rcritten at redhat.com <mailto:rcritten at redhat.com>>> wrote:
>>> 
>>> Pete Fuller wrote:
>>>> I ran the 4.4 upgrade yesterday on a group of Centos7 servers that are
>>>> IPA replicas for my North American datacenters.  All seem to have the
>>>> same issue that I am now unable to connect to the web UI, with the
>>>> following error in the browser…
>>>> 
>>>> 
>>>> Bad Request
>>>> 
>>>> Your browser sent a request that this server could not understand.
>>>> 
>>>> Additionally, a 400 Bad Request error was encountered while trying to
>>>> use an ErrorDocument to handle the request.
>>>> 
>>>> 
>>>> 
>>>> The maddening thing is I can’t find any reference in the apache logs to
>>>> what is generating the error and why a direct request to the UI would
>>>> error. 
>>>> 
>>>> As far as I can tell IPA is otherwise working.  Logins seem to work,
>>>> sudo rules are working, DNS is working.  
>>>> 
>>>> [root at lb3 httpd]# ipactl status
>>>> Directory Service: RUNNING
>>>> krb5kdc Service: RUNNING
>>>> kadmin Service: RUNNING
>>>> named Service: RUNNING
>>>> ipa_memcached Service: RUNNING
>>>> httpd Service: RUNNING
>>>> ipa-custodia Service: RUNNING
>>>> ntpd Service: RUNNING
>>>> pki-tomcatd Service: RUNNING
>>>> ipa-otpd Service: RUNNING
>>>> ipa-dnskeysyncd Service: RUNNING
>>>> 
>>>> I can see one file in the httpd/conf.d directory that was changed -
>>>> nss.conf.  I attempted reverting and that did not work.
>>>> 
>>>> Has anyone run upon this error?  
>>> 
>>> Does the ipa command-line tool work?
>>> 
>>> What are you seeing in the Apache error log?
>>> 
>>> rob

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20170508/adb26515/attachment.htm>

More information about the Freeipa-users mailing list