[Freeipa-users] Web UI unavailable after 4.4 upgrade - 400 error

Rob Crittenden rcritten at redhat.com
Mon May 8 17:57:42 UTC 2017 

Pete Fuller wrote:
> http error log has nothing.  This is with http restart and a failed
> request for web ui.  The request has no error.  Is there a different log
> that I am overlooking that might have more information?

No.

Create /etc/ipa/server.conf with these contents:

[global]
debug = True

Restart Apache.

Try with a browser and see what gets logged, if anything.

I'd also try with the cli to compare. With the client you can add -vvv
to get a lot more client-side logging: ipa -vvv user-show admin

rob

> 
> 
> [Mon May 08 10:46:14.842162 2017] [:warn] [pid 25471]
> NSSSessionCacheTimeout is deprecated. Ignoring.
> [Mon May 08 10:46:15.136803 2017] [auth_digest:notice] [pid 25471]
> AH01757: generating secret for digest authentication ...
> [Mon May 08 10:46:15.137403 2017] [lbmethod_heartbeat:notice] [pid
> 25471] AH02282: No slotmem from mod_heartmonitor
> [Mon May 08 10:46:15.137422 2017] [:warn] [pid 25471]
> NSSSessionCacheTimeout is deprecated. Ignoring.
> [Mon May 08 10:46:15.145343 2017] [mpm_prefork:notice] [pid 25471]
> AH00163: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4
> mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured
> -- resuming normal operations
> [Mon May 08 10:46:15.145378 2017] [core:notice] [pid 25471] AH00094:
> Command line: '/usr/sbin/httpd -D FOREGROUND'
> [Mon May 08 10:46:18.234880 2017] [:error] [pid 25476] ipa: INFO: ***
> PROCESS START ***
> [Mon May 08 10:46:18.431700 2017] [:error] [pid 25475] ipa: INFO: ***
> PROCESS START **
> 
> 
> 
>> On May 8, 2017, at 1:43 PM, Rob Crittenden <rcritten at redhat.com
>> <mailto:rcritten at redhat.com>> wrote:
>>
>> Pete Fuller wrote:
>>> IPA command line seems to work.   Have been able to use ipa user-find
>>> and ipa cert-find.  Can also sudo and kinit from other machines as
>>> IPA user.
>>>
>>> Another clue here, looks like even when querying with the ipa cli tools,
>>> I’m getting 400 errors in the access logs.  The top one is obviously a
>>> browser request.  The next 4 were following a cli call to ipa user-find.
>>> That request does respond back with users, so not sure what is failing
>>> there.  The 192.168.0.95 IP is the local ip of the IPA server itself. 
>>>
>>> 192.168.51.20 - - [08/May/2017:10:31:46 -0700] "GET / HTTP/1.1" 400 347
>>> "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0)
>>> Gecko/20100101 Firefox/53.0"
>>> 192.168.0.95 - - [08/May/2017:10:32:40 -0700] "POST /ipa/json HTTP/1.1"
>>> 400 347
>>> 192.168.0.95 - - [08/May/2017:10:32:43 -0700] "POST /ipa/json HTTP/1.1"
>>> 400 347
>>> 192.168.0.95 - - [08/May/2017:10:33:01 -0700] "POST /ipa/json HTTP/1.1"
>>> 400 347
>>> 192.168.0.95 - - [08/May/2017:10:33:10 -0700] "POST /ipa/json HTTP/1.1"
>>> 400 347
>>
>> Note that client activity (login, sudo, etc) does not go through Apache.
>> Only the IPA API does (so web UI and cli).
>>
>> Still need to see the error log.
>>
>> rob
>>
>>>
>>>
>>>> On May 8, 2017, at 1:20 PM, Rob Crittenden <rcritten at redhat.com
>>>> <mailto:rcritten at redhat.com>
>>>> <mailto:rcritten at redhat.com>> wrote:
>>>>
>>>> Pete Fuller wrote:
>>>>> I ran the 4.4 upgrade yesterday on a group of Centos7 servers that are
>>>>> IPA replicas for my North American datacenters.  All seem to have the
>>>>> same issue that I am now unable to connect to the web UI, with the
>>>>> following error in the browser…
>>>>>
>>>>>
>>>>> Bad Request
>>>>>
>>>>> Your browser sent a request that this server could not understand.
>>>>>
>>>>> Additionally, a 400 Bad Request error was encountered while trying to
>>>>> use an ErrorDocument to handle the request.
>>>>>
>>>>>
>>>>>
>>>>> The maddening thing is I can’t find any reference in the apache logs to
>>>>> what is generating the error and why a direct request to the UI would
>>>>> error. 
>>>>>
>>>>> As far as I can tell IPA is otherwise working.  Logins seem to work,
>>>>> sudo rules are working, DNS is working.  
>>>>>
>>>>> [root at lb3 httpd]# ipactl status
>>>>> Directory Service: RUNNING
>>>>> krb5kdc Service: RUNNING
>>>>> kadmin Service: RUNNING
>>>>> named Service: RUNNING
>>>>> ipa_memcached Service: RUNNING
>>>>> httpd Service: RUNNING
>>>>> ipa-custodia Service: RUNNING
>>>>> ntpd Service: RUNNING
>>>>> pki-tomcatd Service: RUNNING
>>>>> ipa-otpd Service: RUNNING
>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>>
>>>>> I can see one file in the httpd/conf.d directory that was changed -
>>>>> nss.conf.  I attempted reverting and that did not work.
>>>>>
>>>>> Has anyone run upon this error?  
>>>>
>>>> Does the ipa command-line tool work?
>>>>
>>>> What are you seeing in the Apache error log?
>>>>
>>>> rob
>

More information about the Freeipa-users mailing list