Bug 1367162

Summary: Repeated SSL warnings in httpd logs
Product: Red Hat Satellite Reporter: Tasos Papaioannou <tpapaioa>
Component: InstallationAssignee: Justin Sherrill <jsherril>
Status: CLOSED ERRATA QA Contact: Renzo Nuccitelli <rnuccite>
Severity: low Docs Contact:
Priority: low    
Version: 6.2.0CC: ajoseph, aymeric.marchal, bbuckingham, bkearney, brcoca, cmarinea, daniele, dmoessne, dojones, egolov, ehelms, jcallaha, jsherril, ktordeur, mvanderw, omaciel, pdwyer, rnuccite, stbenjam, zhunting
Target Milestone: UnspecifiedKeywords: Reopened, Triaged
Target Release: Unused   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: katello-installer-base-3.0.0.79-1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1426389 (view as bug list) Environment:
Last Closed: 2017-05-08 19:11:35 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1426389    

Description Tasos Papaioannou 2016-08-15 18:05:20 UTC 
Description of problem:

Description of problem:

Any web UI page loads generate warnings like the following:

==> /var/log/httpd/foreman-ssl_error_ssl.log <==
[Mon Aug 15 09:25:47.939160 2016] [ssl:warn] [pid 2269] [client 10.13.57.116:52042] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://fusor.example.com/users/login
[Mon Aug 15 09:25:48.093272 2016] [ssl:warn] [pid 2269] [client 10.13.57.116:52042] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://fusor.example.com/hosts
[Mon Aug 15 09:25:48.093563 2016] [ssl:warn] [pid 2269] [client 10.13.57.116:52042] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://fusor.example.com/hosts


Version-Release number of selected component (if applicable):

satellite-6.2.0-21.2.el7sat.noarch
foreman-installer-1.11.0.9-1.el7sat.noarch

How reproducible:

100%

Steps to Reproduce:
1.) After navigating to any page in the web UI, view /var/log/httpd/foreman-ssl_error_ssl.log

Actual results:

Repeated "AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN'" warnings spamming the httpd logs:

----
# ll /var/log/httpd/foreman-ssl_error_ssl.log*
-rw-r--r--. 1 root root   78672 Aug 15 12:48 /var/log/httpd/foreman-ssl_error_ssl.log
-rw-r--r--. 1 root root 1101416 Aug 12 19:01 /var/log/httpd/foreman-ssl_error_ssl.log-20160814

# grep -v AH02227 /var/log/httpd/foreman-ssl_error_ssl.log
#
----

Expected results:

No warnings if client certificate is not used for the given url.

Additional info:

/etc/httpd/conf.d/05-foreman-ssl.d/katello.conf sets "SSLUsername SSL_CLIENT_S_DN_CN" regardless of the Location, so it tries to read a client certificate's CN even for web browser access, which leads to this repeated warn-level logging.

----
#
# WARNING: THIS CONFIGURATION WAS GENERATED BY KATELLO-CONFIGURE TOOL,
# CHANGES WILL LIKELY BE OVERWRITTEN.
#

SSLUsername SSL_CLIENT_S_DN_CN

Alias /pub /var/www/html/pub
<Location /pub>
  
  PassengerEnabled off
  
  Options +FollowSymLinks +Indexes
</Location>

<LocationMatch /rhsm|/subscription|/katello/api>
  # if ssl_client_certa is present set the header, otherwise don't override
  # a reverse proxy may already be sending the cert through this header
  SetEnvIf SSL_CLIENT_CERT "^..*" client_cert_present=1
  RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" env=!client_cert_present
  SSLVerifyClient optional
  SSLRenegBufferSize 16777216
  SSLVerifyDepth 2

  # report to CLI and RHSM nicely when Katello is down
  ErrorDocument 500 '{"displayMessage": "Internal error, contact administrator", "errors": ["Internal error, contact administrator"], "status": "500" }'
  ErrorDocument 503 '{"displayMessage": "Service unavailable or restarting, try later", "errors": ["Service unavailable or restarting, try later"], "status": "503" }'
</LocationMatch>

KeepAlive On
MaxKeepAliveRequests 10000
----

This spamming of the logs is low severity, but can be misleading to the user and make actual errors less easily noticeable.
Comment 2 Stephen Benjamin 2016-08-23 17:34:44 UTC 
Created redmine issue http://projects.theforeman.org/issues/16256 from this bug
Comment 4 Bryan Kearney 2016-09-07 20:17:55 UTC 
Upstream bug assigned to jsherril
Comment 5 Bryan Kearney 2016-09-07 20:17:58 UTC 
Upstream bug assigned to jsherril
Comment 6 Bryan Kearney 2016-09-26 18:19:11 UTC 
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/16256 has been resolved.
Comment 9 Og Maciel 2016-10-19 17:47:27 UTC 
I'm still seeing this on Satellite 6.3.0 SNAP 5.0:

==> /var/log/httpd/foreman-ssl_error_ssl.log <==
[Wed Oct 19 13:43:31.869160 2016] [ssl:warn] [pid 27376] [client 10.10.61.88:52441] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://ibm-x3250m4-03.lab.eng.rdu2.redhat.com/
[Wed Oct 19 13:43:31.921959 2016] [ssl:warn] [pid 25997] [client 10.10.61.88:52443] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://ibm-x3250m4-03.lab.eng.rdu2.redhat.com/
[Wed Oct 19 13:43:31.990926 2016] [ssl:warn] [pid 26003] [client 10.10.61.88:52444] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://ibm-x3250m4-03.lab.eng.rdu2.redhat.com/
[Wed Oct 19 13:43:32.050508 2016] [ssl:warn] [pid 26000] [client 10.10.61.88:52445] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://ibm-x3250m4-03.lab.eng.rdu2.redhat.com/
[Wed Oct 19 13:43:32.138571 2016] [ssl:warn] [pid 27378] [client 10.10.61.88:52446] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://ibm-x3250m4-03.lab.eng.rdu2.redhat.com/
[Wed Oct 19 13:43:32.230467 2016] [ssl:warn] [pid 26005] [client 10.10.61.88:52447] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://ibm-x3250m4-03.lab.eng.rdu2.redhat.com/
Comment 10 Og Maciel 2016-10-19 18:04:55 UTC 
This FailsQE for Satellite 6.3.0 SNAP 5.0. Talked to jsherrill and he told me that we missed the following changeset: https://github.com/Katello/puppet-pulp/commit/d6e07431d5b6a1f21055ec20b84f0cf3564dca5e
Comment 13 Satellite Program 2017-02-23 21:09:05 UTC 
Please add verifications steps for this bug to help QE verify
Comment 14 Justin Sherrill 2017-03-13 13:39:24 UTC 
Verification steps.

a) on your satellite run:

tail -f -n 0 /var/log/httpd/*

login to the web UI, make sure the following error doesn't appear: 
AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: 


b) verify that the following still is functional:

 1) capsule sync
 2) creating repositories
Comment 15 Renzo Nuccitelli 2017-03-23 16:43:59 UTC 
Verified on 6.2.9
Comment 17 errata-xmlrpc 2017-05-01 13:53:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1191
Comment 18 Kenny Tordeurs 2017-05-08 08:37:26 UTC 
After updating Satellite from 6.2.8 to 6.2.9. 
We can no longer log in to the Satellite WEB-UI using Single Sign On with our smart cards.
We have located the source to our problem in /etc/httpd/conf.d/05-foreman-ssl.d/katello.conf 

BugZilla 1367162 limits the URL scope of how the Apache webserver handles a SSL username supplied from the client. This change in katello.conf breaks the method of how we log in to the Satellite WEB-UI using our smart cards. 

Detailed info
===================== 
https://bugzilla.redhat.com/show_bug.cgi?id=1367162
--- /etc/httpd/conf.d/05-foreman-ssl.d/katello.conf	2016-11-02 09:22:48.308639320 +0100
+++ /tmp/puppet-file20170502-25928-101m16o	2017-05-02 09:30:58.026811503 +0200
@@ -3,7 +3,9 @@
 # CHANGES WILL LIKELY BE OVERWRITTEN.
 #
 
-SSLUsername SSL_CLIENT_S_DN_CN
+<Location /pulp/api>
+  SSLUsername SSL_CLIENT_S_DN_CN
+</Location>
 
 Alias /pub /var/www/html/pub
 <Location /pub>
=============================

Can a broader URL scope (Location) that includes the login URL be applied or alternatively find another solution.

Customer got it working by changing these lines in /etc/httpd/conf.d/05-foreman-ssl.d/katello.conf

Removed this section
#<Location /pulp/api>
#  SSLUsername SSL_CLIENT_S_DN_CN
#</Location>

Added this section
<LocationMatch /pulp/api|/users/extlogin>
  SSLUsername SSL_CLIENT_S_DN_CN
</LocationMatch>
Comment 19 Justin Sherrill 2017-05-08 19:11:35 UTC 
Kenny,

"Can a broader URL scope (Location) that includes the login URL be applied or alternatively find another solution."

Yes indeed, I think this should be a new bugzilla though as it has a different cause, solution, and release.  Moving this one back to close.  Generally we should not reopen a bz that has gone out with an errata until the actual issue is not fixed (and even then i'm not sure thats the right approach).  So yes, please open another bz, I'm pretty sure that apache config was not intentionally covering that route, but if it makes it work for SSO with smart cards, we should add it back.

-Justin
Comment 21 Christian Marineau 2017-08-10 13:42:40 UTC 
Hi, 

I am still seeing the warning repeating under the latest Satellite version (6.2.10):
  AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN'

Can someone confirms we should not see this repeated warning again?

Thanks
Comment 23 Aymeric Marchal SG 2021-11-18 18:25:06 UTC 
Hi,
Is it normal that I can see it still on the our red hat satellite 6.10 :

/var/log/httpd/foreman-ssl_error_ssl.log :
[Thu Nov 18 19:00:22.377188 2021] [ssl:warn] [pid 3792] [client XXX.XXXX.XXX.XXX:YYYY] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN'



Regards,
Aymeric Marchal