Bug 1367162 - Repeated SSL warnings in httpd logs [NEEDINFO]
Status: CLOSED ERRATA
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Installer (Show other bugs)
6.2.0
All Linux
Priority: low, Severity: low
: 6.2.9
: Unused
Assigned To: Justin Sherrill
Renzo Nuccitelli
: Reopened, Triaged
Blocks: 1426389
Reported: 2016-08-15 14:05 EDT by Tasos Papaioannou
Modified: 2018-02-06 17:35 EST (History)

Fixed In Version: katello-installer-base-3.0.0.79-1
Clone Of:
: 1426389 (view as bug list)
Last Closed: 2017-05-08 15:11:35 EDT
Type: Bug
cmarinea: needinfo? (rnuccite)
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2184801 None None None 2016-10-31 05:10 EDT
Foreman Issue Tracker 16256 None None None 2016-08-23 13:34 EDT
Red Hat Product Errata RHBA-2017:1191 normal SHIPPED_LIVE Satellite 6.2.9 Async Bug Release 2017-05-01 13:49:42 EDT

Description Tasos Papaioannou 2016-08-15 14:05:20 EDT
Description of problem:

Any web UI page load generates warnings like the following:

==> /var/log/httpd/foreman-ssl_error_ssl.log <==
[Mon Aug 15 09:25:47.939160 2016] [ssl:warn] [pid 2269] [client 10.13.57.116:52042] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://fusor.example.com/users/login
[Mon Aug 15 09:25:48.093272 2016] [ssl:warn] [pid 2269] [client 10.13.57.116:52042] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://fusor.example.com/hosts
[Mon Aug 15 09:25:48.093563 2016] [ssl:warn] [pid 2269] [client 10.13.57.116:52042] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://fusor.example.com/hosts


Version-Release number of selected component (if applicable):

satellite-6.2.0-21.2.el7sat.noarch
foreman-installer-1.11.0.9-1.el7sat.noarch

How reproducible:

100%

Steps to Reproduce:
1.) After navigating to any page in the web UI, view /var/log/httpd/foreman-ssl_error_ssl.log

Actual results:

Repeated "AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN'" warnings spamming the httpd logs:

----
# ll /var/log/httpd/foreman-ssl_error_ssl.log*
-rw-r--r--. 1 root root   78672 Aug 15 12:48 /var/log/httpd/foreman-ssl_error_ssl.log
-rw-r--r--. 1 root root 1101416 Aug 12 19:01 /var/log/httpd/foreman-ssl_error_ssl.log-20160814

# grep -v AH02227 /var/log/httpd/foreman-ssl_error_ssl.log
#
----

Expected results:

No warnings if a client certificate is not used for the given URL.

Additional info:

/etc/httpd/conf.d/05-foreman-ssl.d/katello.conf sets "SSLUsername SSL_CLIENT_S_DN_CN" regardless of the Location, so it tries to read a client certificate's CN even for web browser access, which leads to this repeated warn-level logging.

----
#
# WARNING: THIS CONFIGURATION WAS GENERATED BY KATELLO-CONFIGURE TOOL,
# CHANGES WILL LIKELY BE OVERWRITTEN.
#

SSLUsername SSL_CLIENT_S_DN_CN

Alias /pub /var/www/html/pub
<Location /pub>
  
  PassengerEnabled off
  
  Options +FollowSymLinks +Indexes
</Location>

<LocationMatch /rhsm|/subscription|/katello/api>
  # if SSL_CLIENT_CERT is present set the header, otherwise don't override
  # a reverse proxy may already be sending the cert through this header
  SetEnvIf SSL_CLIENT_CERT "^..*" client_cert_present=1
  RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" env=!client_cert_present
  SSLVerifyClient optional
  SSLRenegBufferSize 16777216
  SSLVerifyDepth 2

  # report to CLI and RHSM nicely when Katello is down
  ErrorDocument 500 '{"displayMessage": "Internal error, contact administrator", "errors": ["Internal error, contact administrator"], "status": "500" }'
  ErrorDocument 503 '{"displayMessage": "Service unavailable or restarting, try later", "errors": ["Service unavailable or restarting, try later"], "status": "503" }'
</LocationMatch>

KeepAlive On
MaxKeepAliveRequests 10000
----

This spamming of the logs is low severity, but can be misleading to the user and make actual errors less easily noticeable.
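As an added example (not part of this bug report and not Katello's code), here is a small shell triage of the log the report describes: it counts the AH02227 noise, groups it by the referer path that triggered it, and prints whatever else is left, which is the check the reporter's `grep -v AH02227` performs. It assumes only the log line format quoted above; the sample lines are constructed to mirror the report's, with one unrelated, constructed handshake error added to show what the noise hides. The function names are mine.

```shell
#!/bin/sh
# Added example, not part of the bug report: separate the AH02227 noise in
# /var/log/httpd/foreman-ssl_error_ssl.log (the log the report names) from
# everything else, so a real error is not buried under the repeated warning.
# The sample log below is constructed to mirror the lines quoted in the report;
# the AH02008 line is a constructed unrelated error added for contrast.

SAMPLE_LOG=$(cat <<'EOF'
[Mon Aug 15 09:25:47.939160 2016] [ssl:warn] [pid 2269] [client 10.13.57.116:52042] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://fusor.example.com/users/login
[Mon Aug 15 09:25:48.093272 2016] [ssl:warn] [pid 2269] [client 10.13.57.116:52042] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://fusor.example.com/hosts
[Mon Aug 15 09:25:48.093563 2016] [ssl:warn] [pid 2269] [client 10.13.57.116:52042] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://fusor.example.com/hosts
[Mon Aug 15 09:25:49.102311 2016] [ssl:error] [pid 2270] [client 10.13.57.116:52043] AH02008: SSL library error 1 in handshake (server fusor.example.com:443)
[Mon Aug 15 09:25:50.517402 2016] [ssl:warn] [pid 2269] [client 10.13.57.116:52044] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN'
EOF
)

# Number of AH02227 warnings on stdin (prints 0, not nothing, when there are none).
count_noise() {
  grep -c 'AH02227' || true
}

# Everything on stdin that is NOT the AH02227 warning: this is the report's
# "grep -v AH02227" check, which printed nothing because the log was all noise.
without_noise() {
  grep -v 'AH02227' || true
}

# AH02227 warnings grouped by the path of the referer that triggered them.
# A browser-driven page such as /hosts or /users/login showing up here is the
# sign that SSLUsername is applied to requests that never carry a client cert.
noise_by_referer() {
  grep 'AH02227' | awk '
    {
      ref = "(no referer)"
      for (i = 1; i <= NF; i++) if ($i == "referer:") ref = $(i + 1)
      sub(/^https?:\/\/[^\/]+/, "", ref)   # drop scheme and host, keep the path
      count[ref]++
    }
    END { for (r in count) printf "%d %s\n", count[r], r }
  ' | sort -rn
}

# Demonstration on the constructed sample.
printf 'AH02227 warnings by referer path:\n'
printf '%s\n' "$SAMPLE_LOG" | noise_by_referer
printf 'lines that are not AH02227 noise:\n'
printf '%s\n' "$SAMPLE_LOG" | without_noise
```

On a live system, feed the real log instead of the sample, e.g. `noise_by_referer < /var/log/httpd/foreman-ssl_error_ssl.log`; the referer breakdown shows at a glance whether the warnings come from ordinary browser pages, which is the misconfiguration the report describes, or only from the API routes that actually present client certificates.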
Comment 2 Stephen Benjamin 2016-08-23 13:34:44 EDT
Created redmine issue http://projects.theforeman.org/issues/16256 from this bug
Comment 4 Bryan Kearney 2016-09-07 16:17:55 EDT
Upstream bug assigned to jsherril@redhat.com
Comment 5 Bryan Kearney 2016-09-07 16:17:58 EDT
Upstream bug assigned to jsherril@redhat.com
Comment 6 Bryan Kearney 2016-09-26 14:19:11 EDT
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/16256 has been resolved.
Comment 9 Og Maciel 2016-10-19 13:47:27 EDT
I'm still seeing this on Satellite 6.3.0 SNAP 5.0:

==> /var/log/httpd/foreman-ssl_error_ssl.log <==
[Wed Oct 19 13:43:31.869160 2016] [ssl:warn] [pid 27376] [client 10.10.61.88:52441] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://ibm-x3250m4-03.lab.eng.rdu2.redhat.com/
[Wed Oct 19 13:43:31.921959 2016] [ssl:warn] [pid 25997] [client 10.10.61.88:52443] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://ibm-x3250m4-03.lab.eng.rdu2.redhat.com/
[Wed Oct 19 13:43:31.990926 2016] [ssl:warn] [pid 26003] [client 10.10.61.88:52444] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://ibm-x3250m4-03.lab.eng.rdu2.redhat.com/
[Wed Oct 19 13:43:32.050508 2016] [ssl:warn] [pid 26000] [client 10.10.61.88:52445] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://ibm-x3250m4-03.lab.eng.rdu2.redhat.com/
[Wed Oct 19 13:43:32.138571 2016] [ssl:warn] [pid 27378] [client 10.10.61.88:52446] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://ibm-x3250m4-03.lab.eng.rdu2.redhat.com/
[Wed Oct 19 13:43:32.230467 2016] [ssl:warn] [pid 26005] [client 10.10.61.88:52447] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://ibm-x3250m4-03.lab.eng.rdu2.redhat.com/
Comment 10 Og Maciel 2016-10-19 14:04:55 EDT
This FailsQE for Satellite 6.3.0 SNAP 5.0. Talked to jsherrill and he told me that we missed the following changeset: https://github.com/Katello/puppet-pulp/commit/d6e07431d5b6a1f21055ec20b84f0cf3564dca5e
Comment 13 pm-sat@redhat.com 2017-02-23 16:09:05 EST
Please add verifications steps for this bug to help QE verify
Comment 14 Justin Sherrill 2017-03-13 09:39:24 EDT
Verification steps.

a) on your satellite run:

tail -f -n 0 /var/log/httpd/*

log in to the web UI and make sure the following error doesn't appear:
AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer:


b) verify that the following still is functional:

 1) capsule sync
 2) creating repositories
Comment 15 Renzo Nuccitelli 2017-03-23 12:43:59 EDT
Verified on 6.2.9
Comment 17 errata-xmlrpc 2017-05-01 09:53:43 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1191
Comment 18 Kenny Tordeurs 2017-05-08 04:37:26 EDT
After updating Satellite from 6.2.8 to 6.2.9, we can no longer log in to the Satellite WEB-UI using Single Sign On with our smart cards.
We have located the source of our problem in /etc/httpd/conf.d/05-foreman-ssl.d/katello.conf

BugZilla 1367162 limits the URL scope of how the Apache webserver handles an SSL username supplied from the client. This change in katello.conf breaks the method of how we log in to the Satellite WEB-UI using our smart cards.

Detailed info
===================== 
https://bugzilla.redhat.com/show_bug.cgi?id=1367162
--- /etc/httpd/conf.d/05-foreman-ssl.d/katello.conf	2016-11-02 09:22:48.308639320 +0100
+++ /tmp/puppet-file20170502-25928-101m16o	2017-05-02 09:30:58.026811503 +0200
@@ -3,7 +3,9 @@
 # CHANGES WILL LIKELY BE OVERWRITTEN.
 #
 
-SSLUsername SSL_CLIENT_S_DN_CN
+<Location /pulp/api>
+  SSLUsername SSL_CLIENT_S_DN_CN
+</Location>
 
 Alias /pub /var/www/html/pub
 <Location /pub>
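Review bot: narrowing SSLUsername from the whole virtual host to `<Location /pulp/api>` silently removes it from every other path, and the comment above reports that this is exactly what broke smart-card SSO at /users/extlogin; if that route relies on r->user being set from the certificate CN, the container should cover it too, e.g. `<LocationMatch /pulp/api|/users/extlogin>` as in the workaround below, rather than a single prefix match. Note also that the file header in the context lines says "CHANGES WILL LIKELY BE OVERWRITTEN" and the new file comes from `/tmp/puppet-file...`, so a hand edit of katello.conf will not survive the next installer run; the fix belongs in the installer template.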
=============================

Can a broader URL scope (Location) that includes the login URL be applied or alternatively find another solution.

Customer got it working by changing these lines in /etc/httpd/conf.d/05-foreman-ssl.d/katello.conf

Removed this section
#<Location /pulp/api>
#  SSLUsername SSL_CLIENT_S_DN_CN
#</Location>

Added this section
<LocationMatch /pulp/api|/users/extlogin>
  SSLUsername SSL_CLIENT_S_DN_CN
</LocationMatch>
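The verification steps in comment 14 check the symptom; the hunk in comment 18 shows the cause, the scope of the SSLUsername directive. As an added example, not part of this bug or of the Katello installer, the following shell audit reports every SSLUsername directive that sits outside a Location-style container in a config read on stdin, which is the shape that made httpd try to read a client certificate CN on every browser request. The two sample configs are constructed from the fragments quoted in this bug; the function and variable names are mine.

```shell
#!/bin/sh
# Added example, not from the bug report or from Katello's installer: audit an
# httpd config for SSLUsername directives placed outside any
# <Location>/<LocationMatch>/<Directory>/<Files> container. Such a directive
# applies to every request in the virtual host, which is what produced the
# repeated AH02227 warnings. Reads the config on stdin.

unscoped_sslusername() {
  awk '
    # track how deep we are inside request-scoping containers
    /^[[:space:]]*<(Location|LocationMatch|Directory|DirectoryMatch|Files|FilesMatch)[[:space:]>]/ { depth++ }
    /^[[:space:]]*<\/(Location|LocationMatch|Directory|DirectoryMatch|Files|FilesMatch)>/ { depth-- }
    # a directive at depth 0 applies to the whole virtual host: report it
    /^[[:space:]]*SSLUsername[[:space:]]/ && depth == 0 { printf "%d: %s\n", NR, $0 }
  '
}

# Count of unscoped SSLUsername directives on stdin; 0 is the desired result.
count_unscoped() {
  unscoped_sslusername | grep -c . || true
}

# Constructed: the shape of katello.conf before the fix (global directive).
GLOBAL_CONF=$(cat <<'EOF'
SSLUsername SSL_CLIENT_S_DN_CN

Alias /pub /var/www/html/pub
<Location /pub>
  PassengerEnabled off
  Options +FollowSymLinks +Indexes
</Location>

<LocationMatch /rhsm|/subscription|/katello/api>
  SSLVerifyClient optional
  SSLVerifyDepth 2
</LocationMatch>
EOF
)

# Constructed: the directive scoped the way comment 18 scopes it, so browser
# pages that caused the AH02227 noise are no longer covered while the
# smart-card login route still is.
SCOPED_CONF=$(cat <<'EOF'
<LocationMatch /pulp/api|/users/extlogin>
  SSLUsername SSL_CLIENT_S_DN_CN
</LocationMatch>

Alias /pub /var/www/html/pub
<Location /pub>
  PassengerEnabled off
</Location>
EOF
)

# Demonstration on the two constructed configs.
printf 'global config: %s unscoped SSLUsername directive(s)\n' "$(printf '%s\n' "$GLOBAL_CONF" | count_unscoped)"
printf 'scoped config: %s unscoped SSLUsername directive(s)\n' "$(printf '%s\n' "$SCOPED_CONF" | count_unscoped)"
```

Against the real file, run `unscoped_sslusername < /etc/httpd/conf.d/05-foreman-ssl.d/katello.conf`; an empty result (count 0) is what a 6.2.9 installation should give. The audit only tells you the directive is scoped, not that the scope is right: as comment 18 shows, a path that needs r->user set from the certificate, such as the smart-card login route, has to be listed in the container explicitly.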
Comment 19 Justin Sherrill 2017-05-08 15:11:35 EDT
Kenny,

"Can a broader URL scope (Location) that includes the login URL be applied or alternatively find another solution."

Yes indeed, I think this should be a new bugzilla though as it has a different cause, solution, and release.  Moving this one back to close.  Generally we should not reopen a bz that has gone out with an errata until the actual issue is not fixed (and even then I'm not sure that's the right approach).  So yes, please open another bz, I'm pretty sure that apache config was not intentionally covering that route, but if it makes it work for SSO with smart cards, we should add it back.

-Justin
Comment 21 Christian Marineau 2017-08-10 09:42:40 EDT
Hi, 

I am still seeing the warning repeating under the latest Satellite version (6.2.10):
  AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN'

Can someone confirm we should not see this repeated warning again?

Thanks
