Description of problem:

Any web UI page loads generate warnings like the following:

==> /var/log/httpd/foreman-ssl_error_ssl.log <==
[Mon Aug 15 09:25:47.939160 2016] [ssl:warn] [pid 2269] [client 10.13.57.116:52042] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://fusor.example.com/users/login
[Mon Aug 15 09:25:48.093272 2016] [ssl:warn] [pid 2269] [client 10.13.57.116:52042] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://fusor.example.com/hosts
[Mon Aug 15 09:25:48.093563 2016] [ssl:warn] [pid 2269] [client 10.13.57.116:52042] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://fusor.example.com/hosts

Version-Release number of selected component (if applicable):
satellite-6.2.0-21.2.el7sat.noarch
foreman-installer-1.11.0.9-1.el7sat.noarch

How reproducible:
100%

Steps to Reproduce:
1.) After navigating to any page in the web UI, view /var/log/httpd/foreman-ssl_error_ssl.log

Actual results:
Repeated "AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN'" warnings spamming the httpd logs:

----
# ll /var/log/httpd/foreman-ssl_error_ssl.log*
-rw-r--r--. 1 root root 78672 Aug 15 12:48 /var/log/httpd/foreman-ssl_error_ssl.log
-rw-r--r--. 1 root root 1101416 Aug 12 19:01 /var/log/httpd/foreman-ssl_error_ssl.log-20160814
# grep -v AH02227 /var/log/httpd/foreman-ssl_error_ssl.log
#
----

Expected results:
No warnings if client certificate is not used for the given url.

Additional info:
/etc/httpd/conf.d/05-foreman-ssl.d/katello.conf sets "SSLUsername SSL_CLIENT_S_DN_CN" regardless of the Location, so it tries to read a client certificate's CN even for web browser access, which leads to this repeated warn-level logging.

----
#
# WARNING: THIS CONFIGURATION WAS GENERATED BY KATELLO-CONFIGURE TOOL,
# CHANGES WILL LIKELY BE OVERWRITTEN.
#
SSLUsername SSL_CLIENT_S_DN_CN

Alias /pub /var/www/html/pub
<Location /pub>
  PassengerEnabled off
  Options +FollowSymLinks +Indexes
</Location>

<LocationMatch /rhsm|/subscription|/katello/api>
  # if ssl_client_certa is present set the header, otherwise don't override
  # a reverse proxy may already be sending the cert through this header
  SetEnvIf SSL_CLIENT_CERT "^..*" client_cert_present=1
  RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" env=!client_cert_present
  SSLVerifyClient optional
  SSLRenegBufferSize 16777216
  SSLVerifyDepth 2

  # report to CLI and RHSM nicely when Katello is down
  ErrorDocument 500 '{"displayMessage": "Internal error, contact administrator", "errors": ["Internal error, contact administrator"], "status": "500" }'
  ErrorDocument 503 '{"displayMessage": "Service unavailable or restarting, try later", "errors": ["Service unavailable or restarting, try later"], "status": "503" }'
</LocationMatch>

KeepAlive On
MaxKeepAliveRequests 10000
----

This spamming of the logs is low severity, but can be misleading to the user and make actual errors less easily noticeable.
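Added example, not part of the original report or of the Katello/Foreman code: a small audit that reports the scope each SSLUsername directive sits in, run over two configurations constructed from the excerpts quoted in this report. The function names and the "top-level" label are assumptions made for the example.

```python
import re

# Constructed from the katello.conf excerpt quoted in this report.
BEFORE = """\
SSLUsername SSL_CLIENT_S_DN_CN
Alias /pub /var/www/html/pub
<Location /pub>
  PassengerEnabled off
</Location>
<LocationMatch /rhsm|/subscription|/katello/api>
  SSLVerifyClient optional
</LocationMatch>
"""
# Constructed: the same file with the directive wrapped in a container.
AFTER = """\
<Location /pulp/api>
  SSLUsername SSL_CLIENT_S_DN_CN
</Location>
<LocationMatch /rhsm|/subscription|/katello/api>
  SSLVerifyClient optional
</LocationMatch>
"""

OPEN = re.compile(r"<\s*(\w+)\s*(.*?)\s*>$")
CLOSE = re.compile(r"</\s*\w+\s*>$")

def directive_scopes(conf_text, directive="SSLUsername"):
    """Return [(line_number, scope)] for every use of `directive`.

    scope is "top-level" outside any container, else the innermost one,
    e.g. "Location /pulp/api". Assumes no backslash line continuations.
    """
    stack, found = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
        elif (m := OPEN.match(line)):
            stack.append(f"{m.group(1)} {m.group(2)}".strip())
        elif line.split()[0].lower() == directive.lower():
            found.append((lineno, stack[-1] if stack else "top-level"))
    return found

def top_level_lines(conf_text, directive="SSLUsername"):
    """Lines where `directive` applies to every URL served by the file."""
    return [n for n, s in directive_scopes(conf_text, directive) if s == "top-level"]
```

A non-empty result from `top_level_lines` is the condition this report describes: the client-certificate CN lookup runs for every request, including browser sessions that present no certificate.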
Created redmine issue http://projects.theforeman.org/issues/16256 from this bug
Upstream bug assigned to jsherril
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/16256 has been resolved.
I'm still seeing this on Satellite 6.3.0 SNAP 5.0:

==> /var/log/httpd/foreman-ssl_error_ssl.log <==
[Wed Oct 19 13:43:31.869160 2016] [ssl:warn] [pid 27376] [client 10.10.61.88:52441] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://ibm-x3250m4-03.lab.eng.rdu2.redhat.com/
[Wed Oct 19 13:43:31.921959 2016] [ssl:warn] [pid 25997] [client 10.10.61.88:52443] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://ibm-x3250m4-03.lab.eng.rdu2.redhat.com/
[Wed Oct 19 13:43:31.990926 2016] [ssl:warn] [pid 26003] [client 10.10.61.88:52444] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://ibm-x3250m4-03.lab.eng.rdu2.redhat.com/
[Wed Oct 19 13:43:32.050508 2016] [ssl:warn] [pid 26000] [client 10.10.61.88:52445] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://ibm-x3250m4-03.lab.eng.rdu2.redhat.com/
[Wed Oct 19 13:43:32.138571 2016] [ssl:warn] [pid 27378] [client 10.10.61.88:52446] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://ibm-x3250m4-03.lab.eng.rdu2.redhat.com/
[Wed Oct 19 13:43:32.230467 2016] [ssl:warn] [pid 26005] [client 10.10.61.88:52447] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://ibm-x3250m4-03.lab.eng.rdu2.redhat.com/
This FailsQE for Satellite 6.3.0 SNAP 5.0. Talked to jsherrill and he told me that we missed the following changeset: https://github.com/Katello/puppet-pulp/commit/d6e07431d5b6a1f21055ec20b84f0cf3564dca5e
Please add verification steps for this bug to help QE verify.
Verification steps.

a) on your satellite run:

tail -f -n 0 /var/log/httpd/*

log in to the web UI, make sure the following error doesn't appear:

AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer:

b) verify that the following still is functional:
1) capsule sync
2) creating repositories
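Added example, not part of the original comment: step (a) as a repeatable check over a saved copy of the error log instead of a live tail, which also lists the entries that `grep -v AH02227` would leave. The sample log is constructed in the layout quoted in this report, the AH99999 entry is a made-up stand-in for an unrelated error, and the function names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample; the AH99999 line is a placeholder, not a real httpd code.
SAMPLE = """\
[Mon Aug 15 09:25:47.939160 2016] [ssl:warn] [pid 2269] [client 10.13.57.116:52042] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://fusor.example.com/users/login
[Mon Aug 15 09:25:48.093272 2016] [ssl:warn] [pid 2269] [client 10.13.57.116:52042] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://fusor.example.com/hosts
[Mon Aug 15 09:25:48.093563 2016] [ssl:warn] [pid 2269] [client 10.13.57.116:52042] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://fusor.example.com/hosts
[Mon Aug 15 09:26:02.500000 2016] [core:error] [pid 2270] [client 10.13.57.116:52050] AH99999: constructed placeholder for an unrelated error
"""

ENTRY = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[\w*:(?P<level>\w+)\] \[pid \d+\] "
    r"(?:\[client [^\]]+\] )?(?P<code>AH\d{5}): (?P<msg>.*)$"
)
REFERER = re.compile(r", referer: (\S+)$")

def parse(log_text):
    """Yield (timestamp, level, code, referer_path_or_None, line)."""
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # skip headers such as "==> file <==" and blank lines
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
        ref = REFERER.search(m["msg"])
        path = urlsplit(ref.group(1)).path if ref else None
        yield ts, m["level"], m["code"], path, line

def ah02227_since(log_text, since):
    """Count AH02227 warnings logged at or after `since`, per referer path."""
    return Counter(path for ts, _, code, path, _ in parse(log_text)
                   if code == "AH02227" and ts >= since)

def other_entries(log_text):
    """Entries that remain once the AH02227 noise is filtered out."""
    return [line for _, _, code, _, line in parse(log_text) if code != "AH02227"]
```

Record the time just before logging in and pass it as `since`; an empty counter means step (a) passed for that session.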
Verified on 6.2.9
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1191
After updating Satellite from 6.2.8 to 6.2.9. We can no longer log in to the Satellite WEB-UI using Single Sign On with our smart cards. We have located the source to our problem in /etc/httpd/conf.d/05-foreman-ssl.d/katello.conf BugZilla 1367162 limits the URL scope of how the Apache webserver handles a SSL username supplied from the client. This change in katello.conf breaks the method of how we log in to the Satellite WEB-UI using our smart cards. Detailed info ===================== https://bugzilla.redhat.com/show_bug.cgi?id=1367162 --- /etc/httpd/conf.d/05-foreman-ssl.d/katello.conf 2016-11-02 09:22:48.308639320 +0100 +++ /tmp/puppet-file20170502-25928-101m16o 2017-05-02 09:30:58.026811503 +0200 @@ -3,7 +3,9 @@ # CHANGES WILL LIKELY BE OVERWRITTEN. # -SSLUsername SSL_CLIENT_S_DN_CN +<Location /pulp/api> + SSLUsername SSL_CLIENT_S_DN_CN +</Location> Alias /pub /var/www/html/pub <Location /pub> ============================= Can a broader URL scope (Location) that includes the login URL be applied or alternatively find another solution. Customer got it working by changing these lines in /etc/httpd/conf.d/05-foreman-ssl.d/katello.conf Removed this section #<Location /pulp/api> # SSLUsername SSL_CLIENT_S_DN_CN #</Location> Added this section <LocationMatch /pulp/api|/users/extlogin> SSLUsername SSL_CLIENT_S_DN_CN </LocationMatch>
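Review bot: the new `<Location /pulp/api>` wrapper around `SSLUsername SSL_CLIENT_S_DN_CN` removes the directive from every other path, and this comment reports that `/users/extlogin` depended on it for client-certificate login. Consider scoping the directive to both routes in one container, for example `<LocationMatch "^/(pulp/api|users/extlogin)">`, anchored so the pattern does not match those strings elsewhere in a URL path, and add a comment in the generated file naming the routes that are expected to take the user from the certificate CN.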
Kenny,

"Can a broader URL scope (Location) that includes the login URL be applied or alternatively find another solution."

Yes indeed, I think this should be a new bugzilla though as it has a different cause, solution, and release. Moving this one back to close. Generally we should not reopen a bz that has gone out with an errata until the actual issue is not fixed (and even then I'm not sure that's the right approach).

So yes, please open another bz, I'm pretty sure that apache config was not intentionally covering that route, but if it makes it work for SSO with smart cards, we should add it back.

-Justin
Hi,

I am still seeing the warning repeating under the latest Satellite version (6.2.10):

AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN'

Can someone confirm we should not see this repeated warning again?

Thanks
Hi,

Is it normal that I can still see it on our Red Hat Satellite 6.10:

/var/log/httpd/foreman-ssl_error_ssl.log:
[Thu Nov 18 19:00:22.377188 2021] [ssl:warn] [pid 3792] [client XXX.XXXX.XXX.XXX:YYYY] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN'

Regards,
Aymeric Marchal