Created attachment 1713326 [details] RHV Login Error Description of problem: New Red Hat Virtualization Manager 4.4 has been deployed successfully but not able to login to Administration portal with following ERROR: ~~~ Warning alert:app_url domain differs from SSO_ENGINE_URL or SSO_ALTERNATE_ENGINE_FQDN domains ~~~ Version-Release number of selected component (if applicable): rhvm-4.4.1.10-0.1.el8ev.noarch ~~~ $ grep "app_url domain differs from SSO_ENGINE_URL or SSO_ALTERNATE_ENGINE_FQDN domains" var/log/ovirt-engine/engine.log 2020-08-28 22:29:38,808+05 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-2) [] app_url domain differs from SSO_ENGINE_URL or SSO_ALTERNATE_ENGINE_FQDN domains 2020-08-28 22:29:42,273+05 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-2) [] app_url domain differs from SSO_ENGINE_URL or SSO_ALTERNATE_ENGINE_FQDN domains 2020-08-28 22:29:46,203+05 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-2) [] app_url domain differs from SSO_ENGINE_URL or SSO_ALTERNATE_ENGINE_FQDN domains 2020-08-28 22:29:52,293+05 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-2) [] app_url domain differs from SSO_ENGINE_URL or SSO_ALTERNATE_ENGINE_FQDN domains 2020-08-28 22:34:24,867+05 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-8) [] app_url domain differs from SSO_ENGINE_URL or SSO_ALTERNATE_ENGINE_FQDN domains 2020-08-28 22:34:34,481+05 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-8) [] app_url domain differs from SSO_ENGINE_URL or SSO_ALTERNATE_ENGINE_FQDN domains 2020-08-28 22:34:34,542+05 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-8) [] app_url domain differs from SSO_ENGINE_URL or SSO_ALTERNATE_ENGINE_FQDN domains ~~~ => SSO_ENGINE_URL is set: ~~~ 2020-08-28 22:25:49,331+05 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (ServerService Thread Pool -- 54) [] Value of property 'SSO_ENGINE_URL' is 'https://<RHV-Manager-FQDN>:443/ovirt-engine/'. ~~~ Actual results: Users are not allowed to login to the Admin and VM Portal [Error Screenshot attached] Expected results: RHV Manager should let users login into Admin and VM Portal.
The error is quite clear, customers are trying to access RHV Manager using different FQDN than they have used within engine-setup. So for example they have used FQDN in engine-setup and then they are trying to access RHV Manager using IP address instead. If this is intended behavior (to access RHV Manager by multiple FQDNs), then they need to configure alternate FQDNs (such as IP addresses) by definining SSO_ALTERNATE_ENGINE_FQDN as described in BZ1325746 Suggesting to close the bug as NOTABUG
I have seen many customers using hostname in FQDN as uppercase and domain name in lower case. These customers will not be able to login when they upgrade the environment to 4.4. Looks like change was introduced as per https://gerrit.ovirt.org/#/c/110685/. I think we should make this check case insensitive since DNS names are case insensitive as per https://tools.ietf.org/html/rfc4343.
You are right, Nijin. Unfortunately we have introduced this bug when fixing security related issue, but there is a simple workaround: 1. Login to RHV Manager using ssh 2. Edit /etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf and convert the value of ENGINE_FQDN to lowercase only. For example current value ENGINE_FQDN=MIXED-case-HOSTname should be changed to ENGINE_FQDN=mixed-case-hostname 3. Restart ovirt-engine service systemctl restart ovirt-engine After a restart customers can successfully login using both FQDN's case variants: https://MIXED-case-HOSTname/ovirt-engine https://mixed-case-hostname/ovirt-engine
Verified on ovirt-engine-4.4.2.4-0.1.el8ev.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (RHV Manager (ovirt-engine) 4.4.z [ovirt-4.4.2] 0-day), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:3821