Bug 1874543 - [RHV 4.4] Can not login to RHV Manager "Warning alert:app_url domain differs from SSO_ENGINE_URL or SSO_ALTERNATE_ENGINE_FQDN domains"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.4.1
Hardware: x86_64
OS: Unspecified
Priority: high
Severity: urgent
Target Milestone: ovirt-4.4.2
Target Release: 4.4.2
Assignee: Artur Socha
QA Contact: Petr Matyáš
Reported: 2020-09-01 14:57 UTC by Chetan Nagarkar
Modified: 2023-12-15 19:07 UTC

Fixed In Version: rhv-4.4.2-6, ovirt-engine-4.4.2.4
Last Closed: 2020-09-23 16:12:20 UTC
oVirt Team: Infra


Attachments
RHV Login Error (132.08 KB, image/jpeg)
2020-09-01 14:57 UTC, Chetan Nagarkar


Links

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Red Hat Knowledge Base (Solution) | 5357381 | 0 | None | None | None | 2020-09-01 15:10:11 UTC |
| Red Hat Product Errata | RHBA-2020:3821 | 0 | None | None | None | 2020-09-23 16:12:31 UTC |
| oVirt gerrit | 111081 | 0 | master | MERGED | sso: app_url validation - use lowercased urls | 2021-02-19 16:24:03 UTC |
| oVirt gerrit | 111095 | 0 | ovirt-engine-4.4.2.z | MERGED | sso: app_url validation - use lowercased urls | 2021-02-19 16:24:03 UTC |

Description Chetan Nagarkar 2020-09-01 14:57:23 UTC
Created attachment 1713326
RHV Login Error

Description of problem:
New Red Hat Virtualization Manager 4.4 has been deployed successfully, but users are not able to log in to the Administration Portal; the following error is shown:

~~~
Warning alert:app_url domain differs from SSO_ENGINE_URL or SSO_ALTERNATE_ENGINE_FQDN domains
~~~

Version-Release number of selected component (if applicable):
rhvm-4.4.1.10-0.1.el8ev.noarch

~~~
$ grep "app_url domain differs from SSO_ENGINE_URL or SSO_ALTERNATE_ENGINE_FQDN domains" var/log/ovirt-engine/engine.log
2020-08-28 22:29:38,808+05 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-2) [] app_url domain differs from SSO_ENGINE_URL or SSO_ALTERNATE_ENGINE_FQDN domains
2020-08-28 22:29:42,273+05 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-2) [] app_url domain differs from SSO_ENGINE_URL or SSO_ALTERNATE_ENGINE_FQDN domains
2020-08-28 22:29:46,203+05 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-2) [] app_url domain differs from SSO_ENGINE_URL or SSO_ALTERNATE_ENGINE_FQDN domains
2020-08-28 22:29:52,293+05 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-2) [] app_url domain differs from SSO_ENGINE_URL or SSO_ALTERNATE_ENGINE_FQDN domains
2020-08-28 22:34:24,867+05 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-8) [] app_url domain differs from SSO_ENGINE_URL or SSO_ALTERNATE_ENGINE_FQDN domains
2020-08-28 22:34:34,481+05 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-8) [] app_url domain differs from SSO_ENGINE_URL or SSO_ALTERNATE_ENGINE_FQDN domains
2020-08-28 22:34:34,542+05 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-8) [] app_url domain differs from SSO_ENGINE_URL or SSO_ALTERNATE_ENGINE_FQDN domains
~~~

=> SSO_ENGINE_URL is set:
~~~
2020-08-28 22:25:49,331+05 INFO  [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (ServerService Thread Pool -- 54) [] Value of property 'SSO_ENGINE_URL' is 'https://<RHV-Manager-FQDN>:443/ovirt-engine/'.
~~~


Actual results:
Users are not allowed to log in to the Admin and VM Portal [Error Screenshot attached]

Expected results:
RHV Manager should let users log in to the Admin and VM Portal.

Comment 1 Martin Perina 2020-09-01 16:07:57 UTC
The error is quite clear: customers are trying to access RHV Manager using a different FQDN than the one they used within engine-setup. So, for example, they used an FQDN in engine-setup and then they are trying to access RHV Manager using an IP address instead.

If this is intended behavior (to access RHV Manager by multiple FQDNs), then they need to configure alternate FQDNs (such as IP addresses) by defining SSO_ALTERNATE_ENGINE_FQDN as described in BZ1325746.

Suggesting to close the bug as NOTABUG

Comment 5 nijin ashok 2020-09-02 03:52:28 UTC
I have seen many customers using an uppercase hostname and a lowercase domain name in the FQDN. These customers will not be able to log in when they upgrade the environment to 4.4. It looks like the change was introduced as per https://gerrit.ovirt.org/#/c/110685/. I think we should make this check case-insensitive, since DNS names are case-insensitive as per https://tools.ietf.org/html/rfc4343.

Comment 6 Martin Perina 2020-09-02 07:55:53 UTC
You are right, Nijin. Unfortunately, we introduced this bug when fixing a security-related issue, but there is a simple workaround:

1. Log in to RHV Manager using ssh

2. Edit /etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf and convert the value of ENGINE_FQDN to lowercase only.
   For example, the current value

       ENGINE_FQDN=MIXED-case-HOSTname

   should be changed to

       ENGINE_FQDN=mixed-case-hostname

3. Restart ovirt-engine service

       systemctl restart ovirt-engine

After a restart, customers can successfully log in using both case variants of the FQDN:

    https://MIXED-case-HOSTname/ovirt-engine
    https://mixed-case-hostname/ovirt-engine
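
An added example, not part of the thread and not ovirt-engine code: a model of the host comparison discussed in Comments 1, 5 and 6, showing a case-sensitive check rejecting a mixed-case configured FQDN and a case-folded check accepting it while still rejecting an unconfigured host. The hostnames, the space-separated format assumed for SSO_ALTERNATE_ENGINE_FQDN, and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample values; hostnames and addresses are placeholders.
SSO_ENGINE_URL = "https://RHVM01.example.com:443/ovirt-engine/"
# Assumption: alternates are given as a space-separated list.
SSO_ALTERNATE_ENGINE_FQDN = "rhvm-alias.example.com 192.0.2.10"


def raw_host(url):
    """Host part of a URL with its original case preserved.

    urlsplit().hostname would lowercase it and hide the mismatch shown here.
    """
    host = urlsplit(url).netloc.rpartition("@")[2]  # drop any userinfo
    if host.startswith("["):                        # bracketed IPv6 literal
        return host[1:host.index("]")]
    return host.partition(":")[0]                   # drop any port


def app_url_allowed(app_url, engine_url, alternates="", fold_case=True):
    """True when app_url's host exactly matches a configured engine host."""
    configured = [raw_host(engine_url)] + alternates.split()
    host = raw_host(app_url)
    if fold_case:  # DNS names compare case-insensitively (RFC 4343)
        configured = [h.lower() for h in configured]
        host = host.lower()
    return bool(host) and host in configured


def demo():
    """Run both comparison modes over constructed app_url values."""
    urls = [
        "https://rhvm01.example.com/ovirt-engine/webadmin/",    # lowercase form of engine host
        "https://192.0.2.10/ovirt-engine/webadmin/",            # configured alternate
        "https://rhvm01.example.com.other.test/ovirt-engine/",  # lookalike suffix
    ]
    return [
        (u,
         app_url_allowed(u, SSO_ENGINE_URL, SSO_ALTERNATE_ENGINE_FQDN, fold_case=False),
         app_url_allowed(u, SSO_ENGINE_URL, SSO_ALTERNATE_ENGINE_FQDN, fold_case=True))
        for u in urls
    ]


if __name__ == "__main__":
    for url, case_sensitive, case_insensitive in demo():
        print(f"{url}\n  case-sensitive={case_sensitive} case-insensitive={case_insensitive}")
```

Folding case on both sides keeps the comparison an exact match, so the lookalike host is still rejected while a mixed-case configured name no longer blocks login.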

Comment 9 Petr Matyáš 2020-09-08 07:40:50 UTC
Verified on ovirt-engine-4.4.2.4-0.1.el8ev.noarch

Comment 11 errata-xmlrpc 2020-09-23 16:12:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (RHV Manager (ovirt-engine) 4.4.z [ovirt-4.4.2] 0-day), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3821

