Bug #16256

closed

Repeated SSL warnings in httpd logs

Added by Stephen Benjamin over 7 years ago. Updated over 5 years ago.

Status: Closed
Priority: Low
Category: Installer
Target version:
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1367162
Description of problem:

Any web UI page loads generate warnings like the following:

> /var/log/httpd/foreman-ssl_error_ssl.log <
[Mon Aug 15 09:25:47.939160 2016] [ssl:warn] [pid 2269] [client 10.13.57.116:52042] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://fusor.example.com/users/login
[Mon Aug 15 09:25:48.093272 2016] [ssl:warn] [pid 2269] [client 10.13.57.116:52042] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://fusor.example.com/hosts
[Mon Aug 15 09:25:48.093563 2016] [ssl:warn] [pid 2269] [client 10.13.57.116:52042] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://fusor.example.com/hosts

Version-Release number of selected component (if applicable):

satellite-6.2.0-21.2.el7sat.noarch
foreman-installer-1.11.0.9-1.el7sat.noarch

How reproducible:

100%

Steps to Reproduce:
1.) After navigating to any page in the web UI, view /var/log/httpd/foreman-ssl_error_ssl.log

Actual results:

Repeated "AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN'" warnings spamming the httpd logs:


# ll /var/log/httpd/foreman-ssl_error_ssl.log*
-rw-r--r--. 1 root root 78672 Aug 15 12:48 /var/log/httpd/foreman-ssl_error_ssl.log
-rw-r--r--. 1 root root 1101416 Aug 12 19:01 /var/log/httpd/foreman-ssl_error_ssl.log-20160814
# grep -v AH02227 /var/log/httpd/foreman-ssl_error_ssl.log
#

Expected results:

No warnings if client certificate is not used for the given url.

Additional info:

/etc/httpd/conf.d/05-foreman-ssl.d/katello.conf sets "SSLUsername SSL_CLIENT_S_DN_CN" regardless of the Location, so it tries to read a client certificate's CN even for web browser access, which leads to this repeated warn-level logging.


#
# WARNING: THIS CONFIGURATION WAS GENERATED BY KATELLO-CONFIGURE TOOL,
# CHANGES WILL LIKELY BE OVERWRITTEN.
#

SSLUsername SSL_CLIENT_S_DN_CN

Alias /pub /var/www/html/pub
<Location /pub>
  PassengerEnabled off
  Options +FollowSymLinks +Indexes
</Location>

<LocationMatch /rhsm|/subscription|/katello/api>
  # if ssl_client_certa is present set the header, otherwise don't override
  # a reverse proxy may already be sending the cert through this header
  SetEnvIf SSL_CLIENT_CERT "^..*" client_cert_present=1
  RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" env=!client_cert_present
  SSLVerifyClient optional
  SSLRenegBufferSize 16777216
  SSLVerifyDepth 2

  # report to CLI and RHSM nicely when Katello is down
  ErrorDocument 500 '{"displayMessage": "Internal error, contact administrator", "errors": ["Internal error, contact administrator"], "status": "500" }'
  ErrorDocument 503 '{"displayMessage": "Service unavailable or restarting, try later", "errors": ["Service unavailable or restarting, try later"], "status": "503" }'
</LocationMatch>

KeepAlive On
MaxKeepAliveRequests 10000

This spamming of the logs is low severity, but can be misleading to the user and make actual errors less easily noticeable.
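A way to check a config file for the condition described in this report, added here as an example and not code from the reporter or from the Katello project: it flags any SSLUsername directive whose scope is not covered by an SSLVerifyClient setting. The function name and both sample configs are constructed; SCOPED is an assumed corrected layout, not the project's actual fix, and the check only sees the one file it is given.

```python
import re

# Constructed sample: trimmed from the katello.conf quoted in the report.
REPORTED = """\
SSLUsername SSL_CLIENT_S_DN_CN
Alias /pub /var/www/html/pub
<Location /pub>
  PassengerEnabled off
</Location>
<LocationMatch /rhsm|/subscription|/katello/api>
  SSLVerifyClient optional
  SSLVerifyDepth 2
</LocationMatch>
"""

# Constructed variant (an assumption, not the project's actual fix): the
# directive moved into the only section that requests a client certificate.
SCOPED = REPORTED.replace("SSLUsername SSL_CLIENT_S_DN_CN\n", "").replace(
    "  SSLVerifyClient optional\n",
    "  SSLVerifyClient optional\n  SSLUsername SSL_CLIENT_S_DN_CN\n")

OPEN = re.compile(r"<(Location|LocationMatch|Directory|Files)\b\s*([^>]*)>", re.I)
CLOSE = re.compile(r"</(Location|LocationMatch|Directory|Files)>", re.I)

def unscoped_ssl_username(conf):
    """Return (line_no, text) for each SSLUsername that also applies to
    requests for which no enclosing scope enables SSLVerifyClient."""
    stack, verify, usernames = [], [], []
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
        elif (m := OPEN.match(line)):
            stack.append(f"{m.group(1)} {m.group(2).strip()}")
        else:
            name, _, value = line.partition(" ")
            if name.lower() == "sslverifyclient" and value.strip().lower() != "none":
                verify.append(tuple(stack))          # scope that asks for a cert
            elif name.lower() == "sslusername":
                usernames.append((no, tuple(stack), line))
    # Covered only if a cert-requesting scope is the same as, or encloses, ours.
    return [(no, line) for no, scope, line in usernames
            if not any(scope[:len(v)] == v for v in verify)]

if __name__ == "__main__":
    print(unscoped_ssl_username(REPORTED), unscoped_ssl_username(SCOPED))
```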

Actions #1

Updated by Justin Sherrill over 7 years ago

  • Subject changed from Repeated SSL warnings in httpd logs to Repeated SSL warnings in httpd logs
  • Status changed from New to Assigned
  • Assignee set to Justin Sherrill
Actions #2

Updated by Justin Sherrill over 7 years ago

  • Target version set to 126
  • translation missing: en.field_release set to 162
  • Difficulty set to easy
Actions #3

Updated by Justin Sherrill over 7 years ago

  • Pull request https://github.com/Katello/puppet-pulp/pull/166 added
Actions #4

Updated by Justin Sherrill over 7 years ago

  • Status changed from Assigned to Closed
Actions #5

Updated by Klaas D about 7 years ago

Hi, I think you need to reopen this bug. You fixed it in pulp/templates/etc/httpd/conf.d/_ssl_vhost.conf.erb, but it's also in katello/templates/etc/httpd/conf.d/05-foreman-ssl.d/katello.conf.erb. In any case, I'm still seeing these kinds of error messages in Katello 3.2.3:

[Thu Jan 19 15:06:18.178268 2017] [ssl:warn] [pid 7414] [client 0.0.0.0:50109] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://[...]

Actions #6

Updated by Michael Schmidt about 7 years ago

Hi, for me the problem was in /etc/httpd/conf.d/05-foreman-ssl.d/katello.conf.
I additionally added the path |/pulp/repos to the LocationMatch,
for adding the client_cert.

Actions #7

Updated by Michael Schmidt about 7 years ago

Ignore my last message, it's a fail.

Actions #8

Updated by Justin Sherrill about 7 years ago

  • translation missing: en.field_release changed from 162 to 226
Actions #9

Updated by Justin Sherrill about 7 years ago

  • Status changed from Closed to Assigned
  • Target version changed from 126 to 169
Actions #10

Updated by Justin Sherrill about 7 years ago

  • Pull request https://github.com/Katello/puppet-katello/pull/169 added
Actions #11

Updated by Justin Sherrill about 7 years ago

  • Status changed from Assigned to Closed
Actions #12

Updated by Justin Sherrill almost 7 years ago

  • translation missing: en.field_release changed from 226 to 211

moving to 3.4.0 as there will not be an installer rebuild for 3.3.2
