Bug #16256

Repeated SSL warnings in httpd logs

Added by Stephen Benjamin almost 3 years ago. Updated 11 months ago.

Status: Closed
Priority: Low
Category: Installer
Target version:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1367162
Description of problem:

Any web UI page loads generate warnings like the following:

> /var/log/httpd/foreman-ssl_error_ssl.log <
[Mon Aug 15 09:25:47.939160 2016] [ssl:warn] [pid 2269] [client 10.13.57.116:52042] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://fusor.example.com/users/login
[Mon Aug 15 09:25:48.093272 2016] [ssl:warn] [pid 2269] [client 10.13.57.116:52042] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://fusor.example.com/hosts
[Mon Aug 15 09:25:48.093563 2016] [ssl:warn] [pid 2269] [client 10.13.57.116:52042] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://fusor.example.com/hosts

Version-Release number of selected component (if applicable):

satellite-6.2.0-21.2.el7sat.noarch
foreman-installer-1.11.0.9-1.el7sat.noarch

How reproducible:

100%

Steps to Reproduce:
1.) After navigating to any page in the web UI, view /var/log/httpd/foreman-ssl_error_ssl.log

Actual results:

Repeated "AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN'" warnings spamming the httpd logs:


# ll /var/log/httpd/foreman-ssl_error_ssl.log*
-rw-r--r--. 1 root root 78672 Aug 15 12:48 /var/log/httpd/foreman-ssl_error_ssl.log
-rw-r--r--. 1 root root 1101416 Aug 12 19:01 /var/log/httpd/foreman-ssl_error_ssl.log-20160814
# grep -v AH02227 /var/log/httpd/foreman-ssl_error_ssl.log
#
----

Expected results:

No warnings if client certificate is not used for the given url.

Additional info:

/etc/httpd/conf.d/05-foreman-ssl.d/katello.conf sets "SSLUsername SSL_CLIENT_S_DN_CN" regardless of the Location, so it tries to read a client certificate's CN even for web browser access, which leads to this repeated warn-level logging.


#
# WARNING: THIS CONFIGURATION WAS GENERATED BY KATELLO-CONFIGURE TOOL,
# CHANGES WILL LIKELY BE OVERWRITTEN.
#

SSLUsername SSL_CLIENT_S_DN_CN

Alias /pub /var/www/html/pub
<Location /pub>
  PassengerEnabled off
  Options +FollowSymLinks +Indexes
</Location>

<LocationMatch /rhsm|/subscription|/katello/api>
  # if ssl_client_certa is present set the header, otherwise don't override
  # a reverse proxy may already be sending the cert through this header
  SetEnvIf SSL_CLIENT_CERT "^..*" client_cert_present=1
  RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" env=!client_cert_present
  SSLVerifyClient optional
  SSLRenegBufferSize 16777216
  SSLVerifyDepth 2

  # report to CLI and RHSM nicely when Katello is down
  ErrorDocument 500 '{"displayMessage": "Internal error, contact administrator", "errors": ["Internal error, contact administrator"], "status": "500" }'
  ErrorDocument 503 '{"displayMessage": "Service unavailable or restarting, try later", "errors": ["Service unavailable or restarting, try later"], "status": "503" }'
</LocationMatch>

KeepAlive On
MaxKeepAliveRequests 10000
----

This spamming of the logs is low severity, but can be misleading to the user and make actual errors less easily noticeable.
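The `grep -v AH02227` check from the report, extended into a small triage script that measures how much of the error log the warning consumes, which referers trigger it, and what is left once it is set aside. This is an added example, not part of the original report or of the Foreman/Katello code; the sample lines are constructed (three warnings in the report's format, one made-up `AH01630` error, one unparseable line).

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache 2.4 error-log layout as shown in the report; tid is optional.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid \d+(?::tid \d+)?\] (?:\[client (?P<client>[^\]]+)\] )?"
    r"(?:(?P<code>AH\d{5}): )?(?P<msg>.*)$"
)
REFERER_RE = re.compile(r", referer: (\S+)$")
NOISE_CODE = "AH02227"  # "Failed to set r->user to ..." warning from the report


def triage(lines, noise_code=NOISE_CODE):
    """Separate the known-noise warning from everything else in an error log."""
    noise_by_referer = Counter()
    remaining, unparsed = [], []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)  # keep what cannot be parsed, never drop it
        elif m["code"] == noise_code:
            ref = REFERER_RE.search(m["msg"])
            path = (urlsplit(ref.group(1)).path or "/") if ref else "(no referer)"
            noise_by_referer[path] += 1
        else:
            remaining.append((m["level"], m["code"], m["msg"]))
    noise = sum(noise_by_referer.values())
    total = noise + len(remaining) + len(unparsed)
    return {"noise_by_referer": dict(noise_by_referer),
            "noise_share": noise / total if total else 0.0,
            "remaining": remaining, "unparsed": unparsed}


# Constructed sample input (not taken from a real system).
_W = ("[Mon Aug 15 09:25:48.093272 2016] [ssl:warn] [pid 2269] "
      "[client 10.13.57.116:52042] AH02227: Failed to set r->user to "
      "'SSL_CLIENT_S_DN_CN', referer: https://fusor.example.com")
SAMPLE = [
    _W + "/users/login", _W + "/hosts", _W + "/hosts",
    "[Mon Aug 15 09:25:49.000000 2016] [authz_core:error] [pid 2269] "
    "[client 10.13.57.116:52042] AH01630: client denied by server "
    "configuration: /var/www/html/pub/example",
    "free-form line that is not in error-log format",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Note that the error log records the referer, not the requested path, so the grouping shows which pages were being browsed when the warning fired rather than which URL raised it.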

Associated revisions

Revision 0ae1d294 (diff)
Added by Justin Sherrill about 2 years ago

Fixes #16256 - only use SSLUsername for /pulp/api

History

#1 Updated by Justin Sherrill over 2 years ago

  • Subject changed from Repeated SSL warnings in httpd logs to Repeated SSL warnings in httpd logs
  • Status changed from New to Assigned
  • Assignee set to Justin Sherrill

#2 Updated by Justin Sherrill over 2 years ago

  • Target version set to 126
  • Legacy Backlogs Release (now unused) set to 162
  • Difficulty set to easy

#3 Updated by Justin Sherrill over 2 years ago

  • Pull request https://github.com/Katello/puppet-pulp/pull/166 added

#4 Updated by Justin Sherrill over 2 years ago

  • Status changed from Assigned to Closed

#5 Updated by Klaas D over 2 years ago

Hi, I think you need to reopen this bug: you fixed it in pulp/templates/etc/httpd/conf.d/_ssl_vhost.conf.erb but it's also in katello/templates/etc/httpd/conf.d/05-foreman-ssl.d/katello.conf.erb. In any case, I'm still seeing this kind of error message in katello 3.2.3:
[Thu Jan 19 15:06:18.178268 2017] [ssl:warn] [pid 7414] [client 0.0.0.0:50109] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://[...]

#6 Updated by Michael Schmidt over 2 years ago

Hi, in my case the problem was in /etc/httpd/conf.d/05-foreman-ssl.d/katello.conf.
I additionally added the path |/pulp/repos to the LocationMatch
for adding the client_cert.

#7 Updated by Michael Schmidt over 2 years ago

Ignore my last message, it's a fail.

#8 Updated by Justin Sherrill about 2 years ago

  • Legacy Backlogs Release (now unused) changed from 162 to 226

#9 Updated by Justin Sherrill about 2 years ago

  • Status changed from Closed to Assigned
  • Target version changed from 126 to 169

#10 Updated by Justin Sherrill about 2 years ago

  • Pull request https://github.com/Katello/puppet-katello/pull/169 added

#11 Updated by Justin Sherrill about 2 years ago

  • Status changed from Assigned to Closed

#12 Updated by Justin Sherrill about 2 years ago

  • Legacy Backlogs Release (now unused) changed from 226 to 211

moving to 3.4.0 as there will not be an installer rebuild for 3.3.2
