Bug #16256

closed

Repeated SSL warnings in httpd logs

Added by Stephen Benjamin over 8 years ago. Updated over 6 years ago.

Status: Closed
Priority: Low
Category: Installer
Target version:
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1367162
Description of problem:

Any web UI page load generates warnings like the following:

==> /var/log/httpd/foreman-ssl_error_ssl.log <==
[Mon Aug 15 09:25:47.939160 2016] [ssl:warn] [pid 2269] [client 10.13.57.116:52042] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://fusor.example.com/users/login
[Mon Aug 15 09:25:48.093272 2016] [ssl:warn] [pid 2269] [client 10.13.57.116:52042] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://fusor.example.com/hosts
[Mon Aug 15 09:25:48.093563 2016] [ssl:warn] [pid 2269] [client 10.13.57.116:52042] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://fusor.example.com/hosts

Version-Release number of selected component (if applicable):

satellite-6.2.0-21.2.el7sat.noarch
foreman-installer-1.11.0.9-1.el7sat.noarch

How reproducible:

100%

Steps to Reproduce:
1.) After navigating to any page in the web UI, view /var/log/httpd/foreman-ssl_error_ssl.log

Actual results:

Repeated "AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN'" warnings spamming the httpd logs:


# ll /var/log/httpd/foreman-ssl_error_ssl.log*
-rw-r--r--. 1 root root 78672 Aug 15 12:48 /var/log/httpd/foreman-ssl_error_ssl.log
-rw-r--r--. 1 root root 1101416 Aug 12 19:01 /var/log/httpd/foreman-ssl_error_ssl.log-20160814
# grep -v AH02227 /var/log/httpd/foreman-ssl_error_ssl.log
#
----

Expected results:

No warnings if a client certificate is not used for the given URL.

Additional info:

/etc/httpd/conf.d/05-foreman-ssl.d/katello.conf sets "SSLUsername SSL_CLIENT_S_DN_CN" regardless of the Location, so it tries to read a client certificate's CN even for web browser access, which leads to this repeated warn-level logging.


#
# WARNING: THIS CONFIGURATION WAS GENERATED BY KATELLO-CONFIGURE TOOL,
# CHANGES WILL LIKELY BE OVERWRITTEN.
#

SSLUsername SSL_CLIENT_S_DN_CN

Alias /pub /var/www/html/pub
<Location /pub>
  PassengerEnabled off
  Options +FollowSymLinks +Indexes
</Location>

<LocationMatch /rhsm|/subscription|/katello/api>
  # if ssl_client_certa is present set the header, otherwise don't override
  # a reverse proxy may already be sending the cert through this header
  SetEnvIf SSL_CLIENT_CERT "^..*" client_cert_present=1
  RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" env=!client_cert_present
  SSLVerifyClient optional
  SSLRenegBufferSize 16777216
  SSLVerifyDepth 2

  # report to CLI and RHSM nicely when Katello is down
  ErrorDocument 500 '{"displayMessage": "Internal error, contact administrator", "errors": ["Internal error, contact administrator"], "status": "500" }'
  ErrorDocument 503 '{"displayMessage": "Service unavailable or restarting, try later", "errors": ["Service unavailable or restarting, try later"], "status": "503" }'
</LocationMatch>

KeepAlive On
MaxKeepAliveRequests 10000
----

This spamming of the logs is low severity, but can be misleading to the user and make actual errors less easily noticeable.
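
One way to keep real errors visible while the warning persists, as an added example that is not part of the original report or of Foreman/Katello: it collapses AH02227 lines into a count and passes every other line through untouched. The function names, the third sample line and its AH99999 code are constructed for illustration.

```python
import re
from collections import Counter

# Apache 2.4 error-log line in the shape shown in the report:
# [timestamp] [module:level] [pid N] [client ip:port] AHnnnnn: message[, referer: url]
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]*):(?P<level>[^\]]+)\]"
    r" \[pid (?P<pid>\d+)(?::tid \d+)?\]"
    r"(?: \[client (?P<client>[^\]]+)\])?"
    r" (?:(?P<code>AH\d{5}): )?(?P<msg>.*?)(?:, referer: (?P<referer>\S+))?$"
)

def parse(line):
    """Return the fields of one error-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines, noisy_codes=("AH02227",)):
    """Collapse known-noisy codes into counts; return everything else verbatim."""
    noise = Counter()
    remaining = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse(line)
        if rec and rec["code"] in noisy_codes:
            # The referer is dropped from the key so identical warnings merge.
            noise[(rec["code"], rec["msg"])] += 1
        else:
            # Unparsed or unexpected lines are kept, never silently dropped.
            remaining.append(line.rstrip("\n"))
    return noise, remaining

# Sample input: two lines from the report plus one constructed error line.
SAMPLE = """\
[Mon Aug 15 09:25:47.939160 2016] [ssl:warn] [pid 2269] [client 10.13.57.116:52042] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://fusor.example.com/users/login
[Mon Aug 15 09:25:48.093272 2016] [ssl:warn] [pid 2269] [client 10.13.57.116:52042] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://fusor.example.com/hosts
[Mon Aug 15 09:26:01.000000 2016] [ssl:error] [pid 2269] [client 192.0.2.10:40000] AH99999: constructed example error (not a real Apache message)
""".splitlines()

if __name__ == "__main__":
    noise, remaining = summarize(SAMPLE)
    for (code, msg), count in noise.items():
        print(f"{count:6d} x {code}: {msg}")
    print("\n".join(remaining))
```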
