ansible / awx

AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is one of the upstream projects for Red Hat Ansible Automation Platform.

LDAP connection fails #7589

Open AdrianDutu opened 4 years ago

AdrianDutu commented 4 years ago
ISSUE TYPE
SUMMARY

LDAP integration fails because of certificate validation. I have on my awx hosts the certificates in /etc/pki/ca-trust/source/anchors. This dir is mounted and if I check the containers I can see the certificates there. If I do an ldapsearch from the hosts, it successfully connects and retrieves the data.

But if I try to login to awx with an ldap user I see in the logs:

  2020-07-09 10:23:19,088 DEBUG django_auth_ldap Initiating TLS
  2020-07-09 10:23:19,111 WARNING django_auth_ldap Caught LDAPError while authenticating a.addu01: SERVER_DOWN({'desc': "Can't contact LDAP server", 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)'},)
  2020-07-09 10:23:19,118 WARNING awx.api.generics Login failed for user a.addu01 from 10.244.0.1
  2020-07-09 10:23:19,126 WARNING django.request Unauthorized: /api/login/
  2020-07-09 10:23:19,126 WARNING django.request Unauthorized: /api/login/

ENVIRONMENT
STEPS TO REPRODUCE
  1. Configure the LDAP integration
  2. Try to login with ldap user
EXPECTED RESULTS

Login successful.

ACTUAL RESULTS

Connectivity to the ldap server fails with cert validation.

ADDITIONAL INFORMATION

I'm not sure if this is related, but I also see a lot of these errors in the awx-web logs:

  2020-07-09 10:23:23,150 ERROR django.security.DisallowedHost Invalid HTTP_HOST header: '_:443'. The domain name provided is not valid according to RFC 1034/1035.
  2020-07-09 10:23:23,156 WARNING django.request Bad Request: /
  2020-07-09 10:23:23,156 WARNING django.request Bad Request: /
  [pid: 85|app: 0|req: 329/1643] 10.244.0.1 () {28 vars in 288 bytes} [Thu Jul 9 10:23:23 2020] GET / => generated 3884 bytes in 43 msecs ( 400) 4 headers in 155 bytes (1 switches on core 0)
  10.244.0.1 - - [09/Jul/2020:10:23:23 +0000] "GET /" 400 3884 "-" "-" "-"
  2020-07-09 10:23:26,311 ERROR django.security.DisallowedHost Invalid HTTP_HOST header: '_:443'. The domain name provided is not valid according to RFC 1034/1035.
  2020-07-09 10:23:26,318 WARNING django.request Bad Request: /
  2020-07-09 10:23:26,318 WARNING django.request Bad Request: /

ryanpetrello commented 4 years ago

@AdrianDutu it looks like you've reported similar issues before?

https://github.com/ansible/awx/issues/5324

Given SSL routines:tls_process_server_certificate:certificate verify failed, it could also be a duplicate/symptom of something like this?

https://github.com/ansible/awx/issues/6039

ghost commented 4 years ago

It seems you are using a self-signed CA from the LDAP server. Make sure all intermediaries (if any) are in the certificate file. Also make sure you set, in the AWX LDAP configuration, the exact LDAP server hostname which is specified in the certificate. We had problems with this as the people making those self-signed certs do not put in proper names (e.g. use ldap-server.local or ldap.server etc.; see PR #7575 for a fix with the docker-compose install method).

The error messages are not always very clear. We found the "SERVER_DOWN/Can't contact LDAP Server" error in the log does not always indicate a network connection problem, but might point to problems with the CA certificate. Additionally I think I read somewhere that with the K8s install update-ca-certificates is not called automatically, so the mounted cert is not added to the trust bundle (I might confuse things here, but it might be worthwhile to check).
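The diagnosis in this thread is that the SERVER_DOWN error hides a certificate-trust problem, and that the three things to check are the CA in the container's trust bundle, the intermediates in the chain file, and the hostname in the AWX LDAP server URI versus the certificate. The script below is an added example, not AWX or django-auth-ldap code: it scans django_auth_ldap log lines of the form quoted in the issue, pulls the libldap/OpenSSL `info` text out of the SERVER_DOWN error and maps it to one of those three checks, and flags the DisallowedHost lines as a separate Host header problem. The sample log is constructed (the first lines are modelled on the issue's, the `j.doe` lines and the hostname-mismatch wording are invented to show the other two cases), and the labels such as `untrusted-ca` are this script's own names.

```python
"""Triage django_auth_ldap / AWX log lines for LDAP TLS failures (added example)."""
import re
from dataclasses import dataclass

# Matches the django_auth_ldap warning quoted in the issue, e.g.
#   ... Caught LDAPError while authenticating a.addu01: SERVER_DOWN({...},)
LDAP_ERR_RE = re.compile(
    r"django_auth_ldap Caught LDAPError while authenticating (?P<user>\S+): "
    r"(?P<code>[A-Z_]+)\("
)
# The 'info' field inside the python-ldap error dict carries the TLS reason.
INFO_RE = re.compile(r"'info': '(?P<info>[^']*)'")
# Django's ALLOWED_HOSTS rejection, also quoted in the issue.
DISALLOWED_RE = re.compile(
    r"django\.security\.DisallowedHost Invalid HTTP_HOST header: '(?P<host>[^']*)'"
)


@dataclass
class Finding:
    user: str   # LDAP user being authenticated ("-" for non-LDAP events)
    label: str  # short cause label chosen by this script
    hint: str   # what to check, following the diagnosis given in the issue comments


def classify_tls_info(info):
    """Map the libldap/OpenSSL 'info' text of a SERVER_DOWN error to a likely cause."""
    text = info.lower()
    if "self signed certificate in certificate chain" in text:
        return ("untrusted-ca",
                "the chain ends in a CA the awx container does not trust; confirm the CA file "
                "is present inside the container and that update-ca-trust / "
                "update-ca-certificates was actually run there")
    if "unable to get local issuer certificate" in text:
        return ("missing-intermediate",
                "an issuer in the chain could not be found; include every intermediate CA "
                "in the certificate file")
    if "hostname" in text and "does not match" in text:
        return ("hostname-mismatch",
                "the LDAP server URI in the AWX LDAP configuration must use the exact "
                "hostname (CN or SAN) written into the server certificate")
    return ("unclassified",
            "no known TLS reason in 'info'; treat SERVER_DOWN as a plain connectivity "
            "problem only after the certificate checks are ruled out")


def triage(log_text):
    """Return one Finding per LDAP error or DisallowedHost line, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LDAP_ERR_RE.search(line)
        if m:
            info = INFO_RE.search(line)
            label, hint = classify_tls_info(info.group("info") if info else "")
            findings.append(Finding(m.group("user"), label, hint))
            continue
        d = DISALLOWED_RE.search(line)
        if d:
            findings.append(Finding(
                "-", "django-allowed-hosts",
                f"Django rejected the HTTP Host header {d.group('host')!r} (ALLOWED_HOSTS "
                "check); this is a reverse-proxy / Host header issue, separate from the "
                "LDAP TLS failure"))
    return findings


# Constructed sample log: first lines modelled on the issue, the j.doe lines invented.
SAMPLE_LOG = """\
2020-07-09 10:23:19,088 DEBUG django_auth_ldap Initiating TLS
2020-07-09 10:23:19,111 WARNING django_auth_ldap Caught LDAPError while authenticating a.addu01: SERVER_DOWN({'desc': "Can't contact LDAP server", 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)'},)
2020-07-09 10:23:19,118 WARNING awx.api.generics Login failed for user a.addu01 from 10.244.0.1
2020-07-09 10:23:23,150 ERROR django.security.DisallowedHost Invalid HTTP_HOST header: '_:443'. The domain name provided is not valid according to RFC 1034/1035.
2020-07-09 10:23:40,000 WARNING django_auth_ldap Caught LDAPError while authenticating j.doe: SERVER_DOWN({'desc': "Can't contact LDAP server", 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)'},)
2020-07-09 10:23:41,000 WARNING django_auth_ldap Caught LDAPError while authenticating j.doe: SERVER_DOWN({'desc': "Can't contact LDAP server", 'info': 'TLS: hostname does not match CN in peer certificate'},)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.user:10} {f.label:22} {f.hint}")
```

Run it against `kubectl logs` or `docker logs` output of the awx-web/awx-task containers piped into `triage()`; a SERVER_DOWN that classifies as anything other than `unclassified` is a certificate problem to fix in the container's trust store or the LDAP server URI, not a firewall problem.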