cloudfoundry / cli

The official command line client for Cloud Foundry
https://docs.cloudfoundry.org/cf-cli
Apache License 2.0

cf login --server error,status code 400 #862

Closed zhangmingld closed 8 years ago

zhangmingld commented 8 years ago

Command

cf login --skip-ssl-validation -a http://api.mybosh.com login -u admin -p c1oudc0w

CLI Version

6.19.0+b29b4e0-2016-06-08

Error

server error,statuscode:400 error code: message:

Does that mean a wrong password? Or does the API have errors?

cf-gitbot commented 8 years ago

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/121722775

The labels on this github issue will be updated when the story is started.

dkoper commented 8 years ago

Hi @zhangmingld

It means the API endpoint is not returning any user-friendly error message for the CLI to show to you. It is not likely due to a wrong password. You could try to run the same command with -v to see the API server's raw response to see if there is a message in there that the CLI failed to print, and also to check which API call the server responded to with a 400, and whether it was talking to the Cloud Controller or UAA. Otherwise, you could try https instead of http in the API endpoint URL (I noticed you use --skip-ssl-validation but there is no SSL anyway if you don't use the https protocol in the URL).

Regards, Dies Koper CF CLI PM

dkoper commented 8 years ago

Closing as we've provided as many suggestions as we can with the info provided. Feel free to reopen or submit a new issue with the output of all steps above for us to dig deeper.

mponce commented 8 years ago

I'm facing this error with cf-release 237 and 238 deployed on OpenStack (kilo). Here is some debugging information:

ubuntu@bosh-cli:~$ bosh stemcells
RSA 1024 bit CA certificates are loaded due to old openssl compatibility
Acting as user 'admin' on 'my-bosh'

+-------------------------------------------+---------------+---------+--------------------------------------+
| Name                                      | OS            | Version | CID                                  |
+-------------------------------------------+---------------+---------+--------------------------------------+
| bosh-openstack-kvm-ubuntu-trusty-go_agent | ubuntu-trusty | 3262.2* | 7cd94e9e-8f52-4035-9729-550e649e956b |
+-------------------------------------------+---------------+---------+--------------------------------------+

(*) Currently in-use

Stemcells total: 1

ubuntu@bosh-cli:~$ bosh releases
RSA 1024 bit CA certificates are loaded due to old openssl compatibility
Acting as user 'admin' on 'my-bosh'

+------+------------+-------------+
| Name | Versions   | Commit Hash |
+------+------------+-------------+
| cf   | 237+dev.1* | 67b9709b    |
+------+------------+-------------+
(*) Currently deployed

Releases total: 1

All the vms in the deployment are running:

ubuntu@bosh-cli:~$ bosh vms
RSA 1024 bit CA certificates are loaded due to old openssl compatibility
Acting as user 'admin' on 'my-bosh'
Deployment 'my-cloud'

Director task 1107

Task 1107 done

+---------------------------------------------------------------------------+---------+-----+-----------+---------------+
| VM                                                                        | State   | AZ  | VM Type   | IPs           |
+---------------------------------------------------------------------------+---------+-----+-----------+---------------+
| api_z1/0 (4df8427b-3508-451e-9d44-628d1cc81759)                           | running | n/a | large_z1  | 192.168.X.X   |
| blobstore_z1/0 (e4420585-b8a6-4743-a95a-5ea3d9975b5a)                     | running | n/a | medium_z1 | 192.168.X.X   |
| consul_z1/0 (1542fca8-2311-41ad-9bb6-11d9c8313353)                        | running | n/a | small_z1  | 192.168.X.X   |
| doppler_z1/0 (054a8863-51e2-4f0d-9dfd-b2960705fbe2)                       | running | n/a | medium_z1 | 192.168.X.X   |
| etcd_z1/0 (e830cd60-e3dd-4199-a5ea-dbfc32d72592)                          | running | n/a | medium_z1 | 192.168.X.X   |
| ha_proxy_z1/0 (aa7e6c7e-926e-4580-a589-3f3ebf8967de)                      | running | n/a | router_z1 | 192.168.X.X   |
|                                                                           |         |     |           | 10.20.X.X     |
| hm9000_z1/0 (bf3a4914-5bab-4ec2-a862-838c3cf849c4)                        | running | n/a | medium_z1 | 192.168.X.X   |
| loggregator_trafficcontroller_z1/0 (53bf79c3-88d3-4906-bba6-366dab62e300) | running | n/a | small_z1  | 192.168.X.X   |
| nats_z1/0 (4fd11cca-c20d-4d22-8163-312aa9e92c44)                          | running | n/a | medium_z1 | 192.168.X.X   |
| postgres_z1/0 (8ab06f5a-dfe5-4018-9c9f-0ca8a9bc1fb6)                      | running | n/a | medium_z1 | 192.168.X.X   |
| router_z1/0 (3efde4f8-24e0-4188-b6f0-f9bc1a530697)                        | running | n/a | router_z1 | 192.168.X.X   |
| runner_z1/0 (eae514bb-6b77-480e-82da-2641f3bb9ff2)                        | running | n/a | runner_z1 | 192.168.X.X   |
| stats_z1/0 (edd899b0-7959-46d0-b47a-9fda54f8e876)                         | running | n/a | small_z1  | 192.168.X.X   |
| uaa_z1/0 (cb0c72f4-d481-4712-9cd9-ce6e1688be13)                           | running | n/a | medium_z1 | 192.168.X.X   |
+---------------------------------------------------------------------------+---------+-----+-----------+---------------+

VMs total: 14

However, when I try to log in using cf login, the uaa service complains with the error: ssl: HTTP Status 400 - request must be over https

ubuntu@bosh-cli:~$ CF_TRACE=true cf api https://api.example.com --skip-ssl-validation
Setting api endpoint to https://api.example.com...

REQUEST: [2016-07-09T16:16:36Z]
GET /v2/info HTTP/1.1
Host: api.example.com
Accept: application/json
Content-Type: application/json
User-Agent: go-cli 6.20.0+25b1961 / linux

RESPONSE: [2016-07-09T16:16:36Z]
HTTP/1.1 200 OK
Content-Length: 550
Content-Type: application/json;charset=utf-8
Date: Sat, 09 Jul 2016 16:17:38 GMT
Server: nginx
X-Content-Type-Options: nosniff
X-Vcap-Request-Id: f8434b24-8885-4499-495c-08bc65349485
X-Vcap-Request-Id: f8434b24-8885-4499-495c-08bc65349485::0ffd9d20-375d-4305-a7e1-d30c6d96c467

{"name":"","build":"","support":"http://support.cloudfoundry.com","version":0,"description":"","authorization_endpoint":"http://login.example.com","token_endpoint":"https://uaa.example.com","min_cli_version":null,"min_recommended_cli_version":null,"api_version":"2.56.0","app_ssh_endpoint":"ssh.example.com:2222","app_ssh_host_key_fingerprint":null,"app_ssh_oauth_client":"ssh-proxy","logging_endpoint":"wss://loggregator.example.com:4443","doppler_logging_endpoint":"wss://doppler.example.com:4443"}
OK

API endpoint:   https://api.example.com (API version: 2.56.0)
Not logged in. Use 'cf login' to log in.
ubuntu@bosh-cli:~$ CF_TRACE=true cf login
API endpoint: https://api.example.com

REQUEST: [2016-07-09T16:17:40Z]
GET /v2/info HTTP/1.1
Host: api.example.com
Accept: application/json
Content-Type: application/json
User-Agent: go-cli 6.20.0+25b1961 / linux

RESPONSE: [2016-07-09T16:17:40Z]
HTTP/1.1 200 OK
Content-Length: 550
Content-Type: application/json;charset=utf-8
Date: Sat, 09 Jul 2016 16:18:43 GMT
Server: nginx
X-Content-Type-Options: nosniff
X-Vcap-Request-Id: 3c4df495-66a2-4c81-7040-55f6464d75ab
X-Vcap-Request-Id: 3c4df495-66a2-4c81-7040-55f6464d75ab::9af417a1-5b19-473e-a5ad-0968bc0ab7b0

{"name":"","build":"","support":"http://support.cloudfoundry.com","version":0,"description":"","authorization_endpoint":"http://login.example.com","token_endpoint":"https://uaa.example.com","min_cli_version":null,"min_recommended_cli_version":null,"api_version":"2.56.0","app_ssh_endpoint":"ssh.example.com:2222","app_ssh_host_key_fingerprint":null,"app_ssh_oauth_client":"ssh-proxy","logging_endpoint":"wss://loggregator.example.com:4443","doppler_logging_endpoint":"wss://doppler.example.com:4443"}

REQUEST: [2016-07-09T16:17:40Z]
GET /login HTTP/1.1
Host: login.example.com
Accept: application/json
Content-Type: application/json
User-Agent: go-cli 6.20.0+25b1961 / linux

REQUEST: [2016-07-09T16:17:40Z]
GET /login HTTP/0.0
Host: login.example.com
Accept: application/json
Referer: http://login.example.com/login
User-Agent: go-cli 6.20.0+25b1961 / linux

RESPONSE: [2016-07-09T16:17:40Z]
HTTP/1.1 200 OK
Content-Length: 471
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Cache-Control: no-store
Content-Language: en-US
Content-Type: application/json;charset=UTF-8
Date: Sat, 09 Jul 2016 16:18:54 GMT
Expires: 0
Pragma: no-cache
Server: Apache-Coyote/1.1
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Vcap-Request-Id: 1fe26828-6c47-4ee3-46a3-0972c69fb00f
X-Xss-Protection: 1; mode=block

{"app":{"version":"3.3.0.1"},"links":{"uaa":"https://uaa.example.com","passwd":"https://console.example.com/password_resets/new","login":"https://login.example.com","register":"https://console.example.com/register"},"zone_name":"uaa","entityID":"login.example.com","commit_id":"5c23774","idpDefinitions":{},"prompts":{"username":["text","Email"],"password":["password","Password"]},"timestamp":"2016-05-04T21:17:48+0000"}

Email> admin

Password>
Authenticating...

REQUEST: [2016-07-09T16:17:48Z]
POST /oauth/token HTTP/1.1
Host: login.example.com
Accept: application/json
Authorization: [PRIVATE DATA HIDDEN]
Content-Type: application/x-www-form-urlencoded
User-Agent: go-cli 6.20.0+25b1961 / linux

grant_type=password&password=[PRIVATE DATA HIDDEN]&scope=&username=admin

RESPONSE: [2016-07-09T16:17:48Z]
HTTP/1.1 400 Bad Request
Content-Length: 1086
Content-Language: en
Content-Type: text/html;charset=utf-8
Date: Sat, 09 Jul 2016 16:19:02 GMT
Server: Apache-Coyote/1.1
X-Vcap-Request-Id: ec64ab35-e8c8-413c-4a0d-157f4662583c

<html><head><title>Apache Tomcat/7.0.61 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 400 - {&quot;error&quot;: &quot;request must be over https&quot;}</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>{&quot;error&quot;: &quot;request must be over https&quot;}</u></p><p><b>description</b> <u>The request sent by the client was syntactically incorrect.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.61</h3></body></html>
Server error, status code: 400, error code: , message:

Password> 
ubuntu@bosh-cli:~$

I tried setting require_https: false in uaa.yml, but then I face a 404 not found error: the router complains that the login.example.com route is not found, even when route registrar is working fine and announcing the routes to the nats service.

Another thing I tried is enabling SSL in the router, but again I face the route 404 not found error.

Services running in the ha_proxy, router, uaa and api VMs:

ha_proxy_z1:

The Monit daemon 5.2.5 uptime: 14h 30m

Process 'consul_template'           running
File 'haproxy_config'               accessible
Process 'haproxy'                   running
Process 'metron_agent'              running
Process 'consul_agent'              running
System 'system_localhost'           running

router_z1:

The Monit daemon 5.2.5 uptime: 14h 15m

Process 'consul_agent'              running
Process 'gorouter'                  running
Process 'metron_agent'              running
System 'system_localhost'           running

uaa_z1:

The Monit daemon 5.2.5 uptime: 14h 21m

Process 'uaa'                       running
Process 'metron_agent'              running
Process 'consul_agent'              running
Process 'route_registrar'           running
Process 'statsd-injector'           running
System 'system_localhost'           running

api_z1:

The Monit daemon 5.2.5 uptime: 14h 22m

Process 'consul_agent'              running
Process 'cloud_controller_ng'       running
Process 'cloud_controller_worker_local_1' running
Process 'cloud_controller_worker_local_2' running
Process 'nginx_cc'                  running
Process 'cloud_controller_migration' running
Process 'cloud_controller_clock'    running
Process 'cloud_controller_worker_1' running
Process 'metron_agent'              running
Process 'statsd-injector'           running
Process 'route_registrar'           running
System 'system_localhost'           running

jessehu commented 7 years ago

I met the same issue as @mponce. Any suggestions? I'm using the latest cf-247 release.

mponce commented 7 years ago

Hi @jessehu,

This could be happening because the uaa expects requests over https. Check if this is enabled in the properties:

properties.login.protocol = https
properties.cc.external_protocol = https

See issue https://github.com/cloudfoundry/cli/issues/884

Regards, Mario Ponce
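The mismatch visible in the trace above, as an added Python example that is not part of the original thread or of the cf CLI: `/v2/info` advertises `authorization_endpoint` as `http://`, so the password grant is sent without TLS and UAA refuses it with an HTML error page the CLI cannot parse. The function names and the trimmed sample inputs are constructed for illustration; the endpoint keys and the error text are taken from the trace.

```python
import html
import json
import re
from urllib.parse import urlsplit

# Endpoint keys as they appear in the /v2/info response in the trace above.
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint",
                 "logging_endpoint", "doppler_logging_endpoint")
ENCRYPTED_SCHEMES = {"https", "wss"}

def plaintext_endpoints(info_body: str) -> dict:
    """Return {key: url} for advertised endpoints that are not https/wss."""
    info = json.loads(info_body)
    flagged = {}
    for key in ENDPOINT_KEYS:
        url = info.get(key)
        if url and urlsplit(url).scheme.lower() not in ENCRYPTED_SCHEMES:
            flagged[key] = url
    return flagged

def tomcat_error_message(body: str):
    """Pull the UAA JSON error out of a Tomcat HTML error page, if present."""
    match = re.search(r"<b>message</b>\s*<u>(.*?)</u>", body, re.S)
    if not match:
        return None
    text = html.unescape(match.group(1))
    try:
        return json.loads(text).get("error")
    except (ValueError, AttributeError):
        return text  # message was not a JSON object: return it unparsed

# Constructed samples, trimmed from the trace above (hosts as posted).
SAMPLE_INFO = json.dumps({
    "authorization_endpoint": "http://login.example.com",
    "token_endpoint": "https://uaa.example.com",
    "logging_endpoint": "wss://loggregator.example.com:4443",
    "doppler_logging_endpoint": "wss://doppler.example.com:4443",
})
SAMPLE_400 = ("<html><body><h1>HTTP Status 400 - {&quot;error&quot;: "
              "&quot;request must be over https&quot;}</h1><p><b>message</b> "
              "<u>{&quot;error&quot;: &quot;request must be over https&quot;}"
              "</u></p></body></html>")

if __name__ == "__main__":
    for key, url in plaintext_endpoints(SAMPLE_INFO).items():
        print(f"{key} is advertised without TLS: {url}")
    print("UAA said:", tomcat_error_message(SAMPLE_400))
```

With `properties.login.protocol = https` applied, the same check on the new `/v2/info` body should return an empty result.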

jessehu commented 7 years ago

Thanks @mponce. It solves my problem.