larrabee / freeipa-password-reset

Self-service password reset app for FreeIPA
GNU General Public License v3.0

Password reset "Proxy Error" #25

Closed kbetsis closed 4 years ago

kbetsis commented 4 years ago

Hi, after resolving the Kerberos ticket access rights, the reset page ends with a Proxy Error, just like shown below:

In addition we see a lot of errors due to IPv6 connectivity attempts

Nov 14 15:00:07 secauth02 python: ipa: INFO: [try 1]: Forwarding 'user_show/1' to json server 'https://secauth02.security.pccwglobal.com/ipa/session/json'
Nov 14 15:00:07 secauth02 named-pkcs11[2233]: network unreachable resolving 'smpt.mailgun.org/A/IN': 2600:9000:5306:4e00::1#53
Nov 14 15:00:07 secauth02 named-pkcs11[2233]: network unreachable resolving 'smpt.mailgun.org/A/IN': 2600:9000:5300:8500::1#53
Nov 14 15:00:07 secauth02 named-pkcs11[2233]: network unreachable resolving 'smpt.mailgun.org/A/IN': 2600:9000:5302:4a00::1#53

When we try this from bash everything works OK.

[root@secauth02 ~]# nslookup
smtp.mailgun.com
Server: X.X.X.X
Address: X.X.X.X#53

Non-authoritative answer:
smtp.mailgun.com canonical name = smtp.mailgun.org.
Name: smtp.mailgun.org
Address: 3.82.80.86
Name: smtp.mailgun.org
Address: 52.45.160.225
Name: smtp.mailgun.org
Address: 35.170.180.73

Any suggestions?

larrabee commented 4 years ago

Hello. Check your bind settings. I think bind is trying to connect to the mailgun.com NS server over IPv6 when you do a request over IPv6. You can check this case with the command: dig -6 smtp.mailgun.com
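To triage the resolver side of this, here is an added example (not code from the issue or from the freeipa-password-reset project) that parses BIND's "network unreachable resolving" lines from a constructed log sample, counts how many unreachable upstreams are IPv6 versus IPv4, and checks whether the host has any global IPv6 route at all. The sample lines and the probe address are assumptions, not data from this thread.

```python
import ipaddress
import re
import socket
from collections import Counter

# Constructed sample, modelled on the named-pkcs11 lines in the issue (not real log data).
SAMPLE_LOG = """\
Nov 14 15:00:07 secauth02 python: ipa: INFO: [try 1]: Forwarding 'user_show/1' to json server 'https://ipa.example.test/ipa/session/json'
Nov 14 15:00:07 secauth02 named-pkcs11[2233]: network unreachable resolving 'smpt.mailgun.org/A/IN': 2600:9000:5306:4e00::1#53
Nov 14 15:00:07 secauth02 named-pkcs11[2233]: network unreachable resolving 'smpt.mailgun.org/A/IN': 2600:9000:5300:8500::1#53
Nov 14 15:00:08 secauth02 named-pkcs11[2233]: network unreachable resolving 'smpt.mailgun.org/A/IN': 2600:9000:5302:4a00::1#53
Nov 14 15:00:08 secauth02 named-pkcs11[2233]: network unreachable resolving 'ns.example.test/AAAA/IN': 192.0.2.10#53
"""

# Matches BIND's "network unreachable resolving '<name>/<type>/<class>': <server>#<port>" message.
UNREACHABLE_RE = re.compile(
    r"named(?:-pkcs11)?\[\d+\]: network unreachable resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/IN': (?P<server>[0-9a-fA-F.:]+)#\d+"
)

def parse_unreachable(log_text):
    """Return (qname, qtype, server_ip) tuples, one per unreachable-upstream event."""
    events = []
    for line in log_text.splitlines():
        m = UNREACHABLE_RE.search(line)
        if m:
            events.append((m["qname"], m["qtype"], ipaddress.ip_address(m["server"])))
    return events

def summarize(events):
    """Count unreachable upstreams by IP family so an IPv6-only pattern stands out."""
    by_family = Counter("IPv6" if ip.version == 6 else "IPv4" for _, _, ip in events)
    names = sorted({q for q, _, _ in events})
    return {"by_family": dict(by_family), "names": names}

def host_has_ipv6_route(probe="2001:4860:4860::8888"):
    """True if the kernel has a route to a global IPv6 address; UDP connect() sends no packet."""
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as s:
            s.connect((probe, 53))  # assumed probe address; only a routing lookup happens
        return True
    except OSError:  # ENETUNREACH or no IPv6 support at all
        return False

if __name__ == "__main__":
    ev = parse_unreachable(SAMPLE_LOG)
    print(summarize(ev))
    print("IPv6 route present:", host_has_ipv6_route())
```

If every unreachable upstream is IPv6 and the route check returns False, the fix is on the resolver (disable IPv6 transport in named, e.g. by running it IPv4-only) rather than in the app.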

kbetsis commented 4 years ago

We get IPv4 from the system:

(virtualenv) [root@secauth02 ldap-passwd-reset]# dig -6 smtp.mailgun.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -6 smtp.mailgun.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18706
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;smtp.mailgun.com. IN A

;; ANSWER SECTION:
smtp.mailgun.com. 300 IN CNAME smtp.mailgun.org.
smtp.mailgun.org. 60 IN A 52.34.36.243
smtp.mailgun.org. 60 IN A 52.37.231.98

;; AUTHORITY SECTION:
mailgun.org. 86295 IN NS ns-133.awsdns-16.com.
mailgun.org. 86295 IN NS ns-1614.awsdns-09.co.uk.
mailgun.org. 86295 IN NS ns-586.awsdns-09.net.
mailgun.org. 86295 IN NS ns-1482.awsdns-57.org.

;; ADDITIONAL SECTION:
ns-1482.awsdns-57.org. 86295 IN A 205.251.197.202

;; Query time: 37 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Nov 14 16:51:09 UTC 2019
;; MSG SIZE rcvd: 257

And this is the error from the app:

[Thu Nov 14 16:50:22.002210 2019] [proxy_http:error] [pid 13862] (70007)The timeout specified has expired: [client 192.168.121.130:61075] AH01102: error reading status line from remote server 127.0.0.1:8000, referer: https://secauth02.security.pccwglobal.com/reset/gettoken/
[Thu Nov 14 16:50:22.002319 2019] [proxy:error] [pid 13862] [client 192.168.121.130:61075] AH00898: Error reading from remote server returned by /reset/gettoken/, referer: https://secauth02.security.pccwglobal.com/reset/gettoken/
[Thu Nov 14 16:50:32.270996 2019] [:warn] [pid 14315] [client 192.168.121.158:47808] failed to set perms (3140) on file (/var/run/ipa/ccaches/ldap-passwd-reset@SECURITY.PCCWGLOBAL.COM)!, referer: https://secauth02.security.pccwglobal.com/ipa/xml
[Thu Nov 14 16:50:32.295118 2019] [:error] [pid 12744] ipa: INFO: [jsonserver_session] ldap-passwd-reset@SECURITY.PCCWGLOBAL.COM: ping(): SUCCESS
[Thu Nov 14 16:50:32.300849 2019] [:warn] [pid 14315] [client 192.168.121.158:47808] failed to set perms (3140) on file (/var/run/ipa/ccaches/ldap-passwd-reset@SECURITY.PCCWGLOBAL.COM)!, referer: https://secauth02.security.pccwglobal.com/ipa/xml
[Thu Nov 14 16:50:32.328481 2019] [:error] [pid 12745] ipa: INFO: [jsonserver_session] ldap-passwd-reset@SECURITY.PCCWGLOBAL.COM: user_show/1(u'testreset', all=True, version=u'2.231'): SUCCESS

kbetsis commented 4 years ago

BTW our FreeIPA installation is 4.6.5 if that makes a difference.

larrabee commented 4 years ago

Try to set the system resolver to 8.8.8.8 (you should change the file /etc/resolv.conf) and check the app.