Cannot access the server manager

ssl
v7
server-manager

(!) #1

NethServer Version: 7.4.1708
Module: httpd

I installed a new NethServer v7.4.1708 in two steps:

  • Install CentOS 7
  • yum install nethserver

After the install completed correctly, I could not log on to https://192.168.65.11:980/: my Firefox stayed stuck waiting for SSL negotiation until it timed out.
I looked at /var/log/httpd/error_log and found the following errors:

[Sat Feb 24 13:37:23.992270 2018] [suexec:notice] [pid 1385] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Feb 24 13:37:24.039361 2018] [ssl:error] [pid 1385] AH02217: ssl_stapling_init_cert: can’t retrieve issuer certificate! [subject: L=Hometown,C=–,emailAddress=root@localhost.localdomain,OU=Main,ST=SomeState,O=Example Org,CN=NethServer / issuer: L=Hometown,C=–,emailAddress=root@localhost.localdomain,OU=Main,ST=SomeState,O=Example Org,CN=NethServer / serial: 5A9141F1 / notbefore: Feb 24 10:44:01 2018 GMT / notafter: Feb 22 10:44:01 2028 GMT]
[Sat Feb 24 13:37:24.039376 2018] [ssl:error] [pid 1385] AH02235: Unable to configure server certificate for stapling
[Sat Feb 24 13:37:24.039380 2018] [ssl:warn] [pid 1385] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sat Feb 24 13:37:24.039384 2018] [ssl:warn] [pid 1385] AH01909: RSA certificate configured for localhost.localdomain:443 does NOT include an ID which matches the server name
AH00558: httpd: Could not reliably determine the server’s fully qualified domain name, using localhost.localdomain. Set the ‘ServerName’ directive globally to suppress this message
[Sat Feb 24 13:37:24.056326 2018] [auth_digest:notice] [pid 1385] AH01757: generating secret for digest authentication …
[Sat Feb 24 13:37:24.056729 2018] [lbmethod_heartbeat:notice] [pid 1385] AH02282: No slotmem from mod_heartmonitor
[Sat Feb 24 13:37:24.056967 2018] [ssl:warn] [pid 1385] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Sat Feb 24 13:37:24.067946 2018] [ssl:error] [pid 1385] AH02217: ssl_stapling_init_cert: can’t retrieve issuer certificate! [subject: L=Hometown,C=–,emailAddress=root@localhost.localdomain,OU=Main,ST=SomeState,O=Example Org,CN=NethServer / issuer: L=Hometown,C=–,emailAddress=root@localhost.localdomain,OU=Main,ST=SomeState,O=Example Org,CN=NethServer / serial: 5A9141F1 / notbefore: Feb 24 10:44:01 2018 GMT / notafter: Feb 22 10:44:01 2028 GMT]
[Sat Feb 24 13:37:24.067957 2018] [ssl:error] [pid 1385] AH02235: Unable to configure server certificate for stapling
[Sat Feb 24 13:37:24.067960 2018] [ssl:warn] [pid 1385] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sat Feb 24 13:37:24.067964 2018] [ssl:warn] [pid 1385] AH01909: RSA certificate configured for localhost.localdomain:443 does NOT include an ID which matches the server name
[Sat Feb 24 13:37:24.093458 2018] [mpm_prefork:notice] [pid 1385] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 configured – resuming normal operations
[Sat Feb 24 13:37:24.093475 2018] [core:notice] [pid 1385] AH00094: Command line: ‘/usr/sbin/httpd -f /etc/httpd/admin-conf/httpd.conf -c MaxConnectionsPerChild 12 -D FOREGROUND’

I googled the different AHxxxxx errors, which led me to modify different files, but it didn’t correct anything at all:

1.) I modified /etc/httpd/conf/httpd.conf and added “ServerName localhost.localdomain” as the first line, rebooted -> didn’t correct anything at all.
2.) The error “AH02217: ssl_stapling_init_cert: can’t retrieve issuer certificate!” sent me to “https://httpd.apache.org/docs/trunk/fr/ssl/ssl_howto.html” where I found that I could try correcting /etc/httpd/admin-conf/httpd.conf by adding the missing line SSLCACertificateFile /etc/ssl/certs/ca-bundle.crt, rebooted -> didn’t correct anything at all.
3.) I added HOSTNAME=localhost.localdomain in /etc/sysconfig/network, rebooted -> didn’t correct anything at all.

Obviously this fucking certificate doesn’t correspond to the host. I had to re-openssl a good one but I was afraid of making things worse. I had to simplify things. “Blink Idea !”.
So let’s use a basic browser locally: sudo yum install lynx !!!

Wikipedia : Lynx is a customizable text-based web browser for use on cursor-addressable character cell terminals.[6][7] As of May 2017, it is the oldest web browser still in general use and active development,[8] having started in 1992.

So I ran “lynx https://192.168.65.11:980/” and could access the server manager to finish the installation. I had to be careful about what I did because lynx found a lot of “Erreur SSL : self signed certificate - Continuer? (o)”, but in the end I could finish the basic configuration and change the modules “Date & Time, Network, Organization contacts, Server name” and finally “Server certificate”.

After that, Firefox could access my NethServer via HTTPS.

So if you have such a problem, think Lynx ! :wink:
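
An added example, not part of the original post or of NethServer: a small Python triage of the mod_ssl startup messages in the log above. It shows that they all describe the default self-signed certificate (subject equal to issuer, CA flag set, no name matching the vhost) and that httpd still started. The sample lines are constructed from the quoted log with the DN shortened; `triage` and the regex names are hypothetical.

```python
import re

# Constructed sample: lines taken from the error_log quoted above, DN shortened.
SAMPLE_LOG = """\
[Sat Feb 24 13:37:24.039361 2018] [ssl:error] [pid 1385] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: O=Example Org,CN=NethServer / issuer: O=Example Org,CN=NethServer / serial: 5A9141F1 / notbefore: Feb 24 10:44:01 2018 GMT / notafter: Feb 22 10:44:01 2028 GMT]
[Sat Feb 24 13:37:24.039380 2018] [ssl:warn] [pid 1385] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sat Feb 24 13:37:24.039384 2018] [ssl:warn] [pid 1385] AH01909: RSA certificate configured for localhost.localdomain:443 does NOT include an ID which matches the server name
[Sat Feb 24 13:37:24.093458 2018] [mpm_prefork:notice] [pid 1385] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 configured -- resuming normal operations
"""

LINE_RE = re.compile(
    r"^\[[^\]]+\] \[\w+:\w+\] \[pid \d+\] (?P<code>AH\d{5}): (?P<msg>.*)$")
CERT_RE = re.compile(
    r"\[subject: (?P<subject>.+?) / issuer: (?P<issuer>.+?) / serial:")
VHOST_RE = re.compile(r"configured for (\S+) does NOT")


def triage(log_text):
    """Summarise what the mod_ssl startup messages say about the certificate."""
    found = {"stapling_failed": False, "self_signed": False,
             "cert_is_ca": False, "name_mismatch": None, "started": False}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without the timestamp/module prefix (e.g. AH00558)
        code, msg = m["code"], m["msg"]
        if code == "AH02217":
            found["stapling_failed"] = True
            cert = CERT_RE.search(msg)
            # Subject equal to issuer means a self-issued certificate: there is
            # no separate issuer certificate for OCSP stapling to work with.
            if cert and cert["subject"] == cert["issuer"]:
                found["self_signed"] = True
        elif code == "AH01906":
            found["cert_is_ca"] = True
        elif code == "AH01909":
            vhost = VHOST_RE.search(msg)
            found["name_mismatch"] = vhost.group(1) if vhost else "unknown"
        elif code == "AH00163":
            # httpd reached "resuming normal operations" despite the errors above
            found["started"] = "resuming normal operations" in msg
    return found


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```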


(Rob Bosch) #2

I never encountered such behavior. On what hardware did you install NS? And how did you install? From CD/DVD/USB/mounted ISO image?
Did you try an alternative browser too (besides lynx)?


(Filippo Carletti) #3

I suspect it’s a problem in Firefox. I’d try Chrome.


(!) #4

So here is the hardware:
Vendor: HPE
Model: ML10Gen9, Intel® C236 Chipset
CPU model: 4 x Intel® Xeon® CPU E3-1225 v5 @ 3.30GHz
Memory usage: 648 / 15734 MB ecc udimm

Kernel version: 3.10.0-693.17.1.el7.x86_64

As you can see, it’s not esoteric hardware. It handles my home ESXi lab on other hard drives.
But I had huge problems before installing NS in RAID mode. (I had to zero the two ST 3 TB hard drives with dd.)

Installed from a USB key that I usually use for my installs. (The classic NS installer on CD didn’t succeed (same problem)).

I also tried Chrome and Konqueror as alternative browsers (and a second computer). I do not have Microsoft OSes.

There you go,
Have a good weekend!
Rémy.


(Michael Kicks) #5

Following the docs…
http://docs.nethserver.org/en/v7/installation.html#install-on-centos

yum localinstall -y http://mirror.nethserver.org/nethserver/nethserver-release-7.rpm 

then nethserver-install

Is this right?

Which modules are you also interested in installing?


(Rob Bosch) #6

@pike That’s the way to go if you install on top of a CentOS minimal install…


(Michael Kicks) #7

I was asking @Remy whether it was the path he followed on his problematic setup…


(!) #8

For Pike and Rob,

In the end, I think it’s a browser issue too. On another install (Fujitsu TX1320M3) everything goes fine.


(Saito Benkei) #9

Try this:

  • Access to the dashboard via Chrome
  • Regenerate the certificate: Server Certificate -> click on the dropdown menu in the upper-left corner and select “Edit self-signed certificate” -> Click on the red button “Edit self-signed certificate”

Try again to access with Firefox


(Dan) #10

The docs in this regard need to be fixed–first, the localinstall command to yum is deprecated in favor of a simple install. Second, the command isn’t, in fact, installing a local file, so even if localinstall weren’t deprecated, it wouldn’t be the appropriate command to use. Doesn’t have anything to do with OP’s problem, but still needs to be fixed.


(Michael Träumner) #11

Could you do a pull request?

https://github.com/NethServer/docs/blob/master/administrator-manual/en/installation.rst


(Marc) #12

Thanks @danb35. PR done, it should be fixed soon.