Rspamd configuration page credential error when based on 7.9.2009 ISO

Hello all,

it seems that when installing Nethserver based on the latest nethserver-7.9.2009-x86_64.iso there is some configuration mistake that leads to the rpsamd webinterface configuration page (h**ps://192.168.2.218:980/rspamd/#configuration) not being able to properly login.

I will post the information like passwords unscrambled, they are from a local test installation anyhow.

Problem
Opening the page (regardless if opened from Cockpit or standalone, providing credentials) makes the page request two addresses:

  1. GET h**ps://rspamd:UsRr1L_CIAdMgKiK@192.168.2.218:980/rspamd/actions
    Results in a “403 Forbidden”.

  2. GET h**ps://rspamd:UsRr1L_CIAdMgKiK@192.168.2.218:980/rspamd/maps
    Results in a “200 OK” and seems to return the expected JSON object.

This results in the webinterface in showing two messages:

  • “local > Request failed: Forbidden”
  • “Request failed”

How to reproduce

  1. Start with nethserver-7.9.2009-x86_64.iso
    No special instructions for installation. Root password has been set, no user created.

  2. Once installation is done, login to cockpit on port 9090 as root.

  3. Set FQDN and install the mail server from the software collection.
    No need to update the packages first (also tested with updating first, no change).

Further information/tests done

  1. Previously used (on another server) nethserver-7.8.2003-x86_64.iso does not show this problem.

  2. Upgrading and updating 7.8.2003 to the latest version available via the “Software Center” does not show this problem, which is the reason why I myself and most other users might not have ran into this yet when using their existing installations.

  3. When upgrading and updating 7.8.2003, it does not matter if you install the mail server package before or after the upgrade/update. Both ways result in a working configuration page.

  4. Using different credentials to open the Rspamd interface (with credentials of a user in domain admin group does not work either). Easiest way:
    h**ps://user_in_domain_admin_group:pass@192.168.2.218:980/rspamd/
    You might have to setup a port forwarding to use another port (or reconfigure the Rspamd web port from 980 to something else) if your browser does not allow you to use other credentials. This can be done for example using “socat”:
    socat tcp-listen:9800,reuseaddr,fork tcp:localhost:980

I did find other promising topics but in the end they did not match this specific problem and ended in solutions that do not seem to be related to this behavior.

Hope this helps to identify/solve this problem if other are experiencing this as well (which new users most likely do).

Regards,
X

4 Likes

Thank you for your sharing your experiances.

Today I got the same error within a fresh installed server.
I…

  • Installed Nethserver 7.9
  • updated “-”
  • installed active directory
  • created LE-certs
  • created users
  • installed mail server

I logged into Rspamd with the Nethserver Admin and got the same error.

Then I used your tip (h**ps://user_in_domain_admin_group:pass@192.168.2.218:980/rspamd/) and logged in with an additional domain admin user – no success, the error persists.

I am really surprised about this previously unknown error.

Does anybody have an idea?
Sincerely, Marko

I reinstalled the server without updating. Now Rspamd works without errors.
Just now I will update.

Thanks, Marko

ps.: after update NS the error exists again

I identified the problem: The admin-Pw starts with a “:” (colon).
Therefore, the resulting URL is h**ps://user_in_domain_admin_group::anything@192.168.2.218:980/rspamd with a double colon in the middle.

After the change of the PW all works fine.
But it remains a mystery to me why I have to change the PW via URL first and it doesn’t just take the PW from the AD user.
Sincerely, Marko

1 Like

Maybe @stephdl has an idea on it.

we store a password in /var/lib/nethserver/secrets/rspamd, does it got a :

EDIT: you stated

could you confirm it that the password start by a :

We should not have the double colon in our password, it is not a true symbol

2 Likes

I confirm it

I also have a # and a . within the PW.
If there are any limitations, that should be communicated and validated. I myself deliberately leave the choice of password to my password manager at random.

If a wrongly chosen (even root) password (according to nomenclature rules by NethServer standards) there must be a mechanism that prevents this. Otherwise one searches oneself silly for possible error sources.

1 Like

Could you send me in pm

cat /var/lib/nethserver/secrets/*

done…

1 Like

after final research with @stephdl we have to point out that passwords must not contain a : to be used with the rspamd webpage UI.

many thanks to @stephdl.

3 Likes

Glad that you were able to figure out a solution to this sub or kind of similar looking problem.
However this is not an actual solution to the original problem reported.

I just test installed 7.9.2009 again and updated before installing the mail server and Rspamd to check if the problem still persists and it actually does.

I also double checked on the passwords generated by the installation and they contain only the characters that were pointed out by @stephdl to be valid characters. These are the actual passwords generated by the system:

HQB41TtUhd_wjtJz
z_3PY1VEzyfZvqQi
VCOzHC6vf1LP_zz4
8KzjY_6q90w2gOi6

What the http-admin log error says ?