Unable to "Upload a certificate file to the server"

v7

(Miroslav ÄŽurian) #1

The subject says it all. When uploading certificate, this error appears:

This page has expired

The request cannot be completed
because this page has expired

/var/log/messages says:

May 17 14:41:09 dpi httpd: [ERROR] Nethgui\Framework: CSRF token verification failed!

/var/log/httpd-admin/access_log contains:

    10.1.8.252 - - [17/May/2018:14:25:18 +0200] "GET /en-US/Pki HTTP/1.1" 200 19734
    10.1.8.252 - - [17/May/2018:14:40:39 +0200] "GET /en-US/Pki/Upload.json?_=1526559919524 HTTP/1.1" 200 429
    10.1.8.252 - - [17/May/2018:14:40:39 +0200] "GET /css/img/mandatory_normal.png HTTP/1.1" 200 250
    10.1.8.252 - - [17/May/2018:14:40:39 +0200] "GET /css/img/red-inset-normal.png HTTP/1.1" 200 217
    10.1.8.252 - - [17/May/2018:14:40:49 +0200] "POST /en-US/Pki/Upload.json HTTP/1.1" 400 59
    10.1.8.252 - - [17/May/2018:14:41:51 +0200] "GET /en-US/Pki HTTP/1.1" 200 19734
    10.1.8.252 - - [17/May/2018:14:41:52 +0200] "GET /css/ui/jquery-ui-1.8.16.custom.css HTTP/1.1" 200 33719
    10.1.8.252 - - [17/May/2018:14:41:52 +0200] "GET /css/base.css HTTP/1.1" 200 17784
    10.1.8.252 - - [17/May/2018:14:41:52 +0200] "GET /css/font-awesome.css HTTP/1.1" 200 33233
    10.1.8.252 - - [17/May/2018:14:41:52 +0200] "GET /js/jquery-migrate-1.4.1.min.js HTTP/1.1" 200 10056
    10.1.8.252 - - [17/May/2018:14:41:52 +0200] "GET /css/jquery.timepicker.css HTTP/1.1" 200 1584
    10.1.8.252 - - [17/May/2018:14:41:52 +0200] "GET /js/jquery.timepicker.min.js HTTP/1.1" 200 15297
    10.1.8.252 - - [17/May/2018:14:41:52 +0200] "GET /js/percent.js HTTP/1.1" 200 910
    10.1.8.252 - - [17/May/2018:14:41:52 +0200] "GET /js/jquery.dataTables.min.js HTTP/1.1" 200 82638
    10.1.8.252 - - [17/May/2018:14:41:52 +0200] "GET /js/jquery-1.12.4.min.js HTTP/1.1" 200 97163
    10.1.8.252 - - [17/May/2018:14:41:52 +0200] "GET /js/file-size.js HTTP/1.1" 200 1213
    10.1.8.252 - - [17/May/2018:14:41:52 +0200] "GET /js/ip-address.js HTTP/1.1" 200 1921
    10.1.8.252 - - [17/May/2018:14:41:52 +0200] "GET /js/mustache.js HTTP/1.1" 200 16469
    10.1.8.252 - - [17/May/2018:14:41:52 +0200] "GET /en-US/Resource/27dd3ddb.css HTTP/1.1" 200 226
    10.1.8.252 - - [17/May/2018:14:41:52 +0200] "GET /en-US/Resource/753b61bd.js HTTP/1.1" 200 57374
    10.1.8.252 - - [17/May/2018:14:41:52 +0200] "GET /js/jquery-ui-1.8.23.min.js HTTP/1.1" 200 200748
    10.1.8.252 - - [17/May/2018:14:41:53 +0200] "GET /js/datatable-en-US.json HTTP/1.1" 200 726
    10.1.8.252 - - [17/May/2018:14:41:54 +0200] "GET /images/logo.png HTTP/1.1" 200 4031
    10.1.8.252 - - [17/May/2018:14:41:54 +0200] "GET /css/ui/images/ui-bg_inset-soft_75_e6e6e6_1x100.png HTTP/1.1" 200 95
    10.1.8.252 - - [17/May/2018:14:41:54 +0200] "GET /css/ui/images/ui-bg_flat_75_cccccc_40x100.png HTTP/1.1" 200 180
    10.1.8.252 - - [17/May/2018:14:41:54 +0200] "GET /css/ui/images/ui-icons_888888_256x240.png HTTP/1.1" 200 4369
    10.1.8.252 - - [17/May/2018:14:41:54 +0200] "GET /css/img/red-inset-normal.png HTTP/1.1" 200 217
    10.1.8.252 - - [17/May/2018:14:41:54 +0200] "GET /css/img/mandatory_normal.png HTTP/1.1" 200 250
    10.1.8.252 - - [17/May/2018:14:41:54 +0200] "GET /fonts/fontawesome-webfont.woff2?v=4.5.0 HTTP/1.1" 200 66624
    10.1.8.252 - - [17/May/2018:14:41:54 +0200] "GET /images/light-polygons/toolbar.png HTTP/1.1" 200 108933

Any help is welcomed.


(Giacomo Sanchietti) #2

Sorry, but I can’t reproduce it with latest RPM available: nethserver-httpd-admin-2.2.1-1.ns7.noarch

Make sure to have nethserver-httpd-admin fully updated, also you can eventually logout, clean the cache and retry (or use an anonymous session).

Just to do basics checks, report the output of following commands:

cat /etc/redhat-release
rpm -q nethserver-httpd-admin --changelog 
config show httpd-admin

(Miroslav ÄŽurian) #3

All packages are fully updated. I have logged out and cleaned the cache, but result is the same. The requested output is here: https://ghostbin.com/paste/ng6ar
Thank you for your help.


(Giacomo Sanchietti) #4

Everything seems correct.

@davidep could you take a look at this?


(Davide Principi) #5

The only things I note are

  • 15 minutes between page generation and POST request
  • the error in messages timestamp does not correlate with access log: 20 seconds offset

(Miroslav ÄŽurian) #6

I’ve tried it ones more, to be sure, about the time and there is 20 seconds between upload and the error. What that means?

/var/log/httpd-admin/access_log

    10.1.16.6 - - [21/May/2018:11:49:16 +0200] "GET /en-US/Pki HTTP/1.1" 200 19734
    10.1.16.6 - - [21/May/2018:11:49:17 +0200] "GET /css/ui/jquery-ui-1.8.16.custom.css HTTP/1.1" 200 33719
    10.1.16.6 - - [21/May/2018:11:49:17 +0200] "GET /js/jquery-1.12.4.min.js HTTP/1.1" 200 97163
    10.1.16.6 - - [21/May/2018:11:49:17 +0200] "GET /js/jquery.dataTables.min.js HTTP/1.1" 200 82638
    10.1.16.6 - - [21/May/2018:11:49:17 +0200] "GET /en-US/Resource/27dd3ddb.css HTTP/1.1" 200 226
    10.1.16.6 - - [21/May/2018:11:49:17 +0200] "GET /en-US/Resource/753b61bd.js HTTP/1.1" 200 57374
    10.1.16.6 - - [21/May/2018:11:49:18 +0200] "GET /js/datatable-en-US.json HTTP/1.1" 200 726
    10.1.16.6 - - [21/May/2018:11:49:18 +0200] "GET /css/ui/images/ui-icons_454545_256x240.png HTTP/1.1" 200 4369
    10.1.16.6 - - [21/May/2018:11:49:19 +0200] "GET /css/ui/images/ui-bg_flat_65_ffffff_40x100.png HTTP/1.1" 200 178
    10.1.16.6 - - [21/May/2018:11:49:19 +0200] "GET /css/ui/images/ui-bg_flat_0_aaaaaa_40x100.png HTTP/1.1" 200 180
    10.1.16.6 - - [21/May/2018:11:49:19 +0200] "GET /css/img/ajax-loader-big.gif HTTP/1.1" 200 15685
    10.1.16.6 - - [21/May/2018:11:49:19 +0200] "GET /en-US/Pki/Upload.json?_=1526896158012 HTTP/1.1" 200 429
    10.1.16.6 - - [21/May/2018:11:49:19 +0200] "GET /css/img/mandatory_normal.png HTTP/1.1" 200 250
    10.1.16.6 - - [21/May/2018:11:49:28 +0200] "POST /en-US/Pki/Upload.json HTTP/1.1" 400 59

/var/log/messages

May 21 11:49:48 dpi httpd: [ERROR] Nethgui\Framework: CSRF token verification failed!


(Davide Principi) #7

I don’t know by now… Do you see the error dialog just after starting the upload, or you actually wait 20 seconds then get the error?

Is there anything between your browser and Server Manager? Antivirus, web proxy, firewall, router, WAN connection…


(Miroslav ÄŽurian) #8

There is 20s delay before the error pops out after I hit the upload button.

AFAIK there are 2 manageable switches between me and the server. We are on the same LAN and VLAN and I am connected through a “green” interface to the server.


(Davide Principi) #9

…So the upload of a couple of .pem files should run for a fraction of second! What is your browser version? Can you reproduce the problem with another one?


(Miroslav ÄŽurian) #10

Browser is Firefox 60.

Now I have tried Chromium 66. When clicking “Upload Cerficate”, it just flickers the upload animation dots for a fraction of a second and doesn’t show any message. The Upload certificate screen stays open. There is no error in /var/log/messages and no record in /var/log/httpd-admin/access_log

Konqueror doesn’t open the Server Manager: ERR_INSECURE_RESPONSE
Midori does the same with error: Unacceptable TLS certificate


(Davide Principi) #11

Thank you for going deeper @aasami! I still have no idea of what’s happening :thinking:

Could you open to the browser development console (just press F12 on FF)?

The Network tab and the console window could display additional information…


(Miroslav ÄŽurian) #12


(Davide Principi) #13

Did you try to disable the “HTTPS everywhere” FF extension? Do you use it also in Chromium?


(Miroslav ÄŽurian) #14

Disabling “HTTPS everywhere” FF extension and all other extensions doesn’t help.
Results are the same. In Chromium there are no plugins at all.


(Davide Principi) #15

The fact that the response comes back with a regular delay of 20 seconds is suspect, but I cannot reproduce this behavior here… I’m sorry I cannot figure out why it behaves like this.

As workaround try to follow the instructions to set a custom certificate from the console. This is the procedure for NS6 (when upload from UI was still not implemented) and should work for NS7 too.

http://docs.nethserver.org/en/v6/base_system.html#server-certificate


(Miroslav ÄŽurian) #16

That’s OK with me. I have followed the instructions and it works as expected.
Thank you for your help and patience davidep.


(Davide Principi) #17

Thank you for your time! Even if we didn’t find a solution, I hope this thread can be useful to anyone who hits a similar issue.


(Miroslav ÄŽurian) #18

Now I have found the root cause by accident. There was a routing problem on the PC from which I’ve uploaded the certs. I had two default routes configured. Now it works flawlessly. :slight_smile: Thank you again and God bless you!