Jason Russler
2006-Apr-24 15:46 UTC
[Fedora-directory-users] Directory Server gateway over SSL
Hi all,

After sorting out my SSL problems for the admin server I've run into an odd issue. The Directory server gateway runs very slowly and misses page items (images, form fields, etc): the "Authentication" tab, for instance, shows only the top menu bar and nothing else - the forms are left out. "Advanced Search" shows only the drop-down for "is, is not etc...". If I turn SSL off for the admin server and restart it, things go back to working great. Turn it on, and it slows and breaks again. Not sure what could cause this. The system is REH 3 with FDS 1.0.2. Anyone else see this behavior?

-Jason
Rob Crittenden
2006-Apr-24 18:00 UTC
Re: [Fedora-directory-users] Directory Server gateway over SSL
Jason Russler wrote:
> Hi all,
> After sorting out my SSL problems for the admin server I've run into an
> odd issue. The Directory server gateway runs very slowly and misses
> page items (images, form fields, etc): the "Authentication" tab, for
> instance, shows only the top menu bar and nothing else - the forms are
> left out. "Advanced Search" shows only the drop-down for "is, is not
> etc...". If I turn SSL off for the admin server and restart it, things
> go back to working great. Turn it on, and it slows and breaks again.
> Not sure what could cause this. The system is REH 3 with FDS 1.0.2.
> Anyone else see this behavior?
> -Jason

Can you look in /opt/fedora-ds/admin-serv/logs/errors? The problem is likely being logged there.

rob
Jason Russler
2006-Apr-24 20:32 UTC
Re: [Fedora-directory-users] Directory Server gateway over SSL
Crud - I was looking at the wrong logs.... At any rate here's what I
see in the admin server's error logs:
[Mon Apr 24 15:28:34 2006] [notice] child pid 17051 exit signal Segmentation fault (11)
[Mon Apr 24 15:28:36 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x
[Mon Apr 24 15:28:37 2006] [notice] child pid 17151 exit signal Segmentation fault (11)
[Mon Apr 24 15:28:38 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x
[Mon Apr 24 15:28:39 2006] [notice] child pid 17226 exit signal Segmentation fault (11)
[Mon Apr 24 15:28:40 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x
[Mon Apr 24 15:28:41 2006] [notice] child pid 17298 exit signal Segmentation fault (11)
[Mon Apr 24 15:28:42 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x
[Mon Apr 24 15:28:43 2006] [notice] child pid 17374 exit signal Segmentation fault (11)
...
Where x.x.x.x is the ip of the client system (accessing the admin server
via a web browser). "% host x.x.x.x" executed on the server system
returns the correct host name for the remote client. Now, if I turn off
SSL for the admin server I get similar entries:
...
[Mon Apr 24 16:01:27 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: http://this.here.host:49657/clients/dsgw/bin/csearch?context=dsgw&file=base
[Mon Apr 24 16:01:27 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: http://this.here.host:49657/clients/dsgw/bin/csearch?context=dsgw&file=attr
[Mon Apr 24 16:01:27 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: http://this.here.host:49657/clients/dsgw/bin/csearch?context=dsgw&file=match
[Mon Apr 24 16:01:27 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: http://this.here.host:49657/clients/dsgw/bin/csearch?context=dsgw&file=string
...
This is now without the segfault following every entry. Everything
works fine, just over an unencrypted connection.
The system in question here is on 3 networks and is on one of our
higher-end administrative systems (and the backup system when I get this
one working). The /etc/hosts file entry for the system's "real"
external IP address is not correct - the actual DNS name is associated
with a private internal interface - for a pile of reasons that I won't
go into. However DNS ("% host [system's full name]") resolves the
system's real external IP address just fine. My wild guess is that the
discrepancy between the hosts file and DNS is causing trouble when using
SSL? But it is filling the error logs with or without SSL enabled. I
have a stand-alone test system with one interface (running FC5) that
works just fine over SSL - sucks for me that I have to get it working on
the more complicated system.
-Jason
Rob Crittenden wrote:
> Jason Russler wrote:
>> Hi all,
>> After sorting out my SSL problems for the admin server I've run into
>> an odd issue. The Directory server gateway runs very slowly and
>> misses page items (images, form fields, etc): the "Authentication"
>> tab, for instance, shows only the top menu bar and nothing else - the
>> forms are left out. "Advanced Search" shows only the drop-down for
>> "is, is not etc...". If I turn SSL off for the admin server and
>> restart it, things go back to working great. Turn it on, and it
>> slows and breaks again. Not sure what could cause this. The system
>> is REH 3 with FDS 1.0.2. Anyone else see this behavior?
>> -Jason
>
> Can you look in /opt/fedora-ds/admin-serv/logs/errors? The problem is
> likely being logged there.
>
> rob
Richard Megginson
2006-Apr-25 02:22 UTC
Re: [Fedora-directory-users] Directory Server gateway over SSL
Jason Russler wrote:
> Crud - I was looking at the wrong logs.... At any rate here's what I
> see in the admin server's error logs:
>
> [Mon Apr 24 15:28:34 2006] [notice] child pid 17051 exit signal Segmentation fault (11)
> [Mon Apr 24 15:28:36 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x
> [Mon Apr 24 15:28:37 2006] [notice] child pid 17151 exit signal Segmentation fault (11)
> [Mon Apr 24 15:28:38 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x
> [Mon Apr 24 15:28:39 2006] [notice] child pid 17226 exit signal Segmentation fault (11)
> [Mon Apr 24 15:28:40 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x
> [Mon Apr 24 15:28:41 2006] [notice] child pid 17298 exit signal Segmentation fault (11)
> [Mon Apr 24 15:28:42 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x
> [Mon Apr 24 15:28:43 2006] [notice] child pid 17374 exit signal Segmentation fault (11)

Hmm - that's not good at all. What OS is this? You mentioned that you have an FC5 system running fine. Is this from just the initial click on the DS Gateway link from the main admin server page? Or do you actually get into the DS Gateway app?

> ...
>
> Where x.x.x.x is the ip of the client system (accessing the admin
> server via a web browser). "% host x.x.x.x" executed on the server
> system returns the correct host name for the remote client. Now, if I
> turn off SSL for the admin server I get similar entries:
>
> ...
> [Mon Apr 24 16:01:27 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: http://this.here.host:49657/clients/dsgw/bin/csearch?context=dsgw&file=base
> [Mon Apr 24 16:01:27 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: http://this.here.host:49657/clients/dsgw/bin/csearch?context=dsgw&file=attr
> [Mon Apr 24 16:01:27 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: http://this.here.host:49657/clients/dsgw/bin/csearch?context=dsgw&file=match
> [Mon Apr 24 16:01:27 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: http://this.here.host:49657/clients/dsgw/bin/csearch?context=dsgw&file=string
> ...
>
> This is now without the segfault following every entry. Everything
> works fine, just over a unencrypted connection.
>
> The system in question here is on 3 networks and is on one of our
> higher-end administrative systems (and the backup system when I get
> this one working). The /etc/hosts file entry for the system's "real"
> external IP address is not correct - the actual DNS name is associated
> with a private internal interface - for a pile of reasons that I won't
> go into. However DNS ("% host [system's full name]") resolves the
> system's real external IP address just fine. My wild guess is that
> the discrepancy between the hosts file and DNS is causing trouble when
> using SSL? But it is filling the error logs with or without SSL
> enabled. I have a stand-alone test system with one interface (running
> FC5) that works just fine over SSL - sucks for me that I have to get
> it working on the more complicated system.
>
> -Jason
>
> Rob Crittenden wrote:
>> Jason Russler wrote:
>>> Hi all,
>>> After sorting out my SSL problems for the admin server I've run into
>>> an odd issue. The Directory server gateway runs very slowly and
>>> misses page items (images, form fields, etc): the "Authentication"
>>> tab, for instance, shows only the top menu bar and nothing else -
>>> the forms are left out. "Advanced Search" shows only the drop-down
>>> for "is, is not etc...". If I turn SSL off for the admin server and
>>> restart it, things go back to working great. Turn it on, and it
>>> slows and breaks again. Not sure what could cause this. The system
>>> is REH 3 with FDS 1.0.2. Anyone else see this behavior?
>>> -Jason
>>
>> Can you look in /opt/fedora-ds/admin-serv/logs/errors? The problem is
>> likely being logged there.
>>
>> rob
Jason Russler
2006-Apr-25 13:35 UTC
Re: [Fedora-directory-users] Directory Server gateway over SSL
> Hmm - that's not good at all. What OS is this? You mentioned that
> you have an FC5 system running fine. Is this from just the initial
> click on the DS Gateway link from the main admin server page? Or do
> you actually get into the DS Gateway app?

This is a RedHat Enterprise 3 system (current update) on an x86 HP Proliant system. The logs look like this from the link page on up. For instance, when SSL is enabled for the admin server, these are the entries for the root page ("Services for Users" at the top):
--
[Tue Apr 25 09:04:44 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x
[Tue Apr 25 09:04:45 2006] [notice] child pid 20951 exit signal Segmentation fault (11)
[Tue Apr 25 09:04:46 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x
[Tue Apr 25 09:04:47 2006] [notice] child pid 21018 exit signal Segmentation fault (11)
[Tue Apr 25 09:04:48 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: https://admin.server.host:49657/dist/download
[Tue Apr 25 09:04:48 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: https://admin.server.host:49657/dist/download
[Tue Apr 25 09:04:49 2006] [notice] child pid 21087 exit signal Segmentation fault (11)
--
Where x.x.x.x is the client system. Funny thing is, I get that page - it's just slow. But if I go into the DS Gateway (and I can), only parts of the pages manage to get received by the client. The "Fedora Administration Express <http://biowulf.nih.gov:49657/admin-serv/tasks/configuration/HTMLAdmin?op=index>" section does the same. Images, for instance, successfully get fetched at random and many parts of the forms never manage to get downloaded. The log output looks the same however: a "can't resolve host" line followed by a "segfault" line for almost everything. Here's a piece of the "Directory Gateway" front page:
--
[Tue Apr 25 09:22:58 2006] [notice] child pid 24036 exit signal Segmentation fault (11)
[Tue Apr 25 09:22:59 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: https://admin.serv.host:49657/clients/dsgw/bin/lang?context=dsgw&file=maintitle.html
[Tue Apr 25 09:22:59 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: https://admin.serv.host:49657/clients/dsgw/bin/lang?context=dsgw&file=maintitle.html
[Tue Apr 25 09:23:00 2006] [notice] child pid 24107 exit signal Segmentation fault (11)
[Tue Apr 25 09:23:01 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: https://admin.serv.host:49657/clients/dsgw/bin/lang?context=dsgw&file=maintitle.html
[Tue Apr 25 09:23:01 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: https://admin.serv.host:49657/clients/dsgw/bin/lang?context=dsgw&file=maintitle.html
[Tue Apr 25 09:23:02 2006] [notice] child pid 24179 exit signal Segmentation fault (11)
[Tue Apr 25 09:23:03 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: https://admin.serv.host:49657/clients/dsgw/bin/lang?context=dsgw&file=maintitle.html
[Tue Apr 25 09:23:04 2006] [notice] child pid 24249 exit signal Segmentation fault (11)
[Tue Apr 25 09:23:05 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: https://admin.serv.host:49657/clients/dsgw/bin/lang?context=dsgw&file=maintitle.html
[Tue Apr 25 09:23:06 2006] [notice] child pid 24318 exit signal Segmentation fault (11)
--
Here's the output when accessing via the Java console (which attaches via a different interface):
--
[Tue Apr 25 09:09:48 2006] [notice] [client 10.1.128.5] admserv_host_ip_check: ap_get_remote_host could not resolve 10.1.128.5
[Tue Apr 25 09:09:48 2006] [notice] [client 10.1.128.5] admserv_check_authz(): passing [/admin-serv/authenticate] to the userauth handler
[Tue Apr 25 09:09:50 2006] [notice] child pid 21154 exit signal Segmentation fault (11)
[Tue Apr 25 09:09:59 2006] [notice] [client 10.1.128.5] admserv_host_ip_check: ap_get_remote_host could not resolve 10.1.128.5
[Tue Apr 25 09:09:59 2006] [notice] child pid 21576 exit signal Segmentation fault (11)
[Tue Apr 25 09:10:00 2006] [notice] [client 10.1.128.5] admserv_host_ip_check: ap_get_remote_host could not resolve 10.1.128.5
[Tue Apr 25 09:10:01 2006] [notice] child pid 21650 exit signal Segmentation fault (11)
[Tue Apr 25 09:10:02 2006] [notice] [client 10.1.128.5] admserv_host_ip_check: ap_get_remote_host could not resolve 10.1.128.5
[Tue Apr 25 09:10:03 2006] [notice] child pid 21736 exit signal Segmentation fault (11)
--
The console appears to work, but I haven't done a lot of testing. It is what I use to turn SSL on and off. If I turn SSL off, here's the root (Services for User) page from a browser:
--
[Tue Apr 25 09:12:40 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x
[Tue Apr 25 09:12:44 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x
[Tue Apr 25 09:12:44 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: http://admin.server.host:49657/dist/download
[Tue Apr 25 09:12:44 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: http://admin.server.host:49657/dist/download
--
With SSL off, everything works quickly and nicely with the exception of these log entries. The client name/address and the system's name/address, do resolve correctly via DNS. The LDAP portion of the server works fine over SSL.
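
The comparison made by eye in this thread (the same resolve notices with SSL on and off, segfaults only with SSL on), as an added example that is not part of the original messages: a Python script that reduces each error-log line to a message signature and reports which signatures appear only in the failing capture. The two captures are constructed samples in the format of the log lines quoted above, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed captures in the format of the admin-serv error log quoted in
# this thread: one taken with SSL enabled, one with SSL disabled.
SSL_ON = """\
[Tue Apr 25 09:04:44 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x
[Tue Apr 25 09:04:45 2006] [notice] child pid 20951 exit signal Segmentation fault (11)
[Tue Apr 25 09:04:48 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: https://admin.server.host:49657/dist/download
[Tue Apr 25 09:04:49 2006] [notice] child pid 21087 exit signal Segmentation fault (11)
"""
SSL_OFF = """\
[Tue Apr 25 09:12:40 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x
[Tue Apr 25 09:12:44 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: http://admin.server.host:49657/dist/download
"""

LINE = re.compile(r"^\[[^\]]+\] \[(\w+)\] (.*)$")  # [timestamp] [level] message

def signature(line):
    """Reduce one log line to a message signature, or None if it is not a log line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    msg = m.group(2)
    msg = re.sub(r"\[client \S+\] ", "", msg)            # drop the client address
    msg = re.sub(r", referer: \S+$", "", msg)             # drop the referer URL
    msg = re.sub(r"child pid \d+", "child pid <N>", msg)  # pids differ per crash
    msg = re.sub(r"could not resolve \S+", "could not resolve <IP>", msg)
    return msg

def signatures(text):
    """Count message signatures in a capture."""
    return Counter(s for s in map(signature, text.splitlines()) if s)

def only_in_failing(failing, working):
    """Signatures seen in the failing capture but never in the working one."""
    bad, good = signatures(failing), signatures(working)
    return {sig: n for sig, n in bad.items() if sig not in good}

def crashes_per_notice(text):
    """Ratio of child crashes to resolve notices in one capture."""
    sigs = signatures(text)
    crashes = sum(n for s, n in sigs.items() if "exit signal" in s)
    notices = sum(n for s, n in sigs.items() if "could not resolve" in s)
    return crashes / notices if notices else 0.0

if __name__ == "__main__":
    print(only_in_failing(SSL_ON, SSL_OFF))
    print(crashes_per_notice(SSL_ON))
```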