Working on a new install from RPM, having never installed before. It all installs without errors, but after I start httpd24-httpd and try to connect from a remote system to the server on port 80, I just get the default Apache page. The firewall and SELinux are disabled and not running. I go and look at the Apache error log and I find this message.
[Mon Aug 24 08:49:59.853385 2020] [http2:warn] [pid 9865] AH10034: The mpm module (prefork.c) is not supported by mod_http2. The mpm determines how things are processed in your server. HTTP/2 has more demands in this regard and the currently selected mpm will just not do. This is an advisory warning. Your server will continue to work, but the HTTP/2 protocol will be inactive.
Is this my issue or is something else going on?
I did find this about Apache:
Starting from Apache 2.4.27, the Apache MPM (Multi-Processing Module) prefork no longer supports HTTP/2. This will be indicated in your Apache error log as follows:
AH10034: The mpm module (prefork.c) is not supported by mod_http2. The mpm determines how things are processed in your server. HTTP/2 has more demands in this regard and the currently selected mpm will just not do. This is an advisory warning. Your server will continue to work, but the HTTP/2 protocol will be inactive.
I have the error fixed by editing /etc/httpd/conf.modules.d/00-mpm.conf thanks to Red Hat bug https://access.redhat.com/solutions/2063063. Disabled this line:
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
and enabled this line:
LoadModule mpm_worker_module modules/mod_mpm_worker.so
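The edit above is a manual toggle between two LoadModule lines, and it is easy to end up with zero or two MPMs enabled, which httpd refuses to start with. The following is an added example, not part of this thread or of the OnDemand project, that performs the same switch programmatically and checks that exactly one MPM remains active. The sample file contents are constructed to resemble the RHEL 7 00-mpm.conf; the path and helper names are assumptions.

```python
import re
import sys

# Constructed sample of /etc/httpd/conf.modules.d/00-mpm.conf (assumption:
# layout modelled on the RHEL 7 file, comments abbreviated).
SAMPLE_MPM_CONF = """\
# Select the MPM module which should be used by uncommenting exactly
# one of the following LoadModule lines:

# prefork MPM: non-threaded, pre-forking web server
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so

# worker MPM: hybrid multi-process, multi-threaded server
#LoadModule mpm_worker_module modules/mod_mpm_worker.so

# event MPM: variant of worker with async connection handling
#LoadModule mpm_event_module modules/mod_mpm_event.so
"""

# Matches a LoadModule line for any MPM, commented out or not.
MPM_LINE = re.compile(
    r"^\s*(?P<comment>#\s*)?"
    r"(?P<directive>LoadModule\s+mpm_(?P<name>[a-z]+)_module\s+\S+)\s*$"
)


def active_mpms(conf_text):
    """Return the names of MPMs whose LoadModule line is not commented out."""
    names = []
    for line in conf_text.splitlines():
        m = MPM_LINE.match(line)
        if m and not m.group("comment"):
            names.append(m.group("name"))
    return names


def select_mpm(conf_text, wanted):
    """Rewrite conf_text so that only the MPM named `wanted` is loaded.

    Every other MPM LoadModule line is commented out, the wanted one is
    uncommented. Raises ValueError if no LoadModule line exists for `wanted`,
    so a typo cannot silently leave httpd with no MPM at all.
    """
    out = []
    found = False
    for line in conf_text.splitlines():
        m = MPM_LINE.match(line)
        if not m:
            out.append(line)
            continue
        if m.group("name") == wanted:
            out.append(m.group("directive"))
            found = True
        else:
            out.append("#" + m.group("directive"))
    if not found:
        raise ValueError(f"no LoadModule line for mpm_{wanted}_module in config")
    return "\n".join(out) + "\n"


def switch_mpm_file(path, wanted):
    """Apply select_mpm to a real file in place and return the new active MPM list."""
    with open(path) as fh:
        text = fh.read()
    new_text = select_mpm(text, wanted)
    with open(path, "w") as fh:
        fh.write(new_text)
    return active_mpms(new_text)


if __name__ == "__main__":
    # Usage: python mpm_switch.py [/etc/httpd/conf.modules.d/00-mpm.conf] [worker|event|prefork]
    if len(sys.argv) == 3:
        print("active MPM(s):", switch_mpm_file(sys.argv[1], sys.argv[2]))
    else:
        print("sample currently loads:", active_mpms(SAMPLE_MPM_CONF))
        print(select_mpm(SAMPLE_MPM_CONF, "worker"))
```

After writing the file, `httpd -V` (or `/opt/rh/httpd24/root/usr/sbin/httpd -V` for the SCL build) prints the `Server MPM:` line and `httpd -t` checks the configuration before you restart the service; both are standard httpd flags and the only verification the script itself does not perform.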
What does your /opt/rh/httpd24/root/etc/httpd/conf.d/ood-portal.conf look like? Also you could try deleting /opt/rh/httpd24/root/etc/httpd/conf.d/welcome.conf if present as that is what does the test page if I recall correctly.
Here is the error I get in the error file for Apache after that change and restart. I have x'ed out the hostname. Should I be able to see something running on port 5556? When I nmap the server I don't see anything on that port.
[Wed Aug 26 08:04:20.688996 2020] [auth_openidc:error] [pid 2125:tid 140330792888064] [client 140.209.3.6:1660] oidc_provider_static_config: could not retrieve metadata from url: http://XXXXXXXXXXXXX:5556/.well-known/openid-configuration
Is the ondemand-dex service running? That needs to be started after running update_ood_portal, as that command will also generate the Dex configuration file.
Rebuilt again from scratch. At least I have gotten the login page to load. Here is how I built it. First step, be sure your hostname is in DNS, then do these steps.
Just FYI, you don’t have to install httpd24, rh-ruby25 or rh-nodejs10. Those will get pulled in as dependencies when you install the ondemand package.
Also one step that is hidden by some changes we make to httpd24-httpd service is running /opt/ood/ood-portal-generator/sbin/update_ood_portal. That is what generates the Dex and Apache configuration for OnDemand. It’s run as a pre-start command for httpd24-httpd. If you enable SSL or make any other changes to /etc/ood/config/ood_portal.yml you can either run update_ood_portal manually or restart httpd24-httpd.
Found another issue during SSL setup of OOD. You have this document: https://osc.github.io/ood-documentation/master/installation/add-ssl.html
This line, SSLCertificateChainFile "/etc/pki/tls/certs/ondemand.my_center.edu-interm.crt", is no longer supported since Apache 2.4.8; see this guide: https://httpd.apache.org/docs/current/mod/mod_ssl.html and look for SSLCertificateChainFile. It has been replaced by SSLCertificateFile. When I set this in my /etc/ood/config/ood_portal.yml like this example:
ssl:
and then run the command /opt/ood/ood-portal-generator/sbin/update_ood_portal, it rebuilds the files but httpd24-httpd.service no longer starts. Here is the status of Apache.
httpd24-httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd24-httpd.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/httpd24-httpd.service.d
└─ood-portal.conf, ood.conf
Active: failed (Result: exit-code) since Wed 2020-08-26 12:50:47 CDT; 1min 10s ago
Process: 1971 ExecStop=/opt/rh/httpd24/root/usr/sbin/httpd-scl-wrapper $OPTIONS -k graceful-stop (code=exited, status=0/SUCCESS)
Process: 1999 ExecStart=/opt/rh/httpd24/root/usr/sbin/httpd-scl-wrapper $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Process: 1973 ExecStartPre=/opt/ood/ood-portal-generator/sbin/update_ood_portal --rpm (code=exited, status=0/SUCCESS)
Main PID: 1999 (code=exited, status=1/FAILURE)
Status: "Reading configuration..."
Aug 26 12:50:47 ood1p.stthomas.edu update_ood_portal[1973]: cp -p /etc/pki/tls/private/star.stthomas.edu.key /etc/ood/dex/star.stthomas.edu.key
Aug 26 12:50:47 ood1p.stthomas.edu update_ood_portal[1973]: chown ondemand-dex:ondemand-dex /etc/ood/dex/star.stthomas.edu.key
Aug 26 12:50:47 ood1p.stthomas.edu update_ood_portal[1973]: cp -p /etc/pki/tls/certs/STAR_stthomas_edu.ca-bundle /etc/ood/dex/STAR_stthomas_edu.ca-bundle
Aug 26 12:50:47 ood1p.stthomas.edu update_ood_portal[1973]: chown ondemand-dex:ondemand-dex /etc/ood/dex/STAR_stthomas_edu.ca-bundle
Aug 26 12:50:47 ood1p.stthomas.edu update_ood_portal[1973]: No change in Apache config.
Aug 26 12:50:47 ood1p.stthomas.edu update_ood_portal[1973]: No change in the Dex config.
Aug 26 12:50:47 ood1p.stthomas.edu systemd[1]: httpd24-httpd.service: main process exited, code=exited, status=1/FAILURE
Aug 26 12:50:47 ood1p.stthomas.edu systemd[1]: Failed to start The Apache HTTP Server.
Aug 26 12:50:47 ood1p.stthomas.edu systemd[1]: Unit httpd24-httpd.service entered failed state.
Aug 26 12:50:47 ood1p.stthomas.edu systemd[1]: httpd24-httpd.service failed.
Is there a fix that has to happen for this to work? Or how can I import my SSLCertificateChainFile, which should now be SSLCertificateFile, that has the cert authorities included?
It's still valid with SCL Apache. We've had no issues using SSLCertificateChainFile, and we are on the latest RHEL 7.8 release and latest SCL Apache. If you look at your configs you have a duplicate SSLCertificateFile, so you're telling Apache that the ca-bundle is your host cert, which isn't correct. Switch it to be SSLCertificateChainFile /etc/pki/tls/certs/ca-bundle. If you do not want to use SSLCertificateChainFile then your SSLCertificateFile must contain both the host cert and the CA and intermediates as a bundle; you do not specify SSLCertificateFile multiple times. We use InCommon certificates, and when we get new certificates one of the options is a bundled X509 cert where the PEM file contains multiple certificates: one is for the host and the rest are intermediate and root CA. That's what you'd use if you omit SSLCertificateChainFile.
OK. I have put it back. But I still get this error in messages on the system.
ondemand-dex: http: TLS handshake error from xxx.xxx.xxx.xxx:53558: remote error: tls: unknown certificate authority.
I then also get an error in the SSL error log for Apache.
[client xxx.xxx.xx.xx:37766] oidc_util_http_call: curl_easy_perform() failed on: https://xxxxxxxxxxx:5554/.well-known/openid-configuration (Peer’s Certificate issuer is not recognized.)
Must be something that needs to be fixed for certs someplace.
That error can happen for one of two reasons. One is that the CA that signed the certificate is not trusted by the system. See here: Unknown certificate authority when using openondemand-dex. This appears to have happened already with someone using Let's Encrypt.
The other issue that can cause that error is if the URL you referenced is not valid for that certificate. The URL host used for Dex must either match the certificate CN or the Subject Alt Names.
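The two failure modes described above (an issuer the client does not trust, and a URL host that the certificate does not cover) produce similar-looking "verify failed" messages from mod_auth_openidc and Dex. The following added example, written for this thread and not part of OnDemand or Dex, separates them: it parses the Dex metadata URL, checks a hostname against a certificate's subjectAltName/CN the way a verifier would, and classifies a live connection failure by its verification message. The certificate dicts in the test are constructed in the layout `ssl.SSLSocket.getpeercert()` returns; `ood1p.example.edu` and the port are assumed values.

```python
import socket
import ssl
from urllib.parse import urlsplit


def dex_host_port(metadata_url):
    """Split a Dex discovery URL such as https://host:5554/.well-known/openid-configuration."""
    parts = urlsplit(metadata_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"expected an https URL with a host, got {metadata_url!r}")
    return parts.hostname, parts.port or 443


def _dns_name_matches(pattern, hostname):
    """RFC 6125 style matching: a wildcard may only be the whole left-most label
    and matches exactly one label (so *.example.edu does not cover a.b.example.edu)."""
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if hostname is covered by the cert's DNS subjectAltNames.

    The subject CN is consulted only when the certificate carries no SAN at
    all; current OpenSSL and Go (which Dex is written in) ignore the CN once
    any SAN is present, and recent versions require a SAN outright.
    `cert` uses the dict layout returned by ssl.SSLSocket.getpeercert().
    """
    hostname = hostname.lower().rstrip(".")
    names = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value.lower())
    return any(_dns_name_matches(n, hostname) for n in names)


def classify_verify_message(msg):
    """Map an OpenSSL verification message to the two causes discussed above."""
    msg = (msg or "").lower()
    if "hostname mismatch" in msg or "doesn't match" in msg:
        return "hostname-mismatch"
    if "local issuer" in msg or "self signed" in msg or "self-signed" in msg:
        return "untrusted-ca"
    return "other:" + msg


def probe_dex_tls(metadata_url, cafile=None, timeout=5.0):
    """Connect to the Dex endpoint exactly as a verifying client would and
    return 'ok', 'hostname-mismatch', 'untrusted-ca' or 'other:<message>'.

    cafile=None uses the system trust store (what mod_auth_openidc's curl
    sees on a default RHEL box); pass the CA bundle path to test the fix of
    trusting the issuing CA explicitly.
    """
    host, port = dex_host_port(metadata_url)
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.getpeercert()
        return "ok"
    except ssl.SSLCertVerificationError as exc:
        return classify_verify_message(getattr(exc, "verify_message", None) or str(exc))


if __name__ == "__main__":
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else "https://ood1p.example.edu:5554/.well-known/openid-configuration"
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    print(probe_dex_tls(url, cafile))
```

Run it once with no CA file and once with the bundle that contains your issuing CA: if the first run reports `untrusted-ca` and the second `ok`, the fix is adding the CA to the system trust store (on RHEL, copy it to /etc/pki/ca-trust/source/anchors/ and run `update-ca-trust`); if both report `hostname-mismatch`, the host in the Dex URL is not in the certificate's SANs and the certificate, not the trust store, needs to change.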