Problem getting started

I installed OOD v2.0.31 on my RH8.7 system following the documentation at Installation — Open OnDemand 2.0.20 documentation
I will need to enable LDAP, but I started without it as a first step. I configured SSL with self-signed certificate and selected port 8443. Other than that, this is plain vanilla install. SELinux is not enabled.

Now, almost nothing works and I’m very confused. First, the port I selected isn’t honored:

$ wget localhost:8443/.well-known/openid-configuration
--2023-03-02 06:55:57--  http://localhost:8443/.well-known/openid-configuration
Resolving localhost (localhost)... ::1,
Connecting to localhost (localhost)|::1|:8443... failed: Connection refused.
Connecting to localhost (localhost)||:8443... failed: Connection refused.

however the default port is somewhat responding

$ wget localhost:5556/.well-known/openid-configuration
--2023-03-02 06:56:09--  http://localhost:5556/.well-known/openid-configuration
Resolving localhost (localhost)... ::1,
Connecting to localhost (localhost)|::1|:5556... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1146 (1.1K) [application/json]
Saving to: ‘openid-configuration’

openid-configuration                                100%[=================================================================================================================>]   1.12K  --.-KB/s    in 0s

2023-03-02 06:56:09 (311 MB/s) - ‘openid-configuration’ saved [1146/1146]

But almost everything (besides the openid-configuration) is a 404

$ wget localhost:5556
--2023-03-02 06:51:49--  http://localhost:5556/
Resolving localhost (localhost)... ::1,
Connecting to localhost (localhost)|::1|:5556... connected.
HTTP request sent, awaiting response... 404 Not Found
2023-03-02 06:51:49 ERROR 404: Not Found.

$ wget localhost:5556/pun/sys/dashboard
--2023-03-03 16:59:42--  http://localhost:5556/pun/sys/dashboard
Resolving localhost (localhost)... ::1,
Connecting to localhost (localhost)|::1|:5556... connected.
HTTP request sent, awaiting response... 404 Not Found
2023-03-03 16:59:42 ERROR 404: Not Found.

Again, this is out of the box install and system starting, with minimal changes to the default as follows

 grep -v '^#' /etc/ood/config/ood_portal.yml | grep -v '^ *$'
port: 8443
  - 'SSLCertificateFile "/etc/pki/tls/certs/localhost.crt"'
  - 'SSLCertificateKeyFile "/etc/pki/tls/private/localhost.key"'
  - 'AuthType Basic'
  - 'Require valid-user'

Any clues on what may be wrong? I triple checked everything and could not figure out anything that I did differently than what the documentation says.

Thanks a lot in advance!

I would try to get rid of your auth section in ood_portal.yml. You’ll also need to supply the servername as either the IP or the hostname of the machine (hostname is better). Whichever you use for servername you need to use that address in your webbrowser to, otherwise apache won’t route requests correctly. You’ll also need to supply listen_addr_port: 8443 when changing the ports from non-standard ports (that’s why you have the original connection refused).

After that I would go ahead and setup LDAP as best you can. At least get it to connect to your LDAP and attempt to pull records. This should at least get you to a point where you’re being redirected to Dex correctly even if it can’t pull records correctly.

When you have self signed certificates you’ll need be sure that Dex knows about the root certificate as well. That is be sure to copy the root certificate(s) into /etc/ood/dex.

Once you have that, you can check /var/log/httpd/*error* logs for any errors when you try to connect.

Thank you very much, really appreciated. That did not make a bit of a difference, though. I even tried to remove everything (but the IP number – the host does not have a DNS entry) for a test – no difference. I now suspect that everything is being ignored (yes, I’m running systemctl restart ondemand-dex.service && systemctl restart httpd after each change) because as you can see above the connection is established as HTTP not HTTPS and if I force wget to do HTTPS it will fail with An unexpected TLS packet was received

Are you saying that I should do that first? I wanted to see at least a login screen before diving into that… to make sure what I have so far is working.

Yeah, I had looked into there and the only think are warnings about that, but they are warnings, not failures. Nothing indicates something completely broken as it appears to be.

OK - scratch the LDAP stuff, here’s what you should need as a baseline to get this to work.

port: 8443
listen_addr_port: 8443
servername: 'some.ip.address'
  - 'SSLCertificateFile "/etc/pki/tls/certs/localhost.crt"'
  - 'SSLCertificateKeyFile "/etc/pki/tls/private/localhost.key"'

With this configuration directly - you should be able to connect to apache and get some errors around self signed certificates.

This is because apache won’t have any way to verify that Dex’s certificate isn’t from the same certification. You’ll need to generate a Certificate Authority and generate these keys & certificates from that certificate authority.

You can see how we do this in these containers here for an example (note that you likely want to avoid localhost - that’s needed for containers, but is actually very problematic for servers).

Thank you Jeff, that helped me getting going. However I had to really make a DNS entry for this server (which I wanted to avoid) because otherwise there were too many ways to fail.

In the end I was unable to make OOD working with a IP number and self-signed certificate. Perhaps there is a way to do that, but getting a name for the server has been my solution.

The only additional things I did (compared to what you say and what the documentation mentions) is running /opt/ood/ood-portal-generator/sbin/update_ood_portal right before (re)starting the services.

Now off to LDAP configuration!

1 Like