-
Notifications
You must be signed in to change notification settings - Fork 6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
gridsite (2.3.4) does not work with the shibboleth (2.6.1-3.2) #38
Comments
Dear Julia! |
Hi, actually shibboleth builds, in particular the many thanks for the help. regards, |
As I understand, CC 7.6 is pure CentOS 7.6, only with different We've checked the gridsite alone from EPEL (only with mod_ssl) works fine in CentOS 7.6. So the interesting part will be the combination with the shibboleth. |
Right, CC7.6 is just CERN CentOS 7.6 image with additional repos enabled by default. The problem is that the gridsite (2.3.4) does not work together with the shibboleth (2.6.1-3.2) at CentOS 7.6 while each package works well independently. Apache process simply fails with SIGSEGV error, below you can find an example of stack traces at the moment of failure. I also wrote detailed steps to reproduce the issue. regards, Back trace frames of the apache process failure: Program received signal SIGSEGV, Segmentation fault.
0x00007fea4bd0ef29 in CRYPTO_get_ex_data () from /lib64/libcrypto.so.10
(gdb) bt
#0 0x00007fea4bd0ef29 in CRYPTO_get_ex_data () from /lib64/libcrypto.so.10
#1 0x00007fea476f2d43 in GRST_callback_SSLVerify_wrapper () from /etc/httpd/modules/mod_gridsite.so
#2 0x00007fea4be02b85 in X509_verify_cert () from /lib64/libcrypto.so.10
#3 0x00007fea4c147be6 in ssl_verify_cert_chain () from /lib64/libssl.so.10
#4 0x00007fea4c11ecc6 in ssl3_get_client_certificate () from /lib64/libssl.so.10
#5 0x00007fea4c1203f8 in ssl3_accept () from /lib64/libssl.so.10
#6 0x00007fea4c12f4f8 in ssl23_accept () from /lib64/libssl.so.10
#7 0x00007fea4c387008 in ssl_io_filter_handshake () from /etc/httpd/modules/mod_ssl.so
#8 0x00007fea4c387d0d in ssl_io_filter_input () from /etc/httpd/modules/mod_ssl.so
#9 0x000055dc8bdcfe47 in ap_rgetline_core ()
#10 0x000055dc8bdd2a64 in ap_read_request ()
#11 0x000055dc8bdf8f1e in ap_process_http_connection ()
#12 0x000055dc8bdf0fc0 in ap_run_process_connection ()
#13 0x00007fea4e41e7af in child_main () from /etc/httpd/modules/mod_mpm_prefork.so
#14 0x00007fea4e41e9f5 in make_child () from /etc/httpd/modules/mod_mpm_prefork.so
#15 0x00007fea4e41ea56 in startup_children () from /etc/httpd/modules/mod_mpm_prefork.so
#16 0x00007fea4e41f760 in prefork_run () from /etc/httpd/modules/mod_mpm_prefork.so
#17 0x000055dc8bdcbffe in ap_run_mpm ()
#18 0x000055dc8bdc4d76 in main () Steps to reproduce the issue:
yum install mod_wsgi gridsite httpd
yum install emacs wget
## edit def apache settings to allow default index page listing: comment line "Options -Indexes"
emacs -nw /etc/httpd/conf.d/welcome.conf
# Options -Indexes
# enable SSL Verification: comment set "SSLVerifyClient" to require
emacs -nw /etc/httpd/conf.d/ssl.conf
SSLVerifyClient require
/sbin/service httpd restart
wget --no-check-certificate https://127.0.0.1/ --certificate /etc/pki/tls/certs/localhost.crt --private-key /etc/pki/tls/private/localhost.key
--2018-12-12 23:43:02-- https://127.0.0.1/
Connecting to 127.0.0.1:443... connected.
OpenSSL: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Unable to establish SSL connection. OK. we get expected behavior, request failed due to "unknown ca" => gridsite works well.
(Install shibboleth using instruction: http://linux.web.cern.ch/linux/centos7/docs/shibboleth.shtml) yum install shibboleth
emacs -nw /etc/sysconfig/selinux
# set SELINUX=enforcing
/usr/sbin/setenforce Permissive
wget http://linux.web.cern.ch/linux/centos7/docs/shibboleth/shibboleth2.xml -O /etc/shibboleth/shibboleth2.xml
wget http://linux.web.cern.ch/linux/centos7/docs/shibboleth/ADFS-metadata.xml -O /etc/shibboleth/ADFS-metadata.xml
wget http://linux.web.cern.ch/linux/centos7/docs/shibboleth/attribute-map.xml -O /etc/shibboleth/attribute-map.xml
wget http://linux.web.cern.ch/linux/centos7/docs/shibboleth/wsignout.gif -O /etc/shibboleth/wsignout.gif
## skip Shibb configuration with real hostname in /etc/shibboleth/shibboleth2.xml since it does not matter at given point.
yum install opensaml-schemas #### --- (this step is missing in the http://linux.web.cern.ch/linux/centos7/docs/shibboleth.shtml instruction by the way!)
/bin/systemctl start shibd
/bin/systemctl restart httpd
wget --no-check-certificate https://127.0.0.1/ --certificate /etc/pki/tls/certs/localhost.crt --private-key /etc/pki/tls/private/localhost.key
--2018-12-13 00:03:05-- https://127.0.0.1/
Connecting to 127.0.0.1:443... connected.
Unable to establish SSL connection. OK, we got unexpected tail /var/log/httpd/error_log
..
[Thu Dec 13 00:03:06.147577 2018] [core:notice] [pid 24561] AH00052: child pid 24566 exit signal Segmentation fault (11) Typical backtrace stack details shown above/below.
yum erase gridsite
# ensure that in /etc/httpd/conf.d/ssl.conf SSLVerifyClient=require, fix if need
/bin/systemctl restart httpd
wget --no-check-certificate https://127.0.0.1/ --certificate /etc/pki/tls/certs/localhost.crt --private-key /etc/pki/tls/private/localhost.key
--2018-12-13 00:49:39-- https://127.0.0.1/
Connecting to 127.0.0.1:443... connected.
OpenSSL: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Unable to establish SSL connection. It works as expected however with an error
Manually rebuild gridsite packages at CC7.6 test machine, also installing debug info for more detailed backtrace:
rpm -qa| grep gridsite
gridsite-debuginfo-2.3.4-1.el7.cern.x86_64
gridsite-2.3.4-1.el7.cern.x86_64
gridsite-libs-2.3.4-1.el7.cern.x86_64 Apache process failed with typical error: Program received signal SIGSEGV, Segmentation fault.
0x00007eff30d4df29 in CRYPTO_get_ex_data () from /usr/lib64/libcrypto.so.10
(gdb) bt
#0 0x00007eff30d4df29 in CRYPTO_get_ex_data () from /usr/lib64/libcrypto.so.10
#1 0x00007eff2e558ce3 in GRST_callback_SSLVerify_wrapper (ok=1, ctx=0x7fffecef8430) at canl_mod_gridsite.c:3489
#2 0x00007eff30e40589 in internal_verify () from /usr/lib64/libcrypto.so.10
#3 0x00007eff30e4248f in X509_verify_cert () from /usr/lib64/libcrypto.so.10
#4 0x00007eff3045fbe6 in ssl_verify_cert_chain () from /lib64/libssl.so.10
#5 0x00007eff30436cc6 in ssl3_get_client_certificate () from /lib64/libssl.so.10
#6 0x00007eff304383f8 in ssl3_accept () from /lib64/libssl.so.10
#7 0x00007eff3069f008 in ssl_io_filter_handshake () from /etc/httpd/modules/mod_ssl.so
#8 0x00007eff3069fd0d in ssl_io_filter_input () from /etc/httpd/modules/mod_ssl.so
#9 0x0000564cf1e75e47 in ap_rgetline_core ()
#10 0x0000564cf1e78a64 in ap_read_request ()
#11 0x0000564cf1e9ef1e in ap_process_http_connection ()
#12 0x0000564cf1e96fc0 in ap_run_process_connection ()
#13 0x00007eff352847af in child_main () from /etc/httpd/modules/mod_mpm_prefork.so
#14 0x00007eff352849f5 in make_child () from /etc/httpd/modules/mod_mpm_prefork.so
#15 0x00007eff35284a56 in startup_children () from /etc/httpd/modules/mod_mpm_prefork.so
#16 0x00007eff35285760 in prefork_run () from /etc/httpd/modules/mod_mpm_prefork.so
#17 0x0000564cf1e71ffe in ap_run_mpm ()
#18 0x0000564cf1e6ad76 in main () |
Hi, any updates and follow up of the issue? regards, |
Hi, any news on the issue? thanks. |
Dear supporters, |
I couldn't reproduce the problem. Have tried both SL 7.6 and CentOS 7.6 (clean OS with added CERN repositories). Package versions from CentOS 7.6:
One of the hypotheses so far: it could be about order of loading of the apache modules or something (application context data mismatch in X509_STORE_CTX?). |
Could you try explore the crash in gdb? We could get the confirmation, there is a problem with the data structures got from the contexts... Launching httpd in gdb:
Launch the wget. Explore data structures:
The last command should show reasonable data. My output (shorted):
|
After upgrade of the VM running at CERN to CC 7.6 one of the important WLCG services has issues due to failures with gridsite libraries.
The gridsite package (gridsite-2.3.4-1.el7.x86_64) fails to work at CC 7.6 , it simply results to "Segmentation fault" errors of apache processes. After investigation the assumption is that the problem caused by the incompatibility of gridsite (2.3.4) and shibboleth (2.6.1-3.2).
CERN support team adviced to open a ticket against gridsite.
It is an urgent and serious problem since it prevents automatic service deployment and update and requires manual manipulations. We will very much appreciate help in making gridsite working with shibboleth (2.6.1-3.2).
Thank you
Kind regards
Julia Andreeva on behalf of the WLCG Operations
RQF1188492_attachments.zip
The text was updated successfully, but these errors were encountered: