Instructions to enable HTTPS for Apache 2.4.7 don't work - Icehouse

Bug #1321660 reported by danieru
This bug affects 1 person
Affects: openstack-manuals
Status: Fix Released
Importance: High
Assigned to: Diane Fleming

Bug Description

Synopsis:

After following the instructions to enable HTTPS for dashboard in this section:

http://docs.openstack.org/icehouse/config-reference/content/configure-dashboard.html#dashboard-config-https

I'm seeing several errors in the logs, and when attempting to browse to the login page I'm getting 'Internal Server Error'.

My initial impression is that the instructions are adapted to an older version of Apache (possibly 2.2.x?), whereas on Trusty we have:

# apache2 -v
Server version: Apache/2.4.7 (Ubuntu)
Server built: Apr 3 2014 12:20:28

Suggested fix:

It would be useful to provide separate configuration tracks for the different apache versions (e.g. 2.2.x vs 2.4.x)

I unfortunately can't suggest corrections for the 2.4.7 track since I'm not overly familiar with apache and haven't yet found alternate configuration steps that work.

It also may be useful to mention that mod_ssl needs to be enabled (e.g. a2enmod ssl)

Some more details:

* On apache startup I get an error message in the log stating that the 'NameVirtualHost' directive is deprecated, is being ignored, and will be removed in the next release.

* Here is the error I get in the apache error.log when I attempt to browse to the site:

****begin error.log excerpt****
[Tue May 20 11:43:57.473929 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:e:4a46:f183:4121:6a38:f18b:46843] mod_wsgi (pid=3666): Exception occurred processing WSGI script '/usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi'.
[Tue May 20 11:43:57.474026 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:e:4a46:f183:4121:6a38:f18b:46843] Traceback (most recent call last):
[Tue May 20 11:43:57.474070 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:e:4a46:f183:4121:6a38:f18b:46843] File "/usr/lib/python2.7/dist-packages/django/core/handlers/wsgi.py", line 187, in __call__
[Tue May 20 11:43:57.484104 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:e:4a46:f183:4121:6a38:f18b:46843] self.load_middleware()
[Tue May 20 11:43:57.484137 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:e:4a46:f183:4121:6a38:f18b:46843] File "/usr/lib/python2.7/dist-packages/django/core/handlers/base.py", line 44, in load_middleware
[Tue May 20 11:43:57.484659 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:e:4a46:f183:4121:6a38:f18b:46843] for middleware_path in settings.MIDDLEWARE_CLASSES:
[Tue May 20 11:43:57.484685 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:e:4a46:f183:4121:6a38:f18b:46843] File "/usr/lib/python2.7/dist-packages/django/conf/__init__.py", line 54, in __getattr__
[Tue May 20 11:43:57.491903 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:e:4a46:f183:4121:6a38:f18b:46843] self._setup(name)
[Tue May 20 11:43:57.491939 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:e:4a46:f183:4121:6a38:f18b:46843] File "/usr/lib/python2.7/dist-packages/django/conf/__init__.py", line 49, in _setup
[Tue May 20 11:43:57.491971 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:e:4a46:f183:4121:6a38:f18b:46843] self._wrapped = Settings(settings_module)
[Tue May 20 11:43:57.491986 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:e:4a46:f183:4121:6a38:f18b:46843] File "/usr/lib/python2.7/dist-packages/django/conf/__init__.py", line 128, in __init__
[Tue May 20 11:43:57.492008 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:e:4a46:f183:4121:6a38:f18b:46843] mod = importlib.import_module(self.SETTINGS_MODULE)
[Tue May 20 11:43:57.492044 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:e:4a46:f183:4121:6a38:f18b:46843] File "/usr/lib/python2.7/dist-packages/django/utils/importlib.py", line 40, in import_module
[Tue May 20 11:43:57.497834 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:e:4a46:f183:4121:6a38:f18b:46843] __import__(name)
[Tue May 20 11:43:57.497862 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:e:4a46:f183:4121:6a38:f18b:46843] File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/settings.py", line 219, in <module>
[Tue May 20 11:43:57.498048 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:e:4a46:f183:4121:6a38:f18b:46843] from local.local_settings import * # noqa
[Tue May 20 11:43:57.498071 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:e:4a46:f183:4121:6a38:f18b:46843] File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/local/local_settings.py", line 96, in <module>
[Tue May 20 11:43:57.498249 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:e:4a46:f183:4121:6a38:f18b:46843] SECRET_KEY = secret_key.generate_or_read_from_file('/var/lib/openstack-dashboard/secret_key')
[Tue May 20 11:43:57.498275 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:e:4a46:f183:4121:6a38:f18b:46843] File "/usr/lib/python2.7/dist-packages/horizon/utils/secret_key.py", line 55, in generate_or_read_from_file
[Tue May 20 11:43:57.498402 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:e:4a46:f183:4121:6a38:f18b:46843] with lock:
[Tue May 20 11:43:57.498422 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:e:4a46:f183:4121:6a38:f18b:46843] File "/usr/lib/python2.7/dist-packages/lockfile.py", line 223, in __enter__
[Tue May 20 11:43:57.504339 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:e:4a46:f183:4121:6a38:f18b:46843] self.acquire()
[Tue May 20 11:43:57.504368 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:e:4a46:f183:4121:6a38:f18b:46843] File "/usr/lib/python2.7/dist-packages/lockfile.py", line 239, in acquire
[Tue May 20 11:43:57.504397 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:e:4a46:f183:4121:6a38:f18b:46843] raise LockFailed("failed to create %s" % self.unique_name)
[Tue May 20 11:43:57.504423 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:e:4a46:f183:4121:6a38:f18b:46843] LockFailed: failed to create /var/lib/openstack-dashboard/<ourdashboardserver>.MainThread-3666
****end error.log excerpt****

-----------------------------------
Built: 2014-05-16T14:15:55 00:00
git SHA: ed92ea154f460d78c24ec7323da3a649591a801a
URL: http://docs.openstack.org/icehouse/config-reference/content/configure-dashboard.html

danieru (samuraidanieru) wrote :

I identified a configuration that works. In my case at least, the openstack-dashboard.conf file that the document suggests doesn't work for icehouse/trusty, but the one below does. I basically just compared the content of the originally installed conf file and inserted it into the example provided on the doc page (the WSGI lines, etc). Some notable changes are in the first few lines, such as alias path, credentials, etc.

***begin openstack-dashboard.conf***
<VirtualHost *:80>
  ServerName dashboard.example.com
  <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
  </IfModule>
  <IfModule !mod_rewrite.c>
    RedirectPermanent / https://dashboard.example.com
  </IfModule>
</VirtualHost>
<VirtualHost *:443>
  ServerName dashboard.example.com
  SSLEngine On
  # Remember to replace certificates and keys with valid paths in your environment
  SSLCertificateFile /etc/apache2/ssl/dashboard.crt
  SSLCACertificateFile /etc/apache2/ssl/dashboardca.crt
  SSLCertificateKeyFile /etc/apache2/ssl/dashboard.key
  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

  # HTTP Strict Transport Security (HSTS) enforces that all communications
  # with a server go over SSL. This mitigates the threat from attacks such
  # as SSL-Strip which replaces links on the wire, stripping away https prefixes
  # and potentially allowing an attacker to view confidential information on the
  # wire
  Header add Strict-Transport-Security "max-age=15768000"

  WSGIScriptAlias /horizon /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
  WSGIDaemonProcess horizon user=horizon group=horizon processes=3 threads=10
  WSGIProcessGroup horizon
  Alias /static /usr/share/openstack-dashboard/openstack_dashboard/static/
  <Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
    Order allow,deny
    Allow from all
  </Directory>
</VirtualHost>
***end openstack-dashboard.conf***
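
An added example, not part of the original report or the merged fix: a Python check that reads a virtual-host file, lists the modules that must be enabled (for example with a2enmod) before Apache 2.4 will parse it, and flags the 2.2-era directives raised in this thread. The `audit` function, the `MODULES` table and the sample input (which adds a NameVirtualHost line like the one the startup log flagged) are assumptions made for illustration.

```python
import re

# Module (a2enmod name) -> pattern matching the lower-cased directives it provides.
MODULES = {"ssl": r"ssl", "rewrite": r"rewrite", "wsgi": r"wsgi",
           "headers": r"(request)?header$", "access_compat": r"(order|allow|deny)$"}

def audit(conf_text):
    """Return (modules_required, findings) for one Apache virtual-host file."""
    required, findings, stack = set(), [], []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("<"):  # container: pop on </X>, push on <X ...>
            if line.startswith("</"):
                stack = stack[:-1]
            else:
                stack.append(line.strip("<>").lower())
            continue
        name = line.split()[0].lower()
        # Apache skips an <IfModule> body when the test fails, so directives
        # inside one do not make their module a hard requirement.
        guarded = any(s.startswith("ifmodule") for s in stack)
        for module, pattern in MODULES.items():
            if re.match(pattern, name) and not guarded:
                required.add(module)
        if name == "namevirtualhost":
            findings.append((n, "NameVirtualHost is deprecated and ignored on 2.4"))
        if re.match(MODULES["access_compat"], name):
            findings.append((n, "2.2 access control; the 2.4 form is 'Require'"))
    return sorted(required), findings

# Constructed sample, shortened from the configuration posted in this thread.
SAMPLE = """\
NameVirtualHost *:80
<VirtualHost *:80>
<IfModule mod_rewrite.c>
RewriteEngine On
</IfModule>
</VirtualHost>
<VirtualHost *:443>
SSLEngine On
Header add Strict-Transport-Security "max-age=15768000"
WSGIProcessGroup horizon
<Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
Order allow,deny
</Directory>
</VirtualHost>
"""
```

On the sample, `audit(SAMPLE)` reports access_compat, headers, ssl and wsgi as hard requirements; rewrite is absent because its directives sit inside an `<IfModule>` guard.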

Gauvain Pocentek (gpocentek) wrote :

Thanks for the report and the configuration sample!

The current config doesn't work for apache 2.4.

Changed in openstack-manuals:
status: New → Confirmed
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-manuals (master)

Fix proposed to branch: master
Review: https://review.openstack.org/102228

Changed in openstack-manuals:
assignee: nobody → Tom Fifield (fifieldt)
status: Confirmed → In Progress
Tom Fifield (fifieldt)
Changed in openstack-manuals:
milestone: none → juno
Changed in openstack-manuals:
assignee: Tom Fifield (fifieldt) → Diane Fleming (diane-fleming)
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-manuals (master)

Reviewed: https://review.openstack.org/102228
Committed: https://git.openstack.org/cgit/openstack/openstack-manuals/commit/?id=3abec578e73dab6a7b0c25bb5f8d71276834104b
Submitter: Jenkins
Branch: master

commit 3abec578e73dab6a7b0c25bb5f8d71276834104b
Author: Tom Fifield <email address hidden>
Date: Tue Jun 24 21:24:39 2014 +0800

    Fix openstack-dashboard.conf in horizon SSL conf

    As reported by danieru, who also provided this fix, the
    openstack-dashboard.conf in the section on
    "Configure the dashboard for HTTPS" was incorrect, and did
    not work for versions of apache included in current
    distributions.

    Change-Id: I12d38945268589c0d988220460d8ab0a02c41354
    Closes-Bug: 1321660

Changed in openstack-manuals:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-manuals 15.0.0

This issue was fixed in the openstack/openstack-manuals 15.0.0 release.
