Bug #1697634 “AH01630: client denied by server configuration” : Bugs : OpenStack Identity (keystone)

Revision history for this message

Kristi Nikolla (knikolla) wrote on 2017-06-14:

#1

It seems like an issue with your apache configuration. Can you provide more details like installation method and your apache configuration?

Revision history for this message

men (keyi) wrote on 2017-06-15:

#2

Download full text (3.7 KiB)

https://docs.openstack.org/newton/install-guide-rdo/keystone-install.html#install-and-configure-components

Hello, my installation steps are as follows

yum install openstack-keystone httpd mod_wsgi

[root@controller01 ~]# egrep -v "^#|^$|*#" /etc/httpd/conf/httpd.conf
ServerRoot "/etc/httpd"
Listen 172.16.21.5:80
Include conf.modules.d/*.conf
User apache
Group apache
ServerAdmin root@localhost
ServerName 172.16.21.5:80
<Directory />
    AllowOverride none
    Require all denied
</Directory>
DocumentRoot "/var/www/html"
<Directory "/var/www">
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>
<Files ".ht*">
    Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "logs/access_log" combined
</IfModule>
<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
<IfModule mime_module>
    TypesConfig /etc/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
    MIMEMagicFile conf/magic
</IfModule>
EnableSendfile on
IncludeOptional conf.d/*.conf

[root@controller01 ~]# cat /etc/httpd/conf.d/wsgi-keystone.conf
Listen 172.16.21.5:5000
Listen 172.16.21.5:35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LimitRequestBody 114688
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone.log
    CustomLog /var/log/httpd/keystone_access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LimitRequestBody 114688
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone.log
    CustomLog /var/log/httpd/keystone_access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all gra...

https://docs.openstack.org/newton/install-guide-rdo/keystone-install.html#install-and-configure-components

Hello, my installation steps are as follows

yum install openstack-keystone httpd mod_wsgi

[root@controller01 ~]# egrep -v "^#|^$|*#" /etc/httpd/conf/httpd.conf 
ServerRoot "/etc/httpd"
Listen 172.16.21.5:80
Include conf.modules.d/*.conf
User apache
Group apache
ServerAdmin root@localhost
ServerName 172.16.21.5:80
<Directory />
    AllowOverride none
    Require all denied
</Directory>
DocumentRoot "/var/www/html"
<Directory "/var/www">
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>
<Files ".ht*">
    Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "logs/access_log" combined
</IfModule>
<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
<IfModule mime_module>
    TypesConfig /etc/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
    MIMEMagicFile conf/magic
</IfModule>
EnableSendfile on
IncludeOptional conf.d/*.conf

[root@controller01 ~]# cat /etc/httpd/conf.d/wsgi-keystone.conf 
Listen 172.16.21.5:5000
Listen 172.16.21.5:35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LimitRequestBody 114688
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone.log
    CustomLog /var/log/httpd/keystone_access.log combined

<Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LimitRequestBody 114688
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone.log
    CustomLog /var/log/httpd/keystone_access.log combined

<Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

Alias /identity /usr/bin/keystone-wsgi-public
<Location /identity>
    SetHandler wsgi-script
    Options +ExecCGI

WSGIProcessGroup keystone-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
</Location>

Alias /identity_admin /usr/bin/keystone-wsgi-admin
<Location /identity_admin>
    SetHandler wsgi-script
    Options +ExecCGI

WSGIProcessGroup keystone-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
</Location>

Revision history for this message

Lance Bragstad (lbragstad) wrote on 2017-06-16:

#3

Are you able to share any traces that may be available in your apache logs?

Lance Bragstad (lbragstad) on 2017-07-18

Changed in keystone:
status:	New → Incomplete

Revision history for this message

Launchpad Janitor (janitor) wrote on 2017-09-17:

#4

[Expired for OpenStack Identity (keystone) because there has been no activity for 60 days.]

Changed in keystone:
status:	Incomplete → Expired

Revision history for this message

changlimin (changlimin) wrote on 2020-07-06:

#5

Try add <Directory ...>

Alias /identity /usr/bin/keystone-wsgi-public
<Directory "/usr/bin">
Require all granted
</Directory>

Revision history for this message

Takehiko OGASAWARA (ogalush) wrote on 2020-08-02:

#6

Hello.
I also experienced a similar case at Ussuri on CentOS8.
It has been fixed by the following changes.
I recommend checking to your horizon's local_settings.
```
(1) ErrorLog
----
$ sudo grep 'AH01630' /var/log/httpd/error_log | tail -n 1
[Sun Aug 02 19:01:26.551032 2020] [authz_core:error] [pid 8331:tid 140194208229120] [client 192.168.3.200:35800] AH01630: client denied by server configuration: /usr/bin/keystone-wsgi-public
$
----

(2) Fix Config
----
/etc/openstack-dashboard/local_settings
OPENSTACK_HOST = "controller ip address."
- OPENSTACK_KEYSTONE_URL = "http://%s/identity/v3" % OPENSTACK_HOST
+ OPENSTACK_KEYSTONE_URL = "http://%s:5000/identity/v3" % OPENSTACK_HOST
----

(3) My Environment
CentOS 8 + Ussuri
----
$ cat /etc/redhat-release
CentOS Linux release 8.2.2004 (Core)
$ rpm -q openstack-dashboard
openstack-dashboard-18.3.2-1.el8.noarch
----
```
regards.

Revision history for this message

Helder Marques (hlourencomarques) wrote on 2020-12-16:

#7

Hello,

I also experienced a similar case at Victoria on Ubuntu.

The solution of Takehiko OGASAWARA (ogalush) worked for me too.

Edit /etc/openstack-dashboard/local_settings.py

- OPENSTACK_KEYSTONE_URL = "http://%s/identity/v3" % OPENSTACK_HOST
+ OPENSTACK_KEYSTONE_URL = "http://%s:5000/identity/v3" % OPENSTACK_HOST

Environment:
Ubuntu 20.04.1 LTS (focal)
OpenStack Victoria

Best Regards,

Helder Marques

OpenStack Identity (keystone)

AH01630: client denied by server configuration

Bug Description

Duplicates of this bug

Other bug subscribers

Remote bug watches