Project

General

Profile

Actions
Copy link

action #133403

closed

Login on o3 does not work

Added by mkittler 10 months ago. Updated 10 months ago.

Status:
Resolved
Priority:
High
Assignee:
mkittler
Category:
-
Target version:
openQA Project - Ready
Start date:
2023-07-26
Due date:
% Done:

0%

Estimated time:

Description

Observation

The problem is only reproducible on o3 (not on OSD).

Clicking on login takes very long. One might get eventually to the OpenID login page which then might complain that the session has already timed out. If the session has not already timed out one can get a little bit further. Eventually, if not timeouts happened in between, one gets the error "naive_verify_failed_return: Direct contact invalidated ID provider response." after being redirected back to openQA.

Related issues 1 (0 open1 closed)

Related to openQA Infrastructure - action #133358: Migration of o3 VM to PRG2 - Ensure IPv6 is fully workingResolvedokurz

Actions
Actions
Copy link
 #1

Updated by mkittler 10 months ago

It seemed to have worked at some point - at least the server logs show one successful login:

[2023-07-26T14:02:00.828535Z] [debug] Net::OpenID::Consumer: semantic info (https://www.opensuse.org/openid/user/mkittler) = openid2.provider => https://www.opensuse.org/openid/, openid.server => https://www.opensuse.org/openid/
[2023-07-26T14:02:00.828936Z] [debug] Net::OpenID::Consumer: Server is https://www.opensuse.org/openid/
[2023-07-26T14:02:00.829990Z] [debug] Net::OpenID::Consumer: verified_identity: assoc_handle: {HMAC-SHA1}{redacted}{b'redacted'}
[2023-07-26T14:02:00.830086Z] [debug] Net::OpenID::Consumer: handle_assoc: dumb mode: no_cache
[2023-07-26T14:02:00.830365Z] [debug] Net::OpenID::Consumer: verified_identity: verifying using HTTP (dumb mode)
…
[2023-07-26T14:02:04.921071Z] [debug] Net::OpenID::Consumer: Cache MISS for https://www.opensuse.org/openid/yadis/mkittler.xrds
…
[2023-07-26T14:03:47.361601Z] [debug] Net::OpenID::Consumer: verified identity! = https://www.opensuse.org/openid/user/mkittler

Supposedly it was in vain because the HTTP request had already timed out (on client or gateway level).

The error I mentioned in the ticket description is also visible in the server logs:

[2023-07-26T14:08:38.171657Z] [debug] Net::OpenID::Consumer: fail(naive_verify_failed_return) Direct contact invalidated ID provider response.
[2023-07-26T14:08:38.172022Z] [error] OpenID: naive_verify_failed_return: Direct contact invalidated ID provider response.
Actions
Copy link
 #2

Updated by mkittler 10 months ago

  • Priority changed from Normal to High
  • Target version set to Ready
Actions
Copy link
 #3

Updated by mkittler 10 months ago

It works after disabling IPv6 for the relevant IP addressed:

ip -6 r a to unreachable 2001:67c:2178:8::16
ip -6 r a to unreachable 2001:67c:2178:8::161
Actions
Copy link
 #4

Updated by mkittler 10 months ago

  • Status changed from In Progress to Feedback

So I guess this is basically just a symptom of #133358 not being implemented.

Actions
Copy link
 #5

Updated by mkittler 10 months ago

I disabled IPv6 in /etc/sysctl.conf for now with a reference to this ticket.

Actions
Copy link
 #6

Updated by mkittler 10 months ago

  • Status changed from Feedback to Resolved

With that workaround the login works again so I'm resolving this ticket after updating the suggestions of #133358.

Actions
Copy link
 #7

Updated by okurz 10 months ago

  • Related to action #133358: Migration of o3 VM to PRG2 - Ensure IPv6 is fully working added
Actions
Copy link

Also available in: Atom PDF