action #133403
closed
Login on o3 does not work
Added by mkittler over 1 year ago.
Updated over 1 year ago.
Description
Observation¶
The problem is only reproducible on o3 (not on OSD).
Clicking on login takes very long. One might get eventually to the OpenID login page which then might complain that the session has already timed out. If the session has not already timed out one can get a little bit further. Eventually, if not timeouts happened in between, one gets the error "naive_verify_failed_return: Direct contact invalidated ID provider response." after being redirected back to openQA.
It seemed to have worked at some point - at least the server logs show one successful login:
[2023-07-26T14:02:00.828535Z] [debug] Net::OpenID::Consumer: semantic info (https://www.opensuse.org/openid/user/mkittler) = openid2.provider => https://www.opensuse.org/openid/, openid.server => https://www.opensuse.org/openid/
[2023-07-26T14:02:00.828936Z] [debug] Net::OpenID::Consumer: Server is https://www.opensuse.org/openid/
[2023-07-26T14:02:00.829990Z] [debug] Net::OpenID::Consumer: verified_identity: assoc_handle: {HMAC-SHA1}{redacted}{b'redacted'}
[2023-07-26T14:02:00.830086Z] [debug] Net::OpenID::Consumer: handle_assoc: dumb mode: no_cache
[2023-07-26T14:02:00.830365Z] [debug] Net::OpenID::Consumer: verified_identity: verifying using HTTP (dumb mode)
…
[2023-07-26T14:02:04.921071Z] [debug] Net::OpenID::Consumer: Cache MISS for https://www.opensuse.org/openid/yadis/mkittler.xrds
…
[2023-07-26T14:03:47.361601Z] [debug] Net::OpenID::Consumer: verified identity! = https://www.opensuse.org/openid/user/mkittler
Supposedly it was in vain because the HTTP request had already timed out (on client or gateway level).
The error I mentioned in the ticket description is also visible in the server logs:
[2023-07-26T14:08:38.171657Z] [debug] Net::OpenID::Consumer: fail(naive_verify_failed_return) Direct contact invalidated ID provider response.
[2023-07-26T14:08:38.172022Z] [error] OpenID: naive_verify_failed_return: Direct contact invalidated ID provider response.
- Priority changed from Normal to High
- Target version set to Ready
It works after disabling IPv6 for the relevant IP addressed:
ip -6 r a to unreachable 2001:67c:2178:8::16
ip -6 r a to unreachable 2001:67c:2178:8::161
- Status changed from In Progress to Feedback
So I guess this is basically just a symptom of #133358 not being implemented.
I disabled IPv6 in /etc/sysctl.conf for now with a reference to this ticket.
- Status changed from Feedback to Resolved
With that workaround the login works again so I'm resolving this ticket after updating the suggestions of #133358.
- Related to action #133358: Migration of o3 VM to PRG2 - Ensure IPv6 is fully working added
Also available in: Atom
PDF