QA » openQA Project » openQA Infrastructure

Logged in sessions are still active so most of our users should not be affected unless they select to delete their session cookies or are inactive for long. I can also reproduce the issue in a private browser window reaching the "Forbidden" page. Login on o3 still works as well as on other instances so this is not a generic issue coming from the server but something about our instance. The "simple approach" of restarting just the webui daemon does not help.

I could not find anything obvious in neither the openQA logs e.g. using journalctl -u openqa-webui nor grep '$my_ip.*\(May 28\|28/May\)' /var/log/apache2/{openqa.access,access,error}_log. other servers are fine, restarting webui and apache2 does not help. To me this looks like a problem with the external openID provider by MF-IT . But as it is Thursday and we have the SUSE-IT maintenance window I guess we just need to wait 2h anyway before we raise the alarm.

OSD had an entry in /etc/hosts pointing www.opensuse.org to 130.57.66.6. With this I could finally reproduce the issue myself:

openssl s_client -showcerts -connect 130.57.66.6:443 -servername www.opensuse.org < /dev/null

I now removed that line now and login works again.

I doubt this is the same issue now as it concerns all openQA instances. Not sure why nicksinger set this ticket to "Feedback" but certainly the immediate issue was fixed last week with his mentioned changes. What seems to have happened now is that the upstream openID provider has been switched off completely. See #66703 for this

Let me update here. I doubt the very same issue reappeared but what was needed on top to fix the login for now is https://github.com/os-autoinst/openQA/pull/3167 to allow OpenID login via POST as well. This has been deployed to o3 and osd in the meantime after initially done as hotpatch.