Ood1.8 fresh install on Centos7.8 with Apache/2.4.34

Working on a new install from RPM. I have never installed it before, and it all installs without errors, but after I start httpd24-httpd and try to connect from a remote system to the server on port 80, I just get the default Apache page. The firewall and SELinux are disabled and not running. I looked at the Apache error log and found this message.

[Mon Aug 24 08:49:59.853385 2020] [http2:warn] [pid 9865] AH10034: The mpm module (prefork.c) is not supported by mod_http2. The mpm determines how things are processed in your server. HTTP/2 has more demands in this regard and the currently selected mpm will just not do. This is an advisory warning. Your server will continue to work, but the HTTP/2 protocol will be inactive.

Is this my issue or is something else going on?

I did find this about Apache:
Starting from Apache 2.4.27, the Apache MPM (Multi-Processing Module) prefork no longer supports HTTP/2. This will be indicated in your Apache error log as follows:

AH10034: The mpm module (prefork.c) is not supported by mod_http2. The mpm determines how things are processed in your server. HTTP/2 has more demands in this regard and the currently selected mpm will just not do. This is an advisory warning. Your server will continue to work, but the HTTP/2 protocol will be inactive.

Any help would be great.
Thanks Keith

I have the error fixed by editing /etc/httpd/conf.modules.d/00-mpm.conf, thanks to redhat bug https://access.redhat.com/solutions/2063063. Disabled this line:
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so

and enabled this line:
LoadModule mpm_worker_module modules/mod_mpm_worker.so

But still only get the default Apache Test Page.

What does your /opt/rh/httpd24/root/etc/httpd/conf.d/ood-portal.conf look like? Also you could try deleting /opt/rh/httpd24/root/etc/httpd/conf.d/welcome.conf if present as that is what does the test page if I recall correctly.

Looks like the install never created the ood-portal.conf. Anyone have a template for it, or command I can run to create it?

I created one using this command: /opt/ood/ood-portal-generator/sbin/update_ood_portal

Looks like you either have to have DNS for the IP address of the system or have it in your /etc/hosts file; then it will build the file.

Here is the error I get in the error file for Apache after that change and restart. I have x’ed out the hostname. Should I be able to see something running on port 5556? When I nmap the server I don’t see anything on that port.

Wed Aug 26 08:04:20.688996 2020] [auth_openidc:error] [pid 2125:tid 140330792888064] [client 140.209.3.6:1660] oidc_provider_static_config: could not retrieve metadata from url: http://XXXXXXXXXXXXX:5556/.well-known/openid-configuration

Is the ondemand-dex service running? That needs to be started after running update_ood_portal, as that command will also generate the Dex configuration file.

Rebuilt again from scratch. At least I have gotten the login page to load. Here is how I built it. First step: be sure your hostname is in DNS, then do these steps.

OS=CentOS7
yum update -y

vi /etc/selinux/config
SELINUX=disabled

systemctl disable firewalld
systemctl stop firewalld

yum install centos-release-scl
yum install httpd24
yum install rh-ruby25
yum install rh-nodejs10

yum install https://yum.osc.edu/ondemand/1.8/ondemand-release-web-1.8-1.noarch.rpm

yum install ondemand
yum install ondemand-dex

vi /opt/rh/httpd24/root/etc/httpd/conf/httpd.conf
ServerName XXXXXXXX (Replace with XXX not real hostname)

vi /opt/rh/httpd24/root/etc/httpd/conf.modules.d/00-mpm.conf
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule mpm_worker_module modules/mod_mpm_worker.so

systemctl start httpd24-httpd
systemctl enable httpd24-httpd
systemctl start ondemand-dex
systemctl enable ondemand-dex

Hopefully this will help someone with a fresh install from RPM
Thanks for the Help. I will open new Help when I need it.

Just FYI, you don’t have to install httpd24, rh-ruby25 or rh-nodejs10. Those will get pulled in as dependencies when you install the ondemand package.

Also one step that is hidden by some changes we make to httpd24-httpd service is running /opt/ood/ood-portal-generator/sbin/update_ood_portal. That is what generates the Dex and Apache configuration for OnDemand. It’s run as a pre-start command for httpd24-httpd. If you enable SSL or make any other changes to /etc/ood/config/ood_portal.yml you can either run update_ood_portal manually or restart httpd24-httpd.

Found another issue during SSL setup of ood. You have this document: https://osc.github.io/ood-documentation/master/installation/add-ssl.html
This line, - 'SSLCertificateChainFile "/etc/pki/tls/certs/ondemand.my_center.edu-interm.crt"', is no longer supported since Apache 2.4.8; see this guide: https://httpd.apache.org/docs/current/mod/mod_ssl.html and look for SSLCertificateChainFile. It has been replaced by SSLCertificateFile. When I set this in my /etc/ood/config/ood_portal.yml like this example:
ssl:
  - 'SSLCertificateFile "/etc/pki/tls/certs/cert.crt"'
  - 'SSLCertificateKeyFile "/etc/pki/tls/private/key.key"'
  - 'SSLCertificateFile "/etc/pki/tls/certs/ca-bundle"'

and then run the command /opt/ood/ood-portal-generator/sbin/update_ood_portal, it rebuilds the files but httpd24-httpd.service no longer starts. Here is the Status of apache.
httpd24-httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd24-httpd.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/httpd24-httpd.service.d
└─ood-portal.conf, ood.conf
Active: failed (Result: exit-code) since Wed 2020-08-26 12:50:47 CDT; 1min 10s ago
Process: 1971 ExecStop=/opt/rh/httpd24/root/usr/sbin/httpd-scl-wrapper $OPTIONS -k graceful-stop (code=exited, status=0/SUCCESS)
Process: 1999 ExecStart=/opt/rh/httpd24/root/usr/sbin/httpd-scl-wrapper $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Process: 1973 ExecStartPre=/opt/ood/ood-portal-generator/sbin/update_ood_portal --rpm (code=exited, status=0/SUCCESS)
Main PID: 1999 (code=exited, status=1/FAILURE)
Status: “Reading configuration…”

Aug 26 12:50:47 ood1p.stthomas.edu update_ood_portal[1973]: cp -p /etc/pki/tls/private/star.stthomas.edu.key /etc/ood/dex/star.stthomas.edu.key
Aug 26 12:50:47 ood1p.stthomas.edu update_ood_portal[1973]: chown ondemand-dex:ondemand-dex /etc/ood/dex/star.stthomas.edu.key
Aug 26 12:50:47 ood1p.stthomas.edu update_ood_portal[1973]: cp -p /etc/pki/tls/certs/STAR_stthomas_edu.ca-bundle /etc/ood/dex/STAR_stthomas_edu.ca-bundle
Aug 26 12:50:47 ood1p.stthomas.edu update_ood_portal[1973]: chown ondemand-dex:ondemand-dex /etc/ood/dex/STAR_stthomas_edu.ca-bundle
Aug 26 12:50:47 ood1p.stthomas.edu update_ood_portal[1973]: No change in Apache config.
Aug 26 12:50:47 ood1p.stthomas.edu update_ood_portal[1973]: No change in the Dex config.
Aug 26 12:50:47 ood1p.stthomas.edu systemd[1]: httpd24-httpd.service: main process exited, code=exited, status=1/FAILURE
Aug 26 12:50:47 ood1p.stthomas.edu systemd[1]: Failed to start The Apache HTTP Server.
Aug 26 12:50:47 ood1p.stthomas.edu systemd[1]: Unit httpd24-httpd.service entered failed state.
Aug 26 12:50:47 ood1p.stthomas.edu systemd[1]: httpd24-httpd.service failed.

Is there a fix that has to happen for this to work? Or how can I import my SSLCertificateChainFile that should now be SSLCertificateFile that has the Cert authorities included.

Use SSLCertificateChainFile, that’s what we use at OSC:

ssl:
- SSLCertificateFile /etc/pki/tls/certs/ondemand.osc.edu.crt
- SSLCertificateKeyFile /etc/pki/tls/private/ondemand.osc.edu.key
- SSLCertificateChainFile /etc/pki/tls/certs/ondemand.osc.edu-interm.crt

It’s still valid with SCL Apache. We’ve had no issues using SSLCertificateChainFile and we are on the latest RHEL 7.8 release and latest SCL Apache. If you look at your configs you have a duplicate SSLCertificateFile, so you’re telling Apache that the ca-bundle is your host cert, which isn’t correct. Switch it to be SSLCertificateChainFile /etc/pki/tls/certs/ca-bundle. If you do not want to use SSLCertificateChainFile then your SSLCertificateFile must contain both the host cert and the CA and intermediates as a bundle; you do not specify SSLCertificateFile multiple times. We use InCommon certificates, and when we get new certificates one of the options is a bundled X509 cert where the PEM file contains multiple certificates: one is for the host and the rest are intermediate and root CA. That’s what you’d use if you omit SSLCertificateChainFile.

Ok. I have put it back. But I still get this error in messages on the system.
ondemand-dex: http: TLS handshake error from xxx.xxx.xxx.xxx:53558: remote error: tls: unknown certificate authority.
I then also get an error in the SSL error log for Apache.
[client xxx.xxx.xx.xx:37766] oidc_util_http_call: curl_easy_perform() failed on: https://xxxxxxxxxxx:5554/.well-known/openid-configuration (Peer’s Certificate issuer is not recognized.)

Must be something that needs to be fixed for certs someplace.

I have tried doing the curl -v https://xxx.xxx.xx.xx and it works as it should.

That error can happen for one of two reasons. One is that the CA that signed the certificate is not trusted by the system. See here: Unknown certificate authority when using openondemand-dex. This appears to have happened already with someone using LetsEncrypt.

The other issue that can cause that error is if the URL you referenced is not valid for that certificate. The URL host used for Dex must either match the certificate CN or the Subject Alt Names.
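
The two checks from the reply above (is the issuing CA trusted, and does the Dex URL host match the certificate CN or Subject Alt Names), together with the bundled SSLCertificateFile layout described earlier, as an added shell example that is not part of the thread. The host names, file names and function names are assumptions, and the certificates are generated on the spot as test material.

```shell
#!/usr/bin/env bash
# Added example; every key and certificate below is constructed test material.

# Build a throwaway CA plus a host certificate for $2 inside directory $1.
make_test_pki() {
  local d=$1 host=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Test CA for $host" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$d/san.ext"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -extfile "$d/san.ext" -out "$d/leaf.crt" 2>/dev/null
  # Bundled form of SSLCertificateFile: host certificate first, then the CA.
  cat "$d/leaf.crt" "$d/ca.crt" > "$d/bundle.crt"
}

# How many certificates a PEM file holds (a bundle holds more than one).
pem_cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Cause 1: does the certificate chain to a CA in trust file $1?
# On the real host, $1 would be the system bundle that update-ca-trust rebuilds.
chain_trusted() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Cause 2: is host name $2 covered by the certificate's CN or Subject Alt Names?
host_matches() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
make_test_pki "$tmp" ood.example.org
chain_trusted "$tmp/ca.crt" "$tmp/leaf.crt" && echo "chain: trusted by this CA file"
host_matches "$tmp/leaf.crt" ood.example.org && echo "name: ood.example.org matches"
host_matches "$tmp/leaf.crt" 192.0.2.10 || echo "name: 192.0.2.10 does not match"
echo "bundle.crt holds $(pem_cert_count "$tmp/bundle.crt") certificates"
```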

Fixed it, by adding my ca-bundle to /etc/pki/ca-trust/source/anchors/ and then doing update-ca-trust extract

Thanks