Error 500 on login console after deploy


Guillem TP

Jan 13, 2015, 8:26:12 AM
to vcap...@cloudfoundry.org
Hi there,

Recently, we have deployed Cloud Foundry v2 on OpenStack based on cf-release v194.

When we do

CF_TRACE=true /home/ubuntu/cf login -u admin -p admin

We get an error 500 on trace:

REQUEST: [2015-01-13T11:18:28Z]
GET /login HTTP/1.1
Host: login.cf.ot:8080
Accept: application/json
Content-Type: application/json
User-Agent: go-cli 6.8.0-b15c536 / linux



RESPONSE: [2015-01-13T11:18:28Z]
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Cache-Control: no-cache
Cache-Control: no-store
Cache-Control: no-cache, no-store, max-age=0
Content-Language: en-US
Content-Type: application/json;charset=UTF-8
Date: Tue, 13 Jan 2015 11:18:28 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Pragma: no-cache
Server: Apache-Coyote/1.1
X-Frame-Options: DENY

20d
{"timestamp":"2014-11-14T23:30:29+0000","app":{"version":"1.9.1"},"idpDefinitions":[],"commit_id":"55a5ba4","prompts":{"username":["text","Email"],"password":["password","Password"],"passcode":["password","One Time Code (Get one at http://login.cf.ot/passcode)"]},"createAccountLink":"http://console.cf.ot:8080/register","links":{"register":"http://console.cf.ot:8080/register","passwd":"http://console.cf.ot:8080/password_resets/new","login":"http://login.cf.ot:8080","uaa":"http://uaa.cf.ot:8080"},"entityID":"login.cf.ot"}
0


Authenticating...

REQUEST: [2015-01-13T11:18:28Z]
POST /oauth/token HTTP/1.1
Host: login.cf.ot:8080
Accept: application/json
Authorization: [PRIVATE DATA HIDDEN]
Content-Type: application/x-www-form-urlencoded
User-Agent: go-cli 6.8.0-b15c536 / linux

grant_type=password&password=[PRIVATE DATA HIDDEN]&scope=&username=admin

RESPONSE: [2015-01-13T11:18:29Z]
HTTP/1.1 500 Internal Server Error
Connection: close
Transfer-Encoding: chunked
Cache-Control: no-cache, no-store, max-age=0
Content-Language: en-US
Content-Type: application/json;charset=UTF-8
Date: Tue, 13 Jan 2015 11:18:28 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1

6a
{"passwd":"http://console.cf.ot:8080/password_resets/new","register":"http://console.cf.ot:8080/register"}
0



We think that it's because the DNS "console.cf.ot" doesn't resolve correctly to the appropriate service. And the error captured in the login VM is:

[2015-01-13 11:18:29.571] login - 8342 [http-bio-8080-exec-8] .... DEBUG --- RequestMappingHandlerMapping: Returning handler method [public java.lang.String org.cloudfoundry.identity.uaa.login.HomeController.error500(org.springframework.ui.Model,javax.servlet.http.HttpServletRequest)]
[2015-01-13 11:18:29.572] login - 8342 [http-bio-8080-exec-8] .... ERROR --- HomeController: Internal error
error="access_denied", error_description="Error requesting access token."
    at org.springframework.security.oauth2.client.token.OAuth2AccessTokenSupport.retrieveToken(OAuth2AccessTokenSupport.java:144)
    at org.springframework.security.oauth2.client.token.grant.client.ClientCredentialsAccessTokenProvider.obtainAccessToken(ClientCredentialsAccessTokenProvider.java:44)
    at org.springframework.security.oauth2.client.token.AccessTokenProviderChain.obtainNewAccessTokenInternal(AccessTokenProviderChain.java:142)
    at org.springframework.security.oauth2.client.token.AccessTokenProviderChain.obtainAccessToken(AccessTokenProviderChain.java:118)


The deploy YML (attached here) was generated with SPIFF, and the DNS console.cf.ot was autogenerated. We don't know where it should resolve, and we've modified it to point to the UAA job to test it, but it doesn't work. Where should it point?

Thank you!


cf-deployment.yml

Johannes Engelke

Jan 13, 2015, 8:50:28 AM
to vcap...@cloudfoundry.org
Hi,
In general you should set up a wildcard domain pointing to your CF load balancer (I guess it is something like HAProxy...). The router will take care of dispatching the requests to the right component.

So in your case *.cf.ot should point to your load balancer (172.100.0.50).

Johannes

Johannes Engelke

Jan 13, 2015, 8:58:32 AM
to vcap...@cloudfoundry.org
Oh, sorry, now I read your post a second time and figured out we are talking about different things. :-D

In general you don't need a console. We have not deployed it at all. If you point to http://login.cf.ot and http://uaa.cf.ot you will be able to use a login form and check if the login is in general working. I expect the connection between uaa and login service is not working well. Maybe you have to set up some certificates, but maybe someone a bit more experienced can tell a bit more about your issue.

Cheers
Johannes

James Bayer

Jan 13, 2015, 11:11:50 AM
to vcap...@cloudfoundry.org
yes it appears that your uaa is not trusting the client, the login server, in this case.

HomeController: Internal error

error="access_denied", error_description="Error requesting access token."

those "console" references i believe are just links that would show up on the login server. i'm not sure how the UAA is configured to trust the login server normally via config. it looks like the spiff templates have a place where the UAA is told about the Login Server client, but i'm not sure how that same information is communicated to the Login Server config.


--
Thank you,

James Bayer
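
Added example (not part of the thread, and not Cloud Foundry or UAA code): a small triage script that pairs the CLI trace with the login-server log to show which OAuth grant actually failed. The sample input is constructed from the trace and stack trace quoted above; the function names `exchanges`, `failing_grant` and `triage` are hypothetical.

```python
import re

# Constructed sample, modelled on the CF_TRACE output and login-VM log quoted in this thread.
CLI_TRACE = """\
REQUEST: [2015-01-13T11:18:28Z]
GET /login HTTP/1.1
RESPONSE: [2015-01-13T11:18:28Z]
HTTP/1.1 200 OK
REQUEST: [2015-01-13T11:18:28Z]
POST /oauth/token HTTP/1.1

grant_type=password&password=[PRIVATE DATA HIDDEN]&scope=&username=admin
RESPONSE: [2015-01-13T11:18:29Z]
HTTP/1.1 500 Internal Server Error
"""
LOGIN_LOG = """\
[2015-01-13 11:18:29.572] login - 8342 [http-bio-8080-exec-8] .... ERROR --- HomeController: Internal error
error="access_denied", error_description="Error requesting access token."
    at org.springframework.security.oauth2.client.token.OAuth2AccessTokenSupport.retrieveToken(OAuth2AccessTokenSupport.java:144)
    at org.springframework.security.oauth2.client.token.grant.client.ClientCredentialsAccessTokenProvider.obtainAccessToken(ClientCredentialsAccessTokenProvider.java:44)
"""

def exchanges(trace):
    """Pair each traced request line with the status code of the response that follows it."""
    pairs, pending = [], None
    lines = trace.splitlines()
    for prev, line in zip(lines, lines[1:]):
        if prev.startswith("REQUEST:"):
            method, path, _ = line.split(" ", 2)
            pending = (method, path)
        elif prev.startswith("RESPONSE:") and pending:
            pairs.append((*pending, int(line.split()[1])))
            pending = None
    return pairs

def failing_grant(log):
    """Return (oauth_error, grant) for the first OAuth error in a login-server log, else None."""
    err = re.search(r'error="([^"]+)"', log)
    if not err:
        return None
    # The token provider class in the stack trace names the grant the login server attempted.
    provider = re.search(r"\.grant\.\w+\.(\w+)AccessTokenProvider\.obtainAccessToken", log)
    grant = re.sub(r"(?<!^)(?=[A-Z])", "_", provider.group(1)).lower() if provider else "unknown"
    return err.group(1), grant

def triage(trace, log):
    failed = [(m, p) for m, p, status in exchanges(trace) if status >= 500]
    return {"failed_requests": failed, "server_side": failing_grant(log)}
```

On the sample, the CLI sent `grant_type=password`, but the server-side failure is in the `client_credentials` grant: the login server could not obtain its own token, which points at the login-server-to-UAA trust configuration rather than the user's password or the `console` hostname.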

Guillem TP

Jan 19, 2015, 2:36:12 AM
to vcap...@cloudfoundry.org
Hi!

Yes, there was a problem with the RSA key in the UAA section.

The "console" DNS, as Johannes says, doesn't seem to be used, but now I can log in.

Thank you.


On Tuesday, January 13, 2015 at 17:11:50 UTC+1, jbayer wrote: