5032 error captcha

[tortero...@gmail.com]

Hi

I have problems with the captcha after several registers the error 5032 appears

Any ideas what can cause this error?

Thanks

[Jason Rivard]

Sorry, that error is unreadable.  Please paste the text here.

[tortero...@gmail.com]

[2020-07-15 14:34:58] [info] 2020-07-15T14:34:58Z, ERROR, http.PwmResponse, {5E4Ka} 5032 ERROR_CAPTCHA_API_ERROR (unexpected error during reCaptcha API execution: 5057 ERROR_SERVICE_UNREACHABLE (error while making http request: www.recaptcha.net:443 failed to respond))

[Jason Rivard]

The PWM server can't reach www.recaptcha.net...   Probably a firewall or network issue.

[Paul Hodgdon]

My experience with Captcha and PWM:

1. You may need to import the Google Root (G2)/Intermediate certificates to your java keystore.

2. Make sure your domain is registered with  Captcha , if you can see the box and not an error in the UI then this is probably the case.

3. Make sure the Captcha version on Google is v2, I never could get v3 to work with PWM.

Paul Hodgdon
Principal Consultant | Identity Works LLC

--
You received this message because you are subscribed to the Google Groups "pwm-general" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pwm-general...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/pwm-general/95013580-b15a-46d1-a243-7a7ef9d29ab1o%40googlegroups.com.

[Andrés Pías]

Hi,

Victor and I have been trying to fix this issue following your suggestions, thanks for your answers.

Please let me explain a little more. First of all, the problem doesn't always happen.

Analyzing the code and logs (in Trace mode), we see that this happen when PWM (server side) tries to validate the captcha received by the user against www.recaptcha.net (siteverify). The PwmHttpClient class (which encapsulates a CloseableHttpClient), is used to send these requests to recaptcha service. To get a client instance the getPwmHttpClient method from HttpClientService class is called. So, we see the problem happens when this method decided to reuse some client (open) of the clients pool.

I'm talking about this code:

...
        final PwmHttpClient existingClient = threadLocal.get();
        if ( existingClient != null && !existingClient.isClosed() )
        {
            int numreusados = stats.get( StatsKey.reusedClients ).incrementAndGet();
            return existingClient;
        }
...

Client reuse is shown in Tomcat logs:

[2020-10-15 10:57:17] [info] 2020-10-15T10:57:17Z, TRACE, httpclient.PwmHttpClient, {f8Tjo} client #1 preparing to send HTTP POST request to https://www.recaptcha.net/recaptcha/api/siteverify using trust manager [defaultJava] id=2)  [*****]
[2020-10-15 10:57:17] [info] 2020-10-15T10:57:17Z, TRACE, httpclient.PwmHttpClient, {f8Tjo} client #1 received response (id=2) in 465ms: HTTP response status 200 OK id=2)  [*****]
[2020-10-15 11:05:09] [info] 2020-10-15T11:05:09Z, TRACE, httpclient.PwmHttpClient, {Um5Nf} client #1 preparing to send HTTP POST request to https://www.recaptcha.net/recaptcha/api/siteverify using trust manager [defaultJava] id=4)  [*****]

In this case, for the second resquest (last line above), no response was obtained from www.recaptcha.net.

Clearly, the clients pool is not working well in our server. This discussion seems to verify our hypothesis. Apparently some reused clients (not closed) remain in 'stale' state, they think the connection with www.recaptcha.net is still open, but the server has closed the socket already. Using tcpdump we verify that for the second request above, the client sent 3 packets to www.recaptcha.net, but none of them with the SYN flag (connection start).

The problem was solved when the code was modified as follows:

...
        final PwmHttpClient existingClient = threadLocal.get();
        if ( existingClient != null && !existingClient.isClosed() )
        {
            try
            {
                existingClient.close();
            }
            catch ( final Exception e )
            {
                LOGGER.debug( () -> "error closing pwmHttpClient instance: " + e.getMessage() );
            }
        }
...

I share this analysis hopping you can tell me if it's a known problem or not. Could this be a missing tomcat configuration? In any case, what Tomcat configuration is needed for the Http clients correct working?

Thanks,
Andrés.

[s.w.g...@gmail.com]

Was there ever a fix for this?  We see the same issue in our deployment

Scott

[victor torterola]

Hi

We made this change. https://github.com/UdelaRInterior/pwm/blob/a65c419216c3d467db79a06a5292cdac91a7de72/server/src/main/java/password/pwm/svc/httpclient/HttpClientService.java#L113

Victor

You received this message because you are subscribed to a topic in the Google Groups "pwm-general" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/pwm-general/hRddnGGEfrE/unsubscribe.
To unsubscribe from this group and all its topics, send an email to pwm-general...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/pwm-general/1c1a2c52-805f-4c91-83a6-b9b0c19710fen%40googlegroups.com.

[Eduardo Pastrana]

Hi all, is there any solution to this matter from the PMW side? I'm facing the same problem but I'm not sure how to implement Victor's workaround.

Thanks a million

[Andrés Pías]

Hi Eduardo,

In case it is useful, to apply this workaround you have to edit the source code of server/src/main/java/password/pwm/svc/httpclient/HttpClientService.java as we did in this commit. Then you have to build the PWM .war by following this documentation.

A second option is to download our own PWM build (.war) with these corrections from here. Attention: we also made other modifications to the original PWM code to add new configuration parameters. This however, shouldn't cause you any problems.

Andrés.

To view this discussion on the web visit https://groups.google.com/d/msgid/pwm-general/b89ff978-750a-43e3-85ad-35b1723547bdn%40googlegroups.com.

[Eduardo Pastrana]

Dear Andres, you make this forums really valuable!!

As I'm really bad at programming, it'd be better to use your war. Just some doubts:

* Which version of PWM is this war made from? 2.0?

* What'd happen if new versions or builds are create from Jason?...you'd have to build a new one with the fixes?

* The deployment of this war is the same as any other?

Appretiate your comments

[Eduardo Pastrana]

Dear @Andres Pias, did you have the chance to take a look to my message?

Dear @Jason, do you know if this will be solved soon?

Really thanks,

[Jason Rivard]

I haven't been able to reproduce this.  What steps will cause this error?

[Andrés Pías]

Hi Eduardo

Sorry for the late reply. I answer your questions:

* Which version of PWM is this war made from? 2.0?

It's PWM v2.0.0-SNAPSHOT b0 r0

* What'd happen if new versions or builds are create from Jason?...you'd have to build a new one with the fixes?

Yes, that's right, we'd have to build a new one each time. That's not the best at all.

* The deployment of this war is the same as any other?

Yes, with one exception. To correctly activate the New User Registration module, a new parameter must be completed from the Configuration Editor. You must set the "writeAttributesNull" parameter with an "empty action" (no LDAP Action and no Web Service Action)

Andrés.

To view this discussion on the web visit https://groups.google.com/d/msgid/pwm-general/23998205-0baa-4b8c-8886-91402e3ee1d8n%40googlegroups.com.

[Eduardo Pastrana]

Thanks Andres and Jason.

Dear Jason, deep technical info are found on the thread. From my end, basically the capcha process throws and error and users cannot login. It seems to happen when an user validates the capcha several times in a period of time, for instance, it's happening to our help desk agents because I couldnt fix

the issue related to the timeout of this module (I have another post open with this :)), currently it's on 4 minutes.

Looking forward for your response.

[Jason Rivard]

I've looked through the thread and I see your hypothis, but not a cause.  As I said, I can't reproduce it locally, I suspect some type of network device is interfering with your outbound HTTP connections and causing issues.  If this is a bug in HttpClient it should be fixed in HttpClient, we regularly keep the HttpClient updated.  I'm unwilling to just disable HTTP connection reuse, this was added for specific high usage scenarios where reusing HTTP Connections is important...   I do have some medium-long term plans to rewrite the PwmHttpClient using the Java 11 built in Http Client, but I'm not sure when that will happen.  That would probably change the nature of the problem...   But until I can reproduce it I can't fix it.

[Eduardo Pastrana]

Jason, quite interesting answer...in fact, I'm using HAProxy to publish the app, probably there's something that I need to check there.

Thanks Jason and Andres for you unvaluable help.

Eduardo

[pa...@identityworksllc.com]

I see this code got refactored (https://github.com/pwm-project/pwm/commit/0e85726d5418b68b0dfc7bc6f727f6c5388f4eb2#diff-2aa5b37bab7ce2a1c17c566e9c089dd41dc2a598f90c36908e1d440ec7618394). Anyone else using recaptcha that is seeing similar behavior with code later than this commit?  Seeing consistent behavior where a POST to recaptcha for a particular http client does't come back with a success and immediate throws: www.recaptcha.net:443 failed to respond at java.lang.Throwable
    at password.pwm.svc.httpclient.ApachePwmHttpClient.makeRequest(ApachePwmHttpClient.java:349)

[Eloy Fernandez]

Same error here

[Jason Rivard]

In the current 2.1-SNAPSHOT branch there is an updated implementation which uses the built-in Java HTTP Client instead of the Apache HTTPClient.   This may or may not help this issue, and it may or may not cause other problems, but it's something to try.    To activate it use:

http.client.implementation=password.pwm.svc.httpclient.JavaPwmHttpClient

in the 'App Property Overrides' setting.  If you try this and it changes the behavior of this issue, please post here.

[Paul Hodgdon]

This did seem to help, but also seemed to cause an abnormal amount of threads to the point it would kill the app as it didn’t seem that connections were getting closed.

To view this discussion on the web visit https://groups.google.com/d/msgid/pwm-general/0009ef09-5e25-4a3d-b0d4-7e46608ba4fcn%40googlegroups.com.

--

Paul Hodgdon
Principal Consultant | Identity Works LLC

Epping | New Hampshire 03042 | USA
+1 603 661 1508 (mobile) | +1 603 734 2681 (office)
www.identityworksllc.com

     

[Eduardo Pastrana]

Dear all, we still face this issue. Any updates or workarounds?

Ed

[Jason Rivard]

Are you using PWM v2.0.3?  This is most likely resolved in that version.

[Eduardo Pastrana]

Jason, Im in PWM Version 2.0.0. Gonna check the documentation to upgrade..thanks a million

[Eduardo Pastrana]

@jason can you tell me where I find the documentation to upgrade from 2.0 to 2.0.3? I took a look at https://github.com/pwm-project/pwm/wiki/Upgrading but the're nothing for

a Windows environment. I Also searched in the forums with no success.

Thanks,

Ed

[Eduardo Pastrana]

Dear Jason, have you had the chance to view this?

[Jason Rivard]

I don't know if there are any docs.  There's not much to it.  Just preserve your config file and optionally your localdb.  The details depend on how you installed it.