
Webadm not working since today's update


Tim

Jul 24, 2024, 2:55:13 AM
to RCDevs Security
I'm getting 

Checking server configurations... Failed
"Invalid file fingerprint for /opt/webadm/webapps/selfreg/bin/sendreq!"

since today's update and Webadm is not starting. This is reproducible on three machines with Ubuntu 24.04

Upgrade from 2.3.18-1 to 2.3.19-1

Spyridon Gouliarmis (RCDevs)

Jul 24, 2024, 3:01:17 AM
to RCDevs Security

Yes, it's a mistake with the .19 release. Go back to .18 or just put the right MD5 hash in /opt/webadm/webapps/selfreg/selfreg.md5 if you really want to test out the new features.

Don't use it in production though, just in case. What was your setup before and how did you upgrade exactly (.rpm, .sh.gz, ...)? We're still trying to reproduce it.

Tim

Jul 24, 2024, 5:28:45 AM
to RCDevs Security
That was just the apt update / upgrade process from Ubuntu with the following repository: deb http://www.rcdevs.com/repos/debian/base. I have tried to switch back to the stable repository, but then I'm getting the information that the webadm package is not available and needs to be reinstalled. It seems openotp is also affected.

Spyridon Gouliarmis (RCDevs)

Jul 24, 2024, 5:43:37 AM
to RCDevs Security
? If you use the stable repo, 2.3.14-6 is the latest one, anything above will indeed not be available. You can try apt install webadm=2.3.14-6 and see what it does. You may also want to downgrade all the other packages (openid, openotp, ...) from our repo to the latest version in stable, to avoid mismatches between webadm and them.

Alternatively, there should be a -2 patch now for .19, and at this point you can try apt update'ing to that one. We just removed the hashes for the offending files and released that as a new patch.

Snapshot your VMs before any change, no matter how benign, of course.

Tim

Jul 24, 2024, 7:52:23 AM
to RCDevs Security
Hi, thanks for the update. The new version does fix that problem but causes another one - old version: Checking Cloud service access... Ok - new version = Checking Cloud service access... ERROR (from gateway: resource unauthorized while calling LOGIN:CR_LOGIN)

Spyridon Gouliarmis (RCDevs)

Jul 24, 2024, 7:53:19 AM
to RCDevs Security
What's your license ID? So we can search the logs on our side.

Simon Kaufman

Jul 24, 2024, 9:06:42 AM
to RCDevs Security
Hi, 
then using dnf install selfreg-1.4.3-2.noarch
I was then able to start webadm again.

Spyridon Gouliarmis (RCDevs)

Jul 24, 2024, 10:29:00 AM
to RCDevs Security
We've been testing this and so far this seems to affect only (but all) freeware licenses, which is why it unfortunately got past release candidate testing.

We'll keep you updated, but for now freeware licenses and .19 don't work together. You can downgrade to .18 (no need for a new license) in the meantime.

Spyridon Gouliarmis (RCDevs)

Jul 24, 2024, 10:31:21 AM
to RCDevs Security
To be clear, commercial and so-called trial licenses work fine. The developers just told me they expect a patch this afternoon (CEST).

Spyridon Gouliarmis (RCDevs)

Jul 24, 2024, 11:02:15 AM
to RCDevs Security
You can try the current file offered in the downloads (or patch -3 in our repos), it should fix the license issue for .19.

Tim

Jul 24, 2024, 11:43:42 AM
to RCDevs Security
That helped, thanks

Donald Muirhead

Jul 29, 2024, 3:31:57 AM
to RCDevs Security
I've also noticed that 2.3.19 also seems to have broken OpenID.  Is that related to this issue?  Does anyone know a fix to get OpenID to work with the new version?

Spyridon Gouliarmis (RCDevs)

Jul 29, 2024, 3:32:36 AM
to RCDevs Security
What exactly do you see?

Donald Muirhead

Jul 29, 2024, 4:46:41 AM
to rcdevs-t...@googlegroups.com
Hello,

I’ve been using OpenID successfully with 2.3.18.  When I upgrade to 2.3.19, I get this error:
Screenshot 2024-07-29 at 4.15.39 AM.png

The log file says the following:

Screenshot 2024-07-29 at 4.21.19 AM.png

When I downgrade to 2.3.18, the problem goes away. I too am using the freeware version. Thank you.



Spyridon Gouliarmis (RCDevs)

Jul 29, 2024, 4:57:47 AM
to RCDevs Security
Do you have "Redirection URLs" set in a Client-Policy-specific OpenID configuration? (Client Policy -> Enforced Settings -> OpenID & SAML Server)

Though I'm not sure why this would appear at the same time as a version update. Was there any other change?

Donald Muirhead

Jul 29, 2024, 6:00:31 AM
to rcdevs-t...@googlegroups.com
There was no other change except the version update. Also, redirect URLs work fine in version 2.3.18. Here are my settings in the client policy:

Screenshot 2024-07-29 at 4.59.10 AM.png


Spyridon Gouliarmis (RCDevs)

Jul 29, 2024, 8:50:23 AM
to RCDevs Security
I am trying to replicate the issue, and am starting to wonder if this isn't about openid's version rather than webadm's.

How did you go back to .18? By restoring a snapshot, downgrading the version of package webadm (specifically and nothing else), ...?

Donald Muirhead

Jul 29, 2024, 9:39:22 AM
to rcdevs-t...@googlegroups.com
Interesting.  I’m running this on AWS so I just downgraded by replacing the VM running Webadm and OpenID with a backup VM that predated the upgrade.  My version of WAProxy (the actual OpenID endpoint) is up-to-date and runs on a different VM in a different network.  I didn’t need to downgrade WAProxy at all.

Spyridon Gouliarmis (RCDevs)

Jul 29, 2024, 10:02:58 AM
to RCDevs Security
We couldn't replicate your exact issue, but in the process did find a recently introduced bug. We released openid 1.6.6 with a fix for that one.

The build process for our appliance VMs and AMIs takes time, but you should be able to test the new code right now by using the latest available AMI and entering 'dnf update --refresh', which should offer you to update 'openid' to 1.6.6-1 (among others perhaps). Then you can try again with FileMaker.

Donald Muirhead

Jul 29, 2024, 10:47:16 AM
to rcdevs-t...@googlegroups.com
Thank you very much.  I will try this later today and let you know.

Donald Muirhead

Jul 30, 2024, 3:18:08 AM
to rcdevs-t...@googlegroups.com
This fixed the problem.  Thank you very much!

Donald Muirhead

Jul 31, 2024, 3:42:24 AM
to RCDevs Security
Hello, I have just noticed that SAML does not seem to be working with the new version of Webadm.  When I attempt to use SAML to log into AWS, I get:

Response has expired (Service: AWSSecurityTokenV20111201; Status Code: 400; Error Code: ExpiredTokenException; Request ID: db95061b-bf7c-4e0e-9d7b-7f37c373a8cd; Proxy: null). Please try again.

The WebADM server log file says:

[2024-07-31 03:31:16] [172.32.135.70:47348] [OpenID:2HYEH1YU] Sent SAML login success response

I have checked the time, NTP servers, etc. and it all seems fine (and OpenID is working now anyway).

As before, when I roll backwards to a previous version of Webadm (use an older VM), everything works perfectly, as it always has.  I am using Amazon Linux, which has worked without any trouble for the past couple of years.

Thank you for your help.

Spyridon Gouliarmis (RCDevs)

Jul 31, 2024, 10:45:33 AM
to RCDevs Security
I would like to see the differences, if any, between the SAML response sent through your browser by our software to AWS with versions .18 and .19.

You can go through the SAML flow with Chrome and the SAML Message Decoder extension installed, and the latter will show you the decoded SAMLResponses. In particular, can you check that the IssueInstant values are reasonable?

Spyridon Gouliarmis (RCDevs)

Oct 28, 2024, 12:46:40 PM
to RCDevs Security
FYI we've replicated the issue, and, at least in our instance, we see a SessionNotOnOrAfter that's exactly the same as AuthnInstant, which probably isn't very valid. I'll add a response when we have a fixed release, if this was indeed the problem.
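
A way to check a decoded SAMLResponse for the timestamp conditions discussed above (IssueInstant plausibility, SessionNotOnOrAfter versus AuthnInstant). This is an added example, not RCDevs code and not part of the original posts; the sample response is constructed and the 3-minute clock-skew tolerance is an assumption.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not from the thread): SessionNotOnOrAfter equals AuthnInstant.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-07-31T03:31:16Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-07-31T03:31:16Z">
    <saml:Conditions NotBefore="2024-07-31T03:31:16Z"
        NotOnOrAfter="2024-07-31T03:36:16Z"/>
    <saml:AuthnStatement AuthnInstant="2024-07-31T03:31:16Z"
        SessionNotOnOrAfter="2024-07-31T03:31:16Z"/>
  </saml:Assertion>
</samlp:Response>"""

def ts(value):
    """Parse a SAML xs:dateTime given in UTC with a 'Z' suffix."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_saml_times(xml_text, now, skew=timedelta(minutes=3)):
    """Return findings about timestamp validity in a decoded SAMLResponse."""
    # Stdlib parser keeps the example offline; for untrusted XML prefer a
    # hardened parser such as the third-party defusedxml package.
    root = ET.fromstring(xml_text)
    findings = []
    issued = ts(root.get("IssueInstant"))
    if abs(now - issued) > skew:
        findings.append(f"Response IssueInstant {issued.isoformat()} is more than {skew} from now")
    cond = root.find(".//saml:Conditions", NS)
    if cond is not None and cond.get("NotOnOrAfter") and ts(cond.get("NotOnOrAfter")) <= now:
        findings.append("Conditions NotOnOrAfter is already in the past")
    for stmt in root.iterfind(".//saml:AuthnStatement", NS):
        authn = ts(stmt.get("AuthnInstant"))
        end = stmt.get("SessionNotOnOrAfter")
        if end is not None and ts(end) <= authn:
            # The session window closes at or before the moment of authentication.
            findings.append("SessionNotOnOrAfter <= AuthnInstant: zero-length session")
        elif end is not None and ts(end) <= now:
            findings.append("SessionNotOnOrAfter is already in the past")
    return findings

if __name__ == "__main__":
    now = datetime(2024, 7, 31, 3, 31, 20, tzinfo=timezone.utc)  # constructed "current time"
    for finding in check_saml_times(SAMPLE, now):
        print(finding)
```

Run it against the decoded SAMLResponse from each WebADM version with the current UTC time as `now`; differing findings between the two point at the timestamp that changed.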

Spyridon Gouliarmis (RCDevs)

Nov 6, 2024, 5:46:33 AM
to RCDevs Security
Donald, WebADM version 2.3.22-5 (with latest openid app), from a few days ago, fixes the problem I mentioned, which is quite possibly what you encountered. Worth a try.

Donald Muirhead

Nov 6, 2024, 10:53:31 AM
to rcdevs-t...@googlegroups.com
Thank you.  I will update and see if this works.
