Article ID: 132182, created on Feb 1, 2018, last review on Feb 1, 2018

Applies to:

  • Operations Automation 6.0

Symptoms

After a fresh web server based on NG technology was deployed, websites are not served from this node: the default content is always shown when an existing website is opened. Also, no SSL certificate is served on the default SSL host:

# openssl s_client -connect 127.0.0.1:443
CONNECTED(00000003)
error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

All services are working correctly: Apache shows the default page content, Redis retrieves data from the master server, and the SSL certificates are shown there. No configuration files have been changed, and all packages are installed and pass RPM validation.

However, the strace utility shows that Apache cannot access the Redis socket to start the data exchange:

connect(19, {sa_family=AF_LOCAL, sun_path="/var/lib/redis/redis.sock"}, 110) = -1 EACCES (Permission denied) <0.000113>

Cause

The Apache user was not included in the 'redis' group, which effectively blocked any communication with the Redis socket.

This happened during deployment: the 'redis' user already existed in LDAP, so the redis package did not add the user. Since it is not possible to attach a user to an LDAP group locally, 'apache' was left without the required permissions.

Resolution

Add the user 'apache' to the group 'redis'.

If the 'redis' user and group exist in LDAP, temporarily exclude sss (the LDAP client daemon, sssd) from the search path in the file /etc/nsswitch.conf:

passwd:     files ng
shadow:     files ng
group:      files

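Then add the redis group and user locally, and add this group as an additional (supplementary) group for 'apache'. Note that usermod -G without -a sets the complete supplementary group list, so the command names pemsrv along with redis: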

# groupadd -r redis
# useradd -r -g redis -d /var/lib/redis -s /sbin/nologin -c 'Redis Server' redis
# usermod apache -G pemsrv,redis

Fix permissions:

# chown -R redis:redis /var/log/redis/
# chown -R redis:redis /var/lib/redis

Restart the Redis server and reload the Apache service:

# service redis restart
# service httpd reload

You may restore the nsswitch.conf content afterwards.
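
A check that ties the strace symptom to the cause described above, added here as an example and not part of the original article: it extracts the socket paths that strace logged as EACCES and tests whether a user belongs to the socket's owning group as NSS resolves it. The function names and the sample strace lines are constructed for illustration; stat -c assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the original article). Sample input is constructed.

# Print the path of every UNIX-socket connect() that strace logged as EACCES.
denied_sockets() {
    sed -nE 's/.*connect\(.*sa_family=AF_(LOCAL|UNIX).*sun_path="([^"]+)".*= -1 EACCES.*/\2/p' |
        sort -u
}

# Succeed if user $1 is a member of group $2 as NSS resolves it
# (id follows the passwd/group sources listed in /etc/nsswitch.conf).
in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -Fxq -- "$2"
}

# For each denied socket path on stdin, report its owning group and
# whether user $1 is a member of that group.
report() {
    while IFS= read -r sock; do
        # A missing socket (or an unresolvable owner) is reported as "unknown".
        grp=$(stat -c %G "$sock" 2>/dev/null) || grp=unknown
        if in_group "$1" "$grp"; then state=member; else state=NOT-member; fi
        printf '%s group=%s user=%s %s\n' "$sock" "$grp" "$1" "$state"
    done
}

# Constructed strace excerpt: the failing line quoted in the article,
# plus two lines that must not match (ENOENT, and a non-UNIX socket).
SAMPLE='connect(19, {sa_family=AF_LOCAL, sun_path="/var/lib/redis/redis.sock"}, 110) = -1 EACCES (Permission denied) <0.000113>
connect(20, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) <0.000031>
connect(21, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("127.0.0.1")}, 16) = 0 <0.000054>'

# Demo: on the affected node this prints the redis socket, its group,
# and whether 'apache' is a member of that group.
printf '%s\n' "$SAMPLE" | denied_sockets | report apache
```

On the affected node, feed real strace output into denied_sockets instead of the sample; a NOT-member result for 'apache' and the socket's group matches the cause described in this article.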
