Difference between revisions of "Non-ASL error messages"

From Atomicorp Wiki
m (Problem with the SSL CA cert (path? access rights?))
m (sshd errors)
 
(8 intermediate revisions by 2 users not shown)
Latest revision as of 09:15, 31 August 2017

This page is provided as a courtesy to our customers for errors with non-atomicorp products and potential solutions to these errors.


= browser errors =

== This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. ==

If you get this error when you connect to the ASL GUI, it means that you have not configured ASL to use the same SSL certificate you use for your website, and you have configured your website to prevent your browser from connecting to that hostname if the SSL certificate does not exactly match the certificate your website uses.

Solutions:

1) Change your ASL GUI certificate to match your website's certificate. See the link below for guidance:

http://wiki.atomicorp.com/wiki/index.php?title=Tortixd#SSL_certificates

2) Connect to the system's IP address

3) (not recommended) Disable HSTS for your website


Clearing this from your browser: http://classically.me/blogs/how-clear-hsts-settings-major-browsers

= apache errors =

== module sed_module is already loaded, skipping ==

This means you have a third party installation of mod_sed that is attempting to load this module twice. This message is benign and means apache has ignored this request. You can safely ignore this error message.


== module unique_id_module is already loaded, skipping ==

This means you have a third party installation of mod_unique_id that is attempting to load this module twice. This message is benign and means apache has ignored this request. You can safely ignore this error message.


== Syntax error on line 1 of /etc/httpd/conf.d/security2.conf: Cannot load /etc/httpd/modules/mod_security2.so into server: /etc/httpd/modules/mod_security2.so: cannot open shared object file: No such file or directory ==

This means you have a third party installation of modsecurity. Remove and disable any third party modsecurity installations.

== [warn] module security2_module is already loaded, skipping ==

This means you have a third party installation of modsecurity that is attempting to load modsecurity twice, and is likely breaking your current modsecurity installation with multiple, potentially conflicting configuration settings for modsecurity. Remove and disable any third party modsecurity installations.
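To find which configuration files carry the competing LoadModule lines behind the "already loaded" messages above, the following added example (not part of the original page or of ASL) lists every module that is loaded more than once, with the file and line of each occurrence. The file names and module paths in the sample are constructed.

```shell
#!/bin/sh
# find_duplicate_modules FILE...
# Print each module named by more than one LoadModule line, with file:line
# and the shared object each line points at. Returns 1 if any duplicate exists.
find_duplicate_modules() {
    awk '
        # Commented-out lines do not match: their first field starts with "#".
        tolower($1) == "loadmodule" && NF >= 3 {
            count[$2]++
            where[$2] = where[$2] sprintf("  %s:%d -> %s\n", FILENAME, FNR, $3)
        }
        END {
            for (m in count)
                if (count[m] > 1) {
                    printf "%s loaded %d times:\n%s", m, count[m], where[m]
                    dup = 1
                }
            exit dup + 0
        }
    ' "$@"
}

# Constructed sample: one packaged config and one third party config that
# both load security2_module, as in the [warn] message above.
demo_dir=$(mktemp -d)
cat > "$demo_dir/00_mod_security.conf" <<'EOF'
LoadModule security2_module modules/mod_security2.so
LoadModule unique_id_module modules/mod_unique_id.so
EOF
cat > "$demo_dir/thirdparty.conf" <<'EOF'
#LoadModule sed_module modules/mod_sed.so
LoadModule security2_module /opt/thirdparty/mod_security2.so
EOF
find_duplicate_modules "$demo_dir"/*.conf || echo "remove the third party LoadModule line(s) listed above"
rm -rf "$demo_dir"
```

On a real system, pass the configuration files under /etc/httpd/ (for example the files in /etc/httpd/conf.d/). The check reads LoadModule lines only and does not follow Include directives.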

= mysql errors =

== Aborted connection 12345 to db: 'tortix' user: 'tortix' host: 'localhost' (Got an error reading communication packets) ==

When a client or application is unable to connect to mysql, the mysql server increments the Aborted_connects status variable. Unsuccessful connection attempts can occur for the following reasons:

  • ASL is attempting to connect to the tortix database, but has no privileges to access the database
  • ASL is configured to use the wrong password to log into its database
  • It takes more than connect_timeout seconds to obtain a connect packet. (This is the most common cause)

This can also occur if the mysql connection is improperly disconnected or is terminated, in which case the mysql server increments the Aborted_clients status variable, and logs an Aborted connection message to the error log. The cause can be any of the following:

  • The client connection to the mysql server has been sleeping more than wait_timeout or interactive_timeout seconds without issuing any requests to the server.
  • A component in ASL that writes to the database was abruptly terminated in the middle of a data transfer.
  • The max_allowed_packet variable value is too small or queries require more memory than you have allocated for mysqld.
  • Some Linux Ethernet drivers have a bug that can cause connections to abruptly close. You should test for this bug by transferring a huge file using FTP between the client and server machines. If a transfer goes in burst-pause-burst-pause mode, you are experiencing a Linux duplex syndrome. Switch the duplex mode for both your network card and hub/switch to either full duplex or to half duplex and test the results to determine the best setting.
  • A problem with the thread library that causes interrupts on reads.
  • Badly configured TCP/IP.
  • For remote mysql servers, this can also occur due to network problems and bad hardware, including but not limited to hubs, switches, cables, and so forth. This can be diagnosed properly only by replacing hardware.
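Because the causes above differ by which client is affected and by the reason mysqld records in parentheses, it helps to tally the "Aborted connection" lines before changing any timeout. The following added example (not part of the original page) groups them by db, user, host and reason; the log lines and their timestamp prefix are constructed samples in the format of the message above.

```shell
#!/bin/sh
# summarize_aborted LOGFILE...
# Count "Aborted connection" entries per db/user/host/reason, most frequent
# first, so one misbehaving client stands out from a server-wide problem.
summarize_aborted() {
    sed -n "s/.*Aborted connection [0-9][0-9]* to db: '\([^']*\)' user: '\([^']*\)' host: '\([^']*\)' (\(.*\)).*/\1|\2|\3|\4/p" "$@" |
        sort | uniq -c | sort -rn |
        awk '{
            n = $1                          # count written by uniq -c
            sub(/^ *[0-9]+ /, "")           # drop the count, keep the key
            split($0, f, "|")
            printf "%d db=%s user=%s host=%s reason=%s\n", n, f[1], f[2], f[3], f[4]
        }'
}

# Constructed sample log lines.
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
2017-08-31 09:10:01 4242 [Warning] Aborted connection 12345 to db: 'tortix' user: 'tortix' host: 'localhost' (Got an error reading communication packets)
2017-08-31 09:12:44 4242 [Warning] Aborted connection 12351 to db: 'tortix' user: 'tortix' host: 'localhost' (Got an error reading communication packets)
2017-08-31 09:13:20 4242 [Note] Server socket created on IP: '127.0.0.1'.
2017-08-31 09:14:07 4242 [Warning] Aborted connection 12360 to db: 'unconnected' user: 'report' host: '192.0.2.10' (Got timeout reading communication packets)
EOF
summarize_aborted "$demo_log"
rm -f "$demo_log"
```

Compare the tallies with the Aborted_connects and Aborted_clients counters, which `SHOW GLOBAL STATUS LIKE 'Aborted%'` returns on the server.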


= sshd errors =

== Could not create SSH tunnel. Please make sure forwarding is enabled on the server ==

Check to ensure this setting is set to yes:

https://wiki.atomicorp.com/wiki/index.php/ASL_Configuration#SSH_ALLOWTCPFORWARDING

And if you are attempting to forward X to your desktop, you will need to enable this setting as well:

https://wiki.atomicorp.com/wiki/index.php/ASL_Configuration#SSH_X11FORWARDING

== Directive 'UseDNS' is not allowed within a Match block ==

This occurs when sshd configuration has been modified to include Match blocks and the directive is not supported as part of the match. There is no way to explicitly end Match blocks (note: see solution 2 below for one way to work around this). From the sshd_config manual page:

If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.

Solution 1:

Match blocks need to be at the end of the sshd_config file, and all global configuration options must occur before these Match blocks.

Solution 2:

Another option is to have a line with nothing but Match on it, which effectively matches everything and therefore is the same as 'ending' the block.
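The scoping rule quoted above is easy to miss in a long file, so the following added example (not part of the original page or of OpenSSH) reports watched directives that have landed inside a Match block. The watched list defaults to UseDNS and is otherwise supplied by the caller; treating `Match all` like the bare `Match` line of Solution 2 is an assumption of this example, and the sample config is constructed.

```shell
#!/bin/sh
# check_match_scope FILE [KEYWORD...]
# Report listed keywords that appear after a Match line and therefore belong
# to that Match block. KEYWORD defaults to UseDNS, the directive in the error
# above; pass any others that your sshd rejects inside a Match block.
check_match_scope() {
    file=$1
    shift
    [ "$#" -gt 0 ] || set -- UseDNS
    awk -v keys="$*" '
        BEGIN {
            n = split(tolower(keys), k, " ")
            for (i = 1; i <= n; i++) watched[k[i]] = 1
        }
        /^[ \t]*#/ || NF == 0 { next }        # skip comments and blank lines
        {
            kw = tolower($1)                   # keywords are case-insensitive
            if (kw == "match") {
                # A bare Match line (Solution 2) matches everything, so what
                # follows behaves as global again. "Match all" is treated the
                # same way here (assumption of this example).
                blk = (NF == 1 || (NF == 2 && tolower($2) == "all")) ? 0 : NR
                next
            }
            if (blk && (kw in watched)) {
                printf "%d: %s is inside the Match block opened on line %d\n", NR, $1, blk
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$file"
}

# Constructed sample reproducing the error: UseDNS placed after a Match block.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
Port 22
Match User backup
    X11Forwarding no
UseDNS no
EOF
check_match_scope "$demo_cfg" || echo "move the flagged lines above the first Match line"
rm -f "$demo_cfg"
```

After editing the file, `sshd -t` checks the configuration for validity before the daemon is restarted.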

= yum errors =

== Problem with the SSL CA cert (path? access rights?) ==

This means someone or something has corrupted or replaced the root CA certificates your operating system uses to verify SSL certificates: the system either can't find them, can't access them, or they have been modified or corrupted so that some or all of the root CA certificates are missing. When this happens, yum can't confirm that SSL connections are valid. While this is an operating system level error, and something we'd advise you discuss with your OS vendor and/or hosting company, the following is the standard command to tell your OS to reinstall its SSL root CAs:

yum reinstall ca-certificates

If you are using any third party repos, we advise you disable them in case they are the source of this error. For example, if you are using EPEL:

yum --disablerepo="epel" reinstall ca-certificates

Note: You may need to disable additional repos, if those repos use SSL to download updates. yum will continue to fail as it tries to access repos that are accessed over SSL. Therefore, you will need to disable any repos that use SSL.

On some systems this may also be caused by an interrupted install of nss package updates from the OS vendor. Reinstallation of the nss packages may also be required:

yum reinstall 'nss*'

If you would like our assistance with this OS level issue, we'd be happy to help and to put together a quote for these services. Please contact support for a quote.
