X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/a6185778eb0dab6e34fe68cca9f05db353272948..2cb0bb432daa612d928de543e74927755094450d:/doc/plugins/openid/troubleshooting.mdwn?ds=sidebyside diff --git a/doc/plugins/openid/troubleshooting.mdwn b/doc/plugins/openid/troubleshooting.mdwn index c80d645eb..12cd9bedb 100644 --- a/doc/plugins/openid/troubleshooting.mdwn +++ b/doc/plugins/openid/troubleshooting.mdwn @@ -1,6 +1,6 @@ **TL;DR** -[[!toc levels=3]] +[[!toc levels=4]] # An odyssey through lots of things that have to be right before OpenID works @@ -74,6 +74,50 @@ like mine will blacklist it. > but malicious script authors will have no such qualms, so I would > argue that your provider's strategy is already doomed... --[[smcv]] +>> I agree, and I'll ask them to fix it (and probably refer them to this page). +>> One reason they still have my business is that their customer service has +>> been notably good; I always get a response from a human on the first try, +>> and on the first or second try from a human who understands what I'm saying +>> and is able to fix it. With a few exceptions over the years. I've dealt with organizations not like that.... +>> +>> But I included the note here because I'm sure if _they're_ doing it, there's +>> probably some nonzero number of other hosting providers where it's also +>> happening, so a person setting up OpenID and being baffled by this failure +>> needs to know to check for it. Also, while the world of user-agent strings +>> can't have anything but relatively luckier and unluckier choices, maybe +>> `libwww/perl` is an especially unlucky one? + +>>> Yippee! _My_ provider found their offending `mod_security` rule and took it out, +>>> so now [ikiwiki.info](/) accepts my OpenID. I'm still not sure it wouldn't be +>>> worthwhile to change the useragent default.... -- Chap + +#### culprit was an Atomicorp ModSecurity rule + +Further followup: my provider is using [ModSecurity](https://www.modsecurity.org/) +with a ruleset commercially supplied by [Atomicorp](https://www.atomicorp.com/products/modsecurity.html), +which seems to be where this rule came from. They've turned the rule off for _my account_. +I followed up on my ticket with them, suggesting they at least think about turning it off +more systemwide (without waiting for other customers to have bizarre problems that are +hard to troubleshoot), or opening a conversation with Atomicorp about whether such a rule +is really a good idea. Of course, while they were very responsive about turning it off +_for me_, it's much iffier whether they'll take my advice any farther than that. + +So, this may crop up for anybody with a provider that uses Atomicorp ModSecurity rules. + +The ruleset produces a log message saying "turn this rule off if you use libwww-perl", which +just goes to show whoever wrote that message wasn't thinking about what breaks what. It would +have to be "turn this rule off if any of _your_ customers might ever need to use or depend on +an app or service _hosted anywhere else_ that _could_ have been implemented using libwww-perl, +over which you and your customer have no knowledge or control." + +Sigh. -- Chap + +> Thanks for the pointer. It seems the open-source ruleset blacklists libwww-perl by default +> too... this seems very misguided but whatever. I've changed our default User-Agent to +> `ikiwiki/3.20141012` (or whatever the version is). If we get further UA-blacklisting +> problems I'm very tempted to go for `Mozilla/5.0 (but not really)` as the +> next try. --[[smcv]] + ## Error: OpenID failure: naive_verify_failed_network: Could not contact ID provider to verify response. Again, this could have various causes. It was helpful to bump the debug level @@ -124,6 +168,11 @@ module. > To be clear, these are patches to [[!cpan LWPx::ParanoidAgent]]. > Debian's `liblwpx-paranoidagent-perl (>= 1.10-3)` appears to > have those two patches. --[[smcv]] +> +> Irrelevant to this ikiwiki instance, perhaps relevant to others: +> I've added these patches to [pkgsrc](http://www.pkgsrc.org)'s +> [[!pkgsrc www/p5-LWPx-ParanoidAgent]] and they'll be included in the +> soon-to-be-cut 2014Q3 branch. --[[schmonz]] ## Still naive_verify_failed_network, new improved reason @@ -165,6 +214,12 @@ Then a recent `Net::SSLeay` perl module needs to be built and linked against it. > but equally it might be as bad as it seems at first glance. > "Let the buyer beware", I think... --[[smcv]] +>> As far as I can tell, this particular provider _is_ on Red Hat (EL 5). +>> I can't conclusively tell because I'm in what appears to be a CloudLinux container when I'm in, +>> and certain parts of the environment (like `rpm`) I can't see. But everything +>> I _can_ see is like several RHEL5 boxen I know and love. + + ### Local OpenSSL installation will need certs to trust Bear in mind that the OpenSSL distribution doesn't come with a collection @@ -195,6 +250,8 @@ yet. > Also in Debian's `liblwpx-paranoidagent-perl (>= 1.10-3)`, for the record. > --[[smcv]] +> +> And now in pkgsrc's `www/p5-LWPx-ParanoidAgent`, FWIW. --[[schmonz]] Only that still doesn't end the story, because that hand didn't know what [this hand](https://github.com/noxxi/p5-io-socket-ssl/commit/4f83a3cd85458bd2141f0a9f22f787174d51d587#diff-1) @@ -223,6 +280,13 @@ server name for SNI: > (which is where ikiwiki.info's supporting packages come from). > Please report it upstream too, if the Debian maintainer doesn't > get there first. --[[smcv]] +> +> Applied in pkgsrc. I haven't attempted to conduct before-and-after +> test odysseys, but here's hoping your travails save others some +> time and effort. --[[schmonz]] + +> Reported upstream as [LWPx-ParanoidAgent#14](https://github.com/csirtgadgets/LWPx-ParanoidAgent/issues/14) +> _and_ [IO-Socket-SSL#16](https://github.com/noxxi/p5-io-socket-ssl/issues/16). -- Chap # Success!!