X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/a6185778eb0dab6e34fe68cca9f05db353272948..3fbf9c875557f3cc50bbccbf3cf8f615fda62ee2:/doc/plugins/openid/troubleshooting.mdwn diff --git a/doc/plugins/openid/troubleshooting.mdwn b/doc/plugins/openid/troubleshooting.mdwn index c80d645eb..a0b251d61 100644 --- a/doc/plugins/openid/troubleshooting.mdwn +++ b/doc/plugins/openid/troubleshooting.mdwn @@ -74,6 +74,24 @@ like mine will blacklist it. > but malicious script authors will have no such qualms, so I would > argue that your provider's strategy is already doomed... --[[smcv]] +>> I agree, and I'll ask them to fix it (and probably refer them to this page). +>> One reason they still have my business is that their customer service has +>> been notably good; I always get a response from a human on the first try, +>> and on the first or second try from a human who understands what I'm saying +>> and is able to fix it. With a few exceptions over the years. I've dealt with organizations not like that.... +>> +>> But I included the note here because I'm sure if _they're_ doing it, there's +>> probably some nonzero number of other hosting providers where it's also +>> happening, so a person setting up OpenID and being baffled by this failure +>> needs to know to check for it. Also, while the world of user-agent strings +>> can't have anything but relatively luckier and unluckier choices, maybe +>> `libwww/perl` is an especially unlucky one? + +>>> Yippee! _My_ provider found their offending `mod_security` rule and took it out, +>>> so now [ikiwiki.info](/) accepts my OpenID. I'm still not sure it wouldn't be +>>> worthwhile to change the useragent default.... -- Chap + + ## Error: OpenID failure: naive_verify_failed_network: Could not contact ID provider to verify response. Again, this could have various causes. It was helpful to bump the debug level @@ -124,6 +142,11 @@ module. > To be clear, these are patches to [[!cpan LWPx::ParanoidAgent]]. > Debian's `liblwpx-paranoidagent-perl (>= 1.10-3)` appears to > have those two patches. --[[smcv]] +> +> Irrelevant to this ikiwiki instance, perhaps relevant to others: +> I've added these patches to [pkgsrc](http://www.pkgsrc.org)'s +> [[!pkgsrc www/p5-LWPx-ParanoidAgent]] and they'll be included in the +> soon-to-be-cut 2014Q3 branch. --[[schmonz]] ## Still naive_verify_failed_network, new improved reason @@ -165,6 +188,12 @@ Then a recent `Net::SSLeay` perl module needs to be built and linked against it. > but equally it might be as bad as it seems at first glance. > "Let the buyer beware", I think... --[[smcv]] +>> As far as I can tell, this particular provider _is_ on Red Hat (EL 5). +>> I can't conclusively tell because I'm in what appears to be a CloudLinux container when I'm in, +>> and certain parts of the environment (like `rpm`) I can't see. But everything +>> I _can_ see is like several RHEL5 boxen I know and love. + + ### Local OpenSSL installation will need certs to trust Bear in mind that the OpenSSL distribution doesn't come with a collection @@ -195,6 +224,8 @@ yet. > Also in Debian's `liblwpx-paranoidagent-perl (>= 1.10-3)`, for the record. > --[[smcv]] +> +> And now in pkgsrc's `www/p5-LWPx-ParanoidAgent`, FWIW. --[[schmonz]] Only that still doesn't end the story, because that hand didn't know what [this hand](https://github.com/noxxi/p5-io-socket-ssl/commit/4f83a3cd85458bd2141f0a9f22f787174d51d587#diff-1) @@ -223,6 +254,10 @@ server name for SNI: > (which is where ikiwiki.info's supporting packages come from). > Please report it upstream too, if the Debian maintainer doesn't > get there first. --[[smcv]] +> +> Applied in pkgsrc. I haven't attempted to conduct before-and-after +> test odysseys, but here's hoping your travails save others some +> time and effort. --[[schmonz]] # Success!!