Forum OpenACS Q&A: Re: New Cert The page isn't redirection properly

Posted by Tyge Cawthon on
ns_param OCSPstapling   off  ;# off; activate OCSP stapling

did not solve the problem.

Looking at the logs I found this statement

"Warning: ignore untrusted host header field: 'www.celtic-arts.org'. Consider adding this value to 'whitelistedHosts' in the section 'ns/server/$server/acs' of your configuration file."

I found the /ns/server/$server/acs section but could not find "whitelistedHosts" so I added

ns_param whitelistedHosts {www.celtic-arts.org }

This cleaned up the above warning.

However, before and after all the changes above, these notices appeared repeatedly, many times:

[-conn:oacs-5-10-0:default:1:1-] Notice: security::validated_host_header: found celtic-arts.org in global virtual server configuration for https
[-conn:oacs-5-10-0:default:1:1-] Notice: rp_filter: aborted url register '' 

Browser error

"The page isn’t redirecting properly
An error occurred during a connection to celtic-arts.org.
This problem can sometimes be caused by disabling or refusing to accept cookies."

Part of the error.log file, to see if this can maybe help troubleshoot.

[-driver:https:0-] Notice: starting
[-driver:https:0-] Notice: https:0: listening on [192.168.4.214]:443
[-driver:https:0-] Notice: driver: accepting connections
[-writer1-] Notice: writer1: accepting connections
[-writer0-] Notice: writer0: accepting connections
[-driver:http:0-] Notice: starting
[-driver:http:0-] Notice: http:0: listening on [192.168.4.214]:80
[-driver:http:0-] Notice: driver: accepting connections
[-writer0-] Notice: writer0: accepting connections
[-driver:nssmtpd:0-] Notice: starting
[-driver:nssmtpd:0-] Notice: nssmtpd:0: listening on [127.0.0.1]:2525
[-driver:nssmtpd:0-] Notice: driver: accepting connections
[-main:oacs-5-10-0-] Notice: nsmain: NaviServer/4.99.31 (tar-4.99.31) running
[-main:oacs-5-10-0-] Notice: nsmain: security info: uid=1001, euid=1001, gid=1002, egid=1002
[-main:oacs-5-10-0-] Notice: smtpd::init: Relay Domains: localhost
[-main:oacs-5-10-0-] Notice: smtpd::init: Local Domains: 127.0.0.1/255.255.255.255 ::1/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
[-sched-] Notice: sched: starting
[-writer1-] Notice: writer1: accepting connections
[-conn:oacs-5-10-0:default:0:0-] Notice: start update interpreter oacs-5-10-0 to epoch 1, concurrent 2
[-conn:oacs-5-10-0:default:1:0-] Notice: start update interpreter oacs-5-10-0 to epoch 1, concurrent 2
[-conn:oacs-5-10-0:default:1:0-] Notice: update interpreter oacs-5-10-0 to epoch 1 done, trace none, time 0.216280 secs concurrent 2
[-conn:oacs-5-10-0:default:1:0-] Notice: thread initialized (0.226145 secs)
[-conn:oacs-5-10-0:default:0:0-] Notice: update interpreter oacs-5-10-0 to epoch 1 done, trace none, time 0.223233 secs concurrent 1
[-conn:oacs-5-10-0:default:0:0-] Notice: thread initialized (0.231519 secs)
[-conn:oacs-5-10-0:default:0:0-] Notice: -- creating per thread sequence table
[-conn:oacs-5-10-0:default:0:0-] Notice: random: generating 1 seed
[-conn:oacs-5-10-0:default:0:0-] Notice: security::validated_host_header: found celtic-arts.org in global virtual server configuration for https
[-conn:oacs-5-10-0:default:0:0-] Notice: rp_filter: aborted url weblog ''
[-tclthread-] Notice: start update interpreter oacs-5-10-0 to epoch 1, concurrent 1
[-tclthread-] Notice: update interpreter oacs-5-10-0 to epoch 1 done, trace none, time 0.202655 secs concurrent 1
[-conn:oacs-5-10-0:default:0:0-] Notice: ::throttle ::xotcl::THREAD->do: --created new persistent ::xotcl::THREAD as tid0x75b92e7fc6c0 pid=51847 (0ms)
[::throttle] Notice: dbdrv: opening database 'postgres:localhost::dbname=oacs-5-10-0'
[::throttle] Notice: nsdbpg(pool1): opening connection to db dbname=oacs-5-10-0 on localhost, port 
[::throttle] Notice: nsdbpg(pool1): opened connection to localhost::dbname=oacs-5-10-0.
[::throttle] Notice: ... AsyncLogFile uses NaviServer ns_asynclogfile
[::throttle] Warning: cannot determine package key from script '': ad_proc -private ::unmap_pool {
:        {-pool slow}
:        {-ms}
:        method
:        url
:      } {
:        Function within throttle monitor thread for registering pool
:        unmapping requests after a specified time. This function has to run
:        in this thread to be able to use "::after".
:      } {
:        if {![info exists ms]} {
:          set ms [::map-slow-pool-duration]
:        }
:        after $ms [list ::xo::unmap_pool -pool $pool $method $url]
:        ns_log notice "slow request: mapping of '$url' moved to '$pool' connection pool will be canceled in $ms ms"
:      } 
:        
:    
[::throttle] Notice: +++ request-monitor: initialize counters
[-nsproxy:reap-] Notice: starting
[::throttle] Warning: ExecPool: getting handle took  12ms (potential configuration issue)
[::throttle] Notice: request-monitor: ignore reload of value 0 for counter user_count_day-non-auth
[-conn:oacs-5-10-0:default:1:1-] Notice: dbdrv: opening database 'postgres:localhost::dbname=oacs-5-10-0'
[-conn:oacs-5-10-0:default:1:1-] Notice: nsdbpg(pool1): opening connection to db dbname=oacs-5-10-0 on localhost, port 
[-conn:oacs-5-10-0:default:1:1-] Notice: nsdbpg(pool1): opened connection to localhost::dbname=oacs-5-10-0.
[-conn:oacs-5-10-0:default:1:1-] Notice: -- creating per thread sequence table
[-conn:oacs-5-10-0:default:1:1-] Notice: security::validated_host_header: found celtic-arts.org in global virtual server configuration for https
[-conn:oacs-5-10-0:default:1:1-] Notice: rp_filter: aborted url register ''
Posted by Gustaf Neumann on
deactivating OCSP did not solve the problem.

I assume this means that the OCSP errors are gone by now, but the redirecting issue is still there.

Concerning whitelisted host names: since I assume you have a single server instance running, all requests will be routed to the single server. By the way, the standard way to define multiple domain names is to list these in the ".../servers" section of the driver module (see example in https://naviserver.sourceforge.io/5.0/manual/files/admin-config.html#subsection6). The white-listed hostnames are an OpenACS alternative for this, which might be necessary in containerized setups and older versions of NaviServer, and which should always work anyhow.

I am still wondering about your setup, which I do not know: Is it the case that you have a single server configuration in your NaviServer configuration file, and you use for this server two domain names, "celtic-arts.org" and "www.celtic-arts.org"? And you have OpenACS 5.10.1 installed, and no host-node maps etc. configured. Right?

Since you have a redirect loop, which seems to come from the /register call, the problem is in "ad_redirect_for_registration" or in "security::get_register_subsite". That hints that you probably have subsites configured. I seem to remember that subsites might also have different registration URLs and policies; maybe there is something wrong on your site.

But still, the mystery for me is that you said that you have only updated the certificate. You did not answer my earlier question about SANs in the old and new certificate.
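
The two ways of registering both host names that the reply above contrasts, as an added configuration sketch that is not part of the original posts. It assumes the drivers are loaded globally under the module names "https" and "http" (the names that appear in the log excerpt) and that $server is the server name variable used in the configuration file.

```tcl
# Added example, not taken from the thread.
# Assumptions: the driver modules are named "https" and "http" as in the
# log lines above, and $server holds the server name (oacs-5-10-0 in the log).

# Option 1: NaviServer driver level (the ".../servers" section).
# Each ns_param line maps one accepted Host header value to the server.
ns_section ns/module/https/servers
ns_param $server celtic-arts.org
ns_param $server www.celtic-arts.org

# The same mapping for the plain HTTP driver listening on port 80.
ns_section ns/module/http/servers
ns_param $server celtic-arts.org
ns_param $server www.celtic-arts.org

# Option 2: OpenACS level, the parameter named in the warning message.
# Host header values listed here are trusted in addition to the ones
# the driver configuration already provides.
ns_section ns/server/$server/acs
ns_param whitelistedHosts {www.celtic-arts.org}
```

Either option addresses the "ignore untrusted host header field" warning; the redirect loop on /register is a separate question.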