pkoevesdi
Level 3

https to lmadmin web gui not working


I want to activate https on the web gui of lmadmin.

I switch on "Enable HTTPS" and set the "HTTPS port" to 443, leave "Redirect Non-Secure Web Access to Secure Web Access" off and restart lmadmin. I tried it with the default certificates `conf/server.crt` and `conf/server.key` that came with the installation, and also with our own, otherwise working Let's Encrypt certificates. If something was wrong with the certificates, I'd expect the webgui to show some certificate error on port 443 and work normally on port 8090.

But after restarting lmadmin I cannot reach the webgui at all any more, also not on the http port 8090. lmadmin seems to run fine in the console (process running, no error message in console output). But what's different: there's no `logs/lmadmin.pid` file and the `logs/web.log` shows this:

 

```
[Mon Jan 01 21:34:27.090848 2024] [core:emerg] [pid 20073:tid 139786950010624] (22)Invalid argument: AH00024: Couldn't set permissions on the mpm-accept mutex; check User and Group directives
(22)Invalid argument: could not create accept mutex
Unable to open logs
```

 

instead of this while working:

 

```
[Mon Jan 01 21:41:48.274034 2024] [:notice] [pid 20606:tid 140525058942720] ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/) configured.
[Mon Jan 01 21:41:48.274059 2024] [:notice] [pid 20606:tid 140525058942720] ModSecurity: APR compiled version="1.7.0"; loaded version="1.7.0"
[Mon Jan 01 21:41:48.274068 2024] [:notice] [pid 20606:tid 140525058942720] ModSecurity: PCRE compiled version="8.44 "; loaded version="8.44 2020-02-12"
[Mon Jan 01 21:41:48.274075 2024] [:notice] [pid 20606:tid 140525058942720] ModSecurity: LIBXML compiled version="2.9.12"
[Mon Jan 01 21:41:48.274082 2024] [:notice] [pid 20606:tid 140525058942720] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
[Mon Jan 01 21:41:48.274577 2024] [ssl:warn] [pid 20606:tid 140525058942720] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Mon Jan 01 21:41:48.275658 2024] [unixd:alert] [pid 20606:tid 140525058942720] AH02155: getpwuid: couldn't determine user name from uid 4294967295, you probably need to modify the User directive
```

 

Seems to be some permissions problem, but I can't figure out on which directory / file. How can the Apache "inside" lmadmin be configured? The file `conf/httpd.conf` gets overwritten on start of lmadmin. I also tried the installation with different users, also as root, but the problem persists.

I can recover my webgui to work in http-only again by setting `<webServer [...] securePort="0">` inside `conf/server.xml` and restarting lmadmin.

But how can I solve this problem and use https?

 

OS: openSUSE 15.5

FlexNet Licensing version v11.19.0.0 build 284597 x64_lsb (but experienced this since flexnet 11.16)

 

0 Kudos
(1) Solution

Here are some hints which way to choose:

- CAP_NET_BIND_SERVICE:
doesn't work, because it inhibits loading necessary libraries of lmadmin, see https://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privileged-ports-on-linux#414258

- I had a quick and easy success with authbind:

```
systemctl stop lmadmin
apt install authbind
touch /etc/authbind/byport/80
chown root:lmadmin /etc/authbind/byport/80
chmod g+x /etc/authbind/byport/80
touch /etc/authbind/byport/443
chown root:lmadmin /etc/authbind/byport/443
chmod g+x /etc/authbind/byport/443
```

Put /usr/bin/authbind in front of the ExecStart line in /etc/systemd/system/lmadmin.service, so that it's like `ExecStart=/usr/bin/authbind /opt/local/FNPLicenseServerManager/lmadmin`

```
systemctl daemon-reload
systemctl start lmadmin
```
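An added check, not part of the original post: authbind authorises a bind when the calling user has execute permission on the `byport` file, so the grant created above can be audited to confirm it is limited to the intended group and not open to every local user. The helper name `audit_authbind_port` and the temporary demo directory are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. authbind authorises bind() to a
# port when the calling user has execute permission on <dir>/<port>.
# audit_authbind_port is a hypothetical helper name; the real directory is
# /etc/authbind/byport. Requires GNU stat (stat -c).

# audit_authbind_port DIR PORT GROUP -> 0 only if the grant is group-scoped
audit_authbind_port() {
    dir=$1; port=$2; group=$3
    f="$dir/$port"
    if [ ! -f "$f" ]; then
        echo "port $port: MISSING (no byport grant file)"
        return 1
    fi
    mode=$(stat -c '%a' "$f")      # octal mode, e.g. 654
    fgroup=$(stat -c '%G' "$f")    # owning group name
    other=$((mode % 10))           # last octal digit: "other" bits
    grp=$(( (mode / 10) % 10 ))    # second-to-last digit: group bits
    if [ $((other & 1)) -ne 0 ]; then
        echo "port $port: TOO_BROAD (mode $mode lets any local user bind)"
        return 2
    fi
    if [ "$fgroup" != "$group" ]; then
        echo "port $port: WRONG_GROUP (is $fgroup, expected $group)"
        return 3
    fi
    if [ $((grp & 1)) -eq 0 ]; then
        echo "port $port: NO_GROUP_EXEC (mode $mode, chmod g+x missing)"
        return 4
    fi
    echo "port $port: OK (mode $mode, group $fgroup)"
}

# Constructed demo in a temp dir standing in for /etc/authbind/byport.
demo=$(mktemp -d)
demo_group=$(stat -c '%G' "$demo")   # stands in for the lmadmin group
touch "$demo/443" "$demo/80"
chmod 654 "$demo/443"                # 644 from touch, then chmod g+x
chmod 755 "$demo/80"                 # constructed bad case: world-executable
for p in 443 80 8443; do
    audit_authbind_port "$demo" "$p" "$demo_group" || true
done
rm -rf "$demo"
```

On the host from the post the call would be `audit_authbind_port /etc/authbind/byport 443 lmadmin`.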

 


(10) Replies
pkoevesdi
Level 3

I found a small hint how this _could_ be solved, if I had access to the httpd.conf. But is it possible to tweak it? Since, to my knowledge, it gets overwritten by lmadmin on start. Any way around this or some other idea to try the mentioned setting from this thread (https://serverfault.com/questions/755823/permission-denied-couldn-t-grab-the-accept-mutex):

AcceptMutex posixsem

or

Mutex posixsem

 

0 Kudos
pkoevesdi
Level 3

I tried it shortly on my local Ubuntu desktop machine. Astonishingly, the installation worked (this time 11.19.5.0 build 292646), but same problem: Invalid argument: AH00024: Couldn't set permissions on the mpm-accept mutex; check User and Group directives... lmadmin doesn't really run when https is enabled.

0 Kudos
pkoevesdi
Level 3

Again some progress. I installed the newest version of Flexnet Publisher on a freshly installed Debian 12 VM. This time I managed to do it as an lmadmin user with sudo rights. If I start lmadmin as root, I get the mutex message above, but as this user, I get a new error message:

```
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:443
(13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
Unable to open logs
```

So, according to my research, apache / lmadmin is not allowed to bind to ports below 1024 as a non-root-user.

Et voilà, by choosing port 4430 (arbitrarily chosen value), it works!

So, this is something that definitely should go into the documentation of Flexnet Publisher! ("Don't take ports below 1024, because ..."). As searched now, it's only mentioned in conjunction with the licenseServerPort, not the webgui port. Even in the webgui itself, where I can set the ports, it should be mentioned.

Now I want to find a way to use the standard port 443.

0 Kudos

Ok, in https://serverfault.com/questions/112795/how-to-run-a-server-on-port-80-as-a-normal-user-on-linux I found several ways to achieve that:

- putting up a proxy server

- putting up an iptables rule

- use CAP_NET_BIND_SERVICE capability

- use a program called authbind

0 Kudos


mrathinam
Revenera Moderator

@pkoevesdi  Thanks for the details and solution, please also verify the support of OS in the Release notes. 

Best Regards,

0 Kudos

I didn't find a document named "Release Notes" for the current version. Where is this? I just saw the release history:

https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/FlexNet-Publisher-Release-History/ta-p/143488

Which doesn't really narrow down which Linux is supported.

0 Kudos
mrathinam
Revenera Moderator

Hi @pkoevesdi you have to log in to the product download centre where you download the FNP toolkit, and you will get all the documents. 

Best Regards,

0 Kudos

Ah, thanks, but I don't have this right: "Unfortunately your account is unauthorized ". But no worry, I'm fine now.

mrathinam
Revenera Moderator

@pkoevesdi  Thanks.

0 Kudos