Topic: Forbidden 403 access to my Server

[pwgsc1]

Hi Folks,

I just noticed a couple of days ago that access to my server is non existent.  I haven't really done anything to cause it but it seems to be only the primary site that's down, Ibays I can get to and the webadmin console.

Main site is:  www.craigbursey.ca     to see the error

Ibay that works:   www.craigbursey.ca/gallery


One thing I did install around the same time was the backuppc contrib but I don't see how that would affect it.   I just tested Dungog's Joomla contrib and that's no longer working.

Hummm, maybe I'll uninstall backuppc to see if that fixes things.

Thanks for any hints,

Craig

[pwgsc1]

I did a complete ininstall of the Backuppc contrib and still no success.  I still get the Forbidden  You don't have permission to access / on this server.

Craig

[pwgsc1]

I think I got the problem narrowed down to these errors.  But I don't know how to interpret them, do you?

[Fri Feb 02 19:41:21 2007] [warn] RSA server certificate CommonName (CN) `newserver.www.craigbursey.ca' does NOT match server name!?
[Fri Feb 02 19:41:21 2007] [notice] Apache configured -- resuming normal operations
[Fri Feb 02 19:42:56 2007] [error] [client 192.168.10.100] (13)Permission denied: access to /index.htm denied
[Fri Feb 02 19:42:56 2007] [error] [client 192.168.10.100] (13)Permission denied: access to /index.html denied
[Fri Feb 02 19:42:56 2007] [error] [client 192.168.10.100] (13)Permission denied: access to /index.shtml denied
[Fri Feb 02 19:42:56 2007] [error] [client 192.168.10.100] (13)Permission denied: access to /index.cgi denied

[Fri Feb 02 21:48:36 2007] [warn] RSA server certificate CommonName (CN) `smehome.www.craigbursey.ca' does NOT match server name!?
[Fri Feb 02 21:48:36 2007] [warn] The Alias directive in /etc/httpd/conf/httpd.conf at line 1074 will probably never match because it overlaps an earlier Alias.
[Fri Feb 02 21:48:36 2007] [warn] The Alias directive in /etc/httpd/conf/httpd.conf at line 1116 will probably never match because it overlaps an earlier Alias.
[Fri Feb 02 21:48:36 2007] [warn] The Alias directive in /etc/httpd/conf/httpd.conf at line 1122 will probably never match because it overlaps an earlier Alias.
[Fri Feb 02 21:48:36 2007] [notice] Digest: generating secret for digest authentication ...
[Fri Feb 02 21:48:36 2007] [notice] Digest: done
[Fri Feb 02 21:48:41 2007] [warn] RSA server certificate CommonName (CN) `smehome.www.craigbursey.ca' does NOT match server name!?
[Fri Feb 02 21:48:41 2007] [notice] Apache configured -- resuming normal operations

Thanks,

Craig

[william_syd]

What output do you fet from running this command..

Code: [Select]

/sbin/e-smith/audittools/templates

[pwgsc1]

This is the output:

/etc/e-smith/templates-custom/etc/ddclient/ddclient.conf/10Headers: OWNED_BY_RPM, ADDITION
/etc/e-smith/templates-custom/etc/ddclient/ddclient.conf/20Declaration: OWNED_BY_RPM, ADDITION
/etc/e-smith/templates-custom/etc/ddclient/ddclient.conf/template-end: OWNED_BY_RPM, ADDITION
/etc/e-smith/templates-custom/etc/ddclient/ddclient.conf/template-begin: OWNED_BY_RPM, ADDITION
/etc/e-smith/templates-custom/etc/proftpd.conf/05Chroot: OWNED_BY_RPM, ADDITION
/etc/e-smith/templates-custom/etc/ppp/ip-up.local/45ddclient: OWNED_BY_RPM, ADDITION
/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/86PhpmyadminmultiAlias: OWNED_BY_RPM, ADDITION
/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/88Isoqlog: OWNED_BY_RPM, ADDITION
/etc/e-smith/templates-custom/etc/crontab/99isoqlog: OWNED_BY_RPM, ADDITION
/etc/e-smith/templates-custom/usr/local/etc/isoqlog.domains/template-end: OWNED_BY_RPM, ADDITION
/etc/e-smith/templates-custom/usr/local/etc/isoqlog.domains/template-begin: OWNED_BY_RPM, ADDITION
/etc/e-smith/templates-custom/usr/local/etc/isoqlog.domains/isoqlog: OWNED_BY_RPM, ADDITION
/etc/e-smith/templates-custom/usr/local/etc/isoqlog.conf/isoqlog: OWNED_BY_RPM, ADDITION
/etc/e-smith/templates/etc/atalk/papd.conf/20printers: MULTIPLE_RPM_OWNERS e-smith-netatalk-1.14.0-3.el4.sme, e-smith-LPRng-1.14.0-4.el4.sme

[william_syd]

Apart from a few Owned by RPM templates in templates-custom I don't see anything obvious.

Next step would be to look into /etc/httpd/conf/httpd.conf at the line numbers mentioned and see what they say.

[william_syd]

Could it be simpler...? or a combination of problems.

What permissions do you have set for index.html in /home/e-smith/files/ibays/Primary/html ?

[pwgsc1]

My  httpd.conf  shows this:

#------------------
# Joomla - Joomla CMS
#----------------
Alias  /  /opt/joomla
Alias  /joomla  /opt/joomla      ->  LINE 1074

<Direectory /opt/joomla>
...

This joomla is the contrib from Dungog.net and I don't have it setup to be my default homepage yet, you use have to go to   www.craigbursey.ca/joomla but now you get the message  "you don't have permission to access /joomla on this server"   I also checked above this entry and there are no others for joomla in this file.

-------------------------------

Alias /wpad.dat /etc/httpd/conf/proxy/proxy.pac       ->  LINE 1116
<location /wpad.dat>
...
--------------------------------------

Alias /wpad.dat /etc/httpd/conf/proxy/proxy.pac       ->  LINE 1122
<location /wpad.dat>
...

Have no idea what these last two entries are.  But under Proxy Settings in the webconsole both HTTP and SMTP are enabled.



The rights set for my index.htm file  in the  ../ibayPrimary/html  folder are -rwxr-----

Thanks,

Craig

[william_syd]

You may want to delete or copy httpd.conf somewhere safe and  then recreate with..

Code: [Select]

expand-template /etc/httpd/conf/httpd.conf
/etc/rc.d/rc7.d/S86httpd-e-smith restart

Also look in /etc/e-smith/templates/etc/httpd/conf/httpd.conf for a file with joomla in the name and post the contents.

[davibou]

Humm do you have .htaccess in your i-bay ??

If you have a .htaccess files with rewrite rules it's maybe the problem !!

Check that too

[pwgsc1]

Checked.  There is no .htaccess file.

[pfloor]

My  httpd.conf  shows this:

#------------------
# Joomla - Joomla CMS
#----------------
Alias  /  /opt/joomla

This is pointing the root directory of all your domains to /opt/joomla
IOW /home/e-emith/ibays/<everyibayibay>/html -> /opt/joomla
I don't think you want to do this.

Comment that line out and restart httpd and see if your problem goes away.  If so, remove the contrib and please report this to the author of the contrib.

[pwgsc1]

Thanks for pointing that out,

I fixed that problem so that it points to www.craigbursey.ca/joomla  not just  /.  

It did fix the problems that I was seeing on bootup but the logs are still showing this error for the Primary ibay.


[Sat Feb 03 15:09:14 2007] [warn] RSA server certificate CommonName (CN) `smehome.www.craigbursey.ca' does NOT match server name!?
[Sat Feb 03 15:09:14 2007] [notice] Apache configured -- resuming normal operations
[Sat Feb 03 15:17:51 2007] [warn] RSA server certificate CommonName (CN) `smehome.www.craigbursey.ca' does NOT match server name!?
[Sat Feb 03 15:17:52 2007] [notice] Digest: generating secret for digest authentication ...
[Sat Feb 03 15:17:52 2007] [notice] Digest: done
[Sat Feb 03 15:17:56 2007] [warn] RSA server certificate CommonName (CN) `smehome.www.craigbursey.ca' does NOT match server name!?
[Sat Feb 03 15:17:56 2007] [notice] Apache configured -- resuming normal operations
[Sat Feb 03 15:18:34 2007] [error] [client 192.168.10.100] (13)Permission denied: access to /index.htm denied
[Sat Feb 03 15:18:34 2007] [error] [client 192.168.10.100] (13)Permission denied: access to /index.html denied
[Sat Feb 03 15:18:34 2007] [error] [client 192.168.10.100] (13)Permission denied: access to /index.shtml denied
[Sat Feb 03 15:18:34 2007] [error] [client 192.168.10.100] (13)Permission denied: access to /index.cgi denied

I think if I can fix th RSA error then that will solve my problem.   But I don't know how to  either fix or reset my servers RSA key, if that is indeed possbile.

Thanks for the help, it did fix part of the problem and I appreciate it.

Craig

[william_syd]

Well, smehome.www.craigbursey.ca is interesting.

Did you set your domain as www.craigbursey.ca and host name as smehome in the server console?

Go back to the server-console and make your domain craigbursey.ca and hostname smehome. This should regenerate your certificates.

If you still have joomla installed what does

Code: [Select]

config show joomla give you?

[pwgsc1]

Hey William,

Primary Domain Name is:  www.craigbursey.ca
Unique System Name is:  smehome.     (it was newserver, I changed it to smehome to see if it made a diff)

config show joomla gives:

joomla=service
    DbPassword=*****  (changed)
    Name=Joomla CMS
    PublicAccess=global
    URL=

Thanks,

C

[william_syd]

I believe you added the URL property and combined with a iffy joomla template caused your problem.

Delete the URL property completely and that part will be good to go (still raise a bug for the contrib author).

Code: [Select]

db configuration delprop joomla URL
expand-template /etc/httpd/conf/httpd.conf
/etc/rc.d/rc7.d/S86httpd-e-smith restart

Don't be too fixed on www.

Primary Domain Name: craigbursey.ca
System Name: smehome


Your certificate will then be for smehome.craigbursey.ca

[pwgsc1]

Did as you said.

Tried to access www.craigbursey.ca/joomla and I didn't get the "cannot access error" but I never got the page.

THe Message log says this:

Feb  3 19:50:52 smehome httpd-e-smith: Restarting httpd-e-smith succeeded
Feb  3 18:33:55 smehome ntpd: logging to file /dev/stdout
Feb  3 19:51:11 smehome httpd: PHP Warning:  main(/opt/joomla/templates/techblue/index.php): failed to open stream: Permission denied in /opt/joomla/index.php on line 242
Feb  3 19:51:11 smehome httpd: PHP Fatal error:  main(): Failed opening required '/opt/joomla/templates/techblue/index.php' (include_path='.:/usr/share/pear-addons:/usr/share/pear') in /opt/joomla/index.php on line 242
Feb  3 19:51:16 smehome httpd: PHP Warning:  main(/opt/joomla/templates/techblue/index.php): failed to open stream: Permission denied in /opt/joomla/index.php on line 242
Feb  3 19:51:16 smehome httpd: PHP Fatal error:  main(): Failed opening required '/opt/joomla/templates/techblue/index.php' (include_path='.:/usr/share/pear-addons:/usr/share/pear') in /opt/joomla/index.php on line 242
Feb  3 19:51:18 smehome httpd: PHP Warning:  main(/opt/joomla/templates/techblue/index.php): failed to open stream: Permission denied in /opt/joomla/index.php on line 242
Feb  3 19:51:18 smehome httpd: PHP Fatal error:  main(): Failed opening required '/opt/joomla/templates/techblue/index.php' (include_path='.:/usr/share/pear-addons:/usr/share/pear') in /opt/joomla/index.php on line 242
Feb  3 19:51:21 smehome httpd: PHP Warning:  main(/opt/joomla/templates/techblue/index.php): failed to open stream: Permission denied in /opt/joomla/index.php on line 242
Feb  3 19:51:21 smehome httpd: PHP Fatal error:  main(): Failed opening required '/opt/joomla/templates/techblue/index.php' (include_path='.:/usr/share/pear-addons:/usr/share/pear') in /opt/joomla/index.php on line 242

It appears to me like I have a big rights issue.  dammm   I didn't do anything...honest.

Thanks for your help

[william_syd]

It would be nice to find the cause but it's looking like the quickest solution is to remove the joomla contribs and start again.

[pwgsc1]

William,

Thanks for all your help, I do appreciate it.  And with that I'd like to give yousome good news.   Part of the problem is fixed.  Out of curiosity I went into Joomla admin and started sniffing around to double check I had not screwed something up.   With that when i went into Template Admin, the TechBlue template I had added....was not to be found, I selected another temple and now it's working, obviously a corrupted a template.

The bad news is that my Primary site is still not working.  Still get the forbidden error on that.  I'm going to change my domain to craigbursey.ca to see if that recreates my RSA keys and solves that problem.    

I'll keep you updated.

Thanks again,

Craig

[pwgsc1]

Did the domain name change from  www.craigbursey.ca  to  craigbursey.ca and the keys did regenreate but i still have no access to the Primary.

Still getting this error in the Httpd_log file.

[Sat Feb 03 21:00:11 2007] [warn] RSA server certificate CommonName (CN) `smehome.craigbursey.ca' does NOT match server name!?
[Sat Feb 03 21:00:11 2007] [notice] Apache configured -- resuming normal operations
[Sat Feb 03 21:00:52 2007] [error] [client 192.168.10.100] (13)Permission denied: access to /index.htm denied
[Sat Feb 03 21:00:52 2007] [error] [client 192.168.10.100] (13)Permission denied: access to /index.html denied
[Sat Feb 03 21:00:52 2007] [error] [client 192.168.10.100] (13)Permission denied: access to /index.shtml denied
[Sat Feb 03 21:00:52 2007] [error] [client 192.168.10.100] (13)Permission denied: access to /index.cgi denied
[Sat Feb 03 21:00:52 2007] [error] [client 192.168.10.100] (13)Permission denied: access to /index.htm denied
[Sat Feb 03 21:00:52 2007] [error] [client 192.168.10.100] (13)Permission denied: access to /index.html denied
[Sat Feb 03 21:00:52 2007] [error] [client 192.168.10.100] (13)Permission denied: access to /index.shtml denied
[Sat Feb 03 21:00:52 2007] [error] [client 192.168.10.100] (13)Permission denied: access to /index.cgi denied
[Sat Feb 03 21:00:52 2007] [error] [client 192.168.10.100] (13)Permission denied: access to /index.php denied
[Sat Feb 03 21:00:52 2007] [error] [client 192.168.10.100] (13)Permission denied: access to /index.php3 denied
[Sat Feb 03 21:00:52 2007] [error] [client 192.168.10.100] (13)Permission denied: access to /index.phtml denied

[william_syd]

Email me your complete httpd.conf. There shouldn't be any private information in it.

[pwgsc1]

Problem solved by Ray.  

The solution was:

signal-event post-upgrade
reboot

Thanks again Ray and William for your help.

Craig