Problem with a new RT installation

mgreason · October 21, 2017, 5:02pm

Good afternoon,

I’ve a new installation of RT 4.4.2 (my first interaction with this software) and I’m running into a problem that is a show-stopper. I’ve installed it twice now, the second time keeping things as vanilla as possible (all I’ve done is change the root password). Each time, when attempting to search the ticket database, I get the following error:

Forbidden
You don’t have permission to access /Search/Results.html on this server.

I’m using a web server that provides other services, so I hung RT off of port 8443 in my Apache 2.4 server. I’ve tried both mod_fcgid and mod_perl, getting the same error. I’ve also tried using port 443 with a WebPath set to ‘/rt/’ and get almost the same error, replacing the string ‘/rt/Search/Results.html’ for ‘/Search/Results.html’. I’ve also seen this message thrown when trying to edit a search, replacing ‘Results.html’ with ‘Edit.html’.

File permissions in the rt4/share/html directory tree appear to be fine. My Apache service runs as user apache; I’ve tried changing ownership of the entire rt4 tree to apache:apache to no effect.

I put one ticket in the system, thinking that an empty database might be the problem…but no joy.

Here is my latest RT_SiteConfig.pm file:
Set($rtname, ‘gs670-utility.ndc.nasa.gov’);
Set($Organization, “gs670-utility.ndc.nasa.gov”);
Set($CorrespondAddress, ‘michael.r.greason@nasa.gov’);
Set($CommentAddress, ‘michael.r.greason@nasa.gov’);
Set($WebDomain, “gs670-utility.ndc.nasa.gov”);
Set($WebPort, 8443);
#Set($WebPath, “”);
Set($DatabasePassword, “”);

My Apache mod_perl configuration:
Listen 8443

<VirtualHost *:8443>
ServerName gs670-utility.ndc.nasa.gov
DocumentRoot “/system/web/htdocs”
ErrorLog /var/log/apache/error_rt_log
CustomLog /var/log/apache/access_rt_log combined
SSLEngine on
<Files ~ “.(cgi|shtml|php3|php|cfm)$”>
SSLOptions +StdEnvVars

<Directory “/web/”>
SSLOptions +StdEnvVars

SetEnvIf User-Agent “.MSIE.”
nokeepalive ssl-unclean-shutdown
downgrade-1.0 force-response-1.0
AddDefaultCharset UTF-8

<Location />
  Order allow,deny
  Require all granted
  Allow from all
  SetHandler modperl
  PerlResponseHandler Plack::Handler::Apache2
  PerlSetVar psgi_app /usr/local/rt4/sbin/rt-server
</Location>
<Perl>
  use Plack::Handler::Apache2;
  Plack::Handler::Apache2->preload("/usr/local/rt4/sbin/rt-server");
</Perl>

and my mod_fcgid configuration
Listen 8443

<VirtualHost *:8443>
ServerName gs670-utility.ndc.nasa.gov
DocumentRoot “/system/web/htdocs”
ScriptAlias “/” “/usr/local/rt4/sbin/rt-server.fcgi/”
ErrorLog /var/log/apache/error_rt_log
CustomLog /var/log/apache/access_rt_log combined
SSLEngine on
<Files ~ “.(cgi|shtml|php3|php|cfm)$”>
SSLOptions +StdEnvVars

<Directory “/web/”>
SSLOptions +StdEnvVars

SetEnvIf User-Agent “.MSIE.”
nokeepalive ssl-unclean-shutdown
downgrade-1.0 force-response-1.0
AddDefaultCharset UTF-8

Order allow,deny
Require all granted
Allow from all
Options +ExecCGI
AddHandler fcgid-script fcgi

<Location /REST/1.0/NoAuth/mail-gateway>
Order allow,deny
Require local

Any pointers would be most welcome.
Michael Greason

mgreason · November 10, 2017, 12:20am

Has no one seen this problem? I just tried a completely vanilla installation. Logging into RT as root, I click on the link
"10 highest priority tickets I own"
before doing ANYTHING else and get an error 403 Forbidden notice. I see nothing in the Apache or the RT logs (after setting the RT log to debug and writing it to a file) to indicate what the problem might be.

Cena_Stephen_ext_300 · November 10, 2017, 8:08pm

Is the 2nd vanilla install you did using default port 80, or still 8443? In your RT_SiteConfig.pm, do you have debugging turned on?

Set($LogToFile, debug);
Set($LogDir, ‘/opt/rt4/var/log’);
Set($LogToFileNamed, “rt.log”);

mgreason · November 10, 2017, 9:15pm

Yes, to the second question—I saw nothing in the log file created. I tried both 8443 and 443 but not 80—I’m not allowed to use unencrypted HTTP at this facility.

Cena_Stephen_ext_300 · November 13, 2017, 1:36pm

This is the Apache config I have for my server. I’ve been using it since 3.8.x since I launched our site. Now granted, I’m not doing what you are (alternate install folder, alternate ports, etc.) but perhaps starting with this & making subtle changes may help? I’m running on Ubuntu Server 14.04LTS and I did not use the repository version for RT Ubuntu has. I downloaded the source and build it from scratch.

<VirtualHost IP_ADDRESS_REDACTED:80>
              ServerName SERVER_NAME_REDACTED
              AddDefaultCharset UTF-8
              DocumentRoot "/opt/rt4/share/html"

              <Location />
                  Require all granted

                  SetHandler modperl
                  PerlResponseHandler Plack::Handler::Apache2
                  PerlSetVar psgi_app /opt/rt4/sbin/rt-server
              </Location>
              <Perl>
                  use Plack::Handler::Apache2;
                  Plack::Handler::Apache2->preload("/opt/rt4/sbin/rt-server");
              </Perl>
</VirtualHost>

mgreason · January 30, 2019, 7:02pm

This has now been solved. The problem was a conflict with a URL test with SiteMinder’s Web Agent (required by the Agency that owns this server); SiteMinder saw characters in the URL that it didn’t like. Unfortunately this wasn’t logged in the Apache logs and so was difficult to chase down.