Rt-mailgate httpd error 400

Hello everyone,
I am new to this forum, first time user.

I am working on upgrading our RT installation from 4.4.2 to 5.0.1 (a new install of 5.0.1 on a different server). I installed 5.0.1 fresh and uploaded the database backup from 4.4.2 (to 5.0.1). I can log in to the GUI just fine. I can see all the customizations, ticket history, etc., in the new installation.

When I try to use the mail-gateway, I run into the following problem. I am not sure where this is coming from.

Here is the error message:

procmail: Notified comsat: "fetchmail@:/opt/RT/5.0.1/bin/rt-mailgate --url https://rcicrequest.rcic.uci.edu/rt --no-verify-ssl --queue General --action correspond --debug"
procmail: Executing "/opt/RT/5.0.1/bin/rt-mailgate,--url,https://rcicrequest.rcic.uci.edu/rt,--no-verify-ssl,--queue,General,--action,correspond,--debug"
From fetchmail  Wed Sep 15 10:32:20 2021
 Subject: Test ticket RT5 testing #8
  Folder: /opt/RT/5.0.1/bin/rt-mailgate --url https://rcicrequest.rcic     6998
/opt/RT/5.0.1/bin/rt-mailgate: temp file is '/tmp/GUTZ4OGsaD/ibAt5DnUel'
/opt/RT/5.0.1/bin/rt-mailgate: connecting to https://rcicrequest.rcic.uci.edu/rt/REST/1.0/NoAuth/mail-gateway
HTTP request failed: 400 400. Your webserver logs may have more information or there may be a network problem.

Here is my ssl.conf:

> DocumentRoot "/opt/RT/5.0.1/share/html"
> <Location /rt>
>    <IfVersion >= 2.4>
>        AuthType shibboleth
>        ShibRequestSetting requireSession 1
>        Require shibboleth
>        ShibUseHeaders On
>        ShibBasicHijack On
>        RequestHeader set X-Remote-User %{REMOTE_USER}s
>    </IfVersion>
>    Options +ExecCGI
>    AddHandler fcgid-script fcgi html
> </Location>
> #--------------------------------#
> <Location /REST/1.0/NoAuth/mail-gateway>
>   Satisfy Any
>   Allow from all
>   AuthType None
>   Require all granted
> </Location>
> #--------------------------------#
> <Directory /opt/RT/5.0.1/share/html>
>    <IfVersion >= 2.4>
>       Satisfy Any  
>       Allow from all  
>       AuthType None  
>       Require all granted
>    </IfVersion>
> </Directory>

I am not sure where that httpd 400 error is coming from.

Can you please help shed some light on this? I did not have this trouble setting RT 4.4.2 up.

Thank you all!

Is there anything in the webserver logs? From the machine running Fetchmail can you connect to the URL that mailgate is attempting to connect to?

This is what I see in the web server log.

128.200.49.194 - - [15/Sep/2021:10:34:06 -0700] "GET /rt/static/css/fonts/inter/Inter-Regular.woff2 HTTP/1.1" 302 800
128.200.49.194 - - [15/Sep/2021:10:34:06 -0700] "GET /rt/static/css/fonts/inter/Inter-Regular.woff HTTP/1.1" 302 806
128.195.216.156 - - [15/Sep/2021:11:32:15 -0700] "GET /rt/REST/1.0/NoAuth/mail-gateway HTTP/1.1" 302 804
128.195.216.156 - - [15/Sep/2021:11:32:28 -0700] "GET /rt/REST/1.0/NoAuth/mail-gateway HTTP/1.1" 302 802

I am not sure what you meant by connecting to the mailgate. I did this:

[root@rcic-rt ~]# curl https://rcicrequest.rcic.uci.edu/rt/REST/1.0/NoAuth/mail-gateway
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://shib.nacs.uci.edu/idp/profile/SAML2/Redirect/SSO?SAMLRequest=hZJdT4MwFIb%2FCun9KB%2Bbm80gwe3CJdORgV54Y0o5kybQYk%2Fx498LY%2Bq8mXdN%2Bp7n7XnSJfKmblnS2Urt4bUDtM5HUytkx4uIdEYxzVEiU7wBZFawLLnbssD1WGu01ULXxEkQwVip1Uor7BowGZg3KeBhv41IZW2LjFIjpDBjhzuc3U5IF8qOZpUsCl2DrVxETQd%2BQNNdlhNn3Yel4gP6F4R93lVc4A9Bli3tX3OQNZzG91BKA8LSLNsRZ7OOyHPIvWLuTT248sLZgYfTsBSzRejNpwAQlmUfQ%2Bxgo9ByZSMSeIE%2F8a4n%2Fiz3FywMWLB4Ik56WvpGqlKql8uGijGE7DbP08m40iMYPK7TB0i8HDyzY7E5M38Zy791k%2Fhfufgjd0nPusbilt338M061bUUn05S1%2Fp9ZYBbiIhPaDyO%2FP0f8Rc%3D&amp;RelayState=ss%3Amem%3A530275e41434eafe0d09fca57e32ff37782d7c8f3068fb3eb86b4bc9548e0202">here</a>.</p>
</body></html>

Is that what you meant by connecting to the mailgate?

I tried connecting to the URL ( https://rcicrequest.rcic.uci.edu/rt/REST/1.0/NoAuth/mail-gateway ) via a browser. When I do that, it prompts me for authentication.

If you notice in the ssl.conf, I have excluded the mail-gate area from any authentication. But I am not sure why it prompts me for authentication.

Thanks for your help!

Yeah, my thoughts are that the Location directives for Apache aren’t doing what we think, since it looks like that curl request hit SAML. If I recall, they may have been changed in recent versions of Apache. Is this the same machine that RT 4 was on or a new server?

No, the servers are physically 2 different VMs. One is running 4.4.2 and the new one is running 5.0.1.

Can you think of anything that might allow no shibboleth authentication for the mailgate part?

Thanks!

Do you need a /rt in front of the /REST in the second Location config?

Not sure, I can try that. But with the same config, my 4.4.2 RT server is working OK.

What’s the version of Apache on the 4.4 server vs 5.0 server?

RT5.0.1 server – httpd-2.4.6-93.el7.centos.x86_64

RT4.4.2 server – httpd-2.4.6-67.el7.centos.6.x86_64
Thanks

I am a little stumped, can you try putting the mailgate location directive before the SAML location directive?

I think I might have tried that before, I will do that again, and let you know.

Yeah, this one is an interesting one for me too.

Is there a way to allow mailgate to pull mails from something like a http://localhost:8080/REST/1.0/xyz … type setup?

Since the RT install and database instance are running from the same server, I wish there were an option to pull mails through fetchmail without any URL reference (just locally).

I think I was able to resolve it with the following:

<Location ~ "/REST/1.0/NoAuth/(mail-gateway)">
  <IfVersion >= 2.4>
      Satisfy Any
      Allow from all
      AuthType None
      Require all granted
  </IfVersion>
</Location>

mailgate was getting caught up with SAML redirect prompting for 2FA.

Thank you everyone for your heartwarming help and support. Your questions/comments led me to get to the bottom of it.

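Added example, not part of any post in this thread and not RT or Apache code: a simplified Python model of Apache's documented `<Location>` matching (prefix match on a path-segment boundary for the plain form, unanchored regex search for the `~` form), run over the paths from this thread to show which requests each section applies to and how wide the regex exemption from SSO is. The anchored pattern and every sample path other than the real endpoint are constructed assumptions.

```python
import re

def location_prefix_matches(location, path):
    """Plain <Location>: exact match, or prefix ending on a '/' boundary."""
    if location.endswith("/"):
        return path.startswith(location)
    return path == location or path.startswith(location + "/")

def location_regex_matches(pattern, path):
    """<Location ~ "..."> / <LocationMatch>: unanchored regex search on the path."""
    return re.search(pattern, path) is not None

# Values taken from the thread.
ENDPOINT = "/rt/REST/1.0/NoAuth/mail-gateway"          # path rt-mailgate requests
SSO_LOCATION = "/rt"                                   # Shibboleth-protected section
ORIGINAL_EXEMPTION = "/REST/1.0/NoAuth/mail-gateway"   # plain <Location>
THREAD_FIX = r"/REST/1.0/NoAuth/(mail-gateway)"        # <Location ~ "...">
# Assumption (not from the thread): a tightened, fully anchored pattern.
ANCHORED = r"^/rt/REST/1\.0/NoAuth/mail-gateway$"

# Constructed sample paths for checking how wide each exemption is.
SAMPLE_PATHS = [
    ENDPOINT,
    "/rt/REST/1.0/NoAuth/mail-gateway-extra",
    "/rt/REST/1x0/NoAuth/mail-gateway",
    "/other/REST/1.0/NoAuth/mail-gateway/x",
    "/rt/Ticket/Display.html",
]

def exempted(pattern, paths=SAMPLE_PATHS):
    """Return the paths that a regex exemption section would apply to."""
    return [p for p in paths if location_regex_matches(pattern, p)]

if __name__ == "__main__":
    print("SSO section applies to endpoint:",
          location_prefix_matches(SSO_LOCATION, ENDPOINT))
    print("original exemption applies to endpoint:",
          location_prefix_matches(ORIGINAL_EXEMPTION, ENDPOINT))
    for name, pat in (("thread fix", THREAD_FIX), ("anchored", ANCHORED)):
        print(name, "exempts:")
        for p in exempted(pat):
            print("   ", p)
```

The model covers only whether a section matches a request path, not how Apache merges the sections that match.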