How to configure apache to run privacyidea

jeffchua · June 25, 2019, 4:38pm

I’ve read and followed on how to configure privacyidea to run with apache but can’t get it to work.

git downloaded from privacyidea.git to “/v6/pidea” …

Here’s what I did …

cd /v6/pidea
pi-manage createdb
pi-manage create_enckey
pi-manage create_audit_keys
pi-manage admin add admin1 --password 123
virtualenv venv
source venv/bin/activate
pip3 install -r requirements.txt
python3 setup.py install --force
./tools/privacyidea-create-certificate -f /local/apache2/conf/pidea.conf

cp deploy/pi.cfg /etc/privacyidea/
cp /v6/pidea/deploy/apache/privacyideaapp.wsgi /etc/pidea/privacyideaapp.wsgi
cp /v6/pidea/deploy/apache/sites-available/privacyidea.conf /local/apache2/conf/pidea.conf

this works

pi-manage runserver -h 0.0.0.0 -p 443 --ssl-crt /var/local/pidea/server.pem --ssl-key /var/local/pidea/server.key

Restarted apache but doesn’t work …
I get as far as entering username/password at login and screen never login.

Got this error … … what am I doing wrong?

[Wed Jun 26 00:33:20.931544 2019] [wsgi:error] [pid 30985:tid 140551390676736] The configuration name is: production
[Wed Jun 26 00:33:20.931585 2019] [wsgi:error] [pid 30985:tid 140551390676736] Additional configuration can be read from the file /etc/pidea/pi.cfg
[Wed Jun 26 00:33:20.948735 2019] [wsgi:error] [pid 30985:tid 140551390676736] init() takes from 2 to 7 positional arguments but 22 were given
[Wed Jun 26 00:33:20.948749 2019] [wsgi:error] [pid 30985:tid 140551390676736] Could not use PI_LOGCONFIG. Using PI_LOGLEVEL and PI_LOGFILE.
[Wed Jun 26 00:33:20.948758 2019] [wsgi:error] [pid 30985:tid 140551390676736] Using PI_LOGLEVEL 10.
[Wed Jun 26 00:33:20.948761 2019] [wsgi:error] [pid 30985:tid 140551390676736] Using PI_LOGFILE /stmp/pidea/pidea.
[Wed Jun 26 00:33:21.052665 2019] [wsgi:error] [pid 30755:tid 140551365498624] [client 127.0.0.1:15492] Truncated or oversized response headers received from daemon process ‘privacyidea’: /etc/privacyidea/privacyideaapp.wsgi, referer: https://localhost:5001/
[Wed Jun 26 00:33:21.981664 2019] [wsgi:info] [pid 31205:tid 140551422760512] mod_wsgi (pid=31205): Attach interpreter ‘’.

portion of the apache privacyidea include file …

Listen 5001
WSGIPythonHome /v6/pidea/venv

ServerAdmin webmaster@localhost
ServerName localhost
DocumentRoot /v6/pidea/venv
<Directory /v6/pidea/deploy>
Require all granted
Options FollowSymLinks
AllowOverride None

WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea python-home=/v6/pidea/venv/
WSGIProcessGroup privacyidea
WSGIPassAuthorization On
…

My best,
Jeff

cornelinux · June 26, 2019, 5:32pm

Hello Jeff,

welcome to the privacyIDEA-Community! Maybe you will be a great help to others one day!

I totally do not understand what you are trying to do there.
Why run apache on a strange port? Why run pi-manage runserver and apache?
Why is your apache in a strange location?

If you want to derivate from the standards, you should know what you are doing and know which logfiles to consult.
I would recommend you go with a simple ubuntu installation for starters. This works out of the box.

Kind regards
Cornelius

jeffchua · June 27, 2019, 3:20pm

Hi Cornelius,

Why run apache on a strange port?

It was never my intent to deviate from standard. I had linotp running and it was running on port 5001. I tried 443 too but it didn’t work either.

Why run pi-manage runserver and apache?

pi-manage runs fine, but I had apache server that had linotp before and now and I wanted to replace linotp with privacyidea and run it the same using apache.

Why is your apache in a strange location?

It was installed from source and ran fine from apache1 that and upgraded to apache2 that went to /local/apache2 … that was according to apache install.

I’m running a slackware+redhat distribution and everything else is running fine, and again linotp runs as well. The reason for the upgrade to privacyidea is because linotp doesn’t run with python3, and privacyidea does, and thank you for that!

If you want to derivate from the standards, you should know what you are doing and know which logfiles to consult.

I’ve checked all the logs and none seems to point to any errror other than the “Truncated or oversized response headers received”.

I would recommend you go with a simple ubuntu installation for starters. This works out of the box.

Any chance of posting the apache configurations? I don’t have access to that, or documentation that works for the git install (it seems to different from those I could find out there for the path to the config files and directories).

Thank you!

Jeff

cornelinux · June 27, 2019, 3:45pm

Hi Jeff,

the truncated response header could be caused by trying to do https or an http connection or vice versa.
This is the problem with mixed up ports.

You can find apache configs roughly everywhere:

https://privacyidea.readthedocs.io/en/latest/installation/debian.html#running-privacyidea-with-apache2-and-mysql

github.com

privacyidea/privacyidea/blob/master/deploy/apache/sites-available/privacyidea.conf

<VirtualHost _default_:443>
	ServerAdmin webmaster@localhost
	# You might want to change this
	ServerName localhost

	DocumentRoot /var/www
	<Directory />
		# For Apache 2.4 you need to set this:
		Require all granted
		Options FollowSymLinks
		AllowOverride None
	</Directory>

        # Yubico servers use /wsapi/2.0/verify as the path in the
        # validation URL. Some tools (e.g. Kolab 2fa) let the 
        # user/admin change the api host, but not the rest of
        # the URL. Uncomment the following two lines to reroute 
        # the api URL internally to privacyideas /ttype/yubikey.
        #RewriteEngine  on
        #RewriteRule    "^/wsapi/2.0/verify"  "/ttype/yubikey" [PT]

This file has been truncated. show original

Regards
Cornelius