Dear PrivacyIdea Community,
I am genuinely grateful for any assistance that you can provide and I have spent most of yesterday looking at this issue with no success.
I am trying to install privacyIdea within a Python 3.8.12 virtual environment sat on top of a Red Hat 8.4 operating system.
I have followed the documentation and successfully installed the application using pip as well as the requirements, created the MySQL database, configured the ‘pi’ db user and corresponding permissions, configured the ‘PEPPER’ & ‘SECRET’ values, created the tables and admin user.
So far, so good and almost there!
I then installed httpd (apache2), configured the ‘/etc/privacyidea/pi.cfg’ file and attempted to start the httpd service, and received the following errors:
Aug 07 09:15:09 otp-i0b7e78298bae47504 systemd[1]: Starting The Apache HTTP Server...
Aug 07 09:15:09 otp-i0b7e78298bae47504 httpd[274527]: AH00526: Syntax error on line 23 of /etc/httpd/conf.d/privacyidea.conf:
Aug 07 09:15:09 otp-i0b7e78298bae47504 httpd[274527]: Invalid command 'WSGIScriptAlias', perhaps misspelled or defined by a module not included in the server configuration
Aug 07 09:15:09 otp-i0b7e78298bae47504 systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Aug 07 09:15:09 otp-i0b7e78298bae47504 systemd[1]: httpd.service: Failed with result 'exit-code'.
Aug 07 09:15:09 otp-i0b7e78298bae47504 systemd[1]: Failed to start The Apache HTTP Server.
It appears to suggest that a module, possibly ‘wsgi’, could be missing…?
Here’s my ‘/etc/httpd/conf.d/privacyidea.conf’ file:
(privacyidea) [root@otp-i0b7e78298bae47504 conf.d]# cat privacyidea.conf
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
# You might want to change this
ServerName localhost
DocumentRoot /var/www
<Directory />
# For Apache 2.4 you need to set this:
Require all granted
Options FollowSymLinks
AllowOverride None
</Directory>
# Yubico servers use /wsapi/2.0/verify as the path in the
# validation URL. Some tools (e.g. Kolab 2fa) let the
# user/admin change the api host, but not the rest of
# the URL. Uncomment the following two lines to reroute
# the api URL internally to privacyIDEA's /ttype/yubikey.
#RewriteEngine on
#RewriteRule "^/wsapi/2.0/verify" "/ttype/yubikey" [PT]
# We can run several instances on different paths with different configurations
WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
#WSGIScriptAlias /instance1 /home/cornelius/src/privacyidea/deploy/privacyideaapp1.wsgi
#WSGIScriptAlias /instance2 /home/cornelius/src/privacyidea/deploy/privacyideaapp2.wsgi
#WSGIScriptAlias /instance3 /home/cornelius/src/privacyidea/deploy/privacyideaapp3.wsgi
#
# The daemon is running as user 'privacyidea'
# This user should have access to the encKey database encryption file
WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea
WSGIProcessGroup privacyidea
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLog /var/log/apache2/error.log
LogLevel warn
# Do not use %q! This will reveal all parameters, including setting PINs and Keys!
# Using SSL_CLIENT_S_DN_CN will show you which administrator did what task
LogFormat "%h %l %u %t %>s \"%m %U %H\" %b \"%{Referer}i\" \"%{User-agent}i\"" privacyIDEA
CustomLog /var/log/apache2/ssl_access.log privacyIDEA
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLCompression off
SSLSessionTickets off
# You can turn on HSTS. But as long as you have no valid certificate, this can cause
# some trouble
# HSTS (mod_headers is required) (1209600 seconds = 2 weeks)
# Header always set Strict-Transport-Security "max-age=1209600"
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /etc/ssl/certs/privacyideaserver.pem
SSLCertificateKeyFile /etc/ssl/private/privacyideaserver.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
# If you want to forward http request to https enable the
# following virtual host.
<VirtualHost _default_:80>
# This will enable the Rewrite capabilities
RewriteEngine On
# This checks to make sure the connection is not already HTTPS
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
Here’s a pip list from my virtual environment:
(privacyidea) [root@otp-i0b7e78298bae47504 privacyidea]# pip list
Package Version
-------------------- ------------------
alembic 1.7.7
argon2-cffi 21.3.0
argon2-cffi-bindings 21.2.0
async-timeout 4.0.2
Babel 2.10.1
bcrypt 3.2.2
beautifulsoup4 4.11.1
cachetools 5.0.0
cbor2 5.4.3
certifi 2022.12.7
cffi 1.15.0
charset-normalizer 2.0.12
click 7.1.2
configobj 5.0.6
croniter 1.3.4
cryptography 38.0.3
defusedxml 0.7.1
Deprecated 1.2.13
Flask 1.1.4
Flask-Babel 2.0.0
Flask-Migrate 2.7.0
Flask-Script 2.0.6
Flask-SQLAlchemy 2.5.1
Flask-Versioned 0.9.4.post20101221
google-auth 2.6.6
grpcio 1.46.0
grpcio-tools 1.46.0
huey 2.4.3
idna 3.3
importlib-metadata 4.11.3
importlib-resources 6.0.0
itsdangerous 1.1.0
Jinja2 2.11.3
ldap3 2.8.1
lxml 4.9.1
Mako 1.2.2
MarkupSafe 2.0.1
mod-wsgi 4.9.4
mysqlclient 2.2.0
netaddr 0.8.0
packaging 21.3
passlib 1.7.4
pip 23.2.1
privacyIDEA 3.8.1
protobuf 3.20.2
pyasn1 0.4.8
pyasn1-modules 0.2.8
pycparser 2.21
pydash 5.1.0
PyJWT 2.4.0
PyMySQL 1.0.2
pyOpenSSL 22.0.0
pyparsing 3.0.8
pyrad 2.4
python-dateutil 2.8.2
python-gnupg 0.4.8
pytz 2022.1
PyYAML 6.0
redis 4.2.2
requests 2.27.1
rsa 4.8
segno 1.5.2
setuptools 41.6.0
six 1.16.0
smpplib 2.2.1
soupsieve 2.3.2.post1
SQLAlchemy 1.3.24
sqlsoup 0.9.1
typing_extensions 4.7.1
urllib3 1.26.9
Werkzeug 1.0.1
wrapt 1.14.1
zipp 3.8.0
Here’s my redacted ‘/etc/privacyidea/privacyideaapp.wsgi’ file:
(privacyidea) [root@otp-i0b7e78298bae47504 privacyidea]# cat privacyideaapp.wsgi
import sys
sys.stdout = sys.stderr
from privacyidea.app import create_app
# Now we can select the config file:
application = create_app(config_name="production", config_file="/etc/privacyidea/pi.cfg")
Here’s my redacted ‘/etc/privacyidea/pi.cfg’ file:
(privacyidea) [root@otp-i0b7e78298bae47504 privacyidea]# cat pi.cfg
# The realm, where users are allowed to login as administrators
#SUPERUSER_REALM = ['super', 'administrators']
# Your database
SQLALCHEMY_DATABASE_URI = 'mysql://pi:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.rds.amazonaws.com:3310/pi'
# Set maximum identifier length to 128
# SQLALCHEMY_ENGINE_OPTIONS = {"max_identifier_length": 128}
# This is used to encrypt the auth_token
SECRET_KEY = 'xxxxxxxxxxxxxxxxxxxxxx'
# This is used to encrypt the admin passwords
PI_PEPPER = "xxxxxxxxxxxxxxxxxxxxxx"
# This is used to encrypt the token data and token passwords
PI_ENCFILE = '/etc/privacyidea/enckey'
# This is used to sign the audit log
PI_AUDIT_KEY_PRIVATE = '/etc/privacyidea/private.pem'
PI_AUDIT_KEY_PUBLIC = '/etc/privacyidea/public.pem'
# PI_AUDIT_MODULE = <python audit module>
# PI_AUDIT_SQL_URI = <special audit log DB uri>
# Options passed to the Audit DB engine (supersedes SQLALCHEMY_ENGINE_OPTIONS)
# PI_AUDIT_SQL_OPTIONS = {}
# Truncate Audit entries to fit into DB columns
PI_AUDIT_SQL_TRUNCATE = True
PI_LOGFILE = '/var/log/privacyidea/privacyidea.log'
PI_LOGLEVEL = 20
# PI_INIT_CHECK_HOOK = 'your.module.function'
# PI_CSS = '/location/of/theme.css'
# PI_UI_DEACTIVATED = True
I feel as though I am very close to completing the installation, just lacking a little knowledge around the WSGI (Web Server Gateway Interface) that sits between apache2 and the privacyIdea application. The pip listing above suggests that the module mod-wsgi (4.9.4) is installed, but I’m not sure whether this installation, which is within the virtual environment, is accessible to the apache process.
A yum listing of all installed packages, searching for entries with the text ‘wsgi’, yields no results:
(privacyidea) [root@otp-i0b7e78298bae47504 privacyidea]# yum list --installed | grep -i wsgi
(privacyidea) [root@otp-i0b7e78298bae47504 privacyidea]#
However, a listing of available packages yields multiple potential ‘wsgi’ packages.
(privacyidea) [root@otp-i0b7e78298bae47504 privacyidea]# yum list | grep -i wsgi
python2-WSGIProxy2.noarch 0.4.1-14.el8 epel_mirror
python2-WSGIProxy2.noarch 0.4.1-14.el8 epel8
python3-WSGIProxy2.noarch 0.4.1-14.el8 epel_mirror
python3-WSGIProxy2.noarch 0.4.1-14.el8 epel8
python3-mod_wsgi.x86_64 4.6.4-4.el8 rhel-8-appstream-rhui-rpms
python3-uwsgidecorators.x86_64 2.0.20-1.el8 epel8
python38-mod_wsgi.x86_64 4.6.8-3.module+el8.4.0+8888+89bc7e79 rhel-8-appstream-rhui-rpms
python39-mod_wsgi.x86_64 4.7.1-4.module+el8.4.0+9822+20bf1249 rhel-8-appstream-rhui-rpms
uwsgi.x86_64 2.0.20-1.el8 epel8
uwsgi-alarm-curl.x86_64 2.0.20-1.el8 epel8
uwsgi-alarm-xmpp.x86_64 2.0.20-1.el8 epel8
uwsgi-devel.x86_64 2.0.20-1.el8 epel8
uwsgi-docs.x86_64 2.0.20-1.el8 epel8
uwsgi-log-encoder-msgpack.x86_64 2.0.20-1.el8 epel8
uwsgi-logger-crypto.x86_64 2.0.20-1.el8 epel8
uwsgi-logger-file.x86_64 2.0.20-1.el8 epel8
uwsgi-logger-graylog2.x86_64 2.0.20-1.el8 epel8
uwsgi-logger-pipe.x86_64 2.0.20-1.el8 epel8
uwsgi-logger-redis.x86_64 2.0.20-1.el8 epel8
uwsgi-logger-rsyslog.x86_64 2.0.20-1.el8 epel8
uwsgi-logger-socket.x86_64 2.0.20-1.el8 epel8
uwsgi-logger-syslog.x86_64 2.0.20-1.el8 epel8
uwsgi-logger-systemd.x86_64 2.0.20-1.el8 epel8
uwsgi-logger-zeromq.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-airbrake.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-cache.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-carbon.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-cheaper-busyness.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-common.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-coroae.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-cplusplus.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-curl-cron.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-dumbloop.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-dummy.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-fiber.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-gccgo.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-geoip.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-glusterfs.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-ldap.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-lua.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-mongrel2.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-mono.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-nagios.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-notfound.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-pam.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-php.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-psgi.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-pty.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-python3.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-python3-gevent.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-python3-greenlet.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-python3-tornado.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-rack.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-rbthreads.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-rpc.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-rrdtool.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-ruby.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-spooler.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-sqlite3.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-ssi.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-ugreen.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-webdav.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-xattr.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-xslt.x86_64 2.0.20-1.el8 epel8
uwsgi-plugin-zergpool.x86_64 2.0.20-1.el8 epel8
uwsgi-router-basicauth.x86_64 2.0.20-1.el8 epel8
uwsgi-router-cache.x86_64 2.0.20-1.el8 epel8
uwsgi-router-expires.x86_64 2.0.20-1.el8 epel8
uwsgi-router-fast.x86_64 2.0.20-1.el8 epel8
uwsgi-router-forkpty.x86_64 2.0.20-1.el8 epel8
uwsgi-router-hash.x86_64 2.0.20-1.el8 epel8
uwsgi-router-http.x86_64 2.0.20-1.el8 epel8
uwsgi-router-memcached.x86_64 2.0.20-1.el8 epel8
uwsgi-router-metrics.x86_64 2.0.20-1.el8 epel8
uwsgi-router-radius.x86_64 2.0.20-1.el8 epel8
uwsgi-router-raw.x86_64 2.0.20-1.el8 epel8
uwsgi-router-redirect.x86_64 2.0.20-1.el8 epel8
uwsgi-router-redis.x86_64 2.0.20-1.el8 epel8
uwsgi-router-rewrite.x86_64 2.0.20-1.el8 epel8
uwsgi-router-spnego.x86_64 2.0.20-1.el8 epel8
uwsgi-router-ssl.x86_64 2.0.20-1.el8 epel8
uwsgi-router-static.x86_64 2.0.20-1.el8 epel8
uwsgi-router-tuntap.x86_64 2.0.20-1.el8 epel8
uwsgi-router-uwsgi.x86_64 2.0.20-1.el8 epel8
uwsgi-router-xmldir.x86_64 2.0.20-1.el8 epel8
uwsgi-stats-pusher-file.x86_64 2.0.20-1.el8 epel8
uwsgi-stats-pusher-socket.x86_64 2.0.20-1.el8 epel8
uwsgi-stats-pusher-statsd.x86_64 2.0.20-1.el8 epel8
uwsgi-stats-pusher-zabbix.x86_64 2.0.20-1.el8 epel8
uwsgi-transformation-chunked.x86_64 2.0.20-1.el8 epel8
uwsgi-transformation-gzip.x86_64 2.0.20-1.el8 epel8
uwsgi-transformation-offload.x86_64 2.0.20-1.el8 epel8
uwsgi-transformation-template.x86_64 2.0.20-1.el8 epel8
uwsgi-transformation-tofile.x86_64 2.0.20-1.el8 epel8
uwsgi-transformation-toupper.x86_64 2.0.20-1.el8 epel8
Any advice that you can provide on this matter/issue would be greatly appreciated.
Thank you.
Cossy
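One way to turn the "Invalid command 'WSGIScriptAlias'" error into a concrete check, as an added example that is not part of the original post or of privacyIDEA's own tooling: it parses the output of `httpd -M` and flags every directive in a privacyidea.conf whose providing module is not loaded. The `httpd -M` output and the shortened config below are constructed to mirror the situation in the post (no wsgi_module loaded); the directive-to-module table is a hand-written assumption covering only the directives used in that config.

```python
import re

# Directive prefix -> Apache module that provides it. Hand-written assumption
# for the directives in the posted privacyidea.conf, not derived from httpd.
DIRECTIVE_MODULES = {
    "WSGI": "wsgi_module",
    "SSL": "ssl_module",
    "Rewrite": "rewrite_module",
    "Header": "headers_module",
    "BrowserMatch": "setenvif_module",
}

# Constructed `httpd -M` output: ssl/rewrite loaded, but no wsgi_module,
# which is exactly what produces the AH00526 "Invalid command" error.
HTTPD_M_NO_WSGI = """Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 ssl_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 headers_module (shared)
"""

# Constructed excerpt of the posted config (backslash continuation included).
SAMPLE_CONF = """<VirtualHost _default_:443>
ServerName localhost
WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
WSGIDaemonProcess privacyidea processes=1 threads=15 user=privacyidea
WSGIProcessGroup privacyidea
SSLEngine on
BrowserMatch ".*MSIE.*" \\
nokeepalive ssl-unclean-shutdown
</VirtualHost>
"""

def loaded_modules(httpd_m_output):
    """Return the set of module names that `httpd -M` reports as loaded."""
    return set(re.findall(r"^\s*(\w+_module)\s+\((?:static|shared)\)",
                          httpd_m_output, re.M))

def missing_modules(config_text, loaded):
    """Return (line_no, directive, module) for each directive whose module
    is not loaded. Comments, blank lines and <Section> tags are skipped;
    a trailing backslash joins the next physical line (Apache syntax)."""
    problems, pending, start = [], "", 0
    for no, line in enumerate(config_text.splitlines(), start=1):
        if not pending:
            start = no
        pending += line.rstrip()
        if pending.endswith("\\"):
            pending = pending[:-1] + " "
            continue
        stripped, pending = pending.strip(), ""
        if not stripped or stripped[0] in "#<":
            continue
        directive = stripped.split()[0]
        for prefix, module in DIRECTIVE_MODULES.items():
            if directive.lower().startswith(prefix.lower()) and module not in loaded:
                problems.append((start, directive, module))
                break
    return problems

if __name__ == "__main__":
    for no, directive, module in missing_modules(SAMPLE_CONF, loaded_modules(HTTPD_M_NO_WSGI)):
        print(f"line {no}: {directive} needs {module}, which httpd has not loaded")
```

On the real host, feed it the actual `httpd -M` output and /etc/httpd/conf.d/privacyidea.conf; for a mod-wsgi installed with pip inside the virtualenv, `mod_wsgi-express module-config` prints the LoadModule line that httpd needs to be given.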