FIXED: Upgrade from 2.1.0p29 to 2.2.0p2 breaks login

CMK version:
2.2.0p2
OS version:
ubuntu 22.04

Error message:
no error message, when I try to login it stays in the login form

no error messages in apache/error.log, login.py redirects (302) to index.py and then back to login.py

192.168.0.1 - - [13/Jun/2023:09:29:15 +0200] "POST /g/check_mk/login.py HTTP/1.1" 302 203 "https://cmk/g/check_mk/login.py?_origtarget=index.py" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
192.168.0.1 - - [13/Jun/2023:09:29:16 +0200] "GET /g/check_mk/index.py HTTP/1.1" 302 277 "https://cmk/g/check_mk/login.py?_origtarget=index.py" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
192.168.0.1 - - [13/Jun/2023:09:29:16 +0200] "GET /g/check_mk/login.py?_origtarget=index.py HTTP/1.1" 200 2115 "https://cmk/g/check_mk/login.py?_origtarget=index.py" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"

nothing in var/log/web.log

please help to find the problem and fix it!
regards
manfred
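The three access-log lines in the post above form a recognisable signature: the login POST is answered with 302, index.py answers with 302 again, and the login form comes back with 200. As an added example (not part of the original thread and not Checkmk code), this Python scan finds that sequence per client in an Apache access log; the names `parse` and `find_login_loops`, the 5-second window and the sample lines are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Apache combined log format: client, identd, user, [time], "request", status
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Signature from the post: login POST answered 302, index.py answers 302,
# then the login form is served again with 200.
SIGNATURE = [("POST", "login.py", 302), ("GET", "index.py", 302),
             ("GET", "login.py", 200)]

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    page = m["path"].split("?", 1)[0].rsplit("/", 1)[-1]
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["client"], ts, (m["method"], page, int(m["status"]))

def find_login_loops(lines, window=timedelta(seconds=5)):
    """Return (client, ISO start time) for each login bounced back to the form."""
    progress, loops = {}, []  # progress: client -> (next step, time of step 0)
    for client, ts, event in filter(None, map(parse, lines)):
        if event[1] not in ("login.py", "index.py"):
            continue  # static assets do not break the sequence
        step, started = progress.get(client, (0, ts))
        if step and ts - started > window:
            step = 0  # partial match too old to belong to this login
        if event != SIGNATURE[step]:
            step = 0  # sequence broken; this event may still start a new one
        if event == SIGNATURE[step]:
            started = ts if step == 0 else started
            step += 1
        if step == len(SIGNATURE):
            loops.append((client, started.isoformat()))
            step = 0
        progress[client] = (step, started)
    return loops

# Constructed sample modelled on the post; 192.168.0.2 is made up and logs in fine.
SAMPLE_LOG = """\
192.168.0.1 - - [13/Jun/2023:09:29:15 +0200] "POST /g/check_mk/login.py HTTP/1.1" 302 203 "-" "constructed-ua"
192.168.0.1 - - [13/Jun/2023:09:29:16 +0200] "GET /g/check_mk/index.py HTTP/1.1" 302 277 "-" "constructed-ua"
192.168.0.1 - - [13/Jun/2023:09:29:16 +0200] "GET /g/check_mk/login.py?_origtarget=index.py HTTP/1.1" 200 2115 "-" "constructed-ua"
192.168.0.2 - - [13/Jun/2023:09:30:01 +0200] "POST /g/check_mk/login.py HTTP/1.1" 302 203 "-" "constructed-ua"
192.168.0.2 - - [13/Jun/2023:09:30:02 +0200] "GET /g/check_mk/index.py HTTP/1.1" 200 5120 "-" "constructed-ua"
""".splitlines()
if __name__ == "__main__": print(find_login_loops(SAMPLE_LOG))
```

A hit means the credentials were accepted by login.py but the session was rejected on the next request, which is the behaviour described in this thread.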

do you use Basic Auth via htaccess in parallel to your login?

yes, I have activated basic-auth as a pre-login to the checkmk website

I had this problem too. https://forum.checkmk.com/t/restrict-access-to-web-interface-by-ip-or-authtype-basic-via-htacess-using-check-mk-2-2-0/39060/1

I ended up deactivating Basic Auth.
It seems to me that CheckMK can't handle two types of authentication headers.

so then this seems to be a bug in 2.2.0 - with 2.1.0 those two authentication headers were no problem! :disappointed_relieved:

With the Upgrade to 2.2.0 the API of checkmk changed and I think it's a side effect and not a bug.

for one it is a side effect for the other a bug, depends on the expectations :slight_smile:

Hey,

do you use different credentials for your Apache BasicAuth and for Checkmk?
My guess is you do and when Checkmk sees that header it tries to use it and the authentication fails. There was some refactoring done in 2.2, not sure if that got a Werk though.

My suggestion would be to remove the Authorization header from the request within Apache.

While trying to reproduce this issue I added the following to my system Apache config:

<Location "/cmk/">
  AuthType Basic
  AuthName "Private Login"
  AuthUserFile /etc/htpasswd
  Require valid-user
  # Removing the Authorization header to not confuse Checkmk
  RequestHeader unset Authorization
</Location>

With the RequestHeader I was able to login again. This required me to enable the headers mod via a2enmod headers.
Can you check if that helps?

Thanks
Max


Thank you @Maximilian that “RequestHeader unset Authorization” did the job, my checkmk is online again! :grinning:
You saved my day! :+1: :+1: :+1:

Hello Manfred!

If Max’s reply solved your question, please consider marking it as a solution – it is an option under the reply. That way you will be able to both say thank you, and also show everyone that the question is solved :slight_smile:
