Arcanist 404 when installing certificate
Closed, ResolvedPublic
Actions

Asked by gracicot on Aug 26 2016, 12:12 PM.

Details

I recently tried to configure arcanist on my machine. When I tried to connect it to my phabricator server, I got this error:

$ arc install-certificate

CONNECT  Connecting to "http://my.phabserver.com:8080/api/"...
Usage Exception: Failed to connect to server (http://my.phabserver.com:8080/api/): [HTTP/404] Not Found
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
  <title>404 - Not Found</title>
 </head>
 <body>
  <h1>404 - Not Found</h1>
 </body>
</html>

However, when I go to http://my.phabserver.com:8080/ on my web browser, everything seems fine.
Did I missed something in my phabricator installation?

EDIT: Added the port, since it can be valuable information.

This is my host section of my lighttpd.conf file:

$HTTP["host"] =~ "my.phabserver.com:8080" {
  server.document-root = "/srv/http/phabricator/webroot"
  url.rewrite-once = (
    "^(/rsrc/.*)$" => "$1",
    "^(/favicon.ico)$" => "$1",
    # This simulates QSA (query string append) mode in Apache
    "^(/[^?]*)\?(.*)" => "/index.php?__path__=$1&$2",
    "^(/.*)$" => "/index.php?__path__=$1",
  )
}

Event Timeline

That doesn't look like a Phabricator 404 page.

When I type http://myphabserver.com/api/ in the browser, I get the phabricator 404, but I assume that you shouldn't try to request the api in the browser directly.

Ah, true. A correct connection looks like this:

chad@phac-dev:/var/www/html/dev/phabricator$ arc install-certificate
 CONNECT  Connecting to "https://secure.phabricator.com/api/"...
LOGIN TO PHABRICATOR
Open this page in your browser and login to Phabricator if necessary:

https://secure.phabricator.com/conduit/login/

Then paste the API Token on that page below.

    Paste API Token from that page:

I edited the question to add my configuration of lighttpd. I also changed the address to reflect more the real one.

What version of arcanist are you running?
If you manually put in the URI, does it work then?

arc install-certificate 'phab.yourhost.com:8080/'

I installed the latest arcanist through aur: https://aur.archlinux.org/packages/arcanist-git/

When I manually put the url the result is the same. I typed arc install-certificate 'http://my.phabricator.com:8080'

We don't maintain or provide any third party packages / installers. They are frequently not kept up to date. Can you install arcanist from our repositories?

arc upgrade might also bring you up to date.

(the same goes for Phabricator)

https://secure.phabricator.com/book/phabricator/article/arcanist_quick_start/ is our guide, it's just cloning two repositorys and a PATH command, so installation should be simple. No magic.

Also, if you want you can try to install a cert from this server, or from a free instance on Phacility. Just to make sure it's not a server side issue.

The aur package actually clone from your git, so versioning should not be a problem.

Anyway, I reinstalled arcanist in the recommended way. However, I still got a 404 not found from my server. From https://secure.phabricator.com/ it works. So it seems to be a server problem.

Sorry for the delay.

Btw, pacaur -S arcanist-git seems more simple to me than cloning gits and changing the path, but it's only my opinion.

See T4200 for more details if you’re curious why we don’t currently support
OS packaging / install scripts.

I see. Good to know.

I noticed that my host regex matcher differs from the configuration tutorial found here: https://secure.phabricator.com/book/phabricator/article/configuration_guide/#webserver-configuring-li

My http regex is "my.phabserver.com:8080"and the one in the tutorial is "phabricator(\.example\.com)?"

Do you think it might be related? I don't have a lot of experience in regex and http configuration.

Server side routing would be my next guess. We regex all urls and map them to controllers internally. Though we should raise a setup warning if they're not set up correctly.

can you add --trace to arc, to see exactly what's failing? /api/ is 404ing for good installs too, so I'm guessing it's actually hitting a different uri.

Here's my output for arc install-certificate --trace:

 ARGV  '/home/master/build/arcanist/bin/../scripts/arcanist.php' 'install-certificate' '--trace'
 LOAD  Loaded "phutil" from "/home/master/build/libphutil/src".
 LOAD  Loaded "arcanist" from "/home/master/build/arcanist/src".
Config: Did not find user configuration at "/home/master/.arcrc".
Config: Did not find system configuration at "/etc/arcconfig".
Working Copy: Reading .arcconfig from "/home/master/prog/myproject/.arcconfig".
Working Copy: Path "/home/master/prog/myproject" is part of `git` working copy "/home/master/prog/myproject".
Working Copy: Project root is at "/home/master/prog/myproject".
Config: Did not find local configuration at "/home/master/prog/myproject/.git/arc/config".
 CONNECT  Connecting to "http://my.phabricator.com:8080/api/"...
>>> [0] <conduit> conduit.ping() <bytes = 39>
>>> [1] <http> http://my.phabricator.com:8080/api/conduit.ping
<<< [1] <http> 71,707 us
<<< [0] <conduit> 72,471 us
Usage Exception: Failed to connect to server (http://my.phabricator.com:8080/api/): [HTTP/404] Not Found
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
  <title>404 - Not Found</title>
 </head>
 <body>
  <h1>404 - Not Found</h1>
 </body>
</html>

[2016-08-26 22:10:53] EXCEPTION: (ArcanistUsageException) Failed to connect to server (http://my.phabricator.com:8080/api/): [HTTP/404] Not Found
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
  <title>404 - Not Found</title>
 </head>
 <body>
  <h1>404 - Not Found</h1>
 </body>
</html> at [<arcanist>/src/workflow/ArcanistInstallCertificateWorkflow.php:69]
arcanist(head=master, ref.master=9e82ef979e81), phutil(head=master, ref.master=5fd1af8b4f2b)
  #0 ArcanistInstallCertificateWorkflow::run() called at [<arcanist>/scripts/arcanist.php:394]

/api/conduit.ping here returns a json; Does it work for your install from the browser?

Yes, from my browser it shows {"result":"someservername","error_code":null,"error_info":null} when I typed http://my.phabricator.com:8080/api/conduit.ping.

How about from the terminal? curl -i http://my.phabricator.com:8080/api/conduit.ping ?

Not really up on lighttpd, but this line looks like it should be ==, not =~ ?

$HTTP["host"] =~ "my.phabserver.com:8080" {

It shows this:

HTTP/1.1 200 OK
X-Powered-By: PHP/5.6.25
Set-Cookie: phsid=A%2F72hqw6cmi3przavtmn3rayh57g5yo5utgibbrwza; expires=Wed, 25-Aug-2021 22:37:37 GMT; Max-Age=157680000; path=/; domain=my.phabricator.com; httponly
X-Frame-Options: Deny
Content-Type: application/json
Cache-Control: no-store
Expires: Sat, 01 Jan 2000 00:00:00 GMT
X-Content-Type-Options: nosniff
Content-Length: 61
Date: Fri, 26 Aug 2016 22:37:37 GMT
Server: lighttpd/1.4.41

Do you have any kind of proxy/vpn configured?

Does it work when you try to arc install-certificate https://secure.phabricator.com/api/ ?

No. No proxy and no vpn.

Yes, arc install-certificate https://secure.phabricator.com/api/ is working. Does it has to do with my custom port 8080 or it should be supported?

It's supposed to work; Does that 404 page looks like it's coming from the wrong port?

I don't think, with my current configuration, the port 80 is not accessible (limitation from my ISP), so I highly doubt I went through the wrong port.

I'd start maybe here:

https://secure.phabricator.com/diffusion/ARC/browse/master/src/workflow/ArcanistInstallCertificateWorkflow.php;9e82ef979e8148c43b9b8439025d505b1219e213$209

With some manual debugging, maybe var_dump both $uri and $uri_object

I tried the address http://my.phabricator.com:8080/api/conduit.connect and it returned me a json that look like this:
{"result":null,"error_code":"ERR-INVALID-USER","error_info":"The username you are attempting to authenticate with is not valid."}

So there is no 404 either. I will try manual debugging.

Okay, so var_dump($uri) shows me that:
string(32) "http://my.phabserver.com:8080/api/"

And var_dump($uri_object) shows:

object(PhutilURI)#45 (9) {
  ["protocol":"PhutilURI":private]=>
  string(4) "http"
  ["user":"PhutilURI":private]=>
  string(0) ""
  ["pass":"PhutilURI":private]=>
  string(0) ""
  ["domain":"PhutilURI":private]=>
  string(15) "my.phabserver.com"
  ["port":"PhutilURI":private]=>
  string(4) "8080"
  ["path":"PhutilURI":private]=>
  string(5) "/api/"
  ["query":"PhutilURI":private]=>
  array(0) {
  }
  ["fragment":"PhutilURI":private]=>
  string(0) ""
  ["type":"PhutilURI":private]=>
  string(3) "uri"
}

I tried a couple of things, it seems it fails when trying to ping the server. This line $conduit->callMethodSynchronous('conduit.ping', array()); will throw the error, even though it clearly worked with curl.

Maybe run php -v from command line, what system is this? But then again it works to secure...

Maybe install Charles if you can and see what's happening at the packet level?

I'm pretty stumped here; Server seems OK, and client seems OK. Maybe test a completely different computer?

This is my php -v output... Does it have to do with the fact that I run PHP 7? But even so, like you said, it worked on secure.

PHP 7.0.10 (cli) (built: Aug 21 2016 07:35:18) ( NTS )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies

It's on arch linux, fully updated from today. My server is arch linux too, but I installed PHP 5.6 on it.

I will have access to my desktop computer in about a week. If I can do any other debugging with my current computer, I will gladly do it. I you need the real address of my server for more extensive debugging, I can send it to you in private message.

We don't expect to officially look into supporting PHP7 until 7.1. We've gotten a number of random issues from it we hope to be resolved in that release.

It's worth a swap to 5.6 if it's not a lot of trouble.

I still got the 404 error even with php 5.6. Here's my php -v output:

PHP 5.6.25 (cli) (built: Aug 26 2016 20:28:05) 
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies

I even removed php7 from my machine.
I got exactly the same error as before...

do you happen to be using a dns name that you populated using your /etc/hosts file?

No, it's a DNS name from https://freedns.afraid.org/

Can you var_dump($core_future) at https://secure.phabricator.com/diffusion/PHU/browse/master/src/conduit/ConduitClient.php;5fd1af8b4f2b9631e2ceb06bd88d21f2416123c2$146 and $domain at https://secure.phabricator.com/diffusion/PHU/browse/master/src/future/http/HTTPSFuture.php;5fd1af8b4f2b9631e2ceb06bd88d21f2416123c2$175 ?

for domain:

domain
string(15) "my.phabserver.com"

For core_future:

object(HTTPSFuture)#88 (19) {
  ["handle":"HTTPSFuture":private]=>
  NULL
  ["profilerCallID":"HTTPSFuture":private]=>
  NULL
  ["cabundle":"HTTPSFuture":private]=>
  NULL
  ["followLocation":"HTTPSFuture":private]=>
  bool(true)
  ["responseBuffer":"HTTPSFuture":private]=>
  string(0) ""
  ["responseBufferPos":"HTTPSFuture":private]=>
  NULL
  ["files":"HTTPSFuture":private]=>
  array(0) {
  }
  ["temporaryFiles":"HTTPSFuture":private]=>
  array(0) {
  }
  ["rawBody":"HTTPSFuture":private]=>
  NULL
  ["rawBodyPos":"HTTPSFuture":private]=>
  int(0)
  ["fileHandle":"HTTPSFuture":private]=>
  NULL
  ["method":"BaseHTTPFuture":private]=>
  string(3) "GET"
  ["timeout":"BaseHTTPFuture":private]=>
  float(300)
  ["headers":"BaseHTTPFuture":private]=>
  array(0) {
  }
  ["uri":"BaseHTTPFuture":private]=>
  string(44) "http://my.phabserver.com:8080/api/conduit.ping"
  ["data":"BaseHTTPFuture":private]=>
  array(3) {
    ["params"]=>
    string(2) "[]"
    ["output"]=>
    string(4) "json"
    ["__conduit__"]=>
    bool(true)
  }
  ["expect":"BaseHTTPFuture":private]=>
  NULL
  ["result":protected]=>
  NULL
  ["exception":protected]=>
  NULL
}

I don't have https enabled on my phabricator instance. Could it be related to my problem?

no, HTTPSFuture also knows http; My dev instance is http://127.0.0.1:8080/api/, and it works fine.

That request should be identical to this request:

curl -v -XPOST -d'params=[]&output=json&__conduit__=1' "http://my.phabserver.com:8080/api/conduit.ping"

(It's setting POST and some other stuff later in that file). Does this work?

Yes, I got that output:

Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 11.22.33.44...
* Connected to my.phabserver.com (11.22.33.44) port 8080 (#0)
> POST /api/conduit.ping HTTP/1.1
> Host: my.phabserver.com:8080
> User-Agent: curl/7.50.1
> Accept: */*
> Content-Length: 35
> Content-Type: application/x-www-form-urlencoded
> 
* upload completely sent off: 35 out of 35 bytes
< HTTP/1.1 200 OK
< X-Powered-By: PHP/5.6.25
< Set-Cookie: phsid=A%2Fx3d7s2ghnuyafelgkpilokjdmu3lw2rxvnkwcpcm; expires=Thu, 26-Aug-2021 04:37:41 GMT; Max-Age=157680000; path=/; domain=my.phabserver.com; httponly
< X-Frame-Options: Deny
< Content-Type: application/json
< Cache-Control: no-store
< Expires: Sat, 01 Jan 2000 00:00:00 GMT
< X-Content-Type-Options: nosniff
< Content-Length: 61
< Date: Sat, 27 Aug 2016 04:37:41 GMT
< Server: lighttpd/1.4.41
< 
* Connection #0 to host my.phabserver.com left intact
{"result":"someserver","error_code":null,"error_info":null}

ok.

I suspect that your computer is possessed.

Okay, I think I'm into something. I logged the requests to see the differences between the one with curl command line that works, and the one from arcanist that fials.

This is the log for the command curl -v -XPOST -d'params=[]&output=json&__conduit__=1' "http://my.phabserver.com:8080/api/conduit.ping":

2016-08-27 12:22:22: (request.c.436) fd: 6 request-len: 170 \nPOST /api/conduit.ping HTTP/1.1\r\nHost: my.phabserver.com:8080\r\nUser-Agent: curl/7.50.1\r\nAccept: */*\r\nContent-Length: 35\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n

This is the log for arc install-certificate 'http://my.phabserver.com:8080/api/':

2016-08-27 12:22:43: (request.c.436) fd: 6 request-len: 140 \nPOST /api/conduit.ping HTTP/1.1\r\nHost: my.phabserver.com\r\nAccept: */*\r\nContent-Length: 39\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n

As you can see, the host section is different between the two: one has the port 8080 and work, and the other has not the port and fail.

Answers

michaeljs1990
Updated 2,798 Days Ago
Actions

This was bothering me. I dug into the conduit api and found this.

HTTPSFuture.php

// cURL sends an "Expect" header by default for certain requests. While
// there is some reasoning behind this, it causes a practical problem
// in that lighttpd servers reject these requests with a 417. Both sides
// are locked in an eternal struggle (lighttpd has introduced a
// 'server.reject-expect-100-with-417' option to deal with this case).
//
// The ostensibly correct way to suppress this behavior on the cURL side
// is to add an empty "Expect:" header. If we haven't seen some other
// explicit "Expect:" header, do so.
//
// See here, for example, although this issue is fairly widespread:
//   http://curl.haxx.se/mail/archive-2009-07/0008.html

if you comment out this line $headers[] = 'Expect:'; in HTTPSFuture.php arc will work for you however it looks like you need to configure lighttpd properly for use with phabricator.

A small side note on security. You leaked your public IP in the logs above and have a webserver serving all files including your config.json.

@epriestley this one is a bit strange to me and i'm not sure I completely understand the comment correctly. It seems that curl historically adds Expect 100 so this is turning it off. However new versions of lighttpd return 404 when this header is included. However I haven't been able to find any reports of this specific 404 error. In this case it seems completely removing the expect header is the fix but I'm not sure if that will cause issues elsewhere.

Steps to reproduce

Obtain a fresh copy of ubuntu server 14.04 / 16.06 will likely work exactly the same outside of going through a different install process for php5.
sudo apt-get install lighttpd git php5 php5-cgi php5-fpm php5-mysql
mkdir /srv/httpd & cd /srv/httpd
clone arc, libphutil, phab into this directory
modify /etc/lighttpd/lighttpd.conf with the output provided
service lighttpd restart && service lighttpd force-reload
add lightphab.dev to the /etc/hosts file of the computer you want to run arc from.

# lighttpd.conf file

server.modules = (
	"mod_access",
	"mod_alias",
	"mod_compress",
 	"mod_redirect",
        "mod_rewrite",
)

server.document-root        = "/srv/httpd"
server.upload-dirs          = ( "/var/cache/lighttpd/uploads" )
server.errorlog             = "/var/log/lighttpd/error.log"
server.pid-file             = "/var/run/lighttpd.pid"
server.username             = "www-data"
server.groupname            = "www-data"
server.port                 = 8080


index-file.names            = ( "index.php", "index.html", "index.lighttpd.html" )
url.access-deny             = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

compress.cache-dir          = "/var/cache/lighttpd/compress/"
compress.filetype           = ( "application/javascript", "text/css", "text/html", "text/plain" )

# default listening port for IPv6 falls back to the IPv4 port
## Use ipv6 if available
#include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.assign.pl"
include_shell "/usr/share/lighttpd/include-conf-enabled.pl"

$HTTP["host"] =~ "lightphab.dev:8080" {
  server.document-root = "/srv/httpd/phabricator/webroot"
  url.rewrite-once = (
    "^(/rsrc/.*)$" => "$1",
    "^(/favicon.ico)$" => "$1",
    # This simulates QSA (query string append) mode in Apache
    "^(/[^?]*)\?(.*)" => "/index.php?__path__=$1&$2",
    "^(/.*)$" => "/index.php?__path__=$1",
  )
}

Now you can try to install a cert from this server that is reachable from the browser which will give you the following.

arc install-cert http://lightphab.dev:8080
 CONNECT  Connecting to "http://lightphab.dev:8080/api/"...
Usage Exception: Failed to connect to server (http://lightphab.dev:8080/api/): [HTTP/404] Not Found
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
  <title>404 - Not Found</title>
 </head>
 <body>
  <h1>404 - Not Found</h1>
 </body>
</html>

You can now edit one line in HTTPSFuture.php which should be 282 $headers[] = 'Expect:'; just comment it out.

and the above is wrong...... I am finding out as I try to type up the rest of this... I'll be posting a diff in a second to fix this issue.

gracicot
Updated 2,798 Days Ago
Actions

I FINALLY FIXED IT!! But be aware that it's a huge patch and I suspect a bug in libphutil.

I changed my host configuration of lighttpd from

$HTTP["host"] =~ "my.phabserver.com:8080" {
  server.document-root = "/srv/http/phabricator/webroot"
  url.rewrite-once = (
    "^(/rsrc/.*)$" => "$1",
    "^(/favicon.ico)$" => "$1",
    # This simulates QSA (query string append) mode in Apache
    "^(/[^?]*)\?(.*)" => "/index.php?__path__=$1&$2",
    "^(/.*)$" => "/index.php?__path__=$1",
  )
}

# You can use the regex or just put 'my.phabserver.com'
$HTTP["host"] =~ "(^|\.)my\.phabserver\.com(\:[0-9]*)?$" {
  server.document-root = "/srv/http/phabricator/webroot"
  url.rewrite-once = (
    "^(/rsrc/.*)$" => "$1",
    "^(/favicon.ico)$" => "$1",
    # This simulates QSA (query string append) mode in Apache
    "^(/[^?]*)\?(.*)" => "/index.php?__path__=$1&$2",
    "^(/.*)$" => "/index.php?__path__=$1",
  )
}

Now both the web and arcanist are working great.
Morale of this story: Don't add the port in the host regex of lighttpd, or arcanist won't work.

Thanks for all your support! I would not have found all this without all of you!
I wonder if this worth a bug report? Seems I found quite of a corner case. Maybe add a warning in the documentation for the moment?

EDIT: For those new here, here's how I found the origin of this error.
This is the log for the command curl -v -XPOST -d'params=[]&output=json&__conduit__=1' "http://my.phabserver.com:8080/api/conduit.ping":

2016-08-27 12:22:22: (request.c.436) fd: 6 request-len: 170 \nPOST /api/conduit.ping HTTP/1.1\r\nHost: my.phabserver.com:8080\r\nUser-Agent: curl/7.50.1\r\nAccept: */*\r\nContent-Length: 35\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n

This is the log for arc install-certificate 'http://my.phabserver.com:8080/api/':

2016-08-27 12:22:43: (request.c.436) fd: 6 request-len: 140 \nPOST /api/conduit.ping HTTP/1.1\r\nHost: my.phabserver.com\r\nAccept: */*\r\nContent-Length: 39\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n

As you can see, the host section is different between the two: one has the port 8080 and work, and the other has not the port and fail.

New Answer

Answer

This question has been marked as closed, but you can still leave a new answer.

Arcanist 404 when installing certificateClosed, ResolvedPublicActions

Details

Event Timeline

Answers

michaeljs1990Updated 2,798 Days AgoActions

Steps to reproduce

Event Timeline

gracicotUpdated 2,798 Days AgoActions

Event Timeline

New Answer

Answer

Arcanist 404 when installing certificate
Closed, ResolvedPublic
Actions

michaeljs1990
Updated 2,798 Days Ago
Actions

gracicot
Updated 2,798 Days Ago
Actions