Hey Gary, Could you provide us the log `/opt/gluu/jetty/identity/logs/oxtrust.log` and `/opt/gluu/jetty/oxauth/logs/oxauth.log` inside the Gluu Server chroot? Also note that, [according to the documentation](https://gluu.org/docs/ce/3.1.2/installation-guide/#amazon-aws), you're supposed to use the **Private IP address**, which can be found in your EC2 dashboard.

Hi Chris, Yes, I followed the instructions for installation and used private IP for IP and put check.gluu.org for the host name. Here are the installation parameters I put: IP 10.229.26.222 hostname . check.gluu.org I will take a look at log files you mentioned and let you know

Here is from the oxtrust.log file : 2018-04-24 16:48:09,137 ERROR [Thread-1086] [org.gluu.oxtrust.ldap.service.StatusCheckerTimer] (StatusCheckerTimer.java:217) - Can not download ssl certificate java.net.UnknownHostException: check.gluu.org at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184) ~[?:1.8.0_112] at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[?:1.8.0_112] at java.net.Socket.connect(Socket.java:589) ~[?:1.8.0_112] at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668) ~[?:1.8.0_112] at sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173) ~[?:1.8.0_112] at sun.net.NetworkClient.doConnect(NetworkClient.java:180) ~[?:1.8.0_112] oxauth.log has no error, just couple warnings: 2018-04-24 15:05:44,215 WARN [main] [org.jboss.resteasy.spi.metadata.ResourceBuilder$ResourceMethodBuilder] (ResourceBuilder.java:581) - RESTEASY002141: MediaType application/xml on get() lacks charset. Consider setting charset or turning on context parameter resteasy.add.charset 2018-04-24 15:05:44,217 WARN [main] [org.jboss.resteasy.spi.metadata.ResourceBuilder$ResourceMethodBuilder] (ResourceBuilder.java:581) - RESTEASY002141: MediaType application/xml on get() lacks charset. Consider setting charset or turning on context parameter resteasy.add.charset

Gary, Can you show me what the `/etc/hosts` file inside your chroot looks like? This error is showing that it's unresolvable: ``` 2018-04-24 16:48:09,137 ERROR [Thread-1086] [org.gluu.oxtrust.ldap.service.StatusCheckerTimer] (StatusCheckerTimer.java:217) - Can not download ssl certificate java.net.UnknownHostException: check.gluu.org ```

Chris, This was one of my question. After installation /etc/hosts file was not modified automatically and i understand that it must have the entry like: ip check.gluu.org I was not sure which IP I should put. I tried to put the private IP address of the EC2 instance, which is 10.229.26.222, but it is still not working. Still same error: 2018-04-24 19:06:10,377 ERROR [Thread-24] [org.gluu.oxtrust.ldap.service.StatusCheckerTimer] (StatusCheckerTimer.java:217) - Can not download ssl certificate java.net.UnknownHostException: check.gluu.org at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184) ~[?:1.8.0_112] at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[?:1.8.0_112] at java.net.Socket.connect(Socket.java:589) ~[?:1.8.0_112] at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668) ~[?:1.8.0_112] at sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173) ~[?:1.8.0_112] Here is how /etc/hosts file looks like: 127.0.0.1 localhost 10.229.26.222 check.gluu.org # The following lines are desirable for IPv6 capable hosts ::1 ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters ff02::3 ip6-allhosts

the file was auto formated after I submit the post. Here it is one more time: 127.0.0.1 localhost 10.229.26.222 check.gluu.org ::1 ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters ff02::3 ip6-allhosts

The video I mentioned above shows that 443 port configuration in iptable. Maybe the same should be done on Ubuntu 16.4 (something similar to iptable like it was in version 14)? The Gluu installation documentation does not tell that I have to manually add IP and host in the /etc/hosts file. Is it a bug in installation package? What is the work around? How I can fix it manually? Please help Thanks, Gary

Gary, It's definitely a bug in regards to the host name inside the chroot not being modified. Are port 80 and 443 accessible from your machine? You might need to adjust the EC2 settings to allow these to be accessible.

Chris, I have adjusted Security Group on EC2 instance to allow to connect on HTTP (80) or HTTPS (443) Here is how it look like now: HTTP TCP 80 0.0.0.0/0 HTTP TCP 80 ::/0 Custom TCP Rule TCP 443 0.0.0.0/0 Custom TCP Rule TCP 443 ::/0 But still did not help. I am still having the same error: 2018-04-24 22:03:20,944 ERROR [Thread-131] [org.gluu.oxtrust.ldap.service.StatusCheckerTimer] (StatusCheckerTimer.java:217) - Can not download ssl certificate java.net.UnknownHostException: check.gluu.org at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184) ~[?:1.8.0_112] at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[?:1.8.0_112]

I also was trying to tunneling using this: ssh -i key.pem ubuntu@10.229.26.222 -L 443:check.gluu.org:443 But got the error: Privileged ports can only be forwarded by root

Gary, A couple things: It still seems like oxTrust can't access oxAuth. Please run the following command: ``` curl -kL https://check.gluu.org/oxauth ``` If nothing comes back, you're still having trouble with routing Did you modify the `/etc/hosts` *inside* the chroot, or outside? If only outside the chroot, i.e. without running `service gluu-server-3.1.2 login` before modifying the file, you're chroot instance won't be able to access that modification. Also, these instructions in the video are for installing CentOS 6. Not sure if you followed them to the t. It's using Gluu Server 3.0.1 as well.

Gary, Here is my two cents on AWS instance... - You don't need to worry about ip_address when you install Gluu Server; just hit enter... setup script automatically take suitable IP address. - Make sure you open 443 incoming from internet from AWS control panel for this instance. - If you want to 'access' this hostname from internet / browser; you need to map "EXTERNAL_IP hostname_of_Gluu_Server" in your computer's /etc/hosts file.

Chris, Yes, I modified /etc/hosts file after login to Gluu server. I ran curl -kL https://check.gluu.org/oxauth and it works fine. It returns the following: { "issuer": "https://check.gluu.org", "authorization_endpoint": "https://check.gluu.org/oxauth/restv1/authorize", "token_endpoint": "https://check.gluu.org/oxauth/restv1/token", "userinfo_endpoint": "https://check.gluu.org/oxauth/restv1/userinfo", "clientinfo_endpoint": "https://check.gluu.org/oxauth/restv1/clientinfo", "check_session_iframe": "https://check.gluu.org/oxauth/opiframe", "end_session_endpoint": "https://check.gluu.org/oxauth/restv1/end_session", "jwks_uri": "https://check.gluu.org/oxauth/restv1/jwks", "registration_endpoint": "https://check.gluu.org/oxauth/restv1/register", ... I think maybe the error: Can not download ssl certificate java.net.UnknownHostException: check.gluu.org at can happens due to AWS does not have the SSL certificate installed. I will try self-signed certificate and let you know. Thanks, Gary

@Mohib : yes, I have the following row in my laptop's /etc/hosts file: 10.229.26.222 check.gluu.org Here 10.229.26.222 is the IP of the EC2 instance machine where I installed Gluu Server. It seems to me it must be a different IP which Gluu Server is using after installation in EC2 box. How can I determine the EXTERNAL_IP hostname_of_Gluu_Server ? Thanks, Gary

Chris, Apache2 site-file /etc/apache2/sites-enabled/https_gluu.conf contains SSL certificat information: SSLCertificateFile /etc/certs/httpd.crt SSLCertificateKeyFile /etc/certs/httpd.key I can copy .pem file to my machine and add it to Chrome browser. Just need to make sure that it is the right .pem file. I found it here /etc/certs/saml.pem Please let me know if it is the right one. Thanks, Gary

>> How can I determine the EXTERNAL_IP hostname_of_Gluu_Server ? That's available in your AWS control panel. Log into AWS admin panel --> EC2 --> select that instance.

Mohit, yes I know how to see the IP of the EC2 instance, I was just not sure if it is the same IP I have to use in /etc/hosts Thanks, Gary

Chris, I copied /opt/gluu-server-3.1.2/etc/certs/saml.pem cert file to my local machine where I use Chrome browser to open https://check.gluu.org and I imported this cert to Chrome browser. Unfortunately, it did not fix the problem - still the same error in the log. Looks like it is not the certificate issue. Please advice the next steps for troubleshooting Thanks, Gary

Hi Chris, What do you think I can try next to troubleshoot the issue? I have one idea: what if disable HSTS headers in Apache HTTP server config. This will prevent Chrome browser from enforcing HTTPS and will allow to click “Advanced → proceed to your.url (unsafe)”. It will allow the check.gluu.org to be publicly viewed over HTTP and/or insecure HTTPS connection. Please let me know what do you think. Thanks, Gary

Gary, > 10.229.26.222 Is this the internal IP address or the external IP address you're mapping to your laptops `/etc/hosts`. It looks like an internal address. > I copied /opt/gluu-server-3.1.2/etc/certs/saml.pem cert file to my local machine I don't think your issue is related to your local browser, as you can curl oxauth on 443. Try to curl identity/oxtrust: ``` curl -kL https://check.gluu.org/identity ``` Also can you send your entire oxtrust and oxauth logs so I can review it.

Chris, Yes, it is private IP address of the AWS EC2 instance. Should I use external IP address in /etc/hosts file? After I did sudo service gluu-server-3.1.2 login, I opened a new terminal window on my laptop and tried curl command: curl -kL https://check.gluu.org/identity I got the following response: <html><head><meta http-equiv="Refresh" content="0; URL=home.htm"/></head></html> I downloaded 2 log files you asked, but I don't know how to attached them here. Any idea? Thanks, Gary

Chris, I used private IP as we are in the same corp network and AWS EC2 instance in in VPC. So the private IP must be visible. I don't see public IPv6 IP in EC2 instance configuration. Thanks, Gary

Gary, There's an `Attachment` button on the bottom of the form, where I'm typing right now. > I used private IP as we are in the same corp network and AWS EC2 instance in in VPC. So the private IP must be visible. I don't see public IPv6 IP in EC2 instance configuration. Locally you should use the external ip address as you can't access the internal ip addresses of Amazon from your laptop. Most of your issues are related to networking in EC2 instances. Have you considered trying Digital Ocean?

> Have you considered trying Digital Ocean? What is this? Can you give me more details. > There's an Attachment button on the bottom of the form I still can't see it. There are only 2 buttons there: Post and Post & Close in the end of the form. There are also 2 more fields there: Link URL and Send Copy to. No Attachment button. I am using Chrome on Mac, I also tried on Safari on Mac - still I don't see Attachment button. Could you please provide me youe email address and i will send these 2 log files to you? Thanks, Gary

Chris, Looks like I need a DNS entry and a public ip. For now I don't have neither on AWS EC2 as we use VPC. I will speak with our devops team to see what we can do. Any advise from your side will be helpful as well Thanks, Gary

Gary, Please reopen the ticket if required.

Hi Chris, I spoke with our DevOps team and they configured elastic IP address for the box. So, now I have Public IP and public DNS. I re-installed Gluu Server 3.1.2 and specified those IP and host name during running setup.py. After all configuration was completed, I tried to access the host: https://<host> on a browser and I got the following error: HTTP ERROR: 503 Problem accessing /identity/. Reason: Service Unavailable I double checked and the service is up and running. And I don't see any errors in the log files /opt/gluu/jetty/oxauth/logs/oxauth.log : 2018-05-09 23:17:32,532 INFO [main] [org.jboss.weld.environment.servlet.EnhancedListener] (EnhancedListener.java:58) - WELD-ENV-001008: Initialize Weld using ServletContainerInitializer 2018-05-09 23:17:32,802 INFO [main] [org.jboss.weld.bootstrap.WeldStartup] (WeldStartup.java:146) - WELD-000900: 3.0.0 (Final) 2018-05-09 23:17:33,118 WARN [main] [org.jboss.weld.xml.BeansXmlHandler] (BeansXmlHandler.java:397) - WELD-001208: Error when validating file:/opt/jetty-9.3/temp/jetty-localhost-8081-oxauth.war-_oxauth-any-5040382597978508932.dir/webapp/WEB-INF/classes/META-INF/beans.xml@6 against xsd. cvc-complex-type.4: Attribute 'bean-discovery-mode' must appear on element 'beans'. 2018-05-09 23:17:33,175 WARN [main] [org.jboss.weld.xml.BeansXmlHandler] (BeansXmlHandler.java:397) - WELD-001208: Error when validating jar:file:/opt/jetty-9.3/temp/jetty-localhost-8081-oxauth.war-_oxauth-any-5040382597978508932.dir/webapp/WEB-INF/lib/oxcore-server-3.1.2.Final.jar!/META-INF/beans.xml@6 against xsd. cvc-complex-type.4: Attribute 'bean-discovery-mode' must appear on element 'beans'. 2018-05-09 23:17:33,195 WARN [main] [org.jboss.weld.xml.BeansXmlHandler] (BeansXmlHandler.java:397) - WELD-001208: Error when validating jar:file:/opt/jetty-9.3/temp/jetty-localhost-8081-oxauth.war-_oxauth-any-5040382597978508932.dir/webapp/WEB-INF/lib/oxcore-jsf-util-3.1.2.Final.jar!/META-INF/beans.xml@6 against xsd. cvc-complex-type.4: Attribute 'bean-discovery-mode' must appear on element 'beans'. 2018-05-09 23:17:33,215 WARN [main] [org.jboss.weld.xml.BeansXmlHandler] (BeansXmlHandler.java:397) - WELD-001208: Error when validating jar:file:/opt/jetty-9.3/temp/jetty-localhost-8081-oxauth.war-_oxauth-any-5040382597978508932.dir/webapp/WEB-INF/lib/oxcore-service-3.1.2.Final.jar!/META-INF/beans.xml@6 against xsd. cvc-complex-type.4: Attribute 'bean-discovery-mode' must appear on element 'beans'. 2018-05-09 23:17:33,240 WARN [main] [org.jboss.weld.xml.BeansXmlHandler] (BeansXmlHandler.java:397) - WELD-001208: Error when validating file:/opt/jetty-9.3/temp/jetty-localhost-8081-oxauth.war-_oxauth-any-5040382597978508932.dir/webapp/WEB-INF/classes/META-INF/beans.xml@6 against xsd. cvc-complex-type.4: Attribute 'bean-discovery-mode' must appear on element 'beans'. 2018-05-09 23:17:33,395 INFO [main] [org.jboss.weld.bootstrap.WeldStartup] (WeldStartup.java:220) - WELD-000101: Transactional services not available. Injection of @Inject UserTransaction not available. Transactional observers will be invoked synchronously. 2018-05-09 23:17:33,633 INFO [main] [org.jboss.weld.event.ExtensionObserverMethodImpl] (ExtensionObserverMethodImpl.java:86) - WELD-000411: Observer method [BackedAnnotatedMethod] public org.xdi.service.security.SecurityExtension.processAnnotatedType(@Observes ProcessAnnotatedType<X>) receives events for all annotated types. Consider restricting events using @WithAnnotations or a generic type with bounds. 2018-05-09 23:17:33,667 WARN [main] [org.jboss.weld.bootstrap.events.BeforeBeanDiscoveryImpl] (BeforeBeanDiscoveryImpl.java:118) - WELD-000146: BeforeBeanDiscovery.addAnnotatedType(AnnotatedType<?>) used for class com.sun.faces.flow.FlowDiscoveryCDIHelper is deprecated from CDI 1.1! 2018-05-09 23:17:33,685 WARN [main] [org.jboss.weld.bootstrap.events.BeforeBeanDiscoveryImpl] (BeforeBeanDiscoveryImpl.java:118) - WELD-000146: BeforeBeanDiscovery.addAnnotatedType(AnnotatedType<?>) used for class org.hibernate.validator.internal.cdi.interceptor.ValidationInterceptor is deprecated from CDI 1.1! 2018-05-09 23:17:34,656 WARN [main] [org.jboss.weld.annotated.AnnotatedTypeValidator] (AnnotatedTypeValidator.java:82) - WELD-001116: AnnotatedType ([BackedAnnotatedType] static class org.xdi.service.metric.LdapEntryReporter$1) without a constructor 2018-05-09 23:17:34,784 WARN [main] [org.jboss.weld.annotated.AnnotatedTypeValidator] (AnnotatedTypeValidator.java:82) - WELD-001116: AnnotatedType ([BackedAnnotatedType] static class org.xdi.service.cache.RedisProviderFactory$1) without a constructor 2018-05-09 23:17:34,830 WARN [main] [org.jboss.weld.annotated.AnnotatedTypeValidator] (AnnotatedTypeValidator.java:82) - WELD-001116: AnnotatedType ([BackedAnnotatedType] static class org.xdi.service.cache.CacheProviderFactory$1) without a constructor 2018-05-09 23:17:34,831 WARN [main] [org.jboss.weld.annotated.AnnotatedTypeValidator] (AnnotatedTypeValidator.java:82) - WELD-001116: AnnotatedType ([BackedAnnotatedType] static class org.xdi.service.PythonService$1) without a constructor 2018-05-09 23:17:35,172 WARN [main] [org.jboss.weld.annotated.AnnotatedTypeValidator] (AnnotatedTypeValidator.java:82) - WELD-001116: AnnotatedType ([BackedAnnotatedType] static class org.xdi.oxauth.model.token.TokenParamsValidator$1) without a constructor 2018-05-09 23:17:35,221 WARN [main] [org.jboss.weld.annotated.AnnotatedTypeValidator] (AnnotatedTypeValidator.java:82) - WELD-001116: AnnotatedType ([BackedAnnotatedType] static class org.xdi.oxauth.service.SessionIdService$1) without a constructor 2018-05-09 23:17:35,251 WARN [main] [org.jboss.weld.annotated.AnnotatedTypeValidator] (AnnotatedTypeValidator.java:82) - WELD-001116: AnnotatedType ([BackedAnnotatedType] static class org.xdi.oxauth.model.common.AuthorizationGrantList$1) without a constructor 2018-05-09 23:17:35,283 WARN [main] [org.jboss.weld.annotated.AnnotatedTypeValidator] (AnnotatedTypeValidator.java:82) - WELD-001116: AnnotatedType ([BackedAnnotatedType] static class org.xdi.oxauth.idgen.ws.rs.InumGenerator$1) without a constructor 2018-05-09 23:17:35,291 WARN [main] [org.jboss.weld.annotated.AnnotatedTypeValidator] (AnnotatedTypeValidator.java:82) - WELD-001116: AnnotatedType ([BackedAnnotatedType] static class org.xdi.oxauth.uma.service.UmaValidationService$2) without a constructor 2018-05-09 23:17:35,344 WARN [main] [org.jboss.weld.annotated.AnnotatedTypeValidator] (AnnotatedTypeValidator.java:82) - WELD-001116: AnnotatedType ([BackedAnnotatedType] static class org.xdi.oxauth.model.registration.RegisterParamsValidator$1) without a constructor 2018-05-09 23:17:35,985 WARN [main] [org.jboss.weld.annotated.AnnotatedTypeValidator] (AnnotatedTypeValidator.java:82) - WELD-001116: AnnotatedType ([BackedAnnotatedType] static class org.xdi.oxauth.model.authorize.ClaimValue$1) without a constructor 2018-05-09 23:17:35,998 WARN [main] [org.jboss.weld.annotated.AnnotatedTypeValidator] (AnnotatedTypeValidator.java:82) - WELD-001116: AnnotatedType ([BackedAnnotatedType] static class org.xdi.oxauth.audit.debug.wrapper.RequestWrapper$1) without a constructor 2018-05-09 23:17:36,009 WARN [main] [org.jboss.weld.annotated.AnnotatedTypeValidator] (AnnotatedTypeValidator.java:82) - WELD-001116: AnnotatedType ([BackedAnnotatedType] static class org.xdi.oxauth.service.GrantService$4) without a constructor 2018-05-09 23:17:36,031 WARN [main] [org.jboss.weld.annotated.AnnotatedTypeValidator] (AnnotatedTypeValidator.java:82) - WELD-001116: AnnotatedType ([BackedAnnotatedType] static class org.gluu.oxserver.filters.AbstractCorsFilter$1) without a constructor 2018-05-09 23:17:36,058 INFO [main] [org.jboss.weld.environment.jetty.JettyContainer] (JettyContainer.java:77) - WELD-ENV-001200: Jetty 7.2+ detected, CDI injection will be available in Servlets and Filters. Injection into Listeners should work on Jetty 9.1.1 and newer. 2018-05-09 23:17:37,460 WARN [weld-worker-2] [org.jboss.weld.bootstrap.Validator] (Validator.java:443) - WELD-001440: Scope type @javax.enterprise.context.ApplicationScoped() used on injection point [UnbackedAnnotatedField] @Inject @ApplicationScoped private org.xdi.service.cache.CacheProviderFactory.instance at org.xdi.service.cache.CacheProviderFactory.instance(CacheProviderFactory.java:0) StackTrace 2018-05-09 23:17:38,012 INFO [main] [org.xdi.oxauth.model.util.SecurityProviderUtility] (SecurityProviderUtility.java:23) - Adding Bouncy Castle Provider /opt/gluu/jetty/identity/logs/oxtrust.log : 2018-05-09 23:18:28,050 INFO [main] [org.gluu.oxtrust.util.BuildVersion] (BuildVersion.java:82) - Root element :beans 2018-05-09 23:18:28,196 INFO [main] [org.xdi.oxauth.model.util.SecurityProviderUtility] (SecurityProviderUtility.java:23) - Adding Bouncy Castle Provider 2018-05-09 23:18:28,296 INFO [main] [org.gluu.oxtrust.ldap.service.AppInitializer] (AppInitializer.java:275) - Build date 2018-01-18 09:51. Code revision 9de781cd23764ec11b234af65cd055d159a83877 on ${git.commit.time}. Build 1492 2018-05-09 23:18:28,309 INFO [main] [org.gluu.oxtrust.config.ConfigurationFactory] (ConfigurationFactory.java:134) - Creating oxTrustConfiguration 2018-05-09 23:18:28,310 INFO [main] [org.gluu.oxtrust.config.ConfigurationFactory] (ConfigurationFactory.java:420) - ########## ldapFileName = /etc/gluu/conf/ox-ldap.properties Please advise. Thanks, Gary

Hi, I am following up regarding my latest post. Please give me some update. Thanks Gary