...
Where possible, it's best to use a Private/Incognito session to perform the OAuth flow. Cached SSO logins, or a prompt for the wrong SSO ID, can cause the OAuth flow to fail with a change of UserID mid-session.
Troubleshooting Connectivity
The web browser you use needs access to both Webex (internet) and yarnman for the OAuth flow to work correctly.
DNS
The output below shows the yarnman server unable to resolve DNS:
```
yarnman@ym-ph4-wxc-glen [ ~ ]$ curl "https://webexapis.com" -I
curl: (6) Could not resolve host: webexapis.com
yarnman@ym-ph4-wxc-glen [ ~ ]$
```
Check DNS servers used by the yarnman server (do not edit this file)
```
yarnman@ym-ph4-wxc-glen [ ~ ]$ cat /run/systemd/resolve/resolv.conf
# This is /run/systemd/resolve/resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 10.0.0.1
search lab.yarnlab.io
```
To change the DNS servers: in this example we are replacing the single DNS server with multiple DNS servers.
You will first need to log in as the root user, using su, to modify system settings. Exit out of root when you are done.
```
yarnman@ym-ph4-wxc-glen [ ~ ]$ su
Password:
root@ym-ph4-wxc-glen [ /var/home/yarnman ]# netmgr dns_servers --set --mode static --servers 8.8.8.8,8.8.4.4
root@ym-ph4-wxc-glen [ /var/home/yarnman ]# exit
```
```
yarnman@ym-ph4-wxc-glen [ ~ ]$ cat /run/systemd/resolve/resolv.conf
# This is /run/systemd/resolve/resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 8.8.8.8
nameserver 8.8.4.4
search lab.yarnlab.io
```
Test to validate that yarnman can reach webexapis.com. Note the 401 error, as we are trying to browse without any credentials.
Test Direct Access
```
yarnman@ym-ph4-wxc-glen [ ~ ]$ curl "https://webexapis.com" -I
HTTP/1.1 401 Unauthorized
x-content-type-options: nosniff
trackingid: ROUTERGW_5fdd5b92-b77f-40af-9f46-ceae729d74ba
vary: accept-encoding
content-type: application/json
date: Wed, 13 Mar 2024 03:22:59 GMT
server: istio-envoy
x-envoy-upstream-service-time: 1
transfer-encoding: chunked
```
Proxy
Depending on your environment, yarnman may also need to be able to resolve the proxy's name if an FQDN is required to reach the proxy server.
You can verify that yarnman can reach the proxy using curl. The HTTP/1.1 200 Connection established line shows that the connection to the proxy was successful.
Proxy without Auth
```
yarnman@ym-ph4-wxc-glen [ ~ ]$ curl --proxy "http://10.101.10.87:3130" "https://webexapis.com/" -I
HTTP/1.1 200 Connection established
HTTP/1.1 401 Unauthorized
x-content-type-options: nosniff
trackingid: ROUTERGW_2c5c1133-6586-42d2-a9cd-afaca8842baa
vary: accept-encoding
content-type: application/json
date: Wed, 13 Mar 2024 03:25:18 GMT
server: istio-envoy
x-envoy-upstream-service-time: 2
transfer-encoding: chunked
```
Proxy showing user/pass is required
The proxy server requires a user/pass to connect, as shown by the 407 error.
```
yarnman@ym-ph4-wxc-glen [ ~ ]$ curl --proxy "http://10.101.10.87:3129" "https://webexapis.com/" -I
HTTP/1.1 407 Proxy Authentication Required
Server: squid/4.13
Mime-Version: 1.0
Date: Wed, 13 Mar 2024 03:26:32 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3519
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
Proxy-Authenticate: Basic realm="Squid"
X-Cache: MISS from 18a6e4fa9a26
X-Cache-Lookup: NONE from 18a6e4fa9a26:3129
Via: 1.1 18a6e4fa9a26 (squid/4.13)
Connection: keep-alive
curl: (56) CONNECT tunnel failed, response 407
```
Proxy showing user/pass to the proxy
The first 407 tells curl to try again with user:pass. The 200 shows that the connection to the proxy was successful, followed by the 401 from Webex as expected.
```
yarnman@ym-ph4-wxc-glen [ ~ ]$ curl --proxy-anyauth -x http://basicuser:basicuser123@10.101.10.87:3129 -4 "https://webexapis.com/" -I
HTTP/1.1 407 Proxy Authentication Required
Server: squid/4.13
Mime-Version: 1.0
Date: Wed, 13 Mar 2024 03:38:10 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3519
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
Proxy-Authenticate: Basic realm="Squid"
X-Cache: MISS from 18a6e4fa9a26
X-Cache-Lookup: NONE from 18a6e4fa9a26:3129
Via: 1.1 18a6e4fa9a26 (squid/4.13)
Connection: keep-alive
HTTP/1.1 200 Connection established
HTTP/1.1 401 Unauthorized
x-content-type-options: nosniff
trackingid: ROUTERGW_cc737ef5-1e1d-4e2f-8a1e-840dd944250f
vary: accept-encoding
content-type: application/json
date: Wed, 13 Mar 2024 03:38:11 GMT
server: istio-envoy
x-envoy-upstream-service-time: 3
transfer-encoding: chunked
```
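The DNS, direct-access, proxy and proxy-authentication checks in this section can be folded into one classifier that reads curl's exit code and the status lines it printed. This is an added example, not part of yarnman or its documentation; the function names, the category labels and the PROXY_USERPASS variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify one `curl -I https://webexapis.com/` probe.
# The category names are labels made up for this example.

# classify_probe <curl_exit_code> <header_text>
classify_probe() (
  rc="$1"
  # A proxied HTTPS probe prints the proxy's CONNECT reply first and the
  # Webex reply last, so collect every status code in order.
  statuses=$(printf '%s\n' "$2" | tr -d '\r' | awk '/^HTTP\//{printf "%s ", $2}')
  last=${statuses% }; last=${last##* }
  case "$rc:$last" in
    6:*)    echo dns_failure ;;            # curl: (6) Could not resolve host
    56:407) echo proxy_auth_required ;;    # CONNECT tunnel failed, response 407
    0:401)  case "$statuses" in            # Webex answered; 401 is expected
              *"200 401 ") echo reachable_via_proxy ;;
              *)           echo reachable_direct ;;
            esac ;;
    *)      echo unknown ;;
  esac
)

# probe [proxy_url]: live check. Proxy credentials are read from the
# PROXY_USERPASS variable ("user:pass") and handed to curl on stdin (-K -),
# so they never appear on curl's command line or in the process list.
# A password containing " or \ would need escaping for curl's config syntax.
probe() (
  proxy="${1:-}"
  set -- -sS -I --max-time 10
  if [ -n "$proxy" ]; then set -- "$@" --proxy "$proxy" --proxy-anyauth; fi
  if [ -n "${PROXY_USERPASS:-}" ]; then
    out=$(printf 'proxy-user = "%s"\n' "$PROXY_USERPASS" |
          curl -K - "$@" https://webexapis.com/ 2>/dev/null) && rc=0 || rc=$?
  else
    out=$(curl "$@" https://webexapis.com/ 2>/dev/null) && rc=0 || rc=$?
  fi
  classify_probe "$rc" "$out"
)

# Offline demo on status lines taken from the captures above (headers trimmed).
VIA_PROXY_AUTH='HTTP/1.1 407 Proxy Authentication Required
HTTP/1.1 200 Connection established
HTTP/1.1 401 Unauthorized'
classify_probe 6 ''                                             # dns_failure
classify_probe 56 'HTTP/1.1 407 Proxy Authentication Required'  # proxy_auth_required
classify_probe 0 "$VIA_PROXY_AUTH"                              # reachable_via_proxy
classify_probe 0 'HTTP/1.1 401 Unauthorized'                    # reachable_direct
```

On the yarnman server, run `probe` for the direct check or `probe http://10.101.10.87:3129` for the proxied one.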