Running iPrint on OES 2023 - getting error 403 accessing IPP page

Good day, 

When attempting to access the IPP page, https://[server IP address]/IPP the page responds with 

Forbidden
You don't have permission to access this resource.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

I have tried multiple web browsers (Pale Moon, Google Chrome, and Edge), but each one has a similar error. I checked the services; the Driver Store and Print Manager were dead, but I have restarted them, along with the Apache and Tomcat services, as I was just trying anything at this point to get this working again. I do have plans to move the printing over to the OES 23.4 server shortly, but any help would be appreciated.

Thank you, 

-DS

  • The Apache and Tomcat logs would be where I look next; there might be a good clue there.

    Bets are there is a file without the correct ownership or rights, and hopefully the logs will point you to them.

    ________________________

    Andy of KonecnyConsulting.ca in Toronto
    Please use the "Like" and/or "Verified Answers" as appropriate as that helps us all.

  • [Thu Nov 30 09:34:36.173552 2023] [ssl:warn] [pid 28213] AH01909: 1xx.1xx.1.xx:631:0 server certificate does NOT include an ID which matches the server name
    [Thu Nov 30 09:34:36.221187 2023] [so:warn] [pid 28213] AH01574: module headers_module is already loaded, skipping
    [Thu Nov 30 09:34:36.224988 2023] [ssl:error] [pid 28213] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=zational CA / serial: 6BCB58356AAE8CE13C5855B91D790AAFA5B2A0AC / notbefore: Mar 2 14:41:21 2023 GMT / notafter: Mar 1 14:41:21 2025 GMT]
    [Thu Nov 30 09:34:36.225030 2023] [ssl:error] [pid 28213] AH02604: Unable to configure certificate Sxxxxx04.hxxx.sxxx:443:0 for stapling
    [Thu Nov 30 09:34:36.225592 2023] [ssl:warn] [pid 28213] AH01909: 1xx.1xx.1.xx:631:0 server certificate does NOT include an ID which matches the server name
    [Thu Nov 30 09:34:36.275308 2023] [mpm_prefork:notice] [pid 28213] AH00163: Apache/2.4.51 (Linux/SUSE) OpenSSL/1.1.1l PHP/8.0.10 ipp_module/$Revision $ configured -- resuming normal operations
    [Thu Nov 30 09:34:36.275396 2023] [core:notice] [pid 28213] AH00094: Command line: '/usr/sbin/httpd-prefork -D SYSCONFIG -D SSL -C PidFile /run/httpd.pid -C Include /etc/apache2/sysconfig.d//loadmodule.conf -C Include /etc/apache2/sysconfig.d//global.conf -f /etc/apache2/httpd.conf -c Include /etc/apache2/sysconfig.d//include.conf -D SYSTEMD -D FOREGROUND'
    [Thu Nov 30 09:34:49.114696 2023] [core:error] [pid 28224] (13)Permission denied: [client 1xx.1xx.1.xx:51425] AH00035: access to /ippdocs/pcontrol.htm denied (filesystem path '/media/nss/IPRINT') because search permissions are missing on a component of the path, referer: http://1xx.1xx.1.xx/
    [Thu Nov 30 09:35:16.350155 2023] [core:error] [pid 28307] (13)Permission denied: [client 1xx.1xx.1.xx:51602] AH00035: access to /ippdocs/pcontrol.htm denied (filesystem path '/media/nss/IPRINT') because search permissions are missing on a component of the path, referer: http://1xx.1xx.1.xx/

    I tried to mask the name and IP address, but there do appear to be some issues with Apache attempting to read the certificate from itself (I mean the server in question). I know that a few months back I had to recreate the certificate for my main eDirectory server, but I believe the IPP has been available recently. The above was from the Apache log; I didn't think that Tomcat really played a hand in the operations of the iPrint environment.

  • Clearly you are going to have to look at the cert Apache is using.

    If you haven't done anything beyond defaults, check this server's cert with iManager, Roles and Tasks, NetIQ Certificate Access, Server Certificates, select the iPrint server, then each of the certs showing, and press Validate.
    I am guessing there is a problem there, and you may well just have to reissue them.

    ________________________

    Andy of KonecnyConsulting.ca in Toronto

  • Suggested Answer

    [Thu Nov 30 09:34:49.114696 2023] [core:error] [pid 28224] (13)Permission denied: [client 1xx.1xx.1.xx:51425] AH00035: access to /ippdocs/pcontrol.htm denied (filesystem path '/media/nss/IPRINT') because search permissions are missing on a component of the path, referer: http://1xx.1xx.1.xx/

    That was a known issue when running iPrint in a mixed cluster node, OES 2018SP3 / OES 2023. The OES 2023 node uses the Apache local user and not the LUM-enabled user. This is fixed in OES 2023 update 5:

    zypper info  -t patch oes2023-2023-35

    Defects Fixed:
    ------------------------

    OCTCR52A632157 Issues with iPrint LUM on mixed cluster nodes, OES 2023 and OES 2018SP3.
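
Added example (not part of any post in this thread, and not Micro Focus/OpenText code): a small script that pulls the AH00035 "search permissions are missing" entries out of an Apache error log and reports the first path component the calling user cannot traverse. The function names and the sample log lines are constructed for illustration; run it as the account Apache runs as so the check reflects that account's rights.

```python
import os
import re

# Shape of the AH00035 entries quoted from the Apache error log in this thread.
AH00035 = re.compile(
    r"AH00035: access to (?P<uri>\S+) denied "
    r"\(filesystem path '(?P<fs_path>[^']+)'\)"
)

# Constructed sample lines (documentation IP addresses), modelled on the thread's log.
SAMPLE = [
    "[Thu Nov 30 09:34:36.173552 2023] [ssl:warn] [pid 28213] AH01909: "
    "192.0.2.10:631:0 server certificate does NOT include an ID which matches the server name",
    "[Thu Nov 30 09:34:49.114696 2023] [core:error] [pid 28224] (13)Permission denied: "
    "[client 192.0.2.20:51425] AH00035: access to /ippdocs/pcontrol.htm denied "
    "(filesystem path '/media/nss/IPRINT') because search permissions are missing "
    "on a component of the path, referer: http://192.0.2.10/",
]

def denied_paths(log_lines):
    """Map each denied filesystem path to the set of URIs that hit it."""
    found = {}
    for line in log_lines:
        m = AH00035.search(line)
        if m:
            found.setdefault(m.group("fs_path"), set()).add(m.group("uri"))
    return found

def components(path):
    """Expand an absolute path into every directory Apache must traverse."""
    out = [os.sep]
    for part in os.path.normpath(path).split(os.sep):
        if part:
            out.append(os.path.join(out[-1], part))
    return out

# os.access asks the kernel, so the answer reflects the rights of the user
# running the script; a component that does not exist also counts as blocked.
def first_blocked(path, can_search=lambda p: os.access(p, os.X_OK)):
    """Return the first component the caller cannot search, else None."""
    for comp in components(path):
        if not can_search(comp):
            return comp
    return None

if __name__ == "__main__":
    for fs_path, uris in denied_paths(SAMPLE).items():
        print(fs_path, sorted(uris), "first blocked:", first_blocked(fs_path))
```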