Adding Project to a Task = Barf

Hi all,

As of yesterday afternoon, we have noticed that if we create a new task and do not add the Project to it, all works fine, but as soon as we edit that task and add a Project, the screen goes gray and we cannot do anything new with it.

If I create a new task and work through the fields tabbing down and filling them in, as soon as I get to the Project one and select a Project, same thing, I get a grayed out screen and cannot proceed further.

Has anyone else experienced this and is there a fix?

Hi anomaly0617

Have you a traceback you can post?

Do any logs point to the problem?

frappe@erpnext:~/frappe-bench$ ls -alt logs

Hi ClarkeJ,

So far the only thing I’m seeing is in node-socketio.log:

{ Error: unable to verify the first certificate
at Error (native)
at TLSSocket. (_tls_wrap.js:1092:38)
at emitNone (events.js:86:13)
at TLSSocket.emit (events.js:185:7)
at TLSSocket._finishInit (_tls_wrap.js:610:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:440:38) code: ‘UNABLE_TO_VERIFY_LEAF_SIGNATURE’, response: undefined }
{ Error: unable to verify the first certificate
at Error (native)
at TLSSocket. (_tls_wrap.js:1092:38)
at emitNone (events.js:86:13)
at TLSSocket.emit (events.js:185:7)
at TLSSocket._finishInit (_tls_wrap.js:610:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:440:38) code: ‘UNABLE_TO_VERIFY_LEAF_SIGNATURE’, response: undefined }

That’s not likely the problem - tls and ssl may be a call to check for email?

Maybe check your browser web console for clues?

can you check your server on https://www.ssllabs.com/ssltest/ or sslchecker.com if everything is configured right?

1 Like

SSL Checker shows that our certificate chain is intact, but I’ve come up with something very interesting:

We run a reverse proxy server using squid on our firewall to route inbound traffic to the appropriate places. Both the proxy server SSL certificate chain and the internal server certificate chains are valid. However:

From inside the office (which bypasses the reverse proxy server and routes the traffic direct from the workstaiton to the ERP server) it works fine.

From outside the office (which goes through the reverse proxy server) we see the grayed out behavior and I find the following errors in Chrome’s debug log:

Request URL:https://[Erp.OurDomain.com]/socket.io/?EIO=3&transport=polling&t=LzQ8tBM&sid=cNgyaeL0BlmKlfrKAAAS
Request Method:GET
Status Code:500 Internal Server Error
Remote Address:[OurIP]:443
Referrer Policy:no-referrer-when-downgrade
Response Headers
view source
Connection:keep-alive
Date:Thu, 26 Oct 2017 19:23:13 GMT
Server:nginx/1.10.3 (Ubuntu)
Transfer-Encoding:chunked
Via:1.1 fw (squid)
X-Cache:MISS from fw
X-Cache-Lookup:MISS from fw:3128
Request Headers
view source
Accept:/
Accept-Encoding:gzip, deflate, br
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Cookie:_ga=GA1.2.695144829.1441679973; __utma=105448863.695144829.1441679973.1507683581.1508004875.81; __utmz=105448863.1502374336.77.11.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); io=cNgyaeL0BlmKlfrKAAAS; sid=5e6018f67b74a7ad04cdb7e75e515cf9112778b2e77581491d5fb919
Host:[Erp.OurDomain.com]
Referer:https://[Erp.OurDomain.com]/desk
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
Query String Parameters
view source
view URL encoded
EIO:3
transport:polling
t:LzQ8tBM
sid:cNgyaeL0BlmKlfrKAAAS

So ultimately, the question is what changed between ERPNext 2-3 months ago and today that isn’t happy passing through a reverse-proxy server?

In May a sockeio upgrade? ERR_CONNECTION_REFUSED : Socketio

Or a closed port?

port 443 is for email autodiscover…
https://answers.microsoft.com/en-us/msoffice/forum/msoffice_outlook-mso_windows8/need-to-open-port-443-for-outlook-autodiscover/8dd38bbd-6417-4689-ae64-5173c03c2dd1?auth=1

Hi John,

Actually, 443 is for HTTPS, which can be used for autodiscover, but is most often used for secure, encrypted transactions between a browser and a web server. For instance, we use it to encrypt the information between our service techs and the system at our office so our customers information is not exposed. Banks use it for secure banking transactions, hospitals use it to stay in compiance with HIPAA, etc… So it’s not just used for Exchange’s autodiscover, it’s used for anything that should be secured and encrypted with a purchased encryption certificate from a trusted vendor. In our case, that’s Comodo, but it could also be a variety of other SSL Certificate providers out there.

Thanks very much for your response and explanation Paul.

So since ssllabs ok’ed your cert infrastructure, then ‘Error: unable to verify the first certificate’ is say an old log message?

I wonder which end of your reverse proxy plumbing this occurs on

Request Method:GET
Status Code:500 Internal Server Error
Remote Address:[OurIP]:443

What’s left is your socketio code and actual cert tokens as the problem source, or presumably the ssllabs exercised and approved that!?

Other ideas - clear your Chrome cache and/or try Firefox or IE/Edge from outside your office to eliminate browser as problem source…

Hi John,

Actually, I found a “solution” to this problem, but it’s not really a solution. We have a block of 13 usable static IP addresses at our office from our ISP, and we use about 7 of them for various services. I just grabbed the next one in the list and set up a NAT rule on the firewall to forward 443 traffic direct to the ERP server. That solved the problem for outside use since those folks were the only ones having the problem – it worked fine from inside the office. So the issue has something to do with the reverse proxy server solution being between the remote browser and the ERP server. At the moment I’m experimenting with another reverse proxy / load balancer solution to see if it’s specific to squid or if the problem persists across other reverse proxy solutions such as apache and nginx.

-Paul

Addendum: I should also mention that I updated our external DNS records to route the traffic through the new external IP address instead of through the reverse proxy solution. :wink:

2 Likes

Two other ideas, reinstall socketio

ERPNext Install Errors

That runs on nodejs so another option is to reinstall that:

Can not save with "500 Internal Server Error" error