webmeetings & ipad/iphone

fbartels

Hi @strippe96,

can you share some details about your environment?

• What os are you using?
• How have you installed Konnect?
• How are you running it?

strippe96

@fbartels
It´s an UCS 4.4.4 System.
Konnect has been installed during Kopano Meet install.
Then I have applied your way to enable “Guest access” for Kopano Meet.
At this point the error raised.

Is there a way to clear the whole config of Konnect & Kopano Meet?

fbartels

@strippe96 said in webmeetings & ipad/iphone:

Then I have applied your way to enable “Guest access” for Kopano Meet.

Can you elaborate on that?

Which version of the app are you using?

The log line looks a bit like konnect was started through systemd, while with the meet app on ucs everything is running on Docker containers.

I have previously created https://wiki.z-hub.io/display/K4U/Debugging+Kopano+on+Univention#DebuggingKopanoonUnivention-Containerisedapps the collect commands that help troubleshooting ucs installations.

strippe96

@fbartels OK.

root@ucs-9130:~# univention-app info
UCS: 4.4-4 errata499
Installed: cups=2.2.1 dhcp-server=12.0 kopano-webapp=3.5.5.2276 letsencrypt=1.2.2-8 samba4=4.10 self-service=4.0 z-push-kopano=2.4.5 4.3/kopano-meet=2.1.0_0 4.3/openid-connect-provider=1.1-konnect-0.23.3
Upgradable:
root@ucs-9130:~# ucr dump | grep kopano/docker | grep -v PASSWORD
kopano/docker/FQDN_MEET: webmail.ncus.de
kopano/docker/FQDN_SSO: ucs-sso.ncus.intranet
kopano/docker/GRID_WEBAPP: yes
kopano/docker/INSECURE: no
kopano/docker/MEET_GUEST_ALLOW: yes
kopano/docker/MEET_GUEST_REGEXP: ^group/public/.*
kopano/docker/TURN_USER: KST0204-094I00DWQ3
root@ucs-9130:~# curl $(ucr get oidc/konnectd/issuer_identifier)/.well-known/openid-configuration
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>503 Service Unavailable</title>
</head><body>
<h1>Service Unavailable</h1>
<p>The server is temporarily unable to service your
request due to maintenance downtime or capacity
problems. Please try again later.</p>
<hr>
<address>Apache/2.4.25 (Univention) Server at ucs-sso.ncus.intranet Port 443</address>
</body></html>
root@ucs-9130:~# grep -v 'secret\|"d"\|"x"\|"y"' /etc/kopano/docker/konnectd-identifier-registration.yaml
{
  "authorities": [
    {
      "name": "ucs-konnect",
      "default": true,
      "iss": "https://ucs-sso.ncus.intranet",
      "client_id": "kopano-meet",
      "authority_type": "oidc",
      "response_type": "id_token",
      "scopes": [
        "openid",
        "profile",
        "email"
      ]
    }
  ],
  "clients": [
    {
      "id": "kpop-https://ucs-9130.ncus.intranet/meet/",
      "name": "Kopano Meet",
      "application_type": "web",
      "trusted": true,
      "redirect_uris": [
        "https://ucs-9130.ncus.intranet/meet/"
      ],
      "trusted_scopes": [
        "konnect/guestok",
        "kopano/kwm"
      ],
      "jwks": {
        "keys": [
          {
            "kty": "EC",
            "use": "sig",
            "crv": "P-256",
            "kid": "meet-kwmserver",
          }
        ]
      },
      "request_object_signing_alg": "ES256"
    }
  ]
}
root@ucs-9130:~# cd /var/lib/univention-appcenter/apps/kopano-meet/compose
root@ucs-9130:/var/lib/univention-appcenter/apps/kopano-meet/compose# docker-compose ps
      Name                    Command                  State                        Ports
----------------------------------------------------------------------------------------------------------
kopano_grapi       /usr/bin/dumb-init -- /kop ...   Up (healthy)
kopano_kapi        /usr/bin/dumb-init -- /kop ...   Up (healthy)
kopano_konnect     wrapper.sh                       Up (healthy)   6777/tcp, 8777/tcp
kopano_kwmserver   docker-entrypoint.sh wrapp ...   Up (healthy)   6778/tcp, 8778/tcp
kopano_meet        /kopano/start-service.sh         Up (healthy)
kopano_ssl         /start.sh                        Exit 0
kopano_web         docker-entrypoint.sh wrapp ...   Up (healthy)   0.0.0.0:2015->2015/tcp, 443/tcp, 80/tcp

kopano_konnect is threwing errors:

kopano_konnect      | time="2020-03-25T15:28:29Z" level=error msg="error while oidc provider update: oidc provider error: failed to fetch jwks: failed to fetch JSON (status: 503)" id=ucs-konnect type=oidc
kopano_konnect      | time="2020-03-25T15:28:31Z" level=error msg="error while oidc provider update: oidc provider error: failed to fetch discover document: failed to fetch JSON (status: 503)" id=ucs-konnect type=oidc

longsleep

@strippe96 said in webmeetings & ipad/iphone:

kopano-konnectd[22833]: Error: failed to create client registry: yaml: line 19: did not find expected key

Konnect fails to start, thus you get the 503 later.

@strippe96 said in webmeetings & ipad/iphone:

root@ucs-9130:~# grep -v ‘secret|“d”|“x”|“y”’ /etc/kopano/docker/konnectd-identifier-registration.yaml
{
“authorities”: [

This seems strange as the .yaml file contains JSON. That is most likely the reason for the error above. As of how it came to be that way i cannot say. Make sure the identifier registration file actually contains YAML and it will probably just work.

fbartels

@longsleep said in webmeetings & ipad/iphone:

Konnect fails to start, thus you get the 503 later. […] That is most likely the reason for the error above.

While the first part is true, the second conclusion in the context of ucs is wrong. This is why I asked:

@fbartels said in webmeetings & ipad/iphone:

Then I have applied your way to enable “Guest access” for Kopano Meet.

Can you elaborate on that?

The Konnect that is installed as the “OpenID Connect Provider” app is failing, the Konnect that is part of the Meet app is ok (its listed as “healthy” in the ps output).

Yaml is a superset of Json, so what can process YAML almost always can process Json. Konnect most definitely can for the identifier registry.

My theory is that you added the guest registration by hand to the file (and picked the wrong one). To enable the Meet guest mode you only need to say so in the Meet app settings. No manual file editing is necessary.

strippe96

@fbartels
I changed the config as described @ https://documentation.kopano.io/kopano_meet_manual/KopanoMeet.pdf chapter 3.2.
That resulted in the error shown.

I have found a solution. I deinstalled kopano-meet and OpenID and removed the config files.
After reinstalling both the error has gone.

Now I can use kopano-meet using Edge/Mozilla/Opera on a Windows PC.
Using an iPhone/iPad will result in a screen with the kopano-meet logo and a button with “Anmelden” without any function. No fields for credentials is shown.
IN both ways guest access will result in: Failed to create guest session" after entering a nickname.

strippe96

@strippe96
I have solved all issues by myself.
1.) Turn all settings in /etc/kopano/docker/konnectd-identifier-registration.yaml from private to public URL´s
2.) Change in “/etc/kopano/konnectd.cfg”: allow_client_guests=yes

Thanks for any help and stay healthy!

fbartels

@strippe96 you don’t seem to be reading what I am writing at all. The linked manual does not apply to the univention app. All you need to do there is go into the app settings in the app center and change a few fields.

There everything is already prepared for you. You can toggle a switch to enable guests and have fields to change the domain name.

strippe96

@fbartels Dear Felix, sorry for the trouble I have produced yesterday! It has become a worst endig. We have got the information that my wife and me has become a covit-19 infection. Better I have left my server untouched…

Sorry again and stay healthy.

Again, thank you !

fbartels

@strippe96 then i sincerely hope the both of you are getting better soon.

While the german health system feels quite broken at time, from am outside view it seems to perform quite well at the moment.