Kopano Meet with UCS after "Login" 404 not found

Jochen77

Hi,

today i tried to install meet on my UCS server. The installation run well and when i start the Meet app the “C” appears and the “Anmelde” button is shown. But after pushing the button i got a 404 Not Found error.

The system is on the latest version, i can reach my server with the url and the ssl certificates are valid. The ucs-sso.domain.intranet is reachable.

I’m not sure where to search for the solution. Can you give me a hint?

Kind regards

Jochen

fbartels

Hi @Jochen77,

I have collected general debugging steps at https://wiki.z-hub.io/display/K4U/Debugging+Kopano+on+Univention#DebuggingKopanoonUnivention-Containerisedapps

Generally it sounds like the redirect url in the Univention OpenID provider is wrong (and therefore you get redirected to the wrong url in the end). Which url is it exactly that gives the 404?

Jochen77

Hi Felix,

sorry for replying so late. The 404 error points to:

https://ucs.“external domain”.de
https://ucs.“external domain”.de/meetid/favicon.ico

Hera are the output lines from the commands in your debugging page:

univention-app info
UCS: 4.4-6 errata767
Installed: fetchmail=6.3.26 kopano-meet=2.2.3_0-1 letsencrypt=1.2.2-8 mailserver=12.0 nagios=4.3 nextcloud=19.0.3-0 openid-connect-provider=2.1-konnect-0.33.8 samba4=4.10
Upgradable:

ucr search --brief oidc/konnectd/issuer_identifier
oidc/konnectd/issuer_identifier: https://ucs-sso.url.intranet

curl $(ucr get oidc/konnectd/issuer_identifier)/.well-known/openid-configuration
curl: (51) SSL: no alternative certificate subject name matches target host name 'ucs-sso.url.intranet'

curl $(ucr get oidc/konnectd/issuer_identifier)/signin/v1/welcome
curl: (51) SSL: no alternative certificate subject name matches target host name 'ucs-sso.jh-edvservice.intranet'

curl https://$(ucr get kopano/docker/FQDN_SSO)/signin/v1/welcome
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.25 (Univention) Server at ucs."External domain.de Port 443</address>
</body></html>

grep -v 'secret\|"d"\|"x"\|"y"' /etc/kopano/docker/konnectd-identifier-registration.yaml
clients:
- id: kpop-https://ucs.internal.intranet/meet/
  name: Kopano Meet
  application_type: web
  trusted: true
  redirect_uris:
  - https://ucs.internal.intranet/meet/
  trusted_scopes:
  - konnect/guestok
  - kopano/kwm
  jwks:
    keys:
    - kty: EC
      use: sig
      crv: P-256
      d: i6w6Wc7LuzU7yI7C0Bs6zRj7FKdswBjCK82BkjtCFjA
      kid: meet-kwmserver
      x: jbw5qu8ZNeLfw3JXAA9WQM7iHEXNUW0kwT44PzZZR5A
      y: 4tjyNIgibeohsEFqPj4VgiuPQQ1kgcmBAAEJOtgwc7s
  request_object_signing_alg: ES256
- id: kpop-https://ucs.external.de/meet/
  name: Kopano Meet
  application_type: web
  trusted: true
  redirect_uris:
  - https://ucs.external.de/meet/
  trusted_scopes:
  - konnect/guestok
  - kopano/kwm
  jwks:
    keys:
    - kty: EC
      use: sig
      crv: P-256
      d: i6w6Wc7LuzU7yI7C0Bs6zRj7FKdswBjCK82BkjtCFjA
      kid: meet-kwmserver
      x: jbw5qu8ZNeLfw3JXAA9WQM7iHEXNUW0kwT44PzZZR5A
      y: 4tjyNIgibeohsEFqPj4VgiuPQQ1kgcmBAAEJOtgwc7s
  request_object_signing_alg: ES256
authorities:
- name: ucs-konnect
  default: true
  iss: https://ucs.external.de
  client_id: kopano-meet
  authority_type: oidc
  response_type: id_token
  scopes:
  - openid
  - profile
  - email
  trusted: true
  end_session_enabled: true

Kind regards

Jochen

fbartels

@Jochen77 said in Kopano Meet with UCS after "Login" 404 not found:

and the ssl certificates are valid.

curl does disagree with you:

curl $(ucr get oidc/konnectd/issuer_identifier)/.well-known/openid-configuration
curl: (51) SSL: no alternative certificate subject name matches target host name 'ucs-sso.url.intranet'

curl $(ucr get oidc/konnectd/issuer_identifier)/signin/v1/welcome
curl: (51) SSL: no alternative certificate subject name matches target host name 'ucs-sso.jh-edvservice.intranet'

Its also strange that this complains about two different domains not being part of the domain. as in the ucr variable has a different domain stored each time you request it. Is that a system with multiple ucs nodes?

@Jochen77 said in Kopano Meet with UCS after "Login" 404 not found:

curl https://$(ucr get kopano/docker/FQDN_SSO)/signin/v1/welcome
[..]
<address>Apache/2.4.25 (Univention) Server at ucs."External domain.de Port 443</address>

This (that its an Apache error) indicates that the univention openid provider is not configured properly (which has to be done manually when changing the domain name). Normally it should proxy that url to a Docker container, but that proxy seems to be missing in your case.