Webapp - Certificate auth fails

fbartels

at some point in the last releases we introduced a more strict hostname checking for ssl certs. does you certificate have a valid chain? i’d then recommend to use the actual hostname in the default_server field.

Stril

@fbartels said in Webapp - Certificate auth fails:

n the last releases we introduced a more strict hostname checking for ssl certs. does you certificate have a valid chain? i’d then recommend to use the actual hostname in the default_serv

Hi!

That could be the problem… As I connect to “localhost”, I thought, that the chain cannot be 100% valid. Do I need to create a server certificate with the “servername” and https://servername:237/kopano as DEFAULT_SERVER?

Regards

Stril

Hi!

I tried to change this, but the connect is not possible.

Webapp shows:
Unknown MAPI Error: MAPI_E_INVALID_PARAMETER

Apache error log:
PHP Warning: mapi_logon_zarafa(): Unable to setup service for provider in …class.mapisession.php on line 91

Is there any possibility to get more verbosity of the problem?

Regards,
Stril

fbartels

I cannot say for the webapp, but in the server you can set log_level = 6 to see message about the ssl verification.

@marty do you know of any setting in webapp to make the error more verbose?

Stril

@fbartels said in Webapp - Certificate auth fails:

@marty do you know of any setting in webapp to make the error more verbose?

Hi!

server.cfg is already set to log_level = 6

In Webapp, I have set:

error_reporting(E_ALL);

…but there is not a single line in server.log about certificate issues…

Regards,
Stil

fbartels

@Stril if the server is already running on loglevel 6, it seems the ssl connection never reaches the server.

Stril

@fbartels said in Webapp - Certificate auth fails:

@Stril if the server is already running on loglevel 6, it seems the ssl connection never reaches the server.

Hi!

Thats strange. kopano-spooler does connect through https and does not produce “log-output”, too.

I do not see any log entries - no matter, if I connect to localhost:237 or servername:237

Regards

fbartels

@Stril which version are you running?

Stril

Hi!

I am running the latest version:
Kopano 8.4.0.1103
Webapp 3.4.0.764-0+517.1

Thank you for your help!!!

Regards,
Stril

Stril

Do you have any idea, what I could try?

Regards
Stril

fbartels

Hi @Stril ,

did not yet have any further time to look into this. will probably do so over the course of the next week.

Stril

@fbartels said in Webapp - Certificate auth fails:

did not yet have any further time to look into this. will probably do so over the course of the next week.

That would be great. Thank you for your help.

Stril

Hi Felix!

Did you take a look at this? That would be great!

Regads,
Stril

fbartels

Hi @Stril ,

no, no time yet but this is still on my list. If you’d want higher priority and have a subscription I’d recommend to open up a support case. Paying customer always go first.

Stril

Hi!

I opened a support case (paid customer).
The “trust” is working. Webapp disables authentication, if https-connection is set up (great), BUT: If I user apache-auth, webapp does not work anymore:

Start webapp in browser
Basic-Auth on apache2
Webapp shows “loading-circle” endlessly

To be sure about the working trust, I disabled Basic-Auth

Start webapp in browser
Webapp-Login appears
Login with user and WRONG password is possible (as in webaccess)
–> Trust is working

Regards,
Stril

fbartels

Hi @Stril ,

works for me.

make the following changes to config.php of webapp

        define("DEFAULT_SERVER", "https://felix-KS-38462.lxd01.zarafa.lan:237/kopano");

        // When using a single-signon system on your webserver, but Kopano Core is on another server
        // you can use https to access the Kopano server, and authenticate using an SSL certificate.
        define("SSLCERT_FILE", "/etc/kopano/ssl/admin-felix-KS-38462.pem");
        define("SSLCERT_PASS", NULL);

test if certificate overrides auth by loging in through webapp and giving wrong password
-> works
adapt apache vhost
instead of setting up basic auth, I just hardcoded remote_user the following way SetEnv REMOTE_USER "user1"
test if loging still succeeds
-> it does and webapp loads completely.

WebApp:
3.4.0.790-0+526.1
Kopano Core:
8.4.90

If it weren’t for the fact that you can succesfully login without the basic auth I would say that there is a json parsing error in your users settings. The one way to make sure that this is not the case would be to create a new blank user and try to login with that user.
You should be able to see if it is indeed a parsing error by looking into the javascript console and maybe additionally the responses in the network tab in the developer tools of chrome.

Stril

Hi!

Sorry for the late answer. I did not see your post.

@fbartels said in Webapp - Certificate auth fails:

make the following changes to config.php of webapp

        define("DEFAULT_SERVER", "https://felix-KS-38462.lxd01.zarafa.lan:237/kopano");

        // When using a single-signon system on your webserver, but Kopano Core is on another server
        // you can use https to access the Kopano server, and authenticate using an SSL certificate.
        define("SSLCERT_FILE", "/etc/kopano/ssl/admin-felix-KS-38462.pem");
        define("SSLCERT_PASS", NULL);

test if certificate overrides auth by loging in through webapp and giving wrong password
-> works

–> Yes, it is working.

adapt apache vhost
instead of setting up basic auth, I just hardcoded remote_user the following way SetEnv REMOTE_USER "user1"

–> I did the same test. Login with user “user1” is working. There is no “Login-window”.

test if loging still succeeds
-> it does and webapp loads completely.

–> Same for me.

If it weren’t for the fact that you can succesfully login without the basic auth I would say that there is a json parsing error in your users settings. The one way to make sure that this is not the case would be to create a new blank user and try to login with that user.
You should be able to see if it is indeed a parsing error by looking into the javascript console and maybe additionally the responses in the network tab in the developer tools of chrome.

I created a new user “user1” and tried to login with basic auth. The only error, I can see in the browser console is a 401 error for:
http://10.0.49.229/webapphttps/zarafa.php?subsystem=webapp_1502960818098

Javascriptconsole does not show anything in Chrome.

Do you have any idea, why there is the “401”-error?

Thank you for your help!!!

Regards,
Stril

fbartels

Hi @stril ,

so login is now working for you?

Stril

Hi!

No! The problem still exists!

I am not able to get the authentication fully working.
If it was not clear: After the “401” error in the console, zarafa-webapp stays in the picture of the “loading-circle”.

I really Need help.

Regards,
Stril

fbartels

Hi @stril ,

I have seen occasional 401 errors in the logging, when utilizing SSO. In the past this never interfered with the functionality (its rather an internal function that tries to reuse the user password, which is now not available).

Since you already have a support ticket open I would recommend to pursue this further with our support.