webmeetings & ipad/iphone
-
@fbartels
It's a UCS 4.4.4 system.
Konnect has been installed during Kopano Meet install.
Then I have applied your way to enable “Guest access” for Kopano Meet.
At this point the error was raised.
Is there a way to clear the whole config of Konnect & Kopano Meet?
-
@strippe96 said in webmeetings & ipad/iphone:
Then I have applied your way to enable “Guest access” for Kopano Meet.
Can you elaborate on that?
Which version of the app are you using?
The log line looks a bit like konnect was started through systemd, while with the meet app on ucs everything is running on Docker containers.
I have previously created https://wiki.z-hub.io/display/K4U/Debugging+Kopano+on+Univention#DebuggingKopanoonUnivention-Containerisedapps to collect commands that help troubleshoot ucs installations.
-
@fbartels OK.
root@ucs-9130:~# univention-app info
UCS: 4.4-4 errata499
Installed: cups=2.2.1 dhcp-server=12.0 kopano-webapp=3.5.5.2276 letsencrypt=1.2.2-8 samba4=4.10 self-service=4.0 z-push-kopano=2.4.5 4.3/kopano-meet=2.1.0_0 4.3/openid-connect-provider=1.1-konnect-0.23.3
Upgradable:

root@ucs-9130:~# ucr dump | grep kopano/docker | grep -v PASSWORD
kopano/docker/FQDN_MEET: webmail.ncus.de
kopano/docker/FQDN_SSO: ucs-sso.ncus.intranet
kopano/docker/GRID_WEBAPP: yes
kopano/docker/INSECURE: no
kopano/docker/MEET_GUEST_ALLOW: yes
kopano/docker/MEET_GUEST_REGEXP: ^group/public/.*
kopano/docker/TURN_USER: KST0204-094I00DWQ3

root@ucs-9130:~# curl $(ucr get oidc/konnectd/issuer_identifier)/.well-known/openid-configuration
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>503 Service Unavailable</title>
</head><body>
<h1>Service Unavailable</h1>
<p>The server is temporarily unable to service your
request due to maintenance downtime or capacity
problems. Please try again later.</p>
<hr>
<address>Apache/2.4.25 (Univention) Server at ucs-sso.ncus.intranet Port 443</address>
</body></html>

root@ucs-9130:~# grep -v 'secret\|"d"\|"x"\|"y"' /etc/kopano/docker/konnectd-identifier-registration.yaml
{
  "authorities": [
    {
      "name": "ucs-konnect",
      "default": true,
      "iss": "https://ucs-sso.ncus.intranet",
      "client_id": "kopano-meet",
      "authority_type": "oidc",
      "response_type": "id_token",
      "scopes": [
        "openid",
        "profile",
        "email"
      ]
    }
  ],
  "clients": [
    {
      "id": "kpop-https://ucs-9130.ncus.intranet/meet/",
      "name": "Kopano Meet",
      "application_type": "web",
      "trusted": true,
      "redirect_uris": [
        "https://ucs-9130.ncus.intranet/meet/"
      ],
      "trusted_scopes": [
        "konnect/guestok",
        "kopano/kwm"
      ],
      "jwks": {
        "keys": [
          {
            "kty": "EC",
            "use": "sig",
            "crv": "P-256",
            "kid": "meet-kwmserver",
          }
        ]
      },
      "request_object_signing_alg": "ES256"
    }
  ]
}

root@ucs-9130:~# cd /var/lib/univention-appcenter/apps/kopano-meet/compose
root@ucs-9130:/var/lib/univention-appcenter/apps/kopano-meet/compose# docker-compose ps
Name               Command                          State          Ports
----------------------------------------------------------------------------------------------------------
kopano_grapi       /usr/bin/dumb-init -- /kop ...   Up (healthy)
kopano_kapi        /usr/bin/dumb-init -- /kop ...   Up (healthy)
kopano_konnect     wrapper.sh                       Up (healthy)   6777/tcp, 8777/tcp
kopano_kwmserver   docker-entrypoint.sh wrapp ...   Up (healthy)   6778/tcp, 8778/tcp
kopano_meet        /kopano/start-service.sh         Up (healthy)
kopano_ssl         /start.sh                        Exit 0
kopano_web         docker-entrypoint.sh wrapp ...   Up (healthy)   0.0.0.0:2015->2015/tcp, 443/tcp, 80/tcp
kopano_konnect is throwing errors:
kopano_konnect | time="2020-03-25T15:28:29Z" level=error msg="error while oidc provider update: oidc provider error: failed to fetch jwks: failed to fetch JSON (status: 503)" id=ucs-konnect type=oidc
kopano_konnect | time="2020-03-25T15:28:31Z" level=error msg="error while oidc provider update: oidc provider error: failed to fetch discover document: failed to fetch JSON (status: 503)" id=ucs-konnect type=oidc
-
@strippe96 said in webmeetings & ipad/iphone:
kopano-konnectd[22833]: Error: failed to create client registry: yaml: line 19: did not find expected key
Konnect fails to start, thus you get the 503 later.
@strippe96 said in webmeetings & ipad/iphone:
root@ucs-9130:~# grep -v 'secret\|"d"\|"x"\|"y"' /etc/kopano/docker/konnectd-identifier-registration.yaml
{
"authorities": [
This seems strange as the .yaml file contains JSON. That is most likely the reason for the error above. As for how it came to be that way, I cannot say. Make sure the identifier registration file actually contains YAML and it will probably just work.
-
@longsleep said in webmeetings & ipad/iphone:
Konnect fails to start, thus you get the 503 later. […] That is most likely the reason for the error above.
While the first part is true, the second conclusion in the context of ucs is wrong. This is why I asked:
@fbartels said in webmeetings & ipad/iphone:
Then I have applied your way to enable “Guest access” for Kopano Meet.
Can you elaborate on that?
The Konnect that is installed as the “OpenID Connect Provider” app is failing, the Konnect that is part of the Meet app is ok (it's listed as “healthy” in the ps output).
YAML is a superset of JSON, so what can process YAML almost always can process JSON. Konnect most definitely can for the identifier registry.
My theory is that you added the guest registration by hand to the file (and picked the wrong one). To enable the Meet guest mode you only need to say so in the Meet app settings. No manual file editing is necessary.
-
@fbartels
I changed the config as described @ https://documentation.kopano.io/kopano_meet_manual/KopanoMeet.pdf chapter 3.2.
That resulted in the error shown.
I have found a solution. I deinstalled kopano-meet and OpenID and removed the config files.
After reinstalling both, the error has gone.
Now I can use kopano-meet using Edge/Mozilla/Opera on a Windows PC.
Using an iPhone/iPad will result in a screen with the kopano-meet logo and a button with “Anmelden” without any function. No fields for credentials are shown.
In both ways guest access will result in: “Failed to create guest session” after entering a nickname.
-
@strippe96
I have solved all issues by myself.
1.) Turn all settings in /etc/kopano/docker/konnectd-identifier-registration.yaml from private to public URLs
2.) Change in “/etc/kopano/konnectd.cfg”: allow_client_guests=yes
Thanks for any help and stay healthy!
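The post above attributes the failures to internal host names in the registration file. The following read-only check is an added example, not part of the thread and not Kopano or Univention code; it assumes (not confirmed on this page) that client redirect URIs should use the host from kopano/docker/FQDN_MEET and that the authority issuer should use the host from kopano/docker/FQDN_SSO.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: values echo the ucr dump and registration file quoted
# earlier in this thread, reduced to the fields the check reads.
UCR = {
    "kopano/docker/FQDN_MEET": "webmail.ncus.de",
    "kopano/docker/FQDN_SSO": "ucs-sso.ncus.intranet",
}
REGISTRATION = """
{
  "authorities": [
    {"name": "ucs-konnect", "iss": "https://ucs-sso.ncus.intranet"}
  ],
  "clients": [
    {"id": "kpop-https://ucs-9130.ncus.intranet/meet/",
     "redirect_uris": ["https://ucs-9130.ncus.intranet/meet/"]}
  ]
}
"""

def host_mismatches(registration_text, ucr):
    """Return (where, found_host, expected_host) for every URL whose host
    differs from the host configured in the app settings (assumed mapping)."""
    reg = json.loads(registration_text)  # the file shown in the thread is JSON
    meet = ucr["kopano/docker/FQDN_MEET"]
    sso = ucr["kopano/docker/FQDN_SSO"]
    findings = []
    for auth in reg.get("authorities", []):
        host = urlsplit(auth.get("iss", "")).hostname
        if host != sso:
            findings.append((f"authority {auth.get('name')} iss", host, sso))
    for client in reg.get("clients", []):
        for uri in client.get("redirect_uris", []):
            parts = urlsplit(uri)
            # Flag non-HTTPS redirect targets as well as host mismatches.
            if parts.scheme != "https" or parts.hostname != meet:
                findings.append(
                    (f"client {client.get('id')} redirect_uri", parts.hostname, meet))
    return findings

if __name__ == "__main__":
    for where, found, expected in host_mismatches(REGISTRATION, UCR):
        print(f"{where}: host {found!r}, settings say {expected!r}")
```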
-
@strippe96 you don’t seem to be reading what I am writing at all. The linked manual does not apply to the univention app. All you need to do there is go into the app settings in the app center and change a few fields.
There everything is already prepared for you. You can toggle a switch to enable guests and have fields to change the domain name.
-
@fbartels Dear Felix, sorry for the trouble I produced yesterday! It has become a worst ending. We have got the information that my wife and I have a COVID-19 infection. Better I had left my server untouched…
Sorry again and stay healthy.
Again, thank you!
-
@strippe96 then I sincerely hope the both of you are getting better soon.
While the German health system feels quite broken at times, from an outside view it seems to perform quite well at the moment.