[SOLVED] how to debug Meet on UCS?
-
Hello,
I’ve installed Kopano Meet 2.1.0_0-1 on our UCS 4.4-3.499 and when I click on the login-button
I get an error URL-redirect to the login-page again.
temporary unavailable, identifier failed to authenticate
How can I debug and fix this issue?
Thanks in advance.
Christian.
-
Hi @onex-de,
I have collected commands that produce output to inspect at https://wiki.z-hub.io/display/K4U/Debugging+Kopano+on+Univention#DebuggingKopanoonUnivention-Containerisedapps
-
ok, here we go … :(
root@master:~# ucr search --brief oidc/konnectd/issuer_identifier
oidc/konnectd/issuer_identifier: https://[fqdn]
root@master:~# curl $(ucr get oidc/konnectd/issuer_identifier)/.well-known/openid-configuration
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.25 (Univention) Server at [fqdn] Port 443</address>
</body></html>
-
@onex-de hmm… what would you make of that?
-
@fbartels idk if this will help, but am I “allowed” to edit
/etc/kopano/docker/konnectd-identifier-registration.yaml
because it has different dns entries for the server.
e.g. "iss": "https://ucs-sso.domain.local",
instead of our external FQDN and "id": "kpop-https://master.domain.local/meet/",
and "redirect_uris": [ "https://master.domain.local/meet/"
-
@onex-de I don’t know how modifying the identifier registration could be connected to the 404 you see from Apache above.
-
@fbartels nevermind … what a dumb error …
I needed to a2enconf openid-connect-provider
and systemctl reload apache2
to fix it …
I don’t know why this wasn’t enabled by default …?
Thanks for getting me on the right track, especially with the debug-link in your second post!
-
@onex-de said in [SOLVED] how to debug Meet on UCS?:
I don’t know why this wasn’t enabled by default …?
That totally depends on the rest of your configuration (which you haven’t shared).
In the default configuration the openid provider is installed to the ucs-sso subdomain. There is documentation at Univention that says that if you change the domain in their app, you need to take care of Apache configuration yourself.
For the app appliance I had a similar challenge. To spare people from managing two domain names I moved the openid provider to the main domain. This can be easily scripted (as it needed to be for the appliance). The script can be found at https://stash.z-hub.io/projects/K4U/repos/kopano-apps/browse/kopano-meet/appliance_hook.
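Added example, not part of the thread and not Kopano or Univention code: a small check that classifies the response from the issuer's discovery URL, covering both the 404 seen above and the case where the provider answers under a different host name (ucs-sso versus the main domain). The names `diagnose` and `fetch` are hypothetical, and the sample document's endpoint paths are constructed placeholders.

```python
import json
import sys
import urllib.error
import urllib.request

DISCOVERY_PATH = "/.well-known/openid-configuration"
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri")

# Constructed sample document; the endpoint paths are placeholders.
SAMPLE_DOC = json.dumps({
    "issuer": "https://master.domain.local",
    "authorization_endpoint": "https://master.domain.local/authorize",
    "jwks_uri": "https://master.domain.local/jwks.json",
})


def diagnose(issuer, status, body):
    """Return findings for one discovery response; an empty list means healthy."""
    url = issuer.rstrip("/") + DISCOVERY_PATH
    if status != 200:
        # The case in this thread: the web server answers, but nothing on
        # this host name is routed to the OpenID provider.
        return [f"{url} returned HTTP {status}: no provider served under this issuer"]
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if not isinstance(doc, dict):
        return [f"{url} returned HTTP 200 but the body is not a JSON object"]
    findings = [f"missing required field: {key}" for key in REQUIRED if key not in doc]
    # OpenID Connect Discovery requires the issuer in the document to be
    # identical to the issuer the URL was built from.
    if "issuer" in doc and doc["issuer"] != issuer:
        findings.append(f"issuer mismatch: configured {issuer}, document says {doc['issuer']}")
    return findings


def fetch(issuer, timeout=5):
    """Fetch the live discovery document and return (status, body)."""
    url = issuer.rstrip("/") + DISCOVERY_PATH
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":  # argument: output of `ucr get oidc/konnectd/issuer_identifier`
    print(diagnose(sys.argv[1], *fetch(sys.argv[1])) or "discovery document OK")
```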