kopano-kwebd running but failing while obtaining bundled SAN cert

mcdaniels

Hi,
anyone had the issue, that kopano-kwebd crashes, if you try to open the URL?

I ve configured kwebd to answer HTTPS requests on port 9443. It seems like that kwebd crashes after some time, while it tries to obtain bundled SAN certificate.

 kopano-kwebd.service - Kopano Web Daemon
   Loaded: loaded (/lib/systemd/system/kopano-kwebd.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2020-04-03 15:48:43 CEST; 4s ago
  Process: 28481 ExecStartPre=/usr/sbin/kopano-kwebd setup (code=exited, status=0/SUCCESS)
 Main PID: 28484 (kwebd)
    Tasks: 11 (limit: 4915)
   CGroup: /system.slice/kopano-kwebd.service
           └─28484 /usr/libexec/kopano/kwebd serve --host=meet.mydomain.at --email=hostmaster@mydomain.at --agree --ca=https://acme-v02.api.letsencrypt.org/directory --root=/usr/share/kopano-kweb/www --http-port=

Apr 03 15:48:43 mail3.mydomain.at systemd[1]: Started Kopano Web Daemon.
Apr 03 15:48:43 mail3.mydomain.at kopano-kwebd[28484]: [DEV NOTICE] Registered directive 'alias' at end of list
Apr 03 15:48:43 mail3.mydomain.at kopano-kwebd[28484]: [DEV NOTICE] Registered directive 'configjson' at end of list
Apr 03 15:48:43 mail3.mydomain.at kopano-kwebd[28484]: [DEV NOTICE] Registered directive 'fastcgi2' before 'fastcgi'
Apr 03 15:48:43 mail3.mydomain.at kopano-kwebd[28484]: [DEV NOTICE] Registered directive 'folderish' before 'redir'
Apr 03 15:48:43 mail3.mydomain.at kopano-kwebd[28484]: [DEV NOTICE] Registered directive 'staticpwa' at end of list
Apr 03 15:48:44 mail3.mydomain.at kopano-kwebd[28484]: Activating privacy features... 2020/04/03 15:48:44 [INFO] [meet.mydomain.at] acme: Obtaining bundled SAN certificate
Apr 03 15:48:45 mail3.mydomain.at kopano-kwebd[28484]: 2020/04/03 15:48:45 [INFO] [meet.mydomain.at] acme: Obtaining bundled SAN certificate
Apr 03 15:48:47 mail3.mydomain.at kopano-kwebd[28484]: 2020/04/03 15:48:47 [INFO] [meet.mydomain.at] acme: Obtaining bundled SAN certificate
Apr 03 15:48:48 mail3.mydomain.at kopano-kwebd[28484]: 2020/04/03 15:48:48 [INFO] [meet.mydomain.at] acme: Obtaining bundled SAN certificate
root@mail3:/etc/kopano# systemctl status kopano-kwebd
● kopano-kwebd.service - Kopano Web Daemon
   Loaded: loaded (/lib/systemd/system/kopano-kwebd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Fri 2020-04-03 15:48:52 CEST; 9s ago
  Process: 28484 ExecStart=/usr/sbin/kopano-kwebd serve (code=exited, status=1/FAILURE)
  Process: 28481 ExecStartPre=/usr/sbin/kopano-kwebd setup (code=exited, status=0/SUCCESS)
 Main PID: 28484 (code=exited, status=1/FAILURE)

Apr 03 15:48:43 mail3.mydomain.at kopano-kwebd[28484]: [DEV NOTICE] Registered directive 'staticpwa' at end of list
Apr 03 15:48:44 mail3.mydomain.at kopano-kwebd[28484]: Activating privacy features... 2020/04/03 15:48:44 [INFO] [meet.mydomain.at] acme: Obtaining bundled SAN certificate
Apr 03 15:48:45 mail3.mydomain.at kopano-kwebd[28484]: 2020/04/03 15:48:45 [INFO] [meet.mydomain.at] acme: Obtaining bundled SAN certificate
Apr 03 15:48:47 mail3.mydomain.at kopano-kwebd[28484]: 2020/04/03 15:48:47 [INFO] [meet.mydomain.at] acme: Obtaining bundled SAN certificate
Apr 03 15:48:48 mail3.mydomain.at kopano-kwebd[28484]: 2020/04/03 15:48:48 [INFO] [meet.mydomain.at] acme: Obtaining bundled SAN certificate
Apr 03 15:48:49 mail3.mydomain.at kopano-kwebd[28484]: 2020/04/03 15:48:49 [INFO] [meet.mydomain.at] acme: Obtaining bundled SAN certificate
Apr 03 15:48:51 mail3.mydomain.at kopano-kwebd[28484]: 2020/04/03 15:48:51 [INFO] [meet.mydomain.at] acme: Obtaining bundled SAN certificate
Apr 03 15:48:52 mail3.mydomain.at systemd[1]: kopano-kwebd.service: Main process exited, code=exited, status=1/FAILURE
Apr 03 15:48:52 mail3.mydomain.at systemd[1]: kopano-kwebd.service: Unit entered failed state.
Apr 03 15:48:52 mail3.mydomain.at systemd[1]: kopano-kwebd.service: Failed with result 'exit-code'.

I also have got an Apache-Server running on this machine (for the Webapp). I switched the Apacheserver “off” for testing Meet. But it still does not work.

Finally I also have got a question concerning: legacy_reverse_proxy

Will I have to use this option, to run Meet at a server were Kopano & Apache is installed, or is it possible to “push” kwebd to some higher port, so that it does not interfere with Apache?

longsleep

@mcdaniels said in kopano-kwebd running but failing while obtaining bundled SAN cert:

Obtaining bundled SAN certificate

Do you use automatic certificates (ACME via Let’s Encrypt for examplle?). If so,

Let’s encrypt just offers

• HTTP-01, which works on port 80
• TLS-SNI-01, which works on port 443
• DNS-01, which does not require any open ports but rather works via a special TXT record you need to create for your domain.

Kweb built in configuration only can do HTTP-01 and TLS-SNI-01 as of now.

I suggest to use the same certificate/key which Apache is using.

mcdaniels

@longsleep said in kopano-kwebd running but failing while obtaining bundled SAN cert:

Do you use automatic certificates (ACME via Let’s Encrypt for examplle?).

Yes I do use ACME for my domain which is mail3.mydomain.com. Thought of using meet1.mydomain.com for kopano meet, but this does not seem to work. If I read your lines, it is clear to me that it cannot work. On the other handside, I completely shutdown apache and used the standardports for kweb. This also does not work.

The thing is (as far as I understood right): I have to set up a separate virtualhost + DNS entry for kopano-meet. Lets say meet1.mydomain.com.
If so, I will need a separate ssl-certificate for meet (or use a wildcard-cert for *.mydomain.com. I cannot use the ssl-cert (certbot) which I use for mail3.mydomain.com.

So hm do you mean I should completly switch to apache (Kopano Webapp & Meet)?

longsleep

@mcdaniels said in kopano-kwebd running but failing while obtaining bundled SAN cert:

@longsleep said in kopano-kwebd running but failing while obtaining bundled SAN cert:

Do you use automatic certificates (ACME via Let’s Encrypt for examplle?).

Yes I do use ACME for my domain which is mail3.mydomain.com. Thought of using meet1.mydomain.com for kopano meet, but this does not seem to work. If I read your lines, it is clear to me that it cannot work. On the other handside, I completely shutdown apache and used the standardports for kweb. This also does not work.

Well it should work when kweb can use port 80. Otherwise something with your Let’s Encrypt account is wrong. Maybe try another email.

mcdaniels

Thanks for your answer. It may be that I have not fully understood how Meet works. But shouldn’t it give me a webinterface if I call http://meet1.mydomain.com ?

I tried it via port 80 before and it gave me a 404 - not found. (this message came from kweb)

Edit: Oh man… sorry… perhaps I should have tried: http(s)://meet1.mydomain.com/meet

SORRY!