UCS Kopano meet cannot login - openid-connect error
  • Hi,
    just installed a UCS to use Kopano Meet in a productive environment. (I am completely new to this.) I set up an official IP with an FQDN meet.mydomain.at, which is reachable from outside my network. Additionally I joined my AD domain with the UCS and set up the needed rules on my hardware firewall. The UCS is sitting in the DMZ of my network.

    The UCS in the DMZ is reachable from my LAN and from the WAN. Additionally the UCS is able to connect to the AD server to get users and groups.

    So internally the FQDN is meet.mydomain.local.
    Externally, as said, the FQDN is meet.mydomain.at.

    Everything went well, but I am unable to log in to Kopano Meet. I am able to go to the URL, but it seems like there is a loop when trying to log in to Meet.

    oidc-callback / identifier failed to authenticate / temporarily unavailable

    In the admin backend of UCS the following settings were made:

    Openid-Connect-provider:
    https://meet.mydomain.at

    Meet:
    FQDN from which Meet should be accessible (without https:// or /meet).
    meet.mydomain.at

    But it is not working (error as said above).

    If I set the Openid-Connect-Provider to https://meet.mydomain.local and Meet to meet.mydomain.local, it works internally (LAN), but not from the WAN (which is clear).

    Cannot find the error.

    The UCS server diagnostics run through without issues.

     univention-app info
    UCS: 4.4-4 errata589
    Installed: adconnector=12.0 samba-memberserver=4.7 4.3/kopano-meet=2.1.0_0-3 4.3/openid-connect-provider=1.1-konnect-0.23.3
    Upgradable:
    
    Running pre-joinscripts hook(s):                           done
    Running 01univention-ldap-server-init.inst                 skipped (already executed)
    Running 02univention-directory-notifier.inst               skipped (already executed)
    Running 03univention-directory-listener.inst               skipped (already executed)
    Running 04univention-ldap-client.inst                      skipped (already executed)
    Running 05univention-bind.inst                             skipped (already executed)
    Running 08univention-apache.inst                           skipped (already executed)
    Running 10univention-ldap-server.inst                      skipped (already executed)
    Running 11univention-heimdal-init.inst                     skipped (already executed)
    Running 11univention-pam.inst                              skipped (already executed)
    Running 15univention-directory-notifier-post.inst          skipped (already executed)
    Running 15univention-heimdal-kdc.inst                      skipped (already executed)
    Running 18python-univention-directory-manager.inst         skipped (already executed)
    Running 20univention-directory-policy.inst                 skipped (already executed)
    Running 20univention-join.inst                             skipped (already executed)
    Running 20univention-ldap-config-master.inst               skipped (already executed)
    Running 22univention-directory-manager-rest.inst           skipped (already executed)
    Running 26univention-nagios-common.inst                    skipped (already executed)
    Running 26univention-samba.inst                            skipped (already executed)
    Running 30univention-appcenter.inst                        skipped (already executed)
    Running 30univention-nagios-client.inst                    skipped (already executed)
    Running 31univention-nagios-ad-connector.inst              skipped (already executed)
    Running 33univention-portal.inst                           skipped (already executed)
    Running 34univention-management-console-server.inst        skipped (already executed)
    Running 35univention-appcenter-docker.inst                 skipped (already executed)
    Running 35univention-management-console-module-adconnector.skipped (already executed)
    Running 35univention-management-console-module-appcenter.inskipped (already executed)
    Running 35univention-management-console-module-diagnostic.iskipped (already executed)
    Running 35univention-management-console-module-ipchange.insskipped (already executed)
    Running 35univention-management-console-module-join.inst   skipped (already executed)
    Running 35univention-management-console-module-lib.inst    skipped (already executed)
    Running 35univention-management-console-module-mrtg.inst   skipped (already executed)
    Running 35univention-management-console-module-quota.inst  skipped (already executed)
    Running 35univention-management-console-module-reboot.inst skipped (already executed)
    Running 35univention-management-console-module-services.insskipped (already executed)
    Running 35univention-management-console-module-setup.inst  skipped (already executed)
    Running 35univention-management-console-module-sysinfo.instskipped (already executed)
    Running 35univention-management-console-module-top.inst    skipped (already executed)
    Running 35univention-management-console-module-ucr.inst    skipped (already executed)
    Running 35univention-management-console-module-udm.inst    skipped (already executed)
    Running 35univention-management-console-module-updater.instskipped (already executed)
    Running 35univention-server-overview.inst                  skipped (already executed)
    Running 36univention-management-console-module-apps.inst   skipped (already executed)
    Running 40univention-virtual-machine-manager-schema.inst   skipped (already executed)
    Running 50kopano-meet.inst                                 skipped (already executed)
    Running 50openid-connect-provider.inst                     skipped (already executed)
    Running 81univention-ad-connector.inst                     skipped (already executed)
    Running 81univention-nfs-server.inst                       skipped (already executed)
    Running 90univention-bind-post.inst                        skipped (already executed)
    Running 91univention-saml.inst                             skipped (already executed)
    Running 92univention-management-console-web-server.inst    skipped (already executed)
    Running 98univention-pkgdb-tools.inst                      skipped (already executed)
    Running post-joinscripts hook(s):                          done
    
    kopano/docker/FQDN_MEET: meet.mydomain.at
    kopano/docker/FQDN_SSO: meet.mydomain.at
    kopano/docker/GRID_WEBAPP: no
    kopano/docker/INSECURE: no
    kopano/docker/MEET_GUEST_ALLOW: yes
    kopano/docker/MEET_GUEST_REGEXP: ^group/public/.*
    kopano/docker/TURN_SERVICE_URL: https://ucs-turn.kopano.com/turnserverauth/
    kopano/docker/TURN_USER: <censored> (no typo, but removed for the forum post)
    
    oidc/konnectd/issuer_identifier: https://meet.mydomain.at
    
    curl $(ucr get oidc/konnectd/issuer_identifier)/.well-known/openid-configuration
    curl: (51) SSL: no alternative certificate subject name matches target host name 'meet.mydomain.at'
    
    curl $(ucr get oidc/konnectd/issuer_identifier)/signin/v1/welcome
    curl: (51) SSL: no alternative certificate subject name matches target host name 'meet.mydomain.at'
    
    curl https://$(ucr get kopano/docker/FQDN_SSO)/signin/v1/welcome
    <!DOCTYPE html><html lang="en"><head data-kopano-build="0.0.0-dev-env"><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name="theme-color" content="#ffffff"><link rel="shortcut icon" href="./static/favicon.ico" type="image/x-icon"><meta property="csp-nonce" content="zt8tfyNU_U7MRsgIVdIv5fkk6kHGG3DaKfQwgVMygTQ="><title>Univention Login</title><link href="./static/css/main.a11c89db.css" rel="stylesheet"></head><body><noscript>You need to enable JavaScript to run this app.</noscript><div id="bg"></div><div id="header"><div id="logo"></div></div><div id="root"></div><div id="font-preloader"><span>aA</span>Bb</div><script type="text/javascript" src="./static/js/main.a23d13c1.js"></script></body></html>root@meet:/var/log/univention#
    
    root@meet:/var/log/univention# grep -v 'secret\|"d"\|"x"\|"y"' /etc/kopano/docker/konnectd-identifier-registration.yaml
    clients:
    - id: kpop-https://meet.mydomain.local/meet/
      name: Kopano Meet
      application_type: web
      trusted: true
      redirect_uris:
      - https://meet.mydomain.local/meet/
      trusted_scopes:
      - konnect/guestok
      - kopano/kwm
      jwks:
        keys:
        - kty: EC
          use: sig
          crv: P-256
          d: mWxxx-GdaJxzXtaaaaULcubAMCcUhGvabceJRM
          kid: meet-kwmserver
          x: j2Sxxx20aegRlXOjcd1U_82wGGf8Jcda2znDYjH0
          y: PTxxxHuFH4encKISBqMaKRT6D6U3M6q3adf0hhpNn5bs
      request_object_signing_alg: ES256
    - id: kpop-https://meet.mydomain.at/meet/
      name: Kopano Meet
      application_type: web
      trusted: true
      redirect_uris:
      - https://meet.mydomain.at/meet/
      trusted_scopes:
      - konnect/guestok
      - kopano/kwm
      jwks:
        keys:
        - kty: EC
          use: sig
          crv: P-256
          d: mWxxx-GdaJxzXtaaaaULcubAMCcUhGvabceJRM
          kid: meet-kwmserver
          x: j2Sxxx20aegRlXOjcd1U_82wGGf8Jcda2znDYjH0
          y: PTxxxHuFH4encKISBqMaKRT6D6U3M6q3adf0hhpNn5bs
      request_object_signing_alg: ES256
    authorities:
    - name: ucs-konnect
      default: true
      iss: https://meet.mydomain.at
      client_id: kopano-meet
      authority_type: oidc
      response_type: id_token
      scopes:
      - openid
      - profile
      - email
      trusted: true
      end_session_enabled: true
    

    I am out of ideas…
  • Hi,
    I was able to solve the problem by installing official SSL certs for my domain. After that Konnect said:

    kopano_konnect      | time="2020-05-07T17:35:32Z" level=info msg="authority is now ready" id=ucs-konnect type=oidc
    

    Before this, I got lots of error messages concerning a wrong certificate, which was issued for meet.mydomain.local instead of meet.mydomain.at.

    Also the curl commands from my first post said that there is something not right with my certs.

    Used the manual from: https://help.univention.com/t/using-your-own-ssl-certificates/38
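
    An added example (not code from this thread, Univention or Kopano) that turns the checks the two curl commands above perform into one offline consistency test over the UCR values, the konnectd registration and the certificate's DNS SANs. The names san_matches, check_meet_sso, UCR, REGISTRATION, CERT_BEFORE and CERT_AFTER are chosen here; the sample data is constructed from the values quoted in the thread, with the "before" certificate carrying only the .local name.

```python
from urllib.parse import urlparse

# Constructed sample data, taken from the values quoted in the thread.
UCR = {
    "oidc/konnectd/issuer_identifier": "https://meet.mydomain.at",
    "kopano/docker/FQDN_SSO": "meet.mydomain.at",
    "kopano/docker/FQDN_MEET": "meet.mydomain.at",
}
REGISTRATION = {  # reduced form of konnectd-identifier-registration.yaml
    "clients": [{"redirect_uris": ["https://meet.mydomain.local/meet/"]},
                {"redirect_uris": ["https://meet.mydomain.at/meet/"]}],
    "authorities": [{"default": True, "iss": "https://meet.mydomain.at"}],
}
CERT_BEFORE = (("DNS", "meet.mydomain.local"),)  # UCS-issued cert, as in the thread
CERT_AFTER = (("DNS", "meet.mydomain.at"),)      # official cert for the public name

def san_matches(hostname, san_entries):
    """True if hostname is covered by a DNS SAN; '*' matches exactly one label."""
    host = hostname.lower().rstrip(".")
    for pattern in (v.lower().rstrip(".") for k, v in san_entries if k == "DNS"):
        if pattern == host:
            return True
        if (pattern.startswith("*.") and "*" not in pattern[2:]
                and host.count(".") == pattern.count(".") and host.endswith(pattern[1:])):
            return True
    return False

def check_meet_sso(ucr, registration, san_entries):
    """Return a list of mismatches between UCR, konnectd registration and cert."""
    problems = []
    issuer = ucr["oidc/konnectd/issuer_identifier"]
    issuer_host = urlparse(issuer).hostname
    fqdn_sso, fqdn_meet = ucr["kopano/docker/FQDN_SSO"], ucr["kopano/docker/FQDN_MEET"]
    if issuer_host != fqdn_sso:
        problems.append(f"issuer host {issuer_host} != FQDN_SSO {fqdn_sso}")
    for host in sorted({issuer_host, fqdn_sso, fqdn_meet}):
        if not san_matches(host, san_entries):  # what curl reports as error 51
            problems.append(f"certificate has no SAN for {host}")
    default = [a for a in registration["authorities"] if a.get("default")]
    if not default or default[0]["iss"] != issuer:
        problems.append("default authority iss != issuer_identifier")
    redirect = f"https://{fqdn_meet}/meet/"
    if redirect not in {u for c in registration["clients"] for u in c["redirect_uris"]}:
        problems.append(f"no client with redirect_uri {redirect}")
    return problems

if __name__ == "__main__":
    print("before:", check_meet_sso(UCR, REGISTRATION, CERT_BEFORE))
    print("after: ", check_meet_sso(UCR, REGISTRATION, CERT_AFTER))
```

    On a live system the san_entries tuple can be taken straight from ssl.SSLSocket.getpeercert()["subjectAltName"], which has exactly this (kind, value) shape.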


  • Kopano

    Hi @mcdaniels,

    Yes, when running Meet in “secure” mode (which should only be turned off for debugging), you have to make sure that all certificates can be verified.