UCS Kopano meet cannot login - openid-connect error
-
Hi,
just installed a UCS to use Kopano Meet in a productive environment (I am completely new to this). I set up an official IP with an FQDN meet.mydomain.at, which is reachable from outside my network. Additionally I joined my AD domain with the UCS and set up the needed rules on my hardware firewall. The UCS is sitting in the DMZ of my network. The UCS in the DMZ is reachable from my LAN and from the WAN. Additionally the UCS is able to connect to the AD server to get users and groups.
So internally the FQDN is meet.mydomain.local
Externally, as said, the FQDN is meet.mydomain.at
Everything went well, but I am unable to log in to Kopano Meet. I am able to go to the URL, but it seems like there is a loop when trying to log in to Meet.
oidc-callback / identifier failed to authenticate / temporarily unavailable
In the admin backend of UCS the following settings were made:
Openid-Connect-provider:
https://meet.mydomain.at
Meet:
FQDN from which Meet should be accessible (without https:// or /meet).
meet.mydomain.at
But it is not working (error as said above).
If I set the Openid-Connect-Provider to https://meet.mydomain.local and Meet to meet.mydomain.local, it works internally (LAN), but not from the WAN (which is clear).
Cannot find the error.
The UCS server diagnostics run through without issues.
univention-app info
UCS: 4.4-4 errata589
Installed: adconnector=12.0 samba-memberserver=4.7 4.3/kopano-meet=2.1.0_0-3 4.3/openid-connect-provider=1.1-konnect-0.23.3
Upgradable:
Running pre-joinscripts hook(s): done
Running 01univention-ldap-server-init.inst skipped (already executed)
Running 02univention-directory-notifier.inst skipped (already executed)
Running 03univention-directory-listener.inst skipped (already executed)
Running 04univention-ldap-client.inst skipped (already executed)
Running 05univention-bind.inst skipped (already executed)
Running 08univention-apache.inst skipped (already executed)
Running 10univention-ldap-server.inst skipped (already executed)
Running 11univention-heimdal-init.inst skipped (already executed)
Running 11univention-pam.inst skipped (already executed)
Running 15univention-directory-notifier-post.inst skipped (already executed)
Running 15univention-heimdal-kdc.inst skipped (already executed)
Running 18python-univention-directory-manager.inst skipped (already executed)
Running 20univention-directory-policy.inst skipped (already executed)
Running 20univention-join.inst skipped (already executed)
Running 20univention-ldap-config-master.inst skipped (already executed)
Running 22univention-directory-manager-rest.inst skipped (already executed)
Running 26univention-nagios-common.inst skipped (already executed)
Running 26univention-samba.inst skipped (already executed)
Running 30univention-appcenter.inst skipped (already executed)
Running 30univention-nagios-client.inst skipped (already executed)
Running 31univention-nagios-ad-connector.inst skipped (already executed)
Running 33univention-portal.inst skipped (already executed)
Running 34univention-management-console-server.inst skipped (already executed)
Running 35univention-appcenter-docker.inst skipped (already executed)
Running 35univention-management-console-module-adconnector.skipped (already executed)
Running 35univention-management-console-module-appcenter.inskipped (already executed)
Running 35univention-management-console-module-diagnostic.iskipped (already executed)
Running 35univention-management-console-module-ipchange.insskipped (already executed)
Running 35univention-management-console-module-join.inst skipped (already executed)
Running 35univention-management-console-module-lib.inst skipped (already executed)
Running 35univention-management-console-module-mrtg.inst skipped (already executed)
Running 35univention-management-console-module-quota.inst skipped (already executed)
Running 35univention-management-console-module-reboot.inst skipped (already executed)
Running 35univention-management-console-module-services.insskipped (already executed)
Running 35univention-management-console-module-setup.inst skipped (already executed)
Running 35univention-management-console-module-sysinfo.instskipped (already executed)
Running 35univention-management-console-module-top.inst skipped (already executed)
Running 35univention-management-console-module-ucr.inst skipped (already executed)
Running 35univention-management-console-module-udm.inst skipped (already executed)
Running 35univention-management-console-module-updater.instskipped (already executed)
Running 35univention-server-overview.inst skipped (already executed)
Running 36univention-management-console-module-apps.inst skipped (already executed)
Running 40univention-virtual-machine-manager-schema.inst skipped (already executed)
Running 50kopano-meet.inst skipped (already executed)
Running 50openid-connect-provider.inst skipped (already executed)
Running 81univention-ad-connector.inst skipped (already executed)
Running 81univention-nfs-server.inst skipped (already executed)
Running 90univention-bind-post.inst skipped (already executed)
Running 91univention-saml.inst skipped (already executed)
Running 92univention-management-console-web-server.inst skipped (already executed)
Running 98univention-pkgdb-tools.inst skipped (already executed)
Running post-joinscripts hook(s): done
kopano/docker/FQDN_MEET: meet.mydomain.at
kopano/docker/FQDN_SSO: meet.mydomain.at
kopano/docker/GRID_WEBAPP: no
kopano/docker/INSECURE: no
kopano/docker/MEET_GUEST_ALLOW: yes
kopano/docker/MEET_GUEST_REGEXP: ^group/public/.*
kopano/docker/TURN_SERVICE_URL: https://ucs-turn.kopano.com/turnserverauth/
kopano/docker/TURN_USER: <censored> (no typo, but removed for the forum post)
oidc/konnectd/issuer_identifier: https://meet.mydomain.at
curl $(ucr get oidc/konnectd/issuer_identifier)/.well-known/openid-configuration
curl: (51) SSL: no alternative certificate subject name matches target host name 'meet.mydomain.at'

curl $(ucr get oidc/konnectd/issuer_identifier)/signin/v1/welcome
curl: (51) SSL: no alternative certificate subject name matches target host name 'meet.mydomain.at'

curl https://$(ucr get kopano/docker/FQDN_SSO)/signin/v1/welcome
<!DOCTYPE html><html lang="en"><head data-kopano-build="0.0.0-dev-env"><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name="theme-color" content="#ffffff"><link rel="shortcut icon" href="./static/favicon.ico" type="image/x-icon"><meta property="csp-nonce" content="zt8tfyNU_U7MRsgIVdIv5fkk6kHGG3DaKfQwgVMygTQ="><title>Univention Login</title><link href="./static/css/main.a11c89db.css" rel="stylesheet"></head><body><noscript>You need to enable JavaScript to run this app.</noscript><div id="bg"></div><div id="header"><div id="logo"></div></div><div id="root"></div><div id="font-preloader"><span>aA</span>Bb</div><script type="text/javascript" src="./static/js/main.a23d13c1.js"></script></body></html>

grep -v 'secret\|"d"\|"x"\|"y"' /etc/kopano/docker/konnectd-identifier-registration.yaml
clients:
  - id: kpop-https://meet.mydomain.local/meet/
    name: Kopano Meet
    application_type: web
    trusted: true
    redirect_uris:
      - https://meet.mydomain.local/meet/
    trusted_scopes:
      - konnect/guestok
      - kopano/kwm
    jwks:
      keys:
        - kty: EC
          use: sig
          crv: P-256
          d: mWxxx-GdaJxzXtaaaaULcubAMCcUhGvabceJRM
          kid: meet-kwmserver
          x: j2Sxxx20aegRlXOjcd1U_82wGGf8Jcda2znDYjH0
          y: PTxxxHuFH4encKISBqMaKRT6D6U3M6q3adf0hhpNn5bs
    request_object_signing_alg: ES256
  - id: kpop-https://meet.mydomain.at/meet/
    name: Kopano Meet
    application_type: web
    trusted: true
    redirect_uris:
      - https://meet.mydomain.at/meet/
    trusted_scopes:
      - konnect/guestok
      - kopano/kwm
    jwks:
      keys:
        - kty: EC
          use: sig
          crv: P-256
          d: mWxxx-GdaJxzXtaaaaULcubAMCcUhGvabceJRM
          kid: meet-kwmserver
          x: j2Sxxx20aegRlXOjcd1U_82wGGf8Jcda2znDYjH0
          y: PTxxxHuFH4encKISBqMaKRT6D6U3M6q3adf0hhpNn5bs
    request_object_signing_alg: ES256
authorities:
  - name: ucs-konnect
    default: true
    iss: https://meet.mydomain.at
    client_id: kopano-meet
    authority_type: oidc
    response_type: id_token
    scopes:
      - openid
      - profile
      - email
    trusted: true
    end_session_enabled: true
I am out of ideas…
-
Hi,
I was able to solve the problem by installing official SSL certs for my domain. After that Konnect said:
kopano_konnect | time="2020-05-07T17:35:32Z" level=info msg="authority is now ready" id=ucs-konnect type=oidc
Before this, I got lots of error messages concerning a wrong certificate, which was issued for meet.mydomain.local instead of meet.mydomain.at.
Also the curl commands from my first post said that there is something not right with my certs.
Used the manual from: https://help.univention.com/t/using-your-own-ssl-certificates/38
-
Hi @mcdaniels,
yes, when running Meet in "secure" mode (which should only be turned off for debugging) you have to make sure that all certificates can be verified.
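The thread boils down to two consistency conditions that Konnect enforces in secure mode: the certificate served on the issuer host must carry a DNS SAN matching that host (the curl error 51 above), and the issuer URL in the discovery document and in the default authority of the identifier registration must equal oidc/konnectd/issuer_identifier. The following pre-flight check is an added example, not code from UCS or Kopano. It runs offline against inputs constructed from the values posted in this thread (the "before" case has a certificate that names only meet.mydomain.local, the "after" case names meet.mydomain.at); the live helper at the end and the UCS CA path it mentions are assumptions for use on a real server.

```python
"""Pre-flight consistency check for a Kopano Meet / Konnect OIDC setup on UCS.

Added example, not part of UCS or Kopano. It models the two conditions the
thread turned on:
  1. the TLS certificate on the issuer host must carry a DNS SAN matching the
     issuer hostname (otherwise curl reports error 51 and Konnect never logs
     "authority is now ready");
  2. the discovery document's "issuer" and the default authority's "iss" in the
     identifier registration must equal oidc/konnectd/issuer_identifier.
"""
import json
import socket
import ssl
from urllib.parse import urlsplit


def san_matches(hostname, san_entries):
    """RFC 6125-style DNS SAN match; a wildcard covers exactly one left-most label."""
    host = hostname.lower().rstrip(".")
    for kind, value in san_entries:
        if kind != "DNS":  # IP Address / email SANs do not satisfy a hostname check
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]  # "*.mydomain.at" -> ".mydomain.at"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:  # "meet" ok, "" and "a.b" are not
                return True
    return False


def check_oidc_setup(issuer_identifier, fqdn_sso, peer_sans, discovery_json, registration):
    """Return a list of findings; an empty list means the three settings agree."""
    findings = []
    parts = urlsplit(issuer_identifier)
    if parts.scheme != "https":
        findings.append(f"issuer {issuer_identifier} is not https; secure mode will reject it")
    issuer_host = parts.hostname or ""
    if fqdn_sso.lower() != issuer_host.lower():
        findings.append(f"kopano/docker/FQDN_SSO={fqdn_sso} differs from issuer host {issuer_host}")
    if not san_matches(issuer_host, peer_sans):
        names = [v for k, v in peer_sans if k == "DNS"]
        findings.append(f"no SAN in {names} matches issuer host {issuer_host} (curl error 51)")
    discovery = json.loads(discovery_json)
    if discovery.get("issuer", "").rstrip("/") != issuer_identifier.rstrip("/"):
        findings.append(f"discovery issuer {discovery.get('issuer')!r} != {issuer_identifier!r}")
    for authority in registration.get("authorities", []):
        if authority.get("default") and authority.get("iss", "").rstrip("/") != issuer_identifier.rstrip("/"):
            findings.append(f"default authority {authority.get('name')} has iss {authority.get('iss')!r}")
    return findings


def live_peer_sans(host, port=443, cafile=None):
    """Fetch the SAN list from a live host without letting a name mismatch abort the handshake.

    The chain is still verified (CERT_REQUIRED); for a UCS-issued certificate pass the
    UCS CA file (assumed path: /etc/univention/ssl/ucsCA/CAcert.pem). Not used offline.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return list(tls.getpeercert().get("subjectAltName", ()))


# Constructed inputs taken from the values posted in the thread; the discovery
# document is reduced to the one field the check uses.
DISCOVERY = json.dumps({"issuer": "https://meet.mydomain.at"})
REGISTRATION = {"authorities": [{"name": "ucs-konnect", "default": True,
                                 "iss": "https://meet.mydomain.at", "authority_type": "oidc"}]}
# Before the fix: the UCS-issued certificate names only the internal FQDN.
BEFORE = dict(issuer_identifier="https://meet.mydomain.at", fqdn_sso="meet.mydomain.at",
              peer_sans=[("DNS", "meet.mydomain.local"), ("DNS", "meet")],
              discovery_json=DISCOVERY, registration=REGISTRATION)
# After installing a public certificate that names the external FQDN.
AFTER = dict(BEFORE, peer_sans=[("DNS", "meet.mydomain.at")])

if __name__ == "__main__":
    for label, case in (("before", BEFORE), ("after", AFTER)):
        print(label, check_oidc_setup(**case) or ["OK"])
```

On a real UCS host the same check runs against live data by replacing `peer_sans` with `live_peer_sans(host, cafile=...)` and `discovery_json` with the body of the `.well-known/openid-configuration` request; the registration file is the YAML shown in the first post. Setting kopano/docker/INSECURE to yes would make Konnect skip the certificate check instead, which is why the Kopano reply limits that to debugging.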