Kopano Meet with UCS after "Login" 404 not found


  • Hi,

    Today I tried to install Meet on my UCS server. The installation ran well, and when I start the Meet app the “C” appears and the “Anmelde” button is shown. But after pushing the button I got a 404 Not Found error.

    The system is on the latest version, I can reach my server with the URL and the SSL certificates are valid. The ucs-sso.domain.intranet is reachable.

    I’m not sure where to search for the solution. Can you give me a hint?

    Kind regards

    Jochen

  • Kopano

    Hi @Jochen77,

    I have collected general debugging steps at https://wiki.z-hub.io/display/K4U/Debugging+Kopano+on+Univention#DebuggingKopanoonUnivention-Containerisedapps

    Generally it sounds like the redirect URL in the Univention OpenID provider is wrong (and therefore you get redirected to the wrong URL in the end). Which URL is it exactly that gives the 404?


  • Hi Felix,

    Sorry for replying so late. The 404 error points to:

    https://ucs.“external domain”.de
    https://ucs.“external domain”.de/meetid/favicon.ico

    Here are the output lines from the commands in your debugging page:

    univention-app info
    UCS: 4.4-6 errata767
    Installed: fetchmail=6.3.26 kopano-meet=2.2.3_0-1 letsencrypt=1.2.2-8 mailserver=12.0 nagios=4.3 nextcloud=19.0.3-0 openid-connect-provider=2.1-konnect-0.33.8 samba4=4.10
    Upgradable:
    
    ucr search --brief oidc/konnectd/issuer_identifier
    oidc/konnectd/issuer_identifier: https://ucs-sso.url.intranet
    
    curl $(ucr get oidc/konnectd/issuer_identifier)/.well-known/openid-configuration
    curl: (51) SSL: no alternative certificate subject name matches target host name 'ucs-sso.url.intranet'
    
    curl $(ucr get oidc/konnectd/issuer_identifier)/signin/v1/welcome
    curl: (51) SSL: no alternative certificate subject name matches target host name 'ucs-sso.jh-edvservice.intranet'
    
    curl https://$(ucr get kopano/docker/FQDN_SSO)/signin/v1/welcome
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL was not found on this server.</p>
    <hr>
    <address>Apache/2.4.25 (Univention) Server at ucs."External domain.de Port 443</address>
    </body></html>
    
    grep -v 'secret\|"d"\|"x"\|"y"' /etc/kopano/docker/konnectd-identifier-registration.yaml
    clients:
    - id: kpop-https://ucs.internal.intranet/meet/
      name: Kopano Meet
      application_type: web
      trusted: true
      redirect_uris:
      - https://ucs.internal.intranet/meet/
      trusted_scopes:
      - konnect/guestok
      - kopano/kwm
      jwks:
        keys:
        - kty: EC
          use: sig
          crv: P-256
          d: i6w6Wc7LuzU7yI7C0Bs6zRj7FKdswBjCK82BkjtCFjA
          kid: meet-kwmserver
          x: jbw5qu8ZNeLfw3JXAA9WQM7iHEXNUW0kwT44PzZZR5A
          y: 4tjyNIgibeohsEFqPj4VgiuPQQ1kgcmBAAEJOtgwc7s
      request_object_signing_alg: ES256
    - id: kpop-https://ucs.external.de/meet/
      name: Kopano Meet
      application_type: web
      trusted: true
      redirect_uris:
      - https://ucs.external.de/meet/
      trusted_scopes:
      - konnect/guestok
      - kopano/kwm
      jwks:
        keys:
        - kty: EC
          use: sig
          crv: P-256
          d: i6w6Wc7LuzU7yI7C0Bs6zRj7FKdswBjCK82BkjtCFjA
          kid: meet-kwmserver
          x: jbw5qu8ZNeLfw3JXAA9WQM7iHEXNUW0kwT44PzZZR5A
          y: 4tjyNIgibeohsEFqPj4VgiuPQQ1kgcmBAAEJOtgwc7s
      request_object_signing_alg: ES256
    authorities:
    - name: ucs-konnect
      default: true
      iss: https://ucs.external.de
      client_id: kopano-meet
      authority_type: oidc
      response_type: id_token
      scopes:
      - openid
      - profile
      - email
      trusted: true
      end_session_enabled: true
    

    Kind regards

    Jochen
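
Added note, not part of either post: the `grep -v` filter in the command above matches only quoted key names such as `"d"`, so with the unquoted YAML keys shown here the private `d` members of the JWKs pass through unfiltered. A key-aware redaction for sharing such a file, as an added example; the sample file is constructed, and `redact_registration`, `count_private_members` and `write_sample` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the thread): redact key material from a konnectd
# identifier registration before posting it in a forum or ticket.

# Replace the values of the keys d, x, y and of any key containing "secret",
# whether the key is quoted or not and whether it starts a list item or not.
# $1: path to the YAML file; the redacted copy is written to stdout.
redact_registration() {
    sed -E 's/^([[:space:]]*(-[[:space:]]+)?"?([dxy]|[A-Za-z_]*secret[A-Za-z_]*)"?[[:space:]]*:[[:space:]]*).*$/\1REDACTED/' "$1"
}

# Count lines on stdin that still carry a private EC member "d" with a real
# value. Used to verify a file is safe to share.
count_private_members() {
    awk '/^[ \t]*(-[ \t]+)?"?d"?[ \t]*:/ && $NF != "REDACTED" { n++ }
         END { print n + 0 }'
}

# Write a constructed sample registration (placeholder values only) to $1.
write_sample() {
    cat > "$1" <<'EOF'
clients:
- id: kpop-https://meet.example.test/meet/
  secret: CONSTRUCTED-SECRET
  redirect_uris:
  - https://meet.example.test/meet/
  jwks:
    keys:
    - kty: EC
      crv: P-256
      d: CONSTRUCTED-PRIVATE-VALUE
      kid: meet-kwmserver
      x: CONSTRUCTED-X
      y: CONSTRUCTED-Y
EOF
}

# Usage: sh redact.sh /etc/kopano/docker/konnectd-identifier-registration.yaml
if [ -n "${1:-}" ]; then
    redact_registration "$1"
fi
```

Piping the redacted output through `count_private_members` should print 0 before the text is pasted anywhere; a key whose `d` value has already been published should be treated as compromised and regenerated.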

  • Kopano

    @Jochen77 said in Kopano Meet with UCS after "Login" 404 not found:

    and the ssl certificates are valid.

    curl does disagree with you:

    curl $(ucr get oidc/konnectd/issuer_identifier)/.well-known/openid-configuration
    curl: (51) SSL: no alternative certificate subject name matches target host name 'ucs-sso.url.intranet'
    
    curl $(ucr get oidc/konnectd/issuer_identifier)/signin/v1/welcome
    curl: (51) SSL: no alternative certificate subject name matches target host name 'ucs-sso.jh-edvservice.intranet'
    

    It's also strange that this complains about two different domains not being part of the domain, as in the ucr variable has a different domain stored each time you request it. Is that a system with multiple UCS nodes?

    @Jochen77 said in Kopano Meet with UCS after "Login" 404 not found:

    curl https://$(ucr get kopano/docker/FQDN_SSO)/signin/v1/welcome
    [..]
    <address>Apache/2.4.25 (Univention) Server at ucs."External domain.de Port 443</address>
    

    This (that it's an Apache error) indicates that the Univention OpenID provider is not configured properly (which has to be done manually when changing the domain name). Normally it should proxy that URL to a Docker container, but that proxy seems to be missing in your case.