Webapp - Certificate auth fails

Hi!

I am just trying to setup Certificate Trust between Webapp, Spooler and Kopano Core.

I created some certificates. Spooller seems to talk to Kopano Core as it should through port 237 https:

# Login to the storage server using this SSL Key
sslkey_file = /etc/kopano/ssl/webapphttps.pem

# The password of the SSL Key
sslkey_pass = XXXXXXXX

Now, I tried the same with webapp:

define("DEFAULT_SERVER", "https://localhost:237/kopano");
define("SSLCERT_FILE", '/etc/kopano/ssl/webapphttps.pem');
define("SSLCERT_PASS", 'XXXXX');

…but Webapp cannot connect to Kopano Core:

PHP Warning:  mapi_logon_zarafa(): Unable to setup service for provider in class.mapisession.php on line 91, referer: .....

Can you give me a hint, what to do?
I double checked permissions, but www-data can read the .pem-File and the .pem-File is working (tested with Spooler).

Thank you and best wishes
Stril

Hi!

Some additional info:

There seems to be ANY communication. I tried to set:

define("DEFAULT_SERVER","https://localhost:237/kopano");
define("SSLCERT_FILE", "webapphttps.pem");

Now, I am getting two different errors:

If I use a wrong password:
Logon failed, another session already exists.

If I use the right password:
Cannot connect to Kopano Core.

Do you have any idea, why?

Regards,
Stril

Hi @Stril ,

at some point in the last releases we introduced a more strict hostname checking for ssl certs. does you certificate have a valid chain? i’d then recommend to use the actual hostname in the default_server field.

@fbartels said in Webapp - Certificate auth fails:

n the last releases we introduced a more strict hostname checking for ssl certs. does you certificate have a valid chain? i’d then recommend to use the actual hostname in the default_serv

Hi!

That could be the problem… As I connect to “localhost”, I thought, that the chain cannot be 100% valid. Do I need to create a server certificate with the “servername” and https://servername:237/kopano as DEFAULT_SERVER?

Regards

Hi!

I tried to change this, but the connect is not possible.

Webapp shows:
Unknown MAPI Error: MAPI_E_INVALID_PARAMETER

Apache error log:
PHP Warning: mapi_logon_zarafa(): Unable to setup service for provider in …class.mapisession.php on line 91

Is there any possibility to get more verbosity of the problem?

Regards,
Stril

I cannot say for the webapp, but in the server you can set log_level = 6 to see message about the ssl verification.

@marty do you know of any setting in webapp to make the error more verbose?

@fbartels said in Webapp - Certificate auth fails:

@marty do you know of any setting in webapp to make the error more verbose?

Hi!

server.cfg is already set to log_level = 6

In Webapp, I have set:

error_reporting(E_ALL);

…but there is not a single line in server.log about certificate issues…

Regards,
Stil

@Stril if the server is already running on loglevel 6, it seems the ssl connection never reaches the server.

@fbartels said in Webapp - Certificate auth fails:

@Stril if the server is already running on loglevel 6, it seems the ssl connection never reaches the server.

Hi!

Thats strange. kopano-spooler does connect through https and does not produce “log-output”, too.

I do not see any log entries - no matter, if I connect to localhost:237 or servername:237

Regards

@Stril which version are you running?

Hi!

I am running the latest version:
Kopano 8.4.0.1103
Webapp 3.4.0.764-0+517.1

Thank you for your help!!!

Regards,
Stril

Do you have any idea, what I could try?

Regards
Stril

Hi @Stril ,

did not yet have any further time to look into this. will probably do so over the course of the next week.

@fbartels said in Webapp - Certificate auth fails:

did not yet have any further time to look into this. will probably do so over the course of the next week.

That would be great. Thank you for your help.

Hi Felix!

Did you take a look at this? That would be great!

Regads,
Stril

Hi @Stril ,

no, no time yet but this is still on my list. If you’d want higher priority and have a subscription I’d recommend to open up a support case. Paying customer always go first.

Hi!

I opened a support case (paid customer).
The “trust” is working. Webapp disables authentication, if https-connection is set up (great), BUT: If I user apache-auth, webapp does not work anymore:

  • Start webapp in browser
  • Basic-Auth on apache2
  • Webapp shows “loading-circle” endlessly

To be sure about the working trust, I disabled Basic-Auth

  • Start webapp in browser
  • Webapp-Login appears
  • Login with user and WRONG password is possible (as in webaccess)
    –> Trust is working

Regards,
Stril

Hi @Stril ,

works for me.

  1. make the following changes to config.php of webapp
        define("DEFAULT_SERVER", "https://felix-KS-38462.lxd01.zarafa.lan:237/kopano");

        // When using a single-signon system on your webserver, but Kopano Core is on another server
        // you can use https to access the Kopano server, and authenticate using an SSL certificate.
        define("SSLCERT_FILE", "/etc/kopano/ssl/admin-felix-KS-38462.pem");
        define("SSLCERT_PASS", NULL);
  1. test if certificate overrides auth by loging in through webapp and giving wrong password
    -> works

  2. adapt apache vhost
    instead of setting up basic auth, I just hardcoded remote_user the following way SetEnv REMOTE_USER "user1"

  3. test if loging still succeeds
    -> it does and webapp loads completely.

WebApp:
3.4.0.790-0+526.1
Kopano Core:
8.4.90

If it weren’t for the fact that you can succesfully login without the basic auth I would say that there is a json parsing error in your users settings. The one way to make sure that this is not the case would be to create a new blank user and try to login with that user.
You should be able to see if it is indeed a parsing error by looking into the javascript console and maybe additionally the responses in the network tab in the developer tools of chrome.

Hi!

Sorry for the late answer. I did not see your post.

@fbartels said in Webapp - Certificate auth fails:

  1. make the following changes to config.php of webapp
        define("DEFAULT_SERVER", "https://felix-KS-38462.lxd01.zarafa.lan:237/kopano");

        // When using a single-signon system on your webserver, but Kopano Core is on another server
        // you can use https to access the Kopano server, and authenticate using an SSL certificate.
        define("SSLCERT_FILE", "/etc/kopano/ssl/admin-felix-KS-38462.pem");
        define("SSLCERT_PASS", NULL);
  1. test if certificate overrides auth by loging in through webapp and giving wrong password
    -> works

–> Yes, it is working.

  1. adapt apache vhost
    instead of setting up basic auth, I just hardcoded remote_user the following way SetEnv REMOTE_USER "user1"

–> I did the same test. Login with user “user1” is working. There is no “Login-window”.

  1. test if loging still succeeds
    -> it does and webapp loads completely.

–> Same for me.

If it weren’t for the fact that you can succesfully login without the basic auth I would say that there is a json parsing error in your users settings. The one way to make sure that this is not the case would be to create a new blank user and try to login with that user.
You should be able to see if it is indeed a parsing error by looking into the javascript console and maybe additionally the responses in the network tab in the developer tools of chrome.

I created a new user “user1” and tried to login with basic auth. The only error, I can see in the browser console is a 401 error for:
http://10.0.49.229/webapphttps/zarafa.php?subsystem=webapp_1502960818098

Javascriptconsole does not show anything in Chrome.

Do you have any idea, why there is the “401”-error?

Thank you for your help!!!

Regards,
Stril

Hi @stril ,

so login is now working for you?