Kopano Meet not working

Hi,

after installing OpenID Connect Provider and Kopano Meet I can’t get access to Meet.

At first I’ve linked the openid-connect-provider.conf into /etc/apache2/ucs-sites.conf.d as described in UCS SSO and LetsEncrypt but that did not solve the problem. Typing https://my-domain.de/meet in the browser result in https://server1.my-domain.intranet/meet//meet and “site not found” in the browser. I’ve tried Opera and Firefox. Same result with clicking on the “Open” button in UMC on the site Kopano Meet under “Use this App”.

Next I changed some rewrite rules in /etc/apache2/ucs-sites.conf.d/kopano-meet.conf. Now Opera correctly redirects to https://my-domain.de/meet/ and I get a site with the “C”-logo and:
App start failed with error
TypeError: Failed to fetch
Das ist ein schwerwiegender Fehler und die App must neu geladen werden.

In Firefox the message is:
Fehler: Umleitungsfehler
Beim Verbinden mit my-domain.de trat ein Fehler auf.

Same result in both browsers with clicking on the open button in UMC here too.

Seems there is something wrong in the configuration. Meantime I deinstalled Kopano Meet and reinstalled it again with no change.

Any ideas?

Uwe

Yes, the rewrite rules are a bit too eager, but once Meet is loaded it rewrites the path anyway to meet/r/call so I have kept it like this so far. If you want to contribute your updated rewrite rules through a pull request or patch you can find the project source at https://stash.z-hub.io/projects/K4U/repos/kopano-apps/browse/kopano-meet/preinst.

Is that an Apache error page or just a white page with the text?

Modern web applications are very sensitive to the url they are called with (for loading additional resources and to avoid csp issues). So when Meet originally wanted to redirect to https://server1.my-domain.intranet/meet/, then this could be the reason why https://my-domain.intranet/meet/ does not work.

The rewrite rules I have now changed into my external domain. After changing the rewrite rules the “site not found” error no longer occurs. The overeagerness is probably no longer a problem, too.

Now I get to the site with the login button. When clicking the button the address line briefly displays https://my-domain.de/meet/#oicd-callback&error=temporarily_unavailable&error_description=identifier failed to authenticate&state=... and after that switched back to the login page.

It looks like a step ahead, doesn’t it?

So long as you external domain isn’t server1.my-domain.intranet it will still not work. This is the domain the app uses to configure the openid app. Like I said modern web applications are very sensitive about the domain they are called with.

More information to debug could be found in the javascript console or the network tab of your browser. https://birdeatsbug.com/ is a nice browser extension that could be useful to debug further if you are indeed using server1.my-domain.intranet.

Hi @UweP,

in the test appcenter you can now find a version 1.2.1_0-2 which brings the possibility to configure the domain you are running Meet below (the domain itself must already work with e.g. the UMC).

I would be happy if you could gives this a try to see if it works for you.

Hi Frank,

thanks for the new version in the test appcenter. I quickly tried it out in a test environment (without correctly issued certificates). It seems to be working, of course in this test at least on the internal network. Meet can be started from the appcenter as expected and after successful registration I get to the main window from where I could invite other participants.

Next, I would maybe do another test in a production environment to test whether connections from / to external can be established. In the settings there is “Hostname where the OpenID Provider App is running”. Does the internal or external address have to be entered there?

Would this extension be available in a subsequent official version of meet?

I would also like to know if meet might have problems if the participants are connected to a company network via a VPN connection?

Uwe

Thats not my name :wink:

It needs to be a hostname that can be resolved by users that are supposed to login (guest are not logging in so don’t need to resolve it). But most importantly it needs to be the hostname that the openid provider app is configured for.

Yes, these changes will be included in the next app update (if it turns out to be working as expected). I am not 100% happy with the fact that the join scripts needs to be manually run, I am currently waiting for app review maybe there comes a better way out of it.

Very restrictive firewall rules could of course be a problem, but usually a properly configured turn service should provide enough of a remedy for this.

Hello Felix,

sorry, actually I already know that your name is not Frank …

Is there any idea when this version will be released?

I didn’t notice or realize that join scripts had to be run manually. After installation, Meet ran out of the box for me, except for the necessary linking of openid-connect-provider.conf.

Uwe

No problem at all. Just felt the need to mention since it was a wrong name. In fact you do not need to give a name at all.

That sounds like Meet and the OpenID provider are now running on the same domain. If they share the same domain there is an implicit trust that does not require updating the identifier registration (which is what the join script would do).

The app update with configurable domains has been released yesterday: https://www.univention.com/univention-app-center-en/2020/01/kopano-meet-updated-in-app-center/

Hi,

today I have deployed Meet from the UCS Appcenter on my test-machine (with self-signed certificate) and installation went trough without any errors.

Now I am facing the situation that I cant get over the meet logon-screen - looks like a kind of deadlock situtaion :frowning:

When I open https://test-server.test-domain.intranet/meet/ in my browser I get the Meet logon-screen. After hitting the logon-button I will be redirected to https://ucs-sso.test-domain.intranet/signin/v1/
After inserting my credentials there and hitting next I will be redirect to the Meet logon-screen again.

Any idea or recommendation how to troubleshoot this would be great and much appreciated!

Hi @tpfann,

that sounds like there was still an authorisation error. Did the join script run through? How is your (web-)domain setup? Are the self signed certs really self signed or the ones from the UCS CA?

To get further input why auth failed you could look at the authorisation requests in the network tab in your browser. Further hints could be found in the container output of kwmserver and konnect.

@Christian_Voelker can you move this into its own topic?

Hi fbartels,

thanks for your support and reply on this topic.

In my understanding yes:

RUNNING 50kopano-meet.inst
2020-01-30 16:31:54.204792427+01:00 (in joinscript_init)
Object removed: cn=kopano-meet,cn=oidc,cn=univention,dc=test-domain,dc=intranet
Object created: cn=kopano-meet,cn=oidc,cn=univention,dc=test-domain,dc=intranet
kopano_grapi is up-to-date
Starting kopano_ssl ...
kopano_web is up-to-date
kopano_kwmserver is up-to-date
kopano_kapi is up-to-date
kopano_meet is up-to-date
e[1Ae[2K Starting kopano_ssl ... e[32mdonee[0m e[1Bkopano_konnect is up-to-date
2020-01-30 16:31:57.756068079+01:00 (in joinscript_save_current_version)
EXITCODE=0
univention-join-hooks: looking for hook type "join/post-joinscripts" on test-server.test-domain.intranet
Found hooks:


Do 30. Jan 16:31:59 CET 2020
univention-run-join-scripts finished

Not sure what you mean?
Kopano Meet was deployed on a virtual machines that is running in a dedicated (isolated) test-domain. Adress resolution from outside this machine is done via a host file. Other services like Kopano Webapp, ownCloud or Wordpress are runing without problems on this setup.

The one that was automatically deployed during the UCS installation process (UCS CA)

Inspecting the browser-tab shows me 2 errors:

Error during service worker registration: DOMException: Failed to register a ServiceWorker for scope ('https://test-server.test-domain/meet/') with script ('https://test-server.test-domain/meet/service-worker.js'): An SSL certificate error occurred when fetching the script.
(anonymous) @ index.js:121

and

oidc failed to complete authentication ErrorResponse: unknown client_id: kpop-https://test-server.test-domain.intranet/meet/
    at new e (7.12ebb414.chunk.js:1)
    at t._processSigninParams (7.12ebb414.chunk.js:1)
    at t.validateSigninResponse (7.12ebb414.chunk.js:1)
    at 7.12ebb414.chunk.js:1
(anonymous) @ 7.12ebb414.chunk.js:1

kwmserver log:

2020/02/01 10:25:34 Waiting for https://test-server.test-domain.intranet/kopanoid/.well-known/openid-configuration: unexpected HTTP status code: 502.
2020/02/01 10:26:05 Ready: https://test-server.test-domain/kopanoid/.well-known/openid-configuration.
2020/02/01 10:26:05 Ready: file:///var/lib/dbus/machine-id.
2020/02/01 10:26:05 Ready: file:///etc/machine-id.
time="2020-02-01T10:26:05Z" level=info msg="serve start"
time="2020-02-01T10:26:05Z" level=info msg="using external TURN service: https://turnauth.kopano.com/turnserverauth/"
time="2020-02-01T10:26:05Z" level=info msg="serve started"
time="2020-02-01T10:26:05Z" level=warning msg="admin: using random admin tokens singing key - API endpoint admin disabled"
time="2020-02-01T10:26:05Z" level=info msg="pattern ^group/public/.* public guest rooms enabled" manager=guest
time="2020-02-01T10:26:05Z" level=info msg="guest: API endpoint enabled"
time="2020-02-01T10:26:05Z" level=info msg="rtm: API endpoint enabled"
time="2020-02-01T10:26:05Z" level=info msg="starting http listener" listenAddr="0.0.0.0:8778"
time="2020-02-01T10:26:05Z" level=info msg="ready to handle requests"

konnect log:

2020/02/01 10:25:41 Waiting for: file:///etc/machine-id
2020/02/01 10:25:41 Waiting for: file:///var/lib/dbus/machine-id
2020/02/01 10:25:42 File file:///etc/machine-id had been generated
2020/02/01 10:25:42 File file:///var/lib/dbus/machine-id had been generated
time="2020-02-01T10:25:42Z" level=info msg="serve start"
time="2020-02-01T10:25:42Z" level=info msg="client controlled guests are enabled"
time="2020-02-01T10:25:42Z" level=info msg="loading encryption secret from file" file=/kopano/ssl/konnectd-encryption.key
time="2020-02-01T10:25:42Z" level=info msg="loading signing key" path=/kopano/ssl/konnectd-tokens-signing-key.pem
time="2020-02-01T10:25:42Z" level=warning msg="skipped as signer with same kid already loaded" kid=konnectd-tokens-signing-key path=/kopano/ssl/konnectd-tokens-signing-key.pem
time="2020-02-01T10:25:42Z" level=info msg="encryption set up with 32 key size"
time="2020-02-01T10:25:42Z" level=warning msg="authority has no id, using name" id=ucs-konnect
time="2020-02-01T10:25:42Z" level=info msg="using external default authority" id=ucs-konnect
time="2020-02-01T10:25:42Z" level=info msg="ldap server identifier backend set up" ldap="ldap://test-server.test-domain.intranet:7389 "
time="2020-02-01T10:25:42Z" level=info msg="identifier set up" security="A256GCM:A256GCMKW"
time="2020-02-01T10:25:42Z" level=info msg="using identifier backed identity manager"
time="2020-02-01T10:25:42Z" level=info msg="identity manager set up" claims="[name family_name given_name email email_verified]" name=ldap scopes="[offline_access konnect/raw_sub kopano/gc kopano/kwm kopano/kvs kopano/pubs profile email konnect/uuid]"
time="2020-02-01T10:25:42Z" level=info msg="identity guest manager set up"
time="2020-02-01T10:25:42Z" level=info msg="set provider signing alg" alg=PS256
time="2020-02-01T10:25:42Z" level=info msg="set provider signing key" id=konnectd-tokens-signing-key method="*jwt.SigningMethodRSAPSS" type="*rsa.PrivateKey"
time="2020-02-01T10:25:42Z" level=info msg="set provider validation key" id=konnectd-tokens-signing-key type="*rsa.PublicKey"
time="2020-02-01T10:25:42Z" level=info msg="set provider validation key" id=default type="*rsa.PublicKey"
time="2020-02-01T10:25:42Z" level=info msg="oidc token signing default set up" alg=PS256 id=konnectd-tokens-signing-key method="*jwt.SigningMethodRSAPSS"
time="2020-02-01T10:25:42Z" level=info msg="serve started"
time="2020-02-01T10:25:42Z" level=info msg="starting http listener" listenAddr="0.0.0.0:8777"
time="2020-02-01T10:25:42Z" level=info msg="ready to handle requests"
time="2020-02-01T10:25:43Z" level=error msg="error while oidc provider update: oidc provider error: failed to fetch discover document: failed to fetch JSON (status: 503)" id=ucs-konnect type=oidc
time="2020-02-01T10:25:46Z" level=error msg="error while oidc provider update: oidc provider error: failed to fetch discover document: failed to fetch JSON (status: 503)" id=ucs-konnect type=oidc
time="2020-02-01T10:25:49Z" level=error msg="error while oidc provider update: oidc provider error: failed to fetch discover document: failed to fetch JSON (status: 503)" id=ucs-konnect type=oidc
time="2020-02-01T10:25:52Z" level=error msg="error while oidc provider update: oidc provider error: failed to fetch discover document: failed to fetch JSON (status: 503)" id=ucs-konnect type=oidc
time="2020-02-01T10:25:55Z" level=error msg="error while oidc provider update: oidc provider error: failed to fetch discover document: failed to fetch JSON (status: 503)" id=ucs-konnect type=oidc
time="2020-02-01T10:25:58Z" level=error msg="error while oidc provider update: oidc provider error: failed to fetch discover document: failed to fetch JSON (status: 503)" id=ucs-konnect type=oidc
time="2020-02-01T10:26:01Z" level=error msg="error while oidc provider update: oidc provider error: failed to fetch discover document: failed to fetch JSON (status: 503)" id=ucs-konnect type=oidc
time="2020-02-01T10:26:04Z" level=error msg="error while oidc provider update: oidc provider error: failed to fetch discover document: failed to fetch JSON (status: 503)" id=ucs-konnect type=oidc
time="2020-02-01T10:26:07Z" level=error msg="error while oidc provider update: oidc provider error: failed to fetch discover document: failed to fetch JSON (status: 503)" id=ucs-konnect type=oidc
time="2020-02-01T10:26:10Z" level=error msg="error while oidc provider update: oidc provider error: failed to fetch discover document: failed to fetch JSON (status: 503)" id=ucs-konnect type=oidc
time="2020-02-01T10:26:13Z" level=error msg="error while oidc provider update: oidc provider error: failed to fetch discover document: failed to fetch JSON (status: 503)" id=ucs-konnect type=oidc
time="2020-02-01T10:26:16Z" level=error msg="error while oidc provider update: oidc provider error: failed to fetch discover document: failed to fetch JSON (status: 502)" id=ucs-konnect type=oidc
time="2020-02-01T10:26:19Z" level=info msg="authority is now ready" id=ucs-konnect type=oidc

Seems something is broken with oidc, I really don’t know how to further troubleshoot or fix this :frowning:

There seems to be a problem with the client_id. Can you post the following:

univention-app info
ucr dump | grep -e 'kopano/docker\|oidc/konnectd/issuer_identifier' | grep -v PASSWORD
univention-ldapsearch cn=kopano-meet
cat /etc/kopano/docker/konnectd-identifier-registration.yaml 

Sure :wink:

univention-app info:
UCS: 4.4-3 errata433
Installed: bareos=17.2.6 fetchmail=6.3.26 kde=5.8 kopano-core=8.7.1.0-1 kopano-w ebapp=3.5.5.2276 nagios=4.3 self-service=4.0 wordpress=5.2.3 z-push-kopano=2.4.5 4.3/kopano-meet=1.2.1_0-2 4.3/openid-connect-provider=1.1-konnect-0.23.3 4.3/ow ncloud=10.3.2
Upgradable:

ucr dump | grep -e ‘kopano/docker|oidc/konnectd/issuer_identifier’ | grep -v PASSWORD:
kopano/docker/FQDN_MEET: test-server.test-domain.intranet
kopano/docker/FQDN_SSO: ucs-sso.test-domain.intranet
kopano/docker/GRID_WEBAPP: yes
kopano/docker/INSECURE: yes
kopano/docker/MEET_GUEST_ALLOW: yes
kopano/docker/MEET_GUEST_REGEXP: ^group/public/.*
oidc/konnectd/issuer_identifier: https://ucs-sso.test-domain.intranet

univention-ldapsearch cn=kopano-meet:

# extended LDIF
#
# LDAPv3
# base <dc=test-domain,dc=intranet> (default) with scope subtree
# filter: cn=kopano-meet
# requesting: ALL
#

# kopano-meet, apps, univention, test-domain.intranet
dn: cn=kopano-meet,cn=apps,cn=univention,dc=test-domain,dc=intranet
objectClass: top
objectClass: organizationalRole
objectClass: univentionObject
univentionObjectType: container/cn
cn: kopano-meet

# kopano-meet, portal, univention, test-domain.intranet
dn: cn=kopano-meet,cn=portal,cn=univention,dc=test-domain,dc=intranet
univentionPortalEntryDisplayName: en_US Kopano Meet
univentionPortalEntryDisplayName: de_DE Kopano Meet
cn: kopano-meet
univentionPortalEntryCategory: service
objectClass: top
objectClass: univentionPortalEntry
objectClass: univentionObject
univentionObjectType: settings/portal_entry
univentionPortalEntryLinkTarget: useportaldefault
univentionPortalEntryActivate: TRUE
univentionPortalEntryPortal: cn=domain,cn=portal,cn=univention,dc=test-domain,dc=intranet
univentionPortalEntryDescription:: ZGVfREUgRGllIHNpY2hlcmUgT3BlbiBTb3VyY2UgVmlkZW9rb25mZXJlbnpsw7ZzdW5nIGbDvHIgZGVuIHByb2Zlc3Npb25lbGxlbiBFaW5zYXR6
univentionPortalEntryDescription: en_US The secure and open source videoconferencing solution for professionals
univentionPortalEntryIcon: PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4NCjwhLS0gR2VuZXJhdG9yOiBBZG9iZSBJbGx1c3RyYXRvciAyMi4xLjAsIFNWRyBFeHBvcnQgUGx1Zy1JbiAuIFNWRyBWZXJzaW9uOiA2LjAwIEJ1aWxkIDApICAtLT4NCjxzdmcgdmVyc2lvbj0iMS4xIiBpZD0iTGF5ZXJfMSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxuczp4bGluaz0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluayIgeD0iMHB4IiB5PSIwcHgiDQoJIHZpZXdCb3g9IjAgMCAyNCAyNCIgc3R5bGU9ImVuYWJsZS1iYWNrZ3JvdW5kOm5ldyAwIDAgMjQgMjQ7IiB4bWw6c3BhY2U9InByZXNlcnZlIj4NCjxnPg0KCTxnPg0KCQk8cGF0aCBzdHlsZT0iZmlsbDojNDE0MTQxOyIgZD0iTTE0LjksMThDMTQsMTguNCwxMywxOC42LDEyLDE4LjZjLTMuNywwLTYuNy0zLTYuNy02LjZjMC0zLjcsMy02LjYsNi43LTYuNmMxLDAsMiwwLjIsMi45LDAuNw0KCQkJbDMuMy0xLjlDMTYuNSwyLjgsMTQuMywyLDEyLDJDNi41LDIsMiw2LjUsMiwxMnM0LjUsMTAsMTAsMTBjMi4zLDAsNC41LTAuOCw2LjItMi4xTDE0LjksMTh6Ii8+DQoJPC9nPg0KCTxwYXRoIHN0eWxlPSJmaWxsOiM4Q0M1NDA7IiBkPSJNMjQsMTguNXYtMTNjMC0wLjQtMC40LTAuNi0wLjgtMC40bC03LjksNC42djQuN2w3LjksNC42QzIzLjYsMTkuMSwyNCwxOC45LDI0LDE4LjV6Ii8+DQo8L2c+DQo8L3N2Zz4NCg==
univentionPortalEntryLink: https://192.168.0.8/meet
univentionPortalEntryLink: http://192.168.0.8/meet
univentionPortalEntryLink: http://test-server.test-domain.intranet/meet
univentionPortalEntryLink: https://test-server.test-domain.intranet/meet
univentionPortalEntryAuthRestriction: anonymous

# kopano-meet, oidc, univention, test-domain.intranet
dn: cn=kopano-meet,cn=oidc,cn=univention,dc=test-domain,dc=intranet
clientsecret: TVolLEDVi7jVQ3M9ZwYzbKfoD7kSFh22
cn: kopano-meet
objectClass: top
objectClass: univentionOIDCService
objectClass: univentionObject
univentionObjectType: oidc/rpservice
clientid: kopano-meet
applicationType: web
redirectURI: https://test-server.test-domain.intranet/kopanoid/signin/v1/identifier/oauth2/cb
trusted: yes

# search result
search: 3
result: 0 Success

# numResponses: 4
# numEntries: 3

cat /etc/kopano/docker/konnectd-identifier-registration.yaml:

clients: null
authorities:
- name: ucs-konnect
  default: true
  iss: https://ucs-sso.test-domain.intranet
  client_id: kopano-meet
  client_secret: TVolLEDVi7jVQ3M9ZwYzbKfoD7kSFh22
  authority_type: oidc
  response_type: id_token
  scopes:
  - openid
  - profile
  - email

From a quick glance I cannot really spot an error in your files.

One thing though:

This option is really only there for development and when using untrusted certificates, but you do not need this when using the Univention CA as this is mounted into the container and therefore trusted.

If you have a subscription I recommend to reach out to our support so that someone can have a direct look at your system.

Hi,

changed the value of “kopano/docker/INSECURE” to no but the problem remains.
Anyway, thanks alot for your support!

Hello Felix,

now I have installed meet and configured my domain in the settings. First I set the FQND for meet to my external domain and the FQND for OpenID Provider App to the internal domain. I logged in to meet with an local account and created a public group. With the invitation link I then get to the login screen when I use an external network. When trying to login I get the oicd-callback error as seen in december.

Next I changed the FQDN for OpenID Provider App to the external domain, too. Than I get to the login screen from external network as before. Login is now possible but I have to use an existing account. I thought guests could log in without using an account? I can’t do that. Did I misunderstand something?

When I log in with an account the connection is established but without picture and sound. Is that the thing with the missing turn server when one is in different networks?

If I log in from the same network I can establish a connection with picture and sound in both directions. However, I have to use an existing account for the login of a guest anyway. The created group is public, I’m sure.

Uwe

Yes, they can. Maybe you shared the wrong link with the guest? https://documentation.kopano.io/kopano_meet_manual/user.html#inviting-users-and-guests-to-a-group

Yes, that sounds like you are missing a turn service.

Even if I do it again according to the documentation I cannot log in without registration whether I share the link or send it by mail. I am directed to a login page with the request “Choose an account to sign in to Kopano”. I think something else is wrong here. The link is https://my-domain.de/meet/r/group/public/xxx Isn’t that right?

The TURN server is only accessible by subscription, is that correct? In the description of Meet in the UCS Appcenter it reads as like you only need to request access to the service. The link in the Appcenter leads to page “Try Meet Free Community Package”. It’s a bit confusing that you first log in and then get a mail informing you that the TURN server is only available to users with subscription. Could you please make this clearer in the Appcenter?

Uwe