Kopano Meet SSO Loop

aashutosh · September 10, 2020, 2:49pm

Hi,

I have followed instructions in configure-saml-single-sign-on-as-single-server-solution/6681 to configure the SSO for my domain and changed it to digital.quadridge.com.

I installed Kopano-Meet Plugin which allows Integration of Kopano Meet into Webapp Interface. When I login the the page simplesamlphp saml2 idp SSOService.php opens and goes in loop by changing values of Relaystate and SAML request.

Here’s my output of univention-app logs openid-connect-provider
time=“2020-09-10T19:38:05+05:30” level=debug msg=“SAML2 provider meta data loaded and initialized” id=univention issuer="/simplesamlphp/saml2/idp/metadata.php" signing_certs=1 type=saml2
time=“2020-09-10T19:39:08+05:30” level=debug msg=“saml2 attributeStatement” FriendlyName= Name=uid NameFormat=“urn:oasis:names:tc:SAML:2.0:attrname-format:basic” Values="[aashutosh]"
time=“2020-09-10T19:39:08+05:30” level=debug msg=“saml2 authnStatement” SessionIndex=_b05a8dcb266212d3a03c6aa619e32a08c3a170d569 SessionNotOnOrAfter=“2020-09-11 02:09:08 +0000 UTC”
time=“2020-09-10T19:39:08+05:30” level=debug msg=“saml2 attributeStatement” FriendlyName= Name=uid NameFormat=“urn:oasis:names:tc:SAML:2.0:attrname-format:basic” Values="[aashutosh]"
(ABOVE LINE REPEATS)

Here is my syslog for SAML
ep 10 19:39:08 digital simplesamlphp[10382]: 5 STAT [062d814fab] User ‘aashutosh’ successfully authenticated from 1.22.109.194
Sep 10 19:39:08 digital simplesamlphp[10382]: 5 STAT [062d814fab] saml20-idp-SSO-first openid-connect-provider digital.quadridge.com/simplesamlphp/saml2/idp/metadata.php NA
(ABOVE LINE REPEATS)

fbartels · September 11, 2020, 6:53am

Hi @aashutosh,

that sound a bit like the configured domains do not really match up. It could be interesting to see what is logged in the Konnect instance of Meet.

General steps for debugging Meet on UCS can be found at https://wiki.z-hub.io/display/K4U/Debugging+Kopano+on+Univention#DebuggingKopanoonUnivention-Containerisedapps

aashutosh · September 11, 2020, 7:28am

Hi,
I checked those debugging steps - reproducing the tail log for your perusal.

UCS: 4.4-5 errata737
Installed: kopano-core=8.7.1.0-1 kopano-meet=2.2.3_0-1 kopano-webapp=3.5.14.2539-2 letsencrypt=1.2.2-8 z-push-kopano=2.4.5 4.3/openid-connect-provider=2.0-konnect-0.33.3
Upgradable:

ucr search --brief oidc/konnectd/issuer_identifier
oidc/konnectd/issuer_identifier: https://digital.quadridge.com

{
  "issuer": "https://digital.quadridge.com",
  "authorization_endpoint": "https://digital.quadridge.com/signin/v1/identifier/_/authorize",
  "token_endpoint": "https://digital.quadridge.com/konnect/v1/token",
  "userinfo_endpoint": "https://digital.quadridge.com/konnect/v1/userinfo",
  "end_session_endpoint": "https://digital.quadridge.com/signin/v1/identifier/_/endsession",
  "check_session_iframe": "https://digital.quadridge.com/konnect/v1/session/check-session.html",
  "jwks_uri": "https://digital.quadridge.com/konnect/v1/jwks.json",
  "scopes_supported": [
    "openid",
    "offline_access",
    "profile",
    "email",
    "konnect/uuid",
    "konnect/raw_sub"
  ],
  "response_types_supported": [
    "id_token token",
    "id_token",
    "code id_token",
    "code id_token token"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256",
    "RS384",
    "RS512",
    "PS256",
    "PS384",
    "PS512"
  ],
  "userinfo_signing_alg_values_supported": [
    "RS256",
    "RS384",
    "RS512",
    "PS256",
    "PS384",
    "PS512"
  ],
  "request_object_signing_alg_values_supported": [
    "ES256",
    "ES384",
    "ES512",
    "RS256",
    "RS384",
    "RS512",
    "PS256",
    "PS384",
    "PS512",
    "none",
    "EdDSA"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "none"
  ],
  "token_endpoint_auth_signing_alg_values_supported": [
    "RS256",
    "RS384",
    "RS512",
    "PS256",
    "PS384",
    "PS512"
  ],
  "claims_parameter_supported": true,
  "claims_supported": [
    "iss",
    "sub",
    "aud",
    "exp",
    "iat",
    "name",
    "family_name",
    "given_name",
    "email",
    "email_verified"
  ],
  "request_parameter_supported": true,
  "request_uri_parameter_supported": false
}

kopano_meet         | [DEV NOTICE] Registered directive 'alias' at end of list
kopano_meet         | [DEV NOTICE] Registered directive 'configjson' at end of list
kopano_meet         | [DEV NOTICE] Registered directive 'fastcgi2' before 'fastcgi'
kopano_meet         | [DEV NOTICE] Registered directive 'folderish' before 'redir'
kopano_meet         | [DEV NOTICE] Registered directive 'staticpwa' at end of list
kopano_meet         | Activating privacy features... done.
kopano_meet         |
kopano_meet         | Serving HTTP on port 9080
kopano_meet         | http://0.0.0.0:9080
kopano_meet         |
kopano_kapi         | level=debug msg="pubs: initialize with 512 bits HMAC-SHA256 key" broadcast="9i_DZV5hUOKCUCiZkDXFRNHe1cme1txxGEyUSXP3tpc="
kopano_kapi         | level=debug msg="kv: database version: 1 dirty: false"
kopano_kapi         | level=debug msg="kvs: store initialize complete"
kopano_kapi         | level=debug msg="OIDC provider initialized" iss="https://digital.quadridge.com/meetid"
kopano_kapi         | level=info msg="starting http listener" listenAddr="0.0.0.0:8039"
kopano_kapi         | level=info msg="ready to handle requests"
kopano_kapi         | level=debug msg="grapi: found 8 rest*.sock upstream proxy workers"
kopano_kapi         | level=debug msg="grapi: enabled default api proxy"
kopano_kapi         | level=debug msg="grapi: found 8 notify*.sock upstream proxy workers"
kopano_kapi         | level=debug msg="grapi: enabled subscription proxy"
kopano_web          | 172.20.0.1 - - [11/Sep/2020:07:22:19 +0000] "GET /meetid/signin/v1/identifier/_/authorize?client_id=kpop-https%3A%2F%2Fdigital.quadridge.com%2Fmeet%2F&redirect_uri=https%3A%2F%2Fdigital.quadridge.com%2Fmeet%2F%23oidc-silent-refresh&response_type=code&scope=openid%20profile%20email%20kopano%2Fkwm%20kopano%2Fgc%20kopano%2Fkvs&state=5e0cee6bf8614a7e919b5c16d5f41a52&code_challenge=VAaQDpzn6W27wb9I9ykCRhSdCRpZhpYIZ2ibVxQaw6s&code_challenge_method=S256&prompt=none&response_mode=fragment&claims=%7B%22id_token%22%3A%7B%22name%22%3Anull%7D%7D HTTP/1.1" 302 23
kopano_web          | 172.20.0.1 - - [11/Sep/2020:07:22:21 +0000] "GET /meet/service-worker.js HTTP/1.1" 304 0
kopano_web          | 172.20.0.1 - - [11/Sep/2020:07:22:22 +0000] "POST /api/kwm/v2/guest/logon HTTP/1.1" 400 43
kopano_web          | 172.20.0.1 - - [11/Sep/2020:07:22:22 +0000] "GET /meetid/konnect/v1/session/check-session.html HTTP/1.1" 200 3029
kopano_web          | 172.20.0.1 - - [11/Sep/2020:07:22:22 +0000] "GET /meetid/signin/v1/identifier/_/authorize?client_id=kpop-https%3A%2F%2Fdigital.quadridge.com%2Fmeet%2F&redirect_uri=https%3A%2F%2Fdigital.quadridge.com%2Fmeet%2F%23oidc-popup-callback&response_type=code&scope=openid%20profile%20email%20kopano%2Fkwm%20kopano%2Fgc%20kopano%2Fkvs&state=5cf91c30c6cb442280a2412e559df56f&code_challenge=gT_eQpRKk-R2quMRLpyBv2pGVEMkhApB2YwuJ4ypv9w&code_challenge_method=S256&prompt=select_account&display=popup&response_mode=fragment&claims=%7B%22id_token%22%3A%7B%22name%22%3Anull%7D%7D HTTP/1.1" 302 23
kopano_web          | 172.20.0.1 - - [11/Sep/2020:07:22:22 +0000] "GET /meetid/signin/v1/identifier?claims=%7B%22id_token%22%3A%7B%22name%22%3Anull%7D%7D&client_id=kpop-https%3A%2F%2Fdigital.quadridge.com%2Fmeet%2F&code_challenge=gT_eQpRKk-R2quMRLpyBv2pGVEMkhApB2YwuJ4ypv9w&code_challenge_method=S256&display=popup&flow=oidc&prompt=select_account&redirect_uri=https%3A%2F%2Fdigital.quadridge.com%2Fmeet%2F%23oidc-popup-callback&response_mode=fragment&response_type=code&scope=openid+profile+email+kopano%2Fkwm+kopano%2Fgc+kopano%2Fkvs&state=5cf91c30c6cb442280a2412e559df56f HTTP/1.1" 302 23
kopano_web          | 172.20.0.1 - - [11/Sep/2020:07:22:30 +0000] "GET /.well-known/openid-configuration HTTP/1.1" 200 531
kopano_web          | 172.20.0.1 - - [11/Sep/2020:07:22:30 +0000] "GET /meetid/konnect/v1/jwks.json HTTP/1.1" 200 699
kopano_web          | 172.20.0.1 - - [11/Sep/2020:07:22:31 +0000] "GET /.well-known/openid-configuration HTTP/1.1" 200 531
kopano_web          | 172.20.0.1 - - [11/Sep/2020:07:22:31 +0000] "GET /meetid/konnect/v1/jwks.json HTTP/1.1" 200 701
kopano_grapi        | Notice: Container is run read-only, skipping package installation.
kopano_grapi        | If you want to have additional packages installed in the container either:
kopano_grapi        | - build your own image with the packages already included
kopano_grapi        | - switch the container to 'read_only: false'
kopano_grapi        | Sep 11 09:10:58 Configure core service 'grapi'
kopano_grapi        | Using Kopano Groupware Core: 10.0.5.169.76699329d-0+148.1
kopano_grapi        | 2020/09/11 09:10:59 Ready: file:///var/lib/dbus/machine-id.
kopano_grapi        | 2020/09/11 09:10:59 Ready: file:///etc/machine-id.
kopano_grapi        | Using Kopano Grapi: 10.4.3+0.c8f4d9b-0+36.1
kopano_grapi        | 2020-09-11 09:10:59,687 master    [    6] INFO     starting kopano-mfr
kopano_ssl          | -rw-r--r--    1 nobody   nobody         227 Sep 10 13:36 /kopano/ssl/meet-kwmserver.pem
kopano_ssl          | Client public keys:
kopano_ssl          | -rw-r--r--    1 root     root           451 Sep  9 13:02 /kopano/ssl/clients/admin-public.pem
kopano_ssl          | -rw-r--r--    1 root     root           451 Sep  9 13:02 /kopano/ssl/clients/kopano_dagent-public.pem
kopano_ssl          | -rw-r--r--    1 root     root           451 Sep  9 13:02 /kopano/ssl/clients/kopano_monitor-public.pem
kopano_ssl          | -rw-r--r--    1 root     root           451 Sep  9 13:02 /kopano/ssl/clients/kopano_search-public.pem
kopano_ssl          | -rw-r--r--    1 root     root           451 Sep  9 13:02 /kopano/ssl/clients/kopano_server-public.pem
kopano_ssl          | -rw-r--r--    1 root     root           451 Sep  9 13:02 /kopano/ssl/clients/kopano_server_2-public.pem
kopano_ssl          | -rw-r--r--    1 root     root           451 Sep  9 13:02 /kopano/ssl/clients/kopano_spooler-public.pem
kopano_ssl          | -rw-r--r--    1 root     root           451 Sep  9 13:02 /kopano/ssl/clients/kopano_webapp-public.pem
kopano_ssl exited with code 0
kopano_web          | 172.20.0.1 - - [11/Sep/2020:07:23:30 +0000] "GET /.well-known/openid-configuration HTTP/1.1" 200 531
kopano_web          | 172.20.0.1 - - [11/Sep/2020:07:23:30 +0000] "GET /meetid/konnect/v1/jwks.json HTTP/1.1" 200 701
kopano_web          | 172.20.0.1 - - [11/Sep/2020:07:23:31 +0000] "GET /.well-known/openid-configuration HTTP/1.1" 200 531
kopano_web          | 172.20.0.1 - - [11/Sep/2020:07:23:31 +0000] "GET /meetid/konnect/v1/jwks.json HTTP/1.1" 200 699
kopano_web          | 172.20.0.1 - - [11/Sep/2020:07:24:30 +0000] "GET /.well-known/openid-configuration HTTP/1.1" 200 531
kopano_web          | 172.20.0.1 - - [11/Sep/2020:07:24:30 +0000] "GET /meetid/konnect/v1/jwks.json HTTP/1.1" 200 701
kopano_web          | 172.20.0.1 - - [11/Sep/2020:07:24:31 +0000] "GET /.well-known/openid-configuration HTTP/1.1" 200 531
kopano_web          | 172.20.0.1 - - [11/Sep/2020:07:24:31 +0000] "GET /meetid/konnect/v1/jwks.json HTTP/1.1" 200 701

fbartels · September 11, 2020, 9:24am

Hi @aashutosh,

you output does not include logging from the Konnect instance. It would be best if you include the output of all of the commands from the page I linked you to (on top of the logging from the kopano_konnect container).

aashutosh · September 11, 2020, 9:33am

My bad, I missed it. Kopano connect is throwing error. Please refer the trail. How do I resolve it?

docker-compose logs -f --tail=10 web
Attaching to kopano_web
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:27:33 +0000] "GET /meet/static/media/roboto-latin-700italic.010c1aee.woff2?__WB_REVISION__=010c1aeee3c6d1cbb1d5761d80353823 HTTP/1.1" 200 16572
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:27:33 +0000] "GET /meet/index.html?__WB_REVISION__=3c4f6a0f79bcc8f180d5d3c905e27d0c HTTP/1.1" 200 666
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:28:07 +0000] "GET /meetid/konnect/v1/jwks.json HTTP/1.1" 200 701
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:28:14 +0000] "GET /.well-known/openid-configuration HTTP/1.1" 200 531
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:28:14 +0000] "GET /meetid/konnect/v1/jwks.json HTTP/1.1" 200 701
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:28:19 +0000] "GET /.well-known/openid-configuration HTTP/1.1" 200 531
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:28:35 +0000] "GET /meetid/konnect/v1/session/check-session.html HTTP/1.1" 200 3031
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:28:35 +0000] "POST /api/kwm/v2/guest/logon HTTP/1.1" 400 43
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:28:35 +0000] "GET /meetid/signin/v1/identifier/_/authorize?client_id=kpop-https%3A%2F%2Fdigital.quadridge.com%2Fmeet%2F&redirect_uri=https%3A%2F%2Fdigital.quadridge.com%2Fmeet%2F%23oidc-popup-callback&response_type=code&scope=openid%20profile%20email%20kopano%2Fkwm%20kopano%2Fgc%20kopano%2Fkvs&state=f887c8d361784ef8811e7e6f75215565&code_challenge=ofSv-1yBorP8xOChjxTFyiokyMeKP2LDqIDrCJ2SxP8&code_challenge_method=S256&prompt=select_account&display=popup&response_mode=fragment&claims=%7B%22id_token%22%3A%7B%22name%22%3Anull%7D%7D HTTP/1.1" 302 23
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:28:35 +0000] "GET /meetid/signin/v1/identifier?claims=%7B%22id_token%22%3A%7B%22name%22%3Anull%7D%7D&client_id=kpop-https%3A%2F%2Fdigital.quadridge.com%2Fmeet%2F&code_challenge=ofSv-1yBorP8xOChjxTFyiokyMeKP2LDqIDrCJ2SxP8&code_challenge_method=S256&display=popup&flow=oidc&prompt=select_account&redirect_uri=https%3A%2F%2Fdigital.quadridge.com%2Fmeet%2F%23oidc-popup-callback&response_mode=fragment&response_type=code&scope=openid+profile+email+kopano%2Fkwm+kopano%2Fgc+kopano%2Fkvs&state=f887c8d361784ef8811e7e6f75215565 HTTP/1.1" 302 23

kopano_konnect      | time="2020-09-11T07:11:10Z" level=info msg="set provider signing alg" alg=PS256
kopano_konnect      | time="2020-09-11T07:11:10Z" level=info msg="set provider signing key" id=konnectd-tokens-signing-key method="*jwt.SigningMethodRSAPSS" type="*rsa.PrivateKey"
kopano_konnect      | time="2020-09-11T07:11:10Z" level=info msg="set provider validation key" id=konnectd-tokens-signing-key type="*rsa.PublicKey"
kopano_konnect      | time="2020-09-11T07:11:10Z" level=info msg="set provider validation key" id=default type="*rsa.PublicKey"
kopano_konnect      | time="2020-09-11T07:11:10Z" level=info msg="oidc token signing default set up" alg=PS256 id=konnectd-tokens-signing-key method="*jwt.SigningMethodRSAPSS"
kopano_konnect      | time="2020-09-11T07:11:10Z" level=info msg="serve started"
kopano_konnect      | time="2020-09-11T07:11:10Z" level=info msg="starting http listener" listenAddr="0.0.0.0:8777"
kopano_konnect      | time="2020-09-11T07:11:10Z" level=info msg="ready to handle requests"
kopano_konnect      | time="2020-09-11T07:11:10Z" level=info msg="authority is now ready" id=ucs-konnect type=oidc
kopano_konnect      | time="2020-09-11T09:22:39Z" level=error msg="error while oidc provider update: oidc provider error: failed to fetch discover document: failed to fetch JSON: Get \"https://digital.quadridge.com/.well-known/openid-configuration\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)" id=ucs-konnect type=oidc

kopano/docker/FQDN_MEET: digital.quadridge.com
kopano/docker/FQDN_SSO: digital.quadridge.com
kopano/docker/GRID_WEBAPP: no
kopano/docker/INSECURE: no
kopano/docker/MEET_GUEST_ALLOW: yes
kopano/docker/MEET_GUEST_REGEXP: ^group/public/.*
kopano/docker/TURN_SERVICE_URL: https://ucs-turn.kopano.com/turnserverauth/
kopano/docker/TURN_USER: xxxxxxxxxxxx

curl $(ucr get oidc/konnectd/issuer_identifier)/signin/v1/welcome
<!doctype html><html lang="en"><head data-kopano-build="0.33.3"><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name="theme-color" content="#ffffff"><link rel="shortcut icon" href="./static/favicon.ico" type="image/x-icon"><meta property="csp-nonce" content="ZmDav8HoFhUK-AwR9ELKCm_7sr_useG8rP_iTQLipB0="><title>Kopano Sign in</title><link href="./static/css/main.1c108bb6.chunk.css" rel="stylesheet"></head><body><noscript>You need to enable JavaScript to run this app.</noscript><div id="bg"><div id="bg-thumb"></div><div id="bg-enhanced"></div></div><div id="root" data-path-prefix="/signin/v1"></div><div id="font-preloader"><span>aA</span>Bb</div><script src="./static/js/runtime-main.be062ff5.js"></script><script src="./static/js/main.55b1b7f2.chunk.js"></script></body></html>

curl https://$(ucr get kopano/docker/FQDN_SSO)/signin/v1/welcome
<!doctype html><html lang="en"><head data-kopano-build="0.33.3"><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name="theme-color" content="#ffffff"><link rel="shortcut icon" href="./static/favicon.ico" type="image/x-icon"><meta property="csp-nonce" content="8btZvqtPttd6WlEOCmRg2uUn8uXaxnJW412GmIueJuU="><title>Kopano Sign in</title><link href="./static/css/main.1c108bb6.chunk.css" rel="stylesheet"></head><body><noscript>You need to enable JavaScript to run this app.</noscript><div id="bg"><div id="bg-thumb"></div><div id="bg-enhanced"></div></div><div id="root" data-path-prefix="/signin/v1"></div><div id="font-preloader"><span>aA</span>Bb</div><script src="./static/js/runtime-main.be062ff5.js"></script><script src="./static/js/main.55b1b7f2.chunk.js"></script></body></html>

 /etc/kopano/docker/konnectd-identifier-registration.yaml
clients:
- id: kpop-https://digital.quadridge.com/meet/
  name: Kopano Meet
  application_type: web
  trusted: true
  redirect_uris:
  - https://digital.quadridge.com/meet/
  trusted_scopes:
  - konnect/guestok
  - kopano/kwm
  jwks:
    keys:
    - kty: EC
      use: sig
      crv: P-256
      d: sdfsdf
      kid: meet-kwmserver
      x: sdfsdf
      y: sdfsdfsd
  request_object_signing_alg: ES256
authorities:
- name: ucs-konnect
  default: true
  iss: https://digital.quadridge.com
  client_id: kopano-meet
  authority_type: oidc
  response_type: id_token
  scopes:
  - openid
  - profile
  - email
  trusted: true
  end_session_enabled: true

curl $(ucr get oidc/konnectd/issuer_identifier)/.well-known/openid-configuration
{
  "issuer": "https://digital.quadridge.com",
  "authorization_endpoint": "https://digital.quadridge.com/signin/v1/identifier/_/authorize",
  "token_endpoint": "https://digital.quadridge.com/konnect/v1/token",
  "userinfo_endpoint": "https://digital.quadridge.com/konnect/v1/userinfo",
  "end_session_endpoint": "https://digital.quadridge.com/signin/v1/identifier/_/endsession",
  "check_session_iframe": "https://digital.quadridge.com/konnect/v1/session/check-session.html",
  "jwks_uri": "https://digital.quadridge.com/konnect/v1/jwks.json",
  "scopes_supported": [
    "openid",
    "offline_access",
    "profile",
    "email",
    "konnect/uuid",
    "konnect/raw_sub"
  ],
  "response_types_supported": [
    "id_token token",
    "id_token",
    "code id_token",
    "code id_token token"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS512",
    "PS256",
    "PS384",
    "PS512",
    "RS256",
    "RS384"
  ],
  "userinfo_signing_alg_values_supported": [
    "RS512",
    "PS256",
    "PS384",
    "PS512",
    "RS256",
    "RS384"
  ],
  "request_object_signing_alg_values_supported": [
    "ES256",
    "ES384",
    "ES512",
    "RS256",
    "RS384",
    "RS512",
    "PS256",
    "PS384",
    "PS512",
    "none",
    "EdDSA"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "none"
  ],
  "token_endpoint_auth_signing_alg_values_supported": [
    "RS512",
    "PS256",
    "PS384",
    "PS512",
    "RS256",
    "RS384"
  ],
  "claims_parameter_supported": true,
  "claims_supported": [
    "iss",
    "sub",
    "aud",
    "exp",
    "iat",
    "name",
    "family_name",
    "given_name",
    "email",
    "email_verified"
  ],
  "request_parameter_supported": true,
  "request_uri_parameter_supported": false
}

fbartels · September 11, 2020, 9:48am

Please see

this means from within the Konnect container the domain name cannot be resolved.

aashutosh · September 11, 2020, 9:59am

Hi, I restarted the dockers, now that error is gone, we have a different error now.
kopano_kwmserver unexpected HTTP status code: 502.

Also refer the 400 Errors in Developer Console. What does it mean?

docker-compose logs -f --tail=20
Attaching to kopano_meet, kopano_konnect, kopano_kapi, kopano_ssl, kopano_grapi, kopano_kwmserver, kopano_web
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="loading encryption secret from file" file=/kopano/ssl/konnectd-encryption.key
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="loading signing key" path=/kopano/ssl/konnectd-tokens-signing-key.pem
kopano_konnect      | time="2020-09-11T09:52:36Z" level=warning msg="skipped as signer with same kid already loaded" kid=konnectd-tokens-signing-key path=/kopano/ssl/konnectd-tokens-signing-key.pem
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="encryption set up with 32 key size"
kopano_konnect      | time="2020-09-11T09:52:36Z" level=warning msg="authority has no id, using name" id=ucs-konnect
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="using external default authority" id=ucs-konnect
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="ldap server identifier backend set up" ldap="ldap://digital.quadridge.com:7389 "
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="identifier set up" security="A256GCM:A256GCMKW"
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="using identifier backed identity manager"
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="identity manager set up" claims="[name family_name given_name email email_verified]" name=ldap scopes="[offline_access kopano/pubs kopano/gc kopano/kwm kopano/kvs profile email konnect/uuid konnect/raw_sub]"
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="identity guest manager set up"
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="set provider signing alg" alg=PS256
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="set provider signing key" id=konnectd-tokens-signing-key method="*jwt.SigningMethodRSAPSS" type="*rsa.PrivateKey"
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="set provider validation key" id=konnectd-tokens-signing-key type="*rsa.PublicKey"
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="set provider validation key" id=default type="*rsa.PublicKey"
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="oidc token signing default set up" alg=PS256 id=konnectd-tokens-signing-key method="*jwt.SigningMethodRSAPSS"
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="serve started"
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="starting http listener" listenAddr="0.0.0.0:8777"
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="ready to handle requests"
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="authority is now ready" id=ucs-konnect type=oidc
kopano_kapi         | level=info msg="plugin registered" plugin=pubs
kopano_kapi         | level=info msg="serve started"
kopano_kapi         | level=debug msg="grapi: initialize"
kopano_kapi         | level=info msg="grapi: access requirements set up" required_scopes="[profile email kopano/gc]"
kopano_kapi         | level=debug msg="grapi: looking for proxy rest*.sock files in /var/run/kopano/grapi"
kopano_kapi         | level=debug msg="grapi: looking for proxy notify*.sock files in /var/run/kopano/grapi"
kopano_kapi         | level=info msg="kvs: access requirements set up" required_scopes="[kopano/kvs]"
kopano_kapi         | level=debug msg="kvs: initialize"
kopano_kapi         | level=debug msg="kv: database version: 1 dirty: false"
kopano_kapi         | level=debug msg="kvs: store initialize complete"
kopano_kapi         | level=warning msg="pubs: using random secret key"
kopano_kapi         | level=info msg="pubs: access requirements set up" required_scopes="[kopano/pubs]"
kopano_kapi         | level=debug msg="pubs: initialize with 512 bits HMAC-SHA256 key" broadcast="13ENzdvw--EHlXe8lHxJjNjHE_UOnqRi3cP6e2fl0Rg="
kopano_kapi         | level=debug msg="OIDC provider initialized" iss="https://digital.quadridge.com/meetid"
kopano_kapi         | level=info msg="starting http listener" listenAddr="0.0.0.0:8039"
kopano_kapi         | level=info msg="ready to handle requests"
kopano_kapi         | level=debug msg="grapi: found 8 notify*.sock upstream proxy workers"
kopano_kapi         | level=debug msg="grapi: enabled subscription proxy"
kopano_kapi         | level=debug msg="grapi: found 8 rest*.sock upstream proxy workers"
kopano_kapi         | level=debug msg="grapi: enabled default api proxy"
kopano_ssl          | -rw-r--r--    1 root     root            32 Sep  9 13:02 /kopano/ssl/konnectd-encryption.key
kopano_ssl          | -rw-r--r--    1 nobody   nobody         808 Sep 11 09:52 /kopano/ssl/konnectd-identifier-registration.yaml
kopano_ssl          | -rw-r--r--    1 root     root          3272 Sep  9 13:02 /kopano/ssl/konnectd-tokens-signing-key.pem
kopano_ssl          | -rw-r--r--    1 root     root          3099 Sep  9 13:02 /kopano/ssl/kopano_dagent.pem
kopano_ssl          | -rw-r--r--    1 root     root          3107 Sep  9 13:02 /kopano/ssl/kopano_monitor.pem
kopano_ssl          | -rw-r--r--    1 root     root          3103 Sep  9 13:02 /kopano/ssl/kopano_search.pem
kopano_ssl          | -rw-r--r--    1 root     root          3099 Sep  9 13:02 /kopano/ssl/kopano_server.pem
kopano_ssl          | -rw-r--r--    1 root     root          3107 Sep  9 13:02 /kopano/ssl/kopano_server_2.pem
kopano_ssl          | -rw-r--r--    1 root     root          3107 Sep  9 13:02 /kopano/ssl/kopano_spooler.pem
kopano_ssl          | -rw-r--r--    1 root     root          3103 Sep  9 13:02 /kopano/ssl/kopano_webapp.pem
kopano_ssl          | -rw-r--r--    1 nobody   nobody         227 Sep 11 09:52 /kopano/ssl/meet-kwmserver.pem
kopano_ssl          | Client public keys:
kopano_ssl          | -rw-r--r--    1 root     root           451 Sep  9 13:02 /kopano/ssl/clients/admin-public.pem
kopano_ssl          | -rw-r--r--    1 root     root           451 Sep  9 13:02 /kopano/ssl/clients/kopano_dagent-public.pem
kopano_ssl          | -rw-r--r--    1 root     root           451 Sep  9 13:02 /kopano/ssl/clients/kopano_monitor-public.pem
kopano_ssl          | -rw-r--r--    1 root     root           451 Sep  9 13:02 /kopano/ssl/clients/kopano_search-public.pem
kopano_ssl          | -rw-r--r--    1 root     root           451 Sep  9 13:02 /kopano/ssl/clients/kopano_server-public.pem
kopano_ssl          | -rw-r--r--    1 root     root           451 Sep  9 13:02 /kopano/ssl/clients/kopano_server_2-public.pem
kopano_ssl          | -rw-r--r--    1 root     root           451 Sep  9 13:02 /kopano/ssl/clients/kopano_spooler-public.pem
kopano_ssl          | -rw-r--r--    1 root     root           451 Sep  9 13:02 /kopano/ssl/clients/kopano_webapp-public.pem
kopano_meet         | Applying cfg changes from env
kopano_meet         | Using Kopano Meet: 2.2.3-0+8.1
kopano_meet         | Updating /tmp/meet.json
kopano_meet         | 2020/09/11 09:52:33 Ready: file:///var/lib/dbus/machine-id.
kopano_meet         | 2020/09/11 09:52:33 Ready: file:///etc/machine-id.
kopano_meet         | [DEV NOTICE] Registered directive 'alias' at end of list
kopano_meet         | [DEV NOTICE] Registered directive 'configjson' at end of list
kopano_meet         | [DEV NOTICE] Registered directive 'fastcgi2' before 'fastcgi'
kopano_meet         | [DEV NOTICE] Registered directive 'folderish' before 'redir'
kopano_meet         | [DEV NOTICE] Registered directive 'staticpwa' at end of list
kopano_meet         | Activating privacy features... done.
kopano_meet         |
kopano_meet         | Serving HTTP on port 9080
kopano_meet         | http://0.0.0.0:9080
kopano_meet         |
kopano_kwmserver    | 2020/09/11 09:52:31 Waiting for https://digital.quadridge.com/meetid/.well-known/openid-configuration: unexpected HTTP status code: 502.
kopano_kwmserver    | 2020/09/11 09:53:02 Ready: https://digital.quadridge.com/meetid/.well-known/openid-configuration.
kopano_kwmserver    | 2020/09/11 09:53:02 Ready: file:///var/lib/dbus/machine-id.
kopano_kwmserver    | 2020/09/11 09:53:02 Ready: file:///etc/machine-id.
kopano_kwmserver    | time="2020-09-11T09:53:02Z" level=info msg="serve start"
kopano_kwmserver    | time="2020-09-11T09:53:02Z" level=info msg="using external TURN service: https://ucs-turn.kopano.com/turnserverauth/"
kopano_kwmserver    | time="2020-09-11T09:53:02Z" level=info msg="serve started"
kopano_kwmserver    | time="2020-09-11T09:53:03Z" level=warning msg="admin: using random admin tokens singing key - API endpoint admin disabled"
kopano_kwmserver    | time="2020-09-11T09:53:03Z" level=info msg="pattern ^group/public/.* public guest rooms enabled" manager=guest
kopano_kwmserver    | time="2020-09-11T09:53:03Z" level=info msg="guest: API endpoint enabled"
kopano_kwmserver    | time="2020-09-11T09:53:03Z" level=info msg="pattern @conference/.* forced pipline channels enabled" manager=rtm
kopano_kwmserver    | time="2020-09-11T09:53:03Z" level=info msg="rtm: API endpoint enabled"
kopano_kwmserver    | time="2020-09-11T09:53:03Z" level=info msg="starting http listener" listenAddr="0.0.0.0:8778"
kopano_kwmserver    | time="2020-09-11T09:53:03Z" level=info msg="ready to handle requests"
kopano_ssl exited with code 0
kopano_grapi        | Notice: Container is run read-only, skipping package installation.
kopano_grapi        | If you want to have additional packages installed in the container either:
kopano_grapi        | - build your own image with the packages already included
kopano_grapi        | - switch the container to 'read_only: false'
kopano_grapi        | Sep 11 11:52:31 Configure core service 'grapi'
kopano_grapi        | Using Kopano Groupware Core: 10.0.5.169.76699329d-0+148.1
kopano_grapi        | 2020/09/11 11:52:31 Ready: file:///var/lib/dbus/machine-id.
kopano_grapi        | 2020/09/11 11:52:31 Ready: file:///etc/machine-id.
kopano_grapi        | Using Kopano Grapi: 10.4.3+0.c8f4d9b-0+36.1
kopano_grapi        | 2020-09-11 11:52:32,316 master    [    9] INFO     starting kopano-mfr
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:57:03 +0000] "GET /meet/static/js/main.28f7a8b6.chunk.js HTTP/1.1" 200 520
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:57:03 +0000] "GET /meet/static/media/kopano-meet-icon.0dbbd822.svg HTTP/1.1" 200 473
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:57:03 +0000] "GET /meet/static/media/roboto-latin-400.5d4aeb4e.woff2 HTTP/1.1" 200 15344
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:57:04 +0000] "GET /meet/static/js/9.fbc51b2f.chunk.js HTTP/1.1" 200 103110
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:57:04 +0000] "GET /meet/static/media/roboto-latin-500.28546717.woff2 HTTP/1.1" 200 15552
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:57:04 +0000] "GET /meet/static/js/meet-app.414d1f5d.chunk.js HTTP/1.1" 200 32533
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:57:04 +0000] "GET /meet/static/js/10.3ae40bb7.chunk.js HTTP/1.1" 200 179619
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:57:04 +0000] "GET /meet/static/js/meet-main.71768a64.chunk.js HTTP/1.1" 200 10494
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:57:04 +0000] "GET /meet/static/js/11.cb261176.chunk.js HTTP/1.1" 200 80396
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:57:04 +0000] "GET /api/config/v1/kopano/meet/config.json HTTP/1.1" 200 272
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:57:04 +0000] "GET /meet/static/media/sprite1.081d5140.ogg HTTP/1.1" 200 84126
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:57:04 +0000] "GET /.well-known/openid-configuration HTTP/1.1" 200 535
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:57:04 +0000] "POST /api/kwm/v2/guest/logon HTTP/1.1" 400 43
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:57:04 +0000] "GET /meetid/signin/v1/identifier/_/authorize?client_id=kpop-https%3A%2F%2Fdigital.quadridge.com%2Fmeet%2F&redirect_uri=https%3A%2F%2Fdigital.quadridge.com%2Fmeet%2F%23oidc-silent-refresh&response_type=code&scope=openid%20profile%20email%20kopano%2Fkwm%20kopano%2Fgc%20kopano%2Fkvs&state=3f502435fda34272b0241e4aeba0a17e&code_challenge=wMXMWkzCaCHQOjAERI8k0OCuxoZQ0k4v94Jn0jk9_kE&code_challenge_method=S256&prompt=none&response_mode=fragment&claims=%7B%22id_token%22%3A%7B%22name%22%3Anull%7D%7D HTTP/1.1" 302 23
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:57:04 +0000] "GET /meet/ HTTP/1.1" 200 665
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:57:05 +0000] "GET /meet/static/js/kpop-oidc-callbacks.e50bbda1.chunk.js HTTP/1.1" 200 340
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:57:12 +0000] "GET /meetid/konnect/v1/session/check-session.html HTTP/1.1" 200 3034
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:57:12 +0000] "POST /api/kwm/v2/guest/logon HTTP/1.1" 400 43
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:57:12 +0000] "GET /meetid/signin/v1/identifier/_/authorize?client_id=kpop-https%3A%2F%2Fdigital.quadridge.com%2Fmeet%2F&redirect_uri=https%3A%2F%2Fdigital.quadridge.com%2Fmeet%2F%23oidc-popup-callback&response_type=code&scope=openid%20profile%20email%20kopano%2Fkwm%20kopano%2Fgc%20kopano%2Fkvs&state=54906902969140b1a5c3d10751719818&code_challenge=T3xVvsGG0pE9C0TcdJKvvWmjfErAcMo2E1jcS_MRBpg&code_challenge_method=S256&prompt=select_account&display=popup&response_mode=fragment&claims=%7B%22id_token%22%3A%7B%22name%22%3Anull%7D%7D HTTP/1.1" 302 23
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:57:12 +0000] "GET /meetid/signin/v1/identifier?claims=%7B%22id_token%22%3A%7B%22name%22%3Anull%7D%7D&client_id=kpop-https%3A%2F%2Fdigital.quadridge.com%2Fmeet%2F&code_challenge=T3xVvsGG0pE9C0TcdJKvvWmjfErAcMo2E1jcS_MRBpg&code_challenge_method=S256&display=popup&flow=oidc&prompt=select_account&redirect_uri=https%3A%2F%2Fdigital.quadridge.com%2Fmeet%2F%23oidc-popup-callback&response_mode=fragment&response_type=code&scope=openid+profile+email+kopano%2Fkwm+kopano%2Fgc+kopano%2Fkvs&state=54906902969140b1a5c3d10751719818 HTTP/1.1" 302 23
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:58:03 +0000] "GET /.well-known/openid-configuration HTTP/1.1" 200 535
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:58:03 +0000] "GET /meetid/konnect/v1/jwks.json HTTP/1.1" 200 701
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:58:03 +0000] "GET /.well-known/openid-configuration HTTP/1.1" 200 535
kopano_web          | 172.20.0.1 - - [11/Sep/2020:09:58:03 +0000] "GET /meetid/konnect/v1/jwks.json HTTP/1.1" 200 701

console 400 400 Error

fbartels · September 11, 2020, 10:42am

aashutosh:

kopano_kwmserver    | 2020/09/11 09:52:31 Waiting for https://digital.quadridge.com/meetid/.well-known/openid-configuration: unexpected HTTP status code: 502.
kopano_kwmserver    | 2020/09/11 09:53:02 Ready: https://digital.quadridge.com/meetid/.well-known/openid-configuration.

That can be ignored. There is tooling in that container in place to wait for some other endpoints to become available. As you can see in the line below the url could be resolved later on. 502 btw is the code for “bad gateway”, https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/502

Why exactly kwmserver responds with a bad request to the guest login is not clear from your logging. You would need to increase the logging of kwmserver.

aashutosh · September 11, 2020, 10:45am

Alright. How do we resolve the looping issue? It still exists.

fbartels · September 11, 2020, 11:22am

But I am getting the feeling that it could be easier if you directly open up a ticket with our support so that someone can have a direct look at your system. More info at https://kopano.com/support-info/

aashutosh · September 11, 2020, 1:25pm

Hi,

May be this is root cause of the problem -
/usr/local/bin/wrapper.sh - Line 17 and 31 - Can’t Create : Permission Denied?

docker-compose logs -f kopano_konnect
Attaching to kopano_konnect
kopano_konnect      | /usr/local/bin/wrapper.sh: line 17: can't create /kopano/ssl/konnectd-tokens-signing-key.pem: Permission denied
kopano_konnect      | 2020/09/11 09:52:32 Waiting for: file:///kopano/ssl/konnectd-tokens-signing-key.pem
kopano_konnect      | 2020/09/11 09:52:33 File file:///kopano/ssl/konnectd-tokens-signing-key.pem had been generated
kopano_konnect      | /usr/local/bin/wrapper.sh: line 37: can't create /kopano/ssl/konnectd-encryption.key: Permission denied
kopano_konnect      | 2020/09/11 09:52:33 Waiting for: file:///kopano/ssl/konnectd-encryption.key
kopano_konnect      | 2020/09/11 09:52:34 File file:///kopano/ssl/konnectd-encryption.key had been generated
kopano_konnect      | Entrypoint: Skipping guest mode configuration, as it is already configured.
kopano_konnect      | Patching identifier registration for external OIDC provider
kopano_konnect      | Checking if external OIDC provider is reachable
kopano_konnect      | 2020/09/11 09:52:35 Waiting for: https://digital.quadridge.com/.well-known/openid-configuration
kopano_konnect      | 2020/09/11 09:52:35 Received 200 from https://digital.quadridge.com/.well-known/openid-configuration
kopano_konnect      | Entrypoint: Issuer url (--iss): https://digital.quadridge.com/meetid
kopano_konnect      | Entrypoint: Allowing guest login
kopano_konnect      | Entrypoint: Setting base-path to /meetid
kopano_konnect      | 2020/09/11 09:52:35 Waiting for: file:///etc/machine-id
kopano_konnect      | 2020/09/11 09:52:35 Waiting for: file:///var/lib/dbus/machine-id
kopano_konnect      | 2020/09/11 09:52:36 File file:///var/lib/dbus/machine-id had been generated
kopano_konnect      | 2020/09/11 09:52:36 File file:///etc/machine-id had been generated
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="serve start"
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="client controlled guests are enabled"
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="loading encryption secret from file" file=/kopano/ssl/konnectd-encryption.key
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="loading signing key" path=/kopano/ssl/konnectd-tokens-signing-key.pem
kopano_konnect      | time="2020-09-11T09:52:36Z" level=warning msg="skipped as signer with same kid already loaded" kid=konnectd-tokens-signing-key path=/kopano/ssl/konnectd-tokens-signing-key.pem
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="encryption set up with 32 key size"
kopano_konnect      | time="2020-09-11T09:52:36Z" level=warning msg="authority has no id, using name" id=ucs-konnect
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="using external default authority" id=ucs-konnect
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="ldap server identifier backend set up" ldap="ldap://digital.quadridge.com:7389 "
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="identifier set up" security="A256GCM:A256GCMKW"
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="using identifier backed identity manager"
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="identity manager set up" claims="[name family_name given_name email email_verified]" name=ldap scopes="[offline_access kopano/pubs kopano/gc kopano/kwm kopano/kvs profile email konnect/uuid konnect/raw_sub]"
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="identity guest manager set up"
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="set provider signing alg" alg=PS256
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="set provider signing key" id=konnectd-tokens-signing-key method="*jwt.SigningMethodRSAPSS" type="*rsa.PrivateKey"
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="set provider validation key" id=konnectd-tokens-signing-key type="*rsa.PublicKey"
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="set provider validation key" id=default type="*rsa.PublicKey"
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="oidc token signing default set up" alg=PS256 id=konnectd-tokens-signing-key method="*jwt.SigningMethodRSAPSS"
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="serve started"
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="starting http listener" listenAddr="0.0.0.0:8777"
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="ready to handle requests"
kopano_konnect      | time="2020-09-11T09:52:36Z" level=info msg="authority is now ready" id=ucs-konnect type=oidc
kopano_konnect      | /usr/local/bin/wrapper.sh: line 17: can't create /kopano/ssl/konnectd-tokens-signing-key.pem: Permission denied
kopano_konnect      | 2020/09/11 13:03:48 Waiting for: file:///kopano/ssl/konnectd-tokens-signing-key.pem
kopano_konnect      | 2020/09/11 13:03:49 File file:///kopano/ssl/konnectd-tokens-signing-key.pem had been generated
kopano_konnect      | /usr/local/bin/wrapper.sh: line 37: can't create /kopano/ssl/konnectd-encryption.key: Permission denied
kopano_konnect      | 2020/09/11 13:03:49 Waiting for: file:///kopano/ssl/konnectd-encryption.key
kopano_konnect      | 2020/09/11 13:03:50 File file:///kopano/ssl/konnectd-encryption.key had been generated
kopano_konnect      | Entrypoint: Skipping guest mode configuration, as it is already configured.
kopano_konnect      | Patching identifier registration for external OIDC provider
kopano_konnect      | Checking if external OIDC provider is reachable
kopano_konnect      | 2020/09/11 13:03:51 Waiting for: https://digital.quadridge.com/.well-known/openid-configuration
kopano_konnect      | 2020/09/11 13:03:51 Received 503 from https://digital.quadridge.com/.well-known/openid-configuration. Sleeping 1s
kopano_konnect      | 2020/09/11 13:03:52 Received 503 from https://digital.quadridge.com/.well-known/openid-configuration. Sleeping 1s
kopano_konnect      | 2020/09/11 13:03:53 Received 503 from https://digital.quadridge.com/.well-known/openid-configuration. Sleeping 1s
kopano_konnect      | 2020/09/11 13:03:54 Received 503 from https://digital.quadridge.com/.well-known/openid-configuration. Sleeping 1s
kopano_konnect      | 2020/09/11 13:03:55 Received 503 from https://digital.quadridge.com/.well-known/openid-configuration. Sleeping 1s
kopano_konnect      | 2020/09/11 13:03:56 Received 503 from https://digital.quadridge.com/.well-known/openid-configuration. Sleeping 1s
kopano_konnect      | 2020/09/11 13:03:57 Received 502 from https://digital.quadridge.com/.well-known/openid-configuration. Sleeping 1s
kopano_konnect      | 2020/09/11 13:03:58 Received 502 from https://digital.quadridge.com/.well-known/openid-configuration. Sleeping 1s
kopano_konnect      | 2020/09/11 13:03:59 Received 502 from https://digital.quadridge.com/.well-known/openid-configuration. Sleeping 1s
kopano_konnect      | 2020/09/11 13:04:00 Received 200 from https://digital.quadridge.com/.well-known/openid-configuration
kopano_konnect      | Entrypoint: Issuer url (--iss): https://digital.quadridge.com/meetid
kopano_konnect      | Entrypoint: Allowing guest login
kopano_konnect      | Entrypoint: Setting base-path to /meetid
kopano_konnect      | 2020/09/11 13:04:00 Waiting for: file:///etc/machine-id
kopano_konnect      | 2020/09/11 13:04:00 Waiting for: file:///var/lib/dbus/machine-id
kopano_konnect      | 2020/09/11 13:04:01 File file:///var/lib/dbus/machine-id had been generated
kopano_konnect      | 2020/09/11 13:04:01 File file:///etc/machine-id had been generated
kopano_konnect      | time="2020-09-11T13:04:02Z" level=info msg="serve start"
kopano_konnect      | time="2020-09-11T13:04:02Z" level=info msg="client controlled guests are enabled"
kopano_konnect      | time="2020-09-11T13:04:02Z" level=info msg="loading encryption secret from file" file=/kopano/ssl/konnectd-encryption.key
kopano_konnect      | time="2020-09-11T13:04:02Z" level=info msg="loading signing key" path=/kopano/ssl/konnectd-tokens-signing-key.pem
kopano_konnect      | time="2020-09-11T13:04:02Z" level=warning msg="skipped as signer with same kid already loaded" kid=konnectd-tokens-signing-key path=/kopano/ssl/konnectd-tokens-signing-key.pem
kopano_konnect      | time="2020-09-11T13:04:02Z" level=info msg="encryption set up with 32 key size"
kopano_konnect      | time="2020-09-11T13:04:02Z" level=warning msg="authority has no id, using name" id=ucs-konnect
kopano_konnect      | time="2020-09-11T13:04:02Z" level=info msg="using external default authority" id=ucs-konnect
kopano_konnect      | time="2020-09-11T13:04:02Z" level=info msg="ldap server identifier backend set up" ldap="ldap://digital.quadridge.com:7389 "
kopano_konnect      | time="2020-09-11T13:04:02Z" level=info msg="identifier set up" security="A256GCM:A256GCMKW"
kopano_konnect      | time="2020-09-11T13:04:02Z" level=info msg="using identifier backed identity manager"
kopano_konnect      | time="2020-09-11T13:04:02Z" level=info msg="identity manager set up" claims="[name family_name given_name email email_verified]" name=ldap scopes="[offline_access konnect/raw_sub kopano/pubs kopano/gc kopano/kwm kopano/kvs profile email konnect/uuid]"
kopano_konnect      | time="2020-09-11T13:04:02Z" level=info msg="identity guest manager set up"
kopano_konnect      | time="2020-09-11T13:04:02Z" level=info msg="set provider signing alg" alg=PS256
kopano_konnect      | time="2020-09-11T13:04:02Z" level=info msg="set provider signing key" id=konnectd-tokens-signing-key method="*jwt.SigningMethodRSAPSS" type="*rsa.PrivateKey"
kopano_konnect      | time="2020-09-11T13:04:02Z" level=info msg="set provider validation key" id=konnectd-tokens-signing-key type="*rsa.PublicKey"
kopano_konnect      | time="2020-09-11T13:04:02Z" level=info msg="set provider validation key" id=default type="*rsa.PublicKey"
kopano_konnect      | time="2020-09-11T13:04:02Z" level=info msg="oidc token signing default set up" alg=PS256 id=konnectd-tokens-signing-key method="*jwt.SigningMethodRSAPSS"
kopano_konnect      | time="2020-09-11T13:04:02Z" level=info msg="serve started"
kopano_konnect      | time="2020-09-11T13:04:02Z" level=info msg="starting http listener" listenAddr="0.0.0.0:8777"
kopano_konnect      | time="2020-09-11T13:04:02Z" level=info msg="ready to handle requests"
kopano_konnect      | time="2020-09-11T13:04:02Z" level=info msg="authority is now ready" id=ucs-konnect type=oidc

fbartels · September 12, 2020, 2:45pm

No, as you can see in the line below the error message the file was successfully found afterwards. (this is a bit of a trick in the container, normally certs are created by the ssl container, but if that one is not present the konnect container could create them as well if the permissions allow it).

aashutosh · September 12, 2020, 2:58pm

Oh yes, I realised that. I have raised ticket with Kopano as advised by you. Surprisingly, there is a scenario where the page doesnt go into loop: when I login to Kopano meet first and then I login to Kopano Web.
Otherwise, If I try to login to Kopano Web and access Kopano Meet from the Intranet plugin this problem of loop comes.