Make Meet available for external Kopano users

Hi@all,

we have been testing Kopano-Meet for a while for internal communication of Kopano users. Works.

Now I would also like to integrate users who access Kopano from outside.

(Kopano debug according to Wiki see at the end).

About the environment:

The master (with Open ID) runs under 192.168.24.5 (srv01.mydomain.local). Since there is another UCS backup (192.168.4.4) on which OpenID is not installed, I have changed the DNS CNAME “ucs-sso” so that it points exclusively to the master.

Kopano (Core, WebApp, Z-Push and Meet) runs on the host com01.mydomain.local (192.168.24.6). So that we can call Kopano from the same address both internally and externally, I have set a DNS entry for the subdomain gw.myexternaldomain.de -> WAN-IP (local gateway) on the external web server and routed it to the Kopano server at the pfSense using an HA proxy (based on the subdomain).

This also works without any problems. Since the pfSense does NAT reflection, I can also use Kopano from the LAN at: https://gw.myexternaldomain.de/webapp.

What do I have to do now so that this also works with Meet?

If I try to call Mett from an external location:

https://gw.myexternaldomain.de/meet

I am redirected to:

https://com01.mydomain.local/meet/

which of course does not work. Here are the relevant debug outputs:

om com01

root@com01:/etc/kopano/webapp# univention-app info
UCS: 4.4-7 errata870
Installed: fetchmail=6.3.26 kopano-core=8.7.1.0-1 kopano-meet=2.3.1_0 kopano-webapp=3.5.14.2539-2 z-push-kopano=2.4.5
Upgradable:

on com01

root@com01:/etc/kopano/webapp# univention-run-join-scripts
univention-run-join-scripts: runs all join scripts existing on local computer.
copyright (c) 2001-2020 Univention GmbH, Germany

Enter DC Master Account : Administrator
Enter DC Master Password: 

Search LDAP binddn:                                        done
Running pre-joinscripts hook(s):                           done
Running 00kopano4ucs-safemode-on.inst                      skipped (already executed)
Running 03univention-directory-listener.inst               skipped (already executed)
Running 04univention-ldap-client.inst                      skipped (already executed)
Running 08univention-apache.inst                           skipped (already executed)
Running 11univention-pam.inst                              skipped (already executed)
Running 18python-univention-directory-manager.inst         skipped (already executed)
Running 20univention-directory-policy.inst                 skipped (already executed)
Running 20univention-join.inst                             skipped (already executed)
Running 26univention-nagios-common.inst                    skipped (already executed)
Running 30univention-appcenter.inst                        skipped (already executed)
Running 30univention-nagios-client.inst                    skipped (already executed)
Running 33univention-portal.inst                           skipped (already executed)
Running 34univention-management-console-server.inst        skipped (already executed)
Running 35univention-appcenter-docker.inst                 skipped (already executed)
Running 35univention-management-console-module-appcenter.inskipped (already executed)
Running 35univention-management-console-module-diagnostic.iskipped (already executed)
Running 35univention-management-console-module-join.inst   skipped (already executed)
Running 35univention-management-console-module-lib.inst    skipped (already executed)
Running 35univention-management-console-module-mrtg.inst   skipped (already executed)
Running 35univention-management-console-module-quota.inst  skipped (already executed)
Running 35univention-management-console-module-reboot.inst skipped (already executed)
Running 35univention-management-console-module-services.insskipped (already executed)
Running 35univention-management-console-module-setup.inst  skipped (already executed)
Running 35univention-management-console-module-sysinfo.instskipped (already executed)
Running 35univention-management-console-module-top.inst    skipped (already executed)
Running 35univention-management-console-module-ucr.inst    skipped (already executed)
Running 35univention-management-console-module-updater.instskipped (already executed)
Running 36univention-management-console-module-apps.inst   skipped (already executed)
Running 50kopano-meet.inst                                 skipped (already executed)
Running 70kopano4ucs-udm.inst                              skipped (already executed)
Running 70kopano4ucs.inst                                  skipped (already executed)
Running 71kopano4ucs-webapp.inst                           skipped (already executed)
Running 81univention-nfs-server.inst                       skipped (already executed)
Running 92univention-fetchmail-schema.inst                 skipped (already executed)
Running 92univention-fetchmail.inst                        skipped (already executed)
Running 92univention-management-console-web-server.inst    skipped (already executed)
Running 98univention-pkgdb-tools.inst                      skipped (already executed)
Running 99kopano4ucs-safemode-off.inst                     skipped (already executed)
Running post-joinscripts hook(s):                          done

on com01

root@com01:/etc/kopano/webapp# ucr dump | grep kopano/docker | grep -v PASSWORD
kopano/docker/ENABLE_MCU_API: no
kopano/docker/FQDN_MEET: com01.mydomain.local
kopano/docker/FQDN_SSO: ucs-sso.mydomain.local
kopano/docker/GRID_WEBAPP: no
kopano/docker/INSECURE: no
kopano/docker/MEET_GUEST_ALLOW: no
kopano/docker/MEET_GUEST_REGEXP: ^group/public/.*
kopano/docker/PIPELINE_FORCED_REGEXP: @conference/.*
kopano/docker/TURN_SERVICE_URL: https://ucs-turn.kopano.com/turnserverauth/
kopano/docker/TURN_USER: KST0300-8YUG3GPVX

on srv01

root@srv01:~# ucr search --brief oidc/konnectd/issuer_identifier
oidc/konnectd/issuer_identifier: https://ucs-sso.mydomain.local

on srv01

root@srv01:~# curl $(ucr get oidc/konnectd/issuer_identifier)/.well-known/openid-configuration
{
  "issuer": "https://ucs-sso.mydomain.local",
  "authorization_endpoint": "https://ucs-sso.mydomain.local/signin/v1/identifier/_/authorize",
  "token_endpoint": "https://ucs-sso.mydomain.local/konnect/v1/token",
  "userinfo_endpoint": "https://ucs-sso.mydomain.local/konnect/v1/userinfo",
  "end_session_endpoint": "https://ucs-sso.mydomain.local/signin/v1/identifier/_/endsession",
  "check_session_iframe": "https://ucs-sso.mydomain.local/konnect/v1/session/check-session.html",
  "jwks_uri": "https://ucs-sso.mydomain.local/konnect/v1/jwks.json",
  "scopes_supported": [
    "openid",
    "offline_access",
    "email",
    "konnect/uuid",
    "konnect/raw_sub",
    "profile"
  ],
  "response_types_supported": [
    "id_token token",
    "id_token",
    "code id_token",
    "code id_token token"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256",
    "RS384",
    "RS512",
    "PS256",
    "PS384",
    "PS512"
  ],
  "userinfo_signing_alg_values_supported": [
    "RS256",
    "RS384",
    "RS512",
    "PS256",
    "PS384",
    "PS512"
  ],
  "request_object_signing_alg_values_supported": [
    "ES256",
    "ES384",
    "ES512",
    "RS256",
    "RS384",
    "RS512",
    "PS256",
    "PS384",
    "PS512",
    "none",
    "EdDSA"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "none"
  ],
  "token_endpoint_auth_signing_alg_values_supported": [
    "RS256",
    "RS384",
    "RS512",
    "PS256",
    "PS384",
    "PS512"
  ],
  "claims_parameter_supported": true,
  "claims_supported": [
    "iss",
    "sub",
    "aud",
    "exp",
    "iat",
    "name",
    "family_name",
    "given_name",
    "email",
    "email_verified"
  ],
  "request_parameter_supported": true,
  "request_uri_parameter_supported": false
}

on srv01

root@srv01:~# curl $(ucr get oidc/konnectd/issuer_identifier)/signin/v1/welcome
<!doctype html><html lang="en"><head data-kopano-build="0.33.11"><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name="theme-color" content="#ffffff"><link rel="shortcut icon" href="./static/favicon.ico" type="image/x-icon"><meta property="csp-nonce" content="4T4XR4QjUHsE7sflnG7OHkrhVufsY-3T_hz7zzF6cpU="><title>Kopano Sign in</title><link href="./static/css/main.1c108bb6.chunk.css" rel="stylesheet"></head><body><noscript>You need to enable JavaScript to run this app.</noscript><div id="bg"><div id="bg-thumb"></div><div id="bg-enhanced"></div></div><div id="root" data-path-prefix="/signin/v1"></div><div id="font-preloader"><span>aA</span>Bb</div><script src="./static/js/runtime-main.78a800d5.js"></script><script src="./static/js/main.2d77eadc.chunk.js"></script></body></html>r

on com01

root@com01:/etc/kopano/webapp# curl https://$(ucr get kopano/docker/FQDN_SSO)/signin/v1/welcome
<!doctype html><html lang="en"><head data-kopano-build="0.33.11"><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name="theme-color" content="#ffffff"><link rel="shortcut icon" href="./static/favicon.ico" type="image/x-icon"><meta property="csp-nonce" content="luzpRAnqSLIY4MFJpphwThb-6pfWTDA2WRwmTMcPvwI="><title>Kopano Sign in</title><link href="./static/css/main.1c108bb6.chunk.css" rel="stylesheet"></head><body><noscript>You need to enable JavaScript to run this app.</noscript><div id="bg"><div id="bg-thumb"></div><div id="bg-enhanced"></div></div><div id="root" data-path-prefix="/signin/v1"></div><div id="font-preloader"><span>aA</span>Bb</div><script src="./static/js/runtime-main.78a800d5.js"></script><script src="./static/js/main.2d77eadc.chunk.js"></script></body></html>r

on com01

root@com01:/etc/kopano/webapp# grep -v 'secret\|"d"\|"x"\|"y"' /etc/kopano/docker/konnectd-identifier-registration.yaml
clients: null
authorities:
- name: ucs-konnect
  default: true
  iss: https://ucs-sso.mydomain.local
  client_id: kopano-meet
  authority_type: oidc
  response_type: id_token
  scopes:
  - openid
  - profile
  - email
  trusted: true
  end_session_enabled: true

on com01

root@com01:/var/lib/univention-appcenter/apps/kopano-meet/compose# docker-compose ps
      Name                    Command                   State                         Ports                 
------------------------------------------------------------------------------------------------------------
kopano_grapi       /usr/bin/dumb-init -- /kop ...   Up (unhealthy)                                          
kopano_kapi        /usr/bin/dumb-init -- /kop ...   Up (healthy)                                            
kopano_konnect     wrapper.sh                       Up (healthy)     6777/tcp, 8777/tcp                     
kopano_kwmserver   docker-entrypoint.sh wrapp ...   Up (healthy)     6778/tcp, 8778/tcp                     
kopano_meet        /kopano/start-service.sh         Up (healthy)                                            
kopano_ssl         /start.sh                        Exit 0                                                  
kopano_web         wrapper.sh wrapper.sh            Up (healthy)     0.0.0.0:2015->2015/tcp, 443/tcp, 80/tcp

These two values need to be changed so that they contain domains that can also be resolved for external users. In addition to this there may be changes neccesary to to the OpenID Provider app, so that it also properly listens on the external domain.

PS: being able to reach the ucs-sso domain is only required for users that are supposed to login. If you only have guests coming from the external network the ucs-sso domain does not need to be changed.

I have changed these two variables:

kopano/docker/FQDN_MEET: gw.externaldomain.de
kopano/docker/FQDN_SSO: ucs-sso.externaldomain.de

When I call up from externally in the browser:

https://gw.externaldomain.de/webapp

I get to the Kopano WebApp login. This has been the case all along and is also used.

When I call:

https://ucs-sso.externaldomain.de

from external I get to my UCS Master. In both cases, the address is not rewritten in the browser.

I can also call up both URLs internally without them being rewritten.

If I now enter (regardless of whether from internal or external):

https://gw.externaldomain.de/meet

the address is rewritten in the browser to:

https://com01.mydomain.local/meet

Of course, this only works internally. Where do I change this?

When these variables are changed through the app settings then the following script is triggered to update the apache configuration. It sounds like the variables were changed outside of the appcenter if the apache configuration still has the old values.

https://stash.z-hub.io/projects/K4U/repos/kopano-apps/browse/kopano-meet/configure_host

Good shot!

ok, once back and set again. Via the App Centre. Now I also land on the Kopano Meet page when I call it up:

https://gw.externaldomain.de/meet/r/call

However, nothing happens afterwards. After some time “Meet-Logo” the button “Login” appears but nothing happens when I click on it

In that case we are back at the debugging commands from the first post. especially the curl commands. Also the browser console should give an indication what goes wrong.

com01

root@com01:~# univention-run-join-scripts
univention-run-join-scripts: runs all join scripts existing on local computer.
copyright (c) 2001-2020 Univention GmbH, Germany

Enter DC Master Account : Administrator
Enter DC Master Password: 

Search LDAP binddn:                                        done
Running pre-joinscripts hook(s):                           done
Running 00kopano4ucs-safemode-on.inst                      skipped (already executed)
Running 03univention-directory-listener.inst               skipped (already executed)
Running 04univention-ldap-client.inst                      skipped (already executed)
Running 08univention-apache.inst                           skipped (already executed)
Running 11univention-pam.inst                              skipped (already executed)
Running 18python-univention-directory-manager.inst         skipped (already executed)
Running 20univention-directory-policy.inst                 skipped (already executed)
Running 20univention-join.inst                             skipped (already executed)
Running 26univention-nagios-common.inst                    skipped (already executed)
Running 30univention-appcenter.inst                        skipped (already executed)
Running 30univention-nagios-client.inst                    skipped (already executed)
Running 33univention-portal.inst                           skipped (already executed)
Running 34univention-management-console-server.inst        skipped (already executed)
Running 35univention-appcenter-docker.inst                 skipped (already executed)
Running 35univention-management-console-module-appcenter.inskipped (already executed)
Running 35univention-management-console-module-diagnostic.iskipped (already executed)
Running 35univention-management-console-module-join.inst   skipped (already executed)
Running 35univention-management-console-module-lib.inst    skipped (already executed)
Running 35univention-management-console-module-mrtg.inst   skipped (already executed)
Running 35univention-management-console-module-quota.inst  skipped (already executed)
Running 35univention-management-console-module-reboot.inst skipped (already executed)
Running 35univention-management-console-module-services.insskipped (already executed)
Running 35univention-management-console-module-setup.inst  skipped (already executed)
Running 35univention-management-console-module-sysinfo.instskipped (already executed)
Running 35univention-management-console-module-top.inst    skipped (already executed)
Running 35univention-management-console-module-ucr.inst    skipped (already executed)
Running 35univention-management-console-module-updater.instskipped (already executed)
Running 36univention-management-console-module-apps.inst   skipped (already executed)
Running 50kopano-meet.inst                                 done
Running 70kopano4ucs-udm.inst                              skipped (already executed)
Running 70kopano4ucs.inst                                  skipped (already executed)
Running 71kopano4ucs-webapp.inst                           skipped (already executed)
Running 81univention-nfs-server.inst                       skipped (already executed)
Running 92univention-fetchmail-schema.inst                 skipped (already executed)
Running 92univention-fetchmail.inst                        skipped (already executed)
Running 92univention-management-console-web-server.inst    skipped (already executed)
Running 98univention-pkgdb-tools.inst                      skipped (already executed)
Running 99kopano4ucs-safemode-off.inst                     skipped (already executed)
Running post-joinscripts hook(s):                          done

com01

root@com01:~# ucr dump | grep kopano/docker | grep -v PASSWORD
kopano/docker/ENABLE_MCU_API: no
kopano/docker/FQDN_MEET: gw.externaldomain.de
kopano/docker/FQDN_SSO: ucs-sso.externaldomain.de
kopano/docker/GRID_WEBAPP: no
kopano/docker/INSECURE: no
kopano/docker/MEET_GUEST_ALLOW: no
kopano/docker/MEET_GUEST_REGEXP: ^group/public/.*
kopano/docker/PIPELINE_FORCED_REGEXP: @conference/.*
kopano/docker/TURN_SERVICE_URL: https://ucs-turn.kopano.com/turnserverauth/
kopano/docker/TURN_USER: KST0300-**********

srv01

root@srv01:~# ucr search --brief oidc/konnectd/issuer_identifier
oidc/konnectd/issuer_identifier: https://ucs-sso.externaldomain.de

srv01

root@srv01:~# curl $(ucr get oidc/konnectd/issuer_identifier)/.well-known/openid-configuration
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.25 (Univention) Server at ucs-sso.externaldomain.de Port 443</address>
</body></html>

srv01

root@srv01:~# curl $(ucr get oidc/konnectd/issuer_identifier)/signin/v1/welcome
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.25 (Univention) Server at ucs-sso.externaldomain.de Port 443</address>
</body></html>

com01

root@com01:~# curl https://$(ucr get kopano/docker/FQDN_SSO)/signin/v1/welcome
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.25 (Univention) Server at ucs-sso.externaldomain.de Port 443</address>
</body></html>

com01

root@com01:~# grep -v 'secret\|"d"\|"x"\|"y"' /etc/kopano/docker/konnectd-identifier-registration.yaml
clients: null
authorities:
- name: ucs-konnect
  default: true
  iss: https://ucs-sso.externaldomain.de
  client_id: kopano-meet
  authority_type: oidc
  response_type: id_token
  scopes:
  - openid
  - profile
  - email
  trusted: true
  end_session_enabled: true

com01

root@com01:~# cd /var/lib/univention-appcenter/apps/kopano-meet/compose
root@com01:/var/lib/univention-appcenter/apps/kopano-meet/compose# docker-compose ps
      Name                    Command                       State                            Ports                 
-------------------------------------------------------------------------------------------------------------------
kopano_grapi       /usr/bin/dumb-init -- /kop ...   Up (unhealthy)                                                 
kopano_kapi        /usr/bin/dumb-init -- /kop ...   Up (health: starting)                                          
kopano_konnect     wrapper.sh                       Up (unhealthy)          6777/tcp, 8777/tcp                     
kopano_kwmserver   docker-entrypoint.sh wrapp ...   Up (unhealthy)          6778/tcp, 8778/tcp                     
kopano_meet        /kopano/start-service.sh         Up (healthy)                                                   
kopano_ssl         /start.sh                        Exit 0                                                         
kopano_web         wrapper.sh wrapper.sh            Up (healthy)            0.0.0.0:2015->2015/tcp, 443/tcp, 80/tcp

I guess the message “404 Not Found” in the curl commands is the problem, isn’t it?

Selstam only that it works when I call:

https://ucs-sso.externaldomain.de

On the master (srv01) I found three values in the UCR that have the value “https://ucs-sso.mydomain.local/…”. (i.e. internal):

• saml/idp/entityID
• ucs/server/sso/fqdn
• umc/saml/idp-server

Should I change the FQHN there to the external domain?

When using another domain than the default one in the univention openid provider the apache configuration needs to be manually adjusted. I wrote about this in UCS SSO and LetsEncrypt before.

That does not seem to be the problem. I have created the link accordingly (on srv01 / master):

root@srv01:/etc/apache2/
root@srv01:/etc/apache2# ln -s conf-available/openid-connect-provider.conf conf-enabled/openid-connect-provider.conf
root@srv01:/etc/apache2# ls -la conf-enabled/openid-connect-provider.conf
lrwxrwxrwx 1 root root 43 Jan 19 16:49 conf-enabled/openid-connect-provider.conf -> conf-available/openid-connect-provider.conf
root@srv01:/etc/apache2# a2enconf openid-connect-provider.conf
Removing dangling link /etc/apache2/conf-enabled/openid-connect-provider.confEnabling conf openid-connect-provider.
To activate the new configuration, you need to run:
  systemctl reload apache2
root@srv01:/etc/apache2# systemctl reload apache2

However, no change

Another hint. My UCS server does not have SSL certificates directly from LE.

This is all done by pfSense. A subdomain is created there for each UCS host, e.g. gw.externeldomain.de -> com01.mydomain.local. pfSense holds the LE certificates and “shows” them to the browser. The pfSense itself then connects to the corresponding UCS via the HA proxy. This in turn has its self-signed certificate. However, the browser does not see this

Having the Univention OpenID app listening on another domain is something that has been discussed a few times on this forum already. I would suggest using the search or opening a ticket with the univention support.

OK, I got it. You still have to make some adjustments for sso to work externally.

These can be found here: