OpenID v1 broken

Problem:
I can’t log in to kopano-meet anymore.

Debug:

root@dienste:/root/debug/# curl $(ucr get oidc/konnectd/issuer_identifier)/.well-known/openid-configuration
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>503 Service Unavailable</title>
...
root@dienste:/root/debug/# docker logs kopano_konnect
time="2020-08-13T08:08:49Z" level=error msg="error while oidc provider update: oidc provider error: failed to fetch discover document: failed to fetch JSON (status: 503)" id=ucs-konnect type=oidc

When I look in /etc/kopano/ I have certificates from different dates. The full startup-logs from kopano_konnect:

/usr/local/bin/wrapper.sh: line 17: can't create /kopano/ssl/konnectd-tokens-signing-key.pem: Permission denied
2020/08/13 08:08:45 Waiting for: file:///kopano/ssl/konnectd-tokens-signing-key.pem
2020/08/13 08:08:46 File file:///kopano/ssl/konnectd-tokens-signing-key.pem had been generated
/usr/local/bin/wrapper.sh: line 37: can't create /kopano/ssl/konnectd-encryption.key: Permission denied
2020/08/13 08:08:46 Waiting for: file:///kopano/ssl/konnectd-encryption.key
2020/08/13 08:08:47 File file:///kopano/ssl/konnectd-encryption.key had been generated
Entrypoint: Skipping guest mode configuration, as it is already configured.
Patching identifier registration for external OIDC provider
Entrypoint: Issuer url (--iss): https://meet.domain.tld/meetid
Entrypoint: Allowing guest login
Entrypoint: Setting base-path to /meetid
2020/08/13 08:08:48 Waiting for: file:///etc/machine-id
2020/08/13 08:08:48 Waiting for: file:///var/lib/dbus/machine-id
2020/08/13 08:08:49 File file:///var/lib/dbus/machine-id had been generated
2020/08/13 08:08:49 File file:///etc/machine-id had been generated
time="2020-08-13T08:08:49Z" level=info msg="serve start"
time="2020-08-13T08:08:49Z" level=info msg="client controlled guests are enabled"
time="2020-08-13T08:08:49Z" level=info msg="loading encryption secret from file" file=/kopano/ssl/konnectd-encryption.key
time="2020-08-13T08:08:49Z" level=info msg="loading signing key" path=/kopano/ssl/konnectd-tokens-signing-key.pem
time="2020-08-13T08:08:49Z" level=warning msg="skipped as signer with same kid already loaded" kid=konnectd-tokens-signing-key path=/kopano/ssl/konnectd-tokens-signing-key.pem
time="2020-08-13T08:08:49Z" level=info msg="encryption set up with 32 key size"
time="2020-08-13T08:08:49Z" level=warning msg="authority has no id, using name" id=ucs-konnect
time="2020-08-13T08:08:49Z" level=info msg="using external default authority" id=ucs-konnect
time="2020-08-13T08:08:49Z" level=info msg="ldap server identifier backend set up" ldap="ldap://dienste.intern.domain.tld:7389 "
time="2020-08-13T08:08:49Z" level=info msg="identifier set up" security="A256GCM:A256GCMKW"
time="2020-08-13T08:08:49Z" level=info msg="using identifier backed identity manager"
time="2020-08-13T08:08:49Z" level=info msg="identity manager set up" claims="[name family_name given_name email email_verified]" name=ldap scopes="[offline_access kopano/gc kopano/kwm kopano/kvs kopano/pubs profile email konnect/uuid konnect/raw_sub]"
time="2020-08-13T08:08:49Z" level=info msg="identity guest manager set up"
time="2020-08-13T08:08:49Z" level=info msg="set provider signing alg" alg=PS256
time="2020-08-13T08:08:49Z" level=info msg="set provider signing key" id=konnectd-tokens-signing-key method="*jwt.SigningMethodRSAPSS" type="*rsa.PrivateKey"
time="2020-08-13T08:08:49Z" level=info msg="set provider validation key" id=konnectd-tokens-signing-key type="*rsa.PublicKey"
time="2020-08-13T08:08:49Z" level=info msg="set provider validation key" id=default type="*rsa.PublicKey"
time="2020-08-13T08:08:49Z" level=info msg="oidc token signing default set up" alg=PS256 id=konnectd-tokens-signing-key method="*jwt.SigningMethodRSAPSS"
time="2020-08-13T08:08:49Z" level=info msg="serve started"
time="2020-08-13T08:08:49Z" level=info msg="starting http listener" listenAddr="0.0.0.0:8777"
time="2020-08-13T08:08:49Z" level=info msg="ready to handle requests"
time="2020-08-13T08:08:49Z" level=error msg="error while oidc provider update: oidc provider error: failed to fetch discover document: failed to fetch JSON (status: 503)" id=ucs-konnect type=oidc

I’m not sure if it is related to the current update of kopano-meet. As Meet didn’t work after the update, I downgraded the app to the version before: v2.1 … That is the version I’m sure worked with OpenID v1 at some time.

Best,
Bernd

Hi @lebernd,

the provider behind oidc/konnectd/issuer_identifier is the one in the “OpenID Connect Provider” app, and the “service unavailable” makes it sound like that one is not running.
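The check the reply describes, as an added example that is not code from Kopano Konnect, Univention or the thread: it fetches the discovery document of the issuer configured in oidc/konnectd/issuer_identifier exactly as Konnect does at startup, tells an HTML 503 from the reverse proxy apart from a real discovery document, and then verifies what a client must verify before trusting the upstream provider (the issuer in the document matches the configured one, the endpoints are present and https, and unsigned ID tokens are not advertised). The issuer value, the sample document and the 503 body are constructed for the example.

```python
"""Diagnose the external OIDC authority Konnect talks to (added example)."""
import json
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

DISCOVERY_PATH = "/.well-known/openid-configuration"
# Fields Konnect needs from an upstream provider; without them the document is unusable.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed values for this example; on UCS the real issuer is whatever
# `ucr get oidc/konnectd/issuer_identifier` prints.
EXAMPLE_ISSUER = "https://ucs-sso.example.test/oidc"
GOOD_DOC = {
    "issuer": EXAMPLE_ISSUER,
    "authorization_endpoint": EXAMPLE_ISSUER + "/authorize",
    "token_endpoint": EXAMPLE_ISSUER + "/token",
    "jwks_uri": EXAMPLE_ISSUER + "/jwks",
    "id_token_signing_alg_values_supported": ["RS256", "PS256"],
}
# Constructed: the HTML error page a reverse proxy returns when its backend is down.
PROXY_503_BODY = (b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
                  b"<html><head>\n<title>503 Service Unavailable</title>")


def discovery_url(issuer):
    """Discovery URL for an issuer identifier (trailing slash tolerated)."""
    return issuer.rstrip("/") + DISCOVERY_PATH


def parse_discovery(body):
    """Parse a response body; returns (doc, None) or (None, reason)."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None, "response is not JSON (HTML error page from the proxy?)"
    if not isinstance(doc, dict):
        return None, "discovery document is not a JSON object"
    return doc, None


def check_discovery(doc, expected_issuer):
    """Return the list of problems with a parsed document; empty means usable."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not isinstance(doc.get(field), str):
            problems.append("missing or invalid field: " + field)
    issuer = doc.get("issuer")
    # OIDC Discovery requires the issuer in the document to equal the one the
    # URL was built from; a mismatch means a client is talking to the wrong provider.
    if isinstance(issuer, str) and issuer.rstrip("/") != expected_issuer.rstrip("/"):
        problems.append(f"issuer mismatch: configured {expected_issuer!r}, document says {issuer!r}")
    for field in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(field)
        if isinstance(url, str) and urlsplit(url).scheme != "https":
            problems.append(f"{field} is not https: {url}")
    algs = doc.get("id_token_signing_alg_values_supported") or []
    if "none" in algs:
        problems.append("provider advertises the unsigned 'none' algorithm for ID tokens")
    return problems


def fetch_discovery(issuer, timeout=5.0):
    """Fetch the discovery document over the network; returns (doc, None) or (None, reason)."""
    url = discovery_url(issuer)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read()
    except urllib.error.HTTPError as exc:
        # HTTP 503 here is what Konnect logs as "failed to fetch JSON (status: 503)":
        # the provider, or the proxy in front of it, is not serving.
        return None, f"HTTP {exc.code} from {url}: provider (or its proxy) is not serving"
    except OSError as exc:
        return None, f"cannot reach {url}: {exc}"
    return parse_discovery(body)


def diagnose(issuer):
    """Problems found for the configured issuer; an empty list means it looks healthy."""
    doc, err = fetch_discovery(issuer)
    if err:
        return [err]
    return check_discovery(doc, issuer)


if __name__ == "__main__":
    # Usage on UCS: python3 oidc_check.py "$(ucr get oidc/konnectd/issuer_identifier)"
    configured = sys.argv[1] if len(sys.argv) > 1 else EXAMPLE_ISSUER
    for line in diagnose(configured) or ["OK: discovery document is usable"]:
        print(line)
```

An HTML body, as in the curl output above, is reported as "not JSON" rather than parsed, so a proxy error page is never mistaken for a provider answer; only a document whose issuer, endpoints and algorithms pass the checks counts as a working authority.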

Ah - I thought I was missing one container… but I can’t start it…
Well, I can start it, and systemd shows it without error, but it isn’t running…
I’ll investigate later.
