ownCloud and Wordpress down after todays update to 4.3-3 errata407

tpfann · January 18, 2019, 7:05am

Hi,

after I have applied the update 4.3-3 errata407 this morning, ownCloud and Wordpress are no longer reachable. Other url’s like Collabora admin console or Kopano are still reachable.

When I try to access e.g. ownCloud it just gives me:

# Not Found
The requested URL /owncloud/index.php/login was not found on this server.
Apache/2.4.25 (Univention) Server at remote.convice.de Port 443

Any hint or support would be much appreciated.

btw.: Both docker containers for Wordpress and ownCloud are up- and running.

tpfann · January 18, 2019, 7:20am

I just found out that ownCloud and Wordpress are still reachable via the local IP-Address.
Therefore I assume that the root-cause is more related to the todays Lets-Encrypt update (1.2.2-6) and not the errata407 release.

Moritz_Bunkus · January 18, 2019, 8:32am

Hey,

can you please show the output of the following commands:

ls -l /etc/apache2/sites-enabled
cat /etc/apache2/sites-available/default-ssl.conf
univention-check-templates

Thanks.

It’s not a general issue with 4.3-3 errata407 (meaning it doesn’t happen for everyone: on my own test installation both Nextcloud & Owncloud are still available).

Kind regards
mosu

tpfann · January 18, 2019, 8:37am

Hi Moritz,

thx for your feedback, here comes the requested information:

root@xxxxxx:~# ls -l /etc/apache2/sites-enabled

lrwxrwxrwx 1 root root 35 Mär 29  2018 000-default.conf -> ../sites-available/000-default.conf
lrwxrwxrwx 1 root root 35 Mär 29  2018 default-ssl.conf -> ../sites-available/default-ssl.conf
lrwxrwxrwx 1 root root 39 Mär 29  2018 kopano-presence.conf -> ../sites-available/kopano-presence.conf
lrwxrwxrwx 1 root root 37 Nov 22 08:49 kopano-webapp.conf -> ../sites-available/kopano-webapp.conf
lrwxrwxrwx 1 root root 42 Mär 29  2018 kopano-webmeetings.conf -> ../sites-available/kopano-webmeetings.conf
lrwxrwxrwx 1 root root 34 Mär 29  2018 univention.conf -> ../sites-available/univention.conf
lrwxrwxrwx 1 root root 46 Mär 29  2018 univention-letsencrypt.conf -> ../sites-available/univention-letsencrypt.conf
lrwxrwxrwx 1 root root 41 Nov 15 09:04 univention-portal.conf -> ../sites-available/univention-portal.conf
lrwxrwxrwx 1 root root 39 Mär 29  2018 univention-saml.conf -> ../sites-available/univention-saml.conf
lrwxrwxrwx 1 root root 50 Mai  2  2018 univention-server-overview.conf -> ../sites-available/univention-server-overview.conf

root@xxxxxxx:~# cat /etc/apache2/sites-available/default-ssl.conf
# Warning: This file is auto-generated and might be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
# Warnung: Diese Datei wurde automatisch generiert und kann durch
#          univention-config-registry ueberschrieben werden.
#          Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
#
#       /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/00start
#       /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10hsts
#       /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10univention-appcenter
#       /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/99end
#

<IfModule mod_ssl.c>

<VirtualHost *:443>
        IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
        SSLEngine on
        SSLProxyEngine on
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off
        SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
        SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key
        SSLCACertificateFile /etc/univention/ssl/ucsCA/CAcert.pem
        SSLCertificateChainFile /etc/univention/letsencrypt/intermediate.pem

        #SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

        ### To enable special log format for HTTPS-access
        # LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %p" combinedssl
        # CustomLog /var/log/apache2/access.log combinedssl     ## with port number



        ProxyPass /owncloud http://127.0.0.1:40007/owncloud retry=0
        ProxyPassReverse /owncloud http://127.0.0.1:40007/owncloud


        ProxyPass /wordpress https://127.0.0.1:40003/wordpress retry=0
        ProxyPassReverse /wordpress https://127.0.0.1:40003/wordpress

no output at all when I run “univention-check-templates”

Best regards
Thomas

Moritz_Bunkus · January 18, 2019, 9:07am

Hey,

it’s quite likely this is a bug in the Let’s Encrypt app (or rather in the Apache server configuration for that app). SuiteCRM is affected as well — my guess is any app is affected. See the following thread where Univention’s Nico Gulden is already triaging the issue:

I suggest you follow that thread for the time being.

tpfann · January 18, 2019, 9:20am

… just wondering why Kopano, Collabora admin page and UCS Portal are still working (with the correct lets-encrypt certificate)?!

Moritz_Bunkus · January 18, 2019, 9:26am

The Kopano Webapp is configured as a global Alias (see the content of kopano-webapp.conf). This alias applies to all VirtualHosts configured for Apache. Collabora is likely configured in a similar way (I don’t have it installed at the moment and cannot verify that’s really the case).

The affected apps, SuiteCRM & Wordpress, are configured via directives located within a specific VirtualHost definition. Requests to your server somehow end up within a different configured VirtualHost than the default one in default-ssl.conf for reasons that aren’t all that clear just yet.

damrose · January 18, 2019, 9:29am

We have identified an issue with yesterdays let’s encrypt App update. The Proxy directives for Docker Apps are not correctly included in the new let’s encrypt VirtualHost configuration, so Docker Apps cannot be reached when accessed via the domain configured for the App.

We have removed the App update for now and are working on a solution as well as a workaround for users that already installed the update.

tpfann · January 18, 2019, 9:33am

@Moritz: thx for your explainations
@damrose: glad to hear that you were able to identify the root cause - waiting for the hotfix/workarround now

gulden · January 18, 2019, 12:02pm

And here is the reference to the issue.

damrose · January 18, 2019, 12:42pm

We just released an update for the let’s encrypt App. Please update to App Version 1.2.2-8 to get the fixed version, although we also uploaded fixed packages to the previously removed App.

Users that update from now on will automatically install the most recent App version and should not encounter any issues with accessing their Docker Apps.

tpfann · January 18, 2019, 12:59pm

Everything is back to normal. Thx for the quick fix! Have a nice weekend everyone.