Problem: UCS App Installation Fails Due to Redirect to External S3 Endpoint

Problem

When installing applications from the App Center in UCS, downloads from the artifact registry may fail.

The domain artifacts.software-univention.de redirects blob download requests to an external S3 endpoint (s3.de-west-1.psmanaged.com).

In environments with restrictive firewall or proxy configurations, this redirect can be blocked, resulting in installation failures.

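For example, a direct request to the S3 endpoint from such an environment returns the gateway's page instead of a response from the object storage:

curl https://s3.de-west-1.psmanaged.com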

<!DOCTYPE html
	PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
	 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US">
<head>
<title>Web Security Gateway</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
</head>
<body content-type="text/plain; charset=UTF-8">
<span id="redir_msg" style="display: none"><p>Redirecting you to Web Security Gateway.</p></span><script language="JavaScript" x-barracuda="1">
if (0) {
  document.write('<div style="border: 1px dotted red; padding: 2px; font-family: sans; font-size: 12px; color: black; background-color: white">This portion of the requested page has been blocked.
<skip>

Investigation

When pulling container images from:

https://artifacts.software-univention.de

the registry may respond with an HTTP 307 Temporary Redirect pointing to:

https://s3.de-west-1.psmanaged.com

Example output:

[fabian@svalka ~]$ curl -sk -H "Authorization: Bearer $(curl -sk "https://artifacts.software-univention.de/service/token?service=harbor-registry&scope=repository:ucsschool/ucsschool-kelvin-rest-api:pull" | jq -r '.token')" https://artifacts.software-univention.de/v2/ucsschool/ucsschool-kelvin-rest-api/blobs/$(curl -sk -H "Authorization: Bearer $(curl -sk "https://artifacts.software-univention.de/service/token?service=harbor-registry&scope=repository:ucsschool/ucsschool-kelvin-rest-api:pull" | jq -r '.token')" -H "Accept: application/vnd.oci.image.manifest.v1+json" https://artifacts.software-univention.de/v2/ucsschool/ucsschool-kelvin-rest-api/manifests/release3.1.0 | jq '.layers[0].digest' -r) -v
[…]
< HTTP/2 307 
< date: Fri, 23 Jan 2026 08:38:20 GMT
< content-type: application/octet-stream
< content-length: 0
< location: https://s3.de-west-1.psmanaged.com/artifacts-software-univention-de/docker/registry/v2/blobs/sha256/dc/dc0decf4841d19b14e836c2d82bd5cb9540fb5e0d1359549ca243f49036557e9/data?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=...

This redirect is expected behavior.
s3.de-west-1.psmanaged.com is the S3 object storage backend of Univention’s hosting provider.


Root Cause

Firewalls, proxies, or web security gateways block outbound traffic to:

s3.de-west-1.psmanaged.com

As a result, container image layers cannot be downloaded.

In some environments, the proxy returns a web filtering page instead of the expected blob content.

Example test:

curl https://s3.de-west-1.psmanaged.com

Blocked response:

<title>Web Security Gateway</title>
...
Redirecting you to Web Security Gateway.
...

This confirms that the request is intercepted by a proxy or firewall.

Related bug report: 58990


Solution

If the UCS system is behind a proxy, these domains must be allowed in the firewall and proxy configuration:

updates.software-univention.de
appcenter.software-univention.de
artifacts.software-univention.de
s3.de-west-1.psmanaged.com
license.univention.de

Ensure:

  • HTTPS (TCP/443) outbound access is permitted
  • SSL inspection does not break registry authentication
  • No content filtering interferes with OCI image downloads

Verification

Test connectivity using verbose curl:

curl -v https://updates.software-univention.de
curl -v https://appcenter.software-univention.de
curl -v https://artifacts.software-univention.de
curl -v https://s3.de-west-1.psmanaged.com
curl -v https://license.univention.de

Expected result:

  • Successful TLS handshake
  • HTTP 200/301/302 responses (no proxy block page)
  • No Web Security Gateway HTML output
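
The curl tests above only show that each host answers. The following added example (not part of the original article or of UCS; the function names are hypothetical) goes one step further: it inspects a captured blob download, lists redirect targets missing from the allow list, and checks that the downloaded bytes match the layer digest, which a proxy block page or content filter would break. It assumes curl, sed, grep and sha256sum are available.

```bash
#!/usr/bin/env bash
# Added example, not from the original article; function names are hypothetical.
# Live use: capture a blob download (token and URL as in the Investigation
# section), then inspect the two files:
#   curl -sL -D headers.txt -o body.bin -H "Authorization: Bearer $TOKEN" "$BLOB_URL"
#   unlisted_hosts headers.txt; check_blob "sha256:<digest from URL>" body.bin

# Hosts from the Solution section of the article.
ALLOWED="updates.software-univention.de appcenter.software-univention.de
artifacts.software-univention.de s3.de-west-1.psmanaged.com license.univention.de"

# Print the host of every Location header in a curl -D header dump.
redirect_hosts() {
  tr -d '\r' < "$1" |
    sed -n 's|^[Ll]ocation: *https\{0,1\}://\([^/:?]*\).*|\1|p'
}

# Print redirect target hosts that are missing from the allow list.
unlisted_hosts() {
  for h in $(redirect_hosts "$1"); do
    case " $(echo $ALLOWED) " in *" $h "*) ;; *) echo "$h" ;; esac
  done
}

# Compare a downloaded body with the expected digest (sha256:<hex>).
# ok = bytes match; blocked = gateway page (markers from the article's
# block page); mismatch = any other altered or truncated content.
check_blob() {
  want=${1#sha256:}
  got=$(sha256sum "$2" | cut -d' ' -f1)
  if [ "$got" = "$want" ]; then echo ok
  elif grep -qiE 'Web Security Gateway|x-barracuda' "$2"; then echo blocked
  else echo mismatch
  fi
}

# Offline demonstration on constructed sample data.
demo() {
  d=$(mktemp -d)
  printf 'HTTP/2 307 \r\nlocation: https://s3.de-west-1.psmanaged.com/bucket/data?X=1\r\n\r\n' > "$d/h"
  printf '<title>Web Security Gateway</title>\n' > "$d/page"
  printf 'layer-bytes' > "$d/blob"
  echo "redirect hosts: $(redirect_hosts "$d/h")"
  echo "unlisted hosts: $(unlisted_hosts "$d/h")"
  echo "proxy page:     $(check_blob sha256:00 "$d/page")"
  echo "intact blob:    $(check_blob "sha256:$(sha256sum "$d/blob" | cut -d' ' -f1)" "$d/blob")"
  rm -rf "$d"
}
demo
```

A result of "mismatch" without gateway markers points to SSL inspection or content filtering that rewrites or truncates the layer rather than blocking it outright.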

Recommendation

Customers operating UCS in restricted enterprise environments should:

  • Explicitly whitelist all required Univention infrastructure endpoints.
  • Review proxy policies for container registry redirects.