Strange network issue on 127.0.0.1 with openid/kopano

I am setting up a UCS 5.x for OIDC to use it as an external SSO auth source for ownCloud and Discourse. When accessing the UCS with the ownCloud client, I get an error message


We already isolated the issue to the UCS config, see

A local curl call on the UCS shows:

root@idp:~# nslookup idp.netzwissen.de
Server:         136.243.85.155
Address:        136.243.85.155#53
Name:   idp.netzwissen.de
Address: 136.243.85.155

But for 127.0.0.1:

root@idp:~# curl -I https://127.0.0.1
curl: (60) SSL: no alternative certificate subject name matches target host name '127.0.0.1'
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

How can I fix this?

That error message only means that your test with curling https://127.0.0.1 hit this issue; it does not necessarily mean ownCloud has the same issue. In fact, it already tells you that it could not verify the certificate chain, which means that the ownCloud server does not trust the connection and therefore refuses it. You need to either import the Univention CA on the ownCloud host or change the certificate on Univention to a trusted one, for example from Let's Encrypt.

We already found the root cause:
The Univention UCS provides the OIDC API endpoints on a separate DNS name, ucs-sso.xxx, instead of the main DNS name idp.xxx. This ucs-sso DNS name was not listed as a valid (second) DNS name in the LE certificate. Therefore the SSL encryption for the curl call from the ownCloud server could not be established correctly.
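Added example, not from this thread or from Univention: the check that produced curl's error 60 above is subject-alternative-name matching, and the same rule explains both failures in the thread (an IP literal like 127.0.0.1 only matches an iPAddress SAN, never a dNSName, and ucs-sso.xxx is not covered by a certificate that only lists idp.xxx). The SAN lists below are constructed for illustration; the real certificate's SAN set is not shown on the page, and the hostnames are assumed from the nslookup output.

```python
import ipaddress

# Constructed SAN lists (assumption: modelled on the thread, not the real certificate).
# Before the fix the Let's Encrypt certificate only covered the main name.
SAN_BEFORE = [("DNS", "idp.netzwissen.de")]
# After the fix the separate SSO name is listed as a second dNSName.
SAN_AFTER = [("DNS", "idp.netzwissen.de"), ("DNS", "ucs-sso.netzwissen.de")]


def _dns_name_match(pattern: str, host: str) -> bool:
    """RFC 6125 style dNSName matching as curl and browsers apply it.

    Case-insensitive; a wildcard is only honoured as the complete leftmost
    label, must not be the only label before the public suffix (conservative
    guard: at least three labels), and matches exactly one label.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_matches(sans, target):
    """Return the SAN entry that covers `target`, or None.

    None corresponds to curl's
    "(60) SSL: no alternative certificate subject name matches target host name".
    `sans` is a list of (kind, value) tuples with kind "DNS" or "IP".
    """
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None

    for kind, value in sans:
        if target_ip is not None:
            # An IP literal in the URL is only satisfied by an iPAddress SAN;
            # a dNSName that merely spells the same digits does not count.
            if kind == "IP" and ipaddress.ip_address(value) == target_ip:
                return (kind, value)
        elif kind == "DNS" and _dns_name_match(value, target):
            return (kind, value)
    return None


def explain(sans, target):
    """Human-readable verdict for a quick manual check."""
    hit = san_matches(sans, target)
    if hit is None:
        return f"{target}: no SAN matches (curl error 60)"
    return f"{target}: covered by {hit[0]}:{hit[1]}"


if __name__ == "__main__":
    # Reproduces the thread: main name works, 127.0.0.1 and ucs-sso do not.
    for host in ("idp.netzwissen.de", "127.0.0.1", "ucs-sso.netzwissen.de"):
        print("before:", explain(SAN_BEFORE, host))
    print("after: ", explain(SAN_AFTER, "ucs-sso.netzwissen.de"))
```

To inspect the real SAN list on a server, `openssl s_client -connect idp.example:443 -servername idp.example </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName` prints the dNSName and iPAddress entries that this function would be fed; every hostname the OIDC client will contact, including any separate SSO name, has to appear there.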
