nextcloud / spreed

🗨️ Nextcloud Talk – chat, video & audio calls for Nextcloud
https://nextcloud.com/talk
GNU Affero General Public License v3.0

Coturn not supported after update from Nextcloud 27 (Latest version) to Nextcloud 28 (with Talk Update) #12315

Closed Speed7811 closed 5 months ago

Speed7811 commented 5 months ago

Dear all,

we are using Nextcloud 27 (latest version) with Talk (latest version for 27). We are using Coturn on a separate Ubuntu 22.04 LTS server (version 2.1.5 => latest on 22.04) and now updated Nextcloud to version 28. Now on the administration page of "Talk" I can press the button to check the TURN server and there is an exclamation mark. In 27 there was no problem.

See the image to show the problem:

[screenshot: Coturn_Check]

My questions are:

  1. Is this a bug or do I need to update the Coturn server?
  2. Where can I find the error message when I click the button? When I press the button no log entry is written to nextcloud.log.

Talk app

Talk app version: 18.0.7

Custom Signaling server configured: yes

Custom TURN server configured: yes

Custom STUN server configured: yes

Browser

Microphone available: yes

Camera available: yes

Operating system: Windows

Browser name: Opera

Browser version: 109.0.5097.68

Browser log

```
Insert your browser log here, this could for example include: a) The javascript console log b) The network log c) ...
```

Server configuration

Operating system: Ubuntu 22.04 LTS

Web server: Apache

Database: Maria

PHP version: 8.2

Nextcloud Version: 28.0.5

List of activated apps:

```
Enabled:
 - activity: 2.20.0
 - bruteforcesettings: 2.8.0
 - circles: 28.0.0
 - cloud_federation_api: 1.11.0
 - comments: 1.18.0
 - contacts: 5.5.3
 - contactsinteraction: 1.9.0
 - dav: 1.29.1
 - federatedfilesharing: 1.18.0
 - federation: 1.18.0
 - files: 2.0.0
 - files_external: 1.20.0
 - files_pdfviewer: 2.9.0
 - files_reminders: 1.1.0
 - files_sharing: 1.20.0
 - files_trashbin: 1.18.0
 - firstrunwizard: 2.17.0
 - keeweb: 0.6.18
 - logreader: 2.13.0
 - lookup_server_connector: 1.16.0
 - mail: 3.6.0
 - nextcloud_announcements: 1.17.0
 - notifications: 2.16.0
 - oauth2: 1.16.3
 - password_policy: 1.18.0
 - photos: 2.4.0
 - previewgenerator: 5.5.0
 - privacy: 1.12.0
 - provisioning_api: 1.18.0
 - related_resources: 1.3.0
 - serverinfo: 1.18.0
 - settings: 1.10.1
 - sharebymail: 1.18.0
 - spreed: 18.0.7
 - support: 1.11.1
 - survey_client: 1.16.0
 - systemtags: 1.18.0
 - text: 3.9.1
 - theming: 2.3.0
 - twofactor_backupcodes: 1.17.0
 - twofactor_email: 2.7.4
 - twofactor_totp: 10.0.0-beta.2
 - unsplash: 2.2.2
 - updatenotification: 1.18.0
 - viewer: 2.2.0
 - workflowengine: 2.10.0
Disabled:
 - admin_audit: 1.18.0
 - dashboard: 7.8.0 (installed 7.0.0)
 - encryption: 2.16.0
 - files_versions: 1.21.0 (installed 1.20.0)
 - recommendations: 2.0.0 (installed 1.2.0)
 - suspicious_login: 6.0.0
 - user_ldap: 1.19.0
 - user_status: 1.8.1 (installed 1.8.1)
 - weather_status: 1.8.0 (installed 1.0.0)
```

Nextcloud configuration:

```
If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your Nextcloud installation folder
```

Server log (data/nextcloud.log)

```
Insert your server log here
```

nickvergessen commented 5 months ago

Can you check the browser console if it says any error? Otherwise the most likely issue is that the secret is not matching.

Speed7811 commented 5 months ago

Hey,

the secret is 100% correct. In 27 it is the same secret and I didn't change it. Additionally I have a second Nextcloud 27 instance which uses the same Coturn server and there is no problem!

Here you can find the console window - it seems to be something with the certificate expiration:

[screenshot: Coturn_Console_Window]

Additionally I got the certificate with nmap and it doesn't seem to be expired - so why doesn't Talk accept it?

The result of nmap (I changed my domain to 'mydomain'):

pi@cloud:~ $ nmap -v -p 443 --script ssl-cert coturn.mydomain.de
Starting Nmap 7.93 ( https://nmap.org ) at 2024-05-08 21:20 CEST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 21:20
Completed NSE at 21:20, 0.00s elapsed
Initiating Ping Scan at 21:20
Scanning coturn.mydomain.de (20.113.158.244) [2 ports]
Completed Ping Scan at 21:20, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:20
Completed Parallel DNS resolution of 1 host. at 21:20, 0.03s elapsed
Initiating Connect Scan at 21:20
Scanning coturn.mydomain.de (20.113.158.244) [1 port]
Discovered open port 443/tcp on 20.113.158.244
Completed Connect Scan at 21:20, 0.01s elapsed (1 total ports)
NSE: Script scanning 20.113.158.244.
Initiating NSE at 21:20
Completed NSE at 21:20, 0.03s elapsed
Nmap scan report for coturn.mydomain.de (20.113.158.244)
Host is up (0.015s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=coturn.mydomain.de
| Subject Alternative Name: DNS:coturn.mydomain.de
| Issuer: commonName=R3/organizationName=Let's Encrypt/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-03-20T21:24:03
| Not valid after:  2024-06-18T21:24:02
| MD5:   24cf3c73e472bcd4580b678f8a438785
| SHA-1: 07cdd5b76a24677a64c0fc5d164dac36078da719

NSE: Script Post-scanning.
Initiating NSE at 21:20
Completed NSE at 21:20, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds

SystemKeeper commented 5 months ago

Please check your nextcloud.log. The failure might be expected if the nextcloud server itself is unable to connect to your coturn. But you should see an error in the log.

SystemKeeper commented 5 months ago

Some additional infos can be found at https://github.com/nextcloud/spreed/issues/11327

Speed7811 commented 5 months ago

Hey,

loglevel is already set to 0 which means 'debug'. I have a tail -f /var/log/nextcloud/nextcloud.log running and I'm sure that I'm the only user who uses the Nextcloud instance. When I press the "Check" button I don't get any log entries written in the log.

As I mentioned in the comment it looks like the Coturn server can be contacted, but the cause seems to be that the certificate isn't accepted.

Best regards

Rainer

SystemKeeper commented 5 months ago

I just noticed that you get a 403 on the request, that must happen before it hits the controller, otherwise an exception should be logged like https://github.com/nextcloud/spreed/blob/0d7b4f9befb7f1eb7996b8d4d5c5253a20298aa6/lib/Controller/CertificateController.php#L49

Anything special about your user? Full admin rights?

SystemKeeper commented 5 months ago

For the sake of trying, can you retest when you remove the „:443“ part?

pmarini-nc commented 5 months ago

Did you check https://github.com/nextcloud/spreed/issues/11550?

Speed7811 commented 5 months ago

Hey... yes I got a 403 here:

[screenshot: Coturn_Console_Window_1]

I tried it by removing the "443" and got the same result.

I checked the coturn logs during the test and I got some TLS errors:

17831: : session 000000000000000161: realm <coturn.mydomain.de> user <>: incoming packet message processed, error 401: Unauthorized
17831: : session 000000000000000163: realm <coturn.mydomain.de> user <>: incoming packet message processed, error 401: Unauthorized
17831: : session 001000000000000154: realm <coturn.mydomain.de> user <>: incoming packet message processed, error 401: Unauthorized
17831: : session 000000000000000166: realm <coturn.mydomain.de> user <>: incoming packet message processed, error 401: Unauthorized
17831: : IPv4. Local relay addr: 10.0.0.4:42072
17831: : session 000000000000000161: new, realm=<coturn.mydomain.de>, username=<1715198726:turn-test-user>, lifetime=600, cipher=ECDHE-RSA-AES128-GCM-SHA256, method=TLSv1.2
17831: : session 000000000000000161: realm <coturn.mydomain.de> user <1715198726:turn-test-user>: incoming packet ALLOCATE processed, success
17831: : IPv4. Local relay addr: 10.0.0.4:58386
17831: : session 000000000000000163: new, realm=<coturn.mydomain.de>, username=<1715198726:turn-test-user>, lifetime=600, cipher=ECDHE-RSA-AES128-GCM-SHA256, method=TLSv1.2
17831: : session 000000000000000163: realm <coturn.mydomain.de> user <1715198726:turn-test-user>: incoming packet ALLOCATE processed, success
17831: : IPv4. Local relay addr: 10.0.0.4:41107
17831: : session 001000000000000154: new, realm=<coturn.mydomain.de>, username=<1715198726:turn-test-user>, lifetime=600, cipher=ECDHE-RSA-AES128-GCM-SHA256, method=TLSv1.2
17831: : session 001000000000000154: realm <coturn.mydomain.de> user <1715198726:turn-test-user>: incoming packet ALLOCATE processed, success
17831: : IPv4. Local relay addr: 10.0.0.4:61846
17831: : session 000000000000000166: new, realm=<coturn.mydomain.de>, username=<1715198726:turn-test-user>, lifetime=600, cipher=ECDHE-RSA-AES128-GCM-SHA256, method=TLSv1.2
17831: : session 000000000000000166: realm <coturn.mydomain.de> user <1715198726:turn-test-user>: incoming packet ALLOCATE processed, success
17831: : session 000000000000000162: TLS/TCP socket disconnected: 91.248.xxx.xx:51214
17831: : session 000000000000000162: usage: realm=<coturn.mydomain.de>, username=<>, rp=0, rb=0, sp=0, sb=0
17831: : session 000000000000000162: peer usage: realm=<coturn.mydomain.de>, username=<>, rp=0, rb=0, sp=0, sb=0
17831: : session 000000000000000162: closed (2nd stage), user <> realm <coturn.mydomain.de> origin <>, local 10.0.0.4:443, remote 91.248.xxx.xx:51214, reason: TLS/TCP socket buffer operation error (callback)
17831: : session 000000000000000164: TLS/TCP socket disconnected: 91.248.xxx.xx:51213
17831: : session 000000000000000164: usage: realm=<coturn.mydomain.de>, username=<>, rp=0, rb=0, sp=0, sb=0
17831: : session 000000000000000164: peer usage: realm=<coturn.mydomain.de>, username=<>, rp=0, rb=0, sp=0, sb=0
17831: : session 000000000000000164: closed (2nd stage), user <> realm <coturn.mydomain.de> origin <>, local 10.0.0.4:443, remote 91.248.xxx.xx:51213, reason: TLS/TCP socket buffer operation error (callback)
17831: : session 000000000000000166: TLS/TCP socket disconnected: 91.248.xxx.xx:51216
17831: : session 000000000000000166: usage: realm=<coturn.mydomain.de>, username=<1715198726:turn-test-user>, rp=2, rb=152, sp=2, sb=228
17831: : session 000000000000000166: peer usage: realm=<coturn.mydomain.de>, username=<1715198726:turn-test-user>, rp=0, rb=0, sp=0, sb=0
17831: : session 000000000000000166: closed (2nd stage), user <1715198726:turn-test-user> realm <coturn.mydomain.de> origin <>, local 10.0.0.4:443, remote 91.248.xxx.xx:51216, reason: **TLS/TCP socket buffer operation error (callback)**

Are there any changes which belong to the communication with TLS? I didn't change anything on the Coturn server and with 27 it works.

Best regards

Rainer

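A small log triage helper, added here as an example and not part of Talk or coturn: it groups the coturn lines quoted above by session and classifies each one, so the "error 401" lines are recognised as the normal first-request credential challenge (answered by the ALLOCATE success that follows for the same session) rather than as a failure, while a session that never gets past the 401 points at a shared-secret or expiry problem and a session that dies with no TURN authentication at all points at the TLS transport. The classification is a heuristic over the line shapes in this thread and the sample log is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the coturn log above: session 161 is challenged
# (401) and then allocates, 170 never gets past the 401, 162 dies in the TLS layer.
SAMPLE_LOG = """\
17831: : session 000000000000000161: realm <coturn.mydomain.de> user <>: incoming packet message processed, error 401: Unauthorized
17831: : session 000000000000000170: realm <coturn.mydomain.de> user <>: incoming packet message processed, error 401: Unauthorized
17831: : session 000000000000000161: new, realm=<coturn.mydomain.de>, username=<1715198726:turn-test-user>, lifetime=600, cipher=ECDHE-RSA-AES128-GCM-SHA256, method=TLSv1.2
17831: : session 000000000000000161: realm <coturn.mydomain.de> user <1715198726:turn-test-user>: incoming packet ALLOCATE processed, success
17831: : session 000000000000000162: TLS/TCP socket disconnected: 91.248.xxx.xx:51214
17831: : session 000000000000000162: closed (2nd stage), user <> realm <coturn.mydomain.de> origin <>, local 10.0.0.4:443, remote 91.248.xxx.xx:51214, reason: TLS/TCP socket buffer operation error (callback)
"""
SESSION_RE = re.compile(r"session (\d+): (.*)$")          # session id + rest of line
USER_RE = re.compile(r"username=<(\d+):([^>]*)>")         # TURN REST "expiry:user" form

def summarize_sessions(log_text):
    # Group lines per coturn session; order-independent because coturn interleaves them.
    sessions = defaultdict(lambda: {"challenged": False, "allocated": False,
                                    "username": None, "expiry": None, "close_reason": None})
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        if not m:
            continue
        info, rest = sessions[m.group(1)], m.group(2)
        if "error 401" in rest:            # first-request challenge, expected for every session
            info["challenged"] = True
        if "ALLOCATE processed, success" in rest:
            info["allocated"] = True
        u = USER_RE.search(rest)
        if u:
            info["expiry"], info["username"] = int(u.group(1)), u.group(2)
        if "closed (2nd stage)" in rest:
            info["close_reason"] = rest.split("reason: ", 1)[-1].strip("*")
    return dict(sessions)

def classify(info, now):
    # Heuristic diagnosis of one session from the facts collected above.
    if info["allocated"]:
        return "ok"                   # challenge answered, relay allocated: secret matches
    if info["challenged"] and info["expiry"] is not None and info["expiry"] < now:
        return "credential-expired"   # timestamp part of the username is in the past
    if info["challenged"]:
        return "auth-failed"          # 401 never answered: shared secret most likely differs
    if info["close_reason"] and "TLS" in info["close_reason"]:
        return "tls-transport"        # no TURN authentication at all, connection died in TLS
    return "unknown"

def diagnose(log_text, now):
    return {sid: classify(info, now) for sid, info in summarize_sessions(log_text).items()}
```

Run against the full log from the comment above, every session that shows an ALLOCATE success comes out as "ok", which is why the 401 lines are a red herring and the 403 in the browser (not coturn) was the actual lead.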
nickvergessen commented 5 months ago

Or is your admin user not in the list of groups that are allowed to use talk? #11550

Speed7811 commented 5 months ago

Lol... that's it!

I'm the admin user but I changed the permissions a few weeks ago... I removed the Talk permission from the admin. I have never thought that the TURN server check needs the Talk permission.

You made my day! Thank you so much!

Best regards

Rainer

fancycode commented 5 months ago

Maybe the TURN server check should always be allowed for admins, similar to https://github.com/nextcloud/spreed/pull/8330 and https://github.com/nextcloud/spreed/pull/10961

nickvergessen commented 5 months ago

Yeah, that's why there is #11550 as a good-first-issue

fancycode commented 5 months ago

...mondays :see_no_evil: