owncloud / core

:cloud: ownCloud web server core (Files, DAV, etc.)
https://owncloud.com
GNU Affero General Public License v3.0

Federation - cURL and SSL error #23634

Closed mat-l closed 2 years ago

mat-l commented 8 years ago

Steps to reproduce

  1. Added federation or owncloud ID of a friend

Actual behaviour

Since adding and later on deleting the owncloud ID of a friend, my owncloud log is filling with lots of error messages twice a second.

Server configuration

Operating system: Arch Linux ARM for ODROID-X
Web server: Nginx
Database: mysqld 10.1.13-MariaDB
PHP version: 7.0.4
ownCloud version: 9.0.0
Updated from an older ownCloud or fresh install: Fresh install after it crashed before
Where did you install ownCloud from: Arch AUR
Signing status (ownCloud 9.0 and above): Integrity checker has been disabled. Integrity cannot be verified.

List of activated apps:

Enabled:
  - admin_migrate: 0.1
  - calendar: 1.0
  - comments: 0.2
  - contacts: 1.1.0.0
  - dav: 0.1.5
  - federatedfilesharing: 0.1.0
  - federation: 0.0.4
  - files: 1.4.4
  - files_odfviewer: 0.1
  - files_pdfviewer: 0.8
  - files_sharing: 0.9.1
  - files_texteditor: 2.1
  - files_trashbin: 0.8.0
  - files_versions: 1.2.0
  - files_videoviewer: 0.1.3
  - firstrunwizard: 1.1
  - news: 8.0.0
  - provisioning_api: 0.4.1
  - systemtags: 0.2
  - templateeditor: 0.1
  - updatenotification: 0.1.0
  - user_migrate: 0.1
Disabled:
  - activity
  - apptemplate
  - django_auth
  - emoji
  - encryption
  - encryption_dummy
  - external
  - files_archive
  - files_external
  - files_sgfviewer
  - files_svgedit
  - fluxx_compensator
  - impress
  - imprint
  - ownpad_lite
  - pong
  - pushnotifications
  - reader
  - search
  - tattoo
  - testing
  - user_external
  - user_ldap
  - user_oauth
  - user_openid_provider
  - user_persona
  - user_saml
  - user_vd
  - user_webfinger

The content of config/config.php:

{
    "system": {
        "instanceid": "octbd314421r",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "owncloud.mnethome.de"
        ],
        "datadirectory": "\/mnt\/ExterneHDD1\/Server\/owncloud-daten",
        "overwrite.cli.url": "https:\/\/owncloud.mnethome.de",
        "dbtype": "mysql",
        "version": "9.0.0.19",
        "dbname": "owncloudDB",
        "dbhost": "localhost",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "mail_smtpmode": "smtp",
        "mail_from_address": "tobias.masiak",
        "mail_domain": "mnethome.de",
        "mail_smtpsecure": "ssl",
        "mail_smtphost": "smtp.variomedia.de",
        "mail_smtpport": "465",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "theme": "",
        "loglevel": 0,
        "maintenance": false
    }
}

Are you using external storage, if yes which one: no
Are you using encryption: no
Are you using an external user-backend, if yes which one: no

Client configuration

Browser: Firefox
Operating system: Windows / Antergos

Logs

Web server error log

No logs regarding the error described above.

ownCloud log (data/owncloud.log)

These lines were written two times per second into the log:

{"reqId":"R3+7zdwUALnu6MXMNqR9","remoteAddr":"95.88.146.199","app":"core","message":"cURL error 51: SSL: no alternative certificate subject name matches target host name 'owncloud.dapor.net'","level":3,"time":"2016-03-29T18:44:50+00:00","method":"GET","url":"\/ocs\/v2.php\/apps\/files_sharing\/api\/v1\/shares?subfiles=true&path=%2F&format=json"}

{"reqId":"3ndo7A7eAMYCDt9xBfr2","remoteAddr":"","app":"core","message":"cURL error 51: SSL: no alternative certificate subject name matches target host name 'owncloud.dapor.net'","level":3,"time":"2016-03-29T18:45:19+00:00","method":"--","url":"--"}

mat-l commented 8 years ago

Any ideas on how to stop flooding my owncloud.log? Regards, matl

tflidd commented 8 years ago

Just use your hostname in common names of your certificate. You can check your ssl-setting on ssllabs.com (it works on self-issued certificates as well).

mat-l commented 8 years ago

We are both using letsencrypt for the certificates. Therefore I think we can't/don't have to edit the common names during the certificate creation. This is done automatically, if I am not wrong. Nevertheless, the flooding of my owncloud.log has luckily stopped again.

PVince81 commented 8 years ago

@LukasReschke @icewind1991 @schiesbn

thommierother commented 8 years ago

I have the same error messages with a slightly different setup, which makes federation practically impossible. My setup:

The error log of the server receiving the sharing notification shows:

{"reqId":"Toh9zy62WpMVPv+WwmIe","remoteAddr":"79.194.106.223","app":"core","message":"cURL error 51: SSL: no alternative certificate subject name matches target host name 'www.fluechtlinge-esslingen.de'","level":3,"time":"May 11, 2016 09:11:29","method":"PROPFIND","url":"\/owncloud\/remote.php\/webdav\/","user":"Thommie"}

And when I try to enter www.fluechtlinge-esslingen.de as a trusted server in the admin page, I get:

"CURL error 60: SSL certificate problem: unable to get local issuer certificate" when entering the federated server's address (https://www.fluechtlinge-esslingen.de/owncloud)

TrurlMcByte commented 8 years ago

Getting the same errors when using http without SSL at all. It seems that the protocol type is lost somewhere.

PVince81 commented 7 years ago

Is this still an issue with more recent OC versions and openssl?

thommierother commented 7 years ago

I am testing with two OC 9.05 instances and I still see this error on one of them. Which is funny, because both have ubuntu server 16.04 LTS underneath and should use the same curl version therefore.... let me know if you need more details ...

thommierother commented 7 years ago

I also can not do a federated share from a 9.1.1 instance to the (same as above) 9.0.5 instance. The sharing initialisation from 9.1.1 itself is possible, but the confirmation/acceptance of the shared directory from the 9.05 instance fails without any message in the logfile. Is there a way to increase logging for operation of the federation/federatedfilesharing app?

dassencio commented 7 years ago

I also had this issue when upgrading from ownCloud 9.1.1 to 9.1.2. During the update process, I get the error mentioned above:

cURL error 51: SSL: no alternative certificate subject name matches target host name 'localhost'

I am also using an SSL certificate signed by Let's Encrypt.

dassencio commented 7 years ago

I have changed 'verify' to false in getDefaultOptions() in this file: updater/vendor/guzzlehttp/guzzle/src/Client.php. Now I'm getting a different error:

Server error response [url] http://localhost/index.php/occ/config:list [status code] 503 [reason phrase] Service Unavailable

geekonthepc commented 7 years ago

@dassencio Your solution solved the issue for me, thank you.

Also using SSL certificate from Let's Encrypt.

ghost commented 7 years ago

@geekonthepc @dassencio Please note that this is no solution but a workaround which might have severe impacts on the security of your installation when using the updater app (e.g. a Man-in-the-Middle attack could be possible during the time the updater is downloading an update).

Furthermore the original issue here is not related to the updater app at all. The message might be similar but the issue originally reported here was reported for the federation where the remote endpoint of the federation is providing a wrong / misconfigured SSL certificate.
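
One way to find out which remote host is behind the log flood and why its certificate is rejected, as an added example that is not part of the original thread or of ownCloud's code. It groups cURL TLS errors from owncloud.log by error code and target host; the sample lines are constructed in the log format quoted above, and `triage` and the hint texts are this example's own names.

```python
import json
import re
from collections import Counter

# Constructed sample in the owncloud.log format quoted in this thread: one JSON
# object per line. Hosts and messages are the ones reported above.
SAMPLE_LOG = r"""
{"reqId":"sample-1","app":"core","message":"cURL error 51: SSL: no alternative certificate subject name matches target host name 'owncloud.dapor.net'","level":3,"time":"2016-03-29T18:44:50+00:00"}
{"reqId":"sample-2","app":"core","message":"cURL error 51: SSL: no alternative certificate subject name matches target host name 'owncloud.dapor.net'","level":3,"time":"2016-03-29T18:45:19+00:00"}
{"reqId":"sample-3","app":"core","message":"cURL error 51: SSL: no alternative certificate subject name matches target host name 'www.fluechtlinge-esslingen.de'","level":3,"time":"2016-05-11T09:11:29+00:00"}
{"reqId":"sample-4","app":"core","message":"cURL error 60: SSL certificate problem: unable to get local issuer certificate","level":3,"time":"2016-05-11T09:12:02+00:00"}
{"reqId":"sample-5","app":"core","message":"Login failed: 'admin'","level":2,"time":"2016-05-11T09:13:00+00:00"}
{"reqId":"sample-6","app":"core","message":"cURL error 51: truncated li
"""

CURL_ERR = re.compile(r"cURL error (\d+): (.*)", re.IGNORECASE)
HOST = re.compile(r"target host name '([^']+)'")

# Operator-facing meaning of each failure, keyed on cURL's own message text.
HINTS = {
    "no alternative certificate subject name":
        "remote certificate does not list this hostname in its subject alternative names",
    "unable to get local issuer certificate":
        "issuer chain not verifiable: intermediates missing on the peer or local CA bundle outdated",
}

def triage(log_text):
    """Return (code, host, count, hint) per distinct cURL TLS failure, most frequent first."""
    counts, hints = Counter(), {}
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # blank or truncated line
        msg = entry.get("message", "") if isinstance(entry, dict) else ""
        m = CURL_ERR.search(str(msg))
        if not m:
            continue  # not a cURL failure
        code, text = int(m.group(1)), m.group(2)
        host = HOST.search(text)
        key = (code, host.group(1) if host else None)
        counts[key] += 1
        hints[key] = next((h for k, h in HINTS.items() if k in text), "see cURL message")
    return [(c, h, n, hints[(c, h)]) for (c, h), n in counts.most_common()]

if __name__ == "__main__":
    for code, host, n, hint in triage(SAMPLE_LOG):
        print(f"{n:3d}x cURL {code} {host or '(host not logged)'}: {hint}")
```

Both failure classes are fixed on the certificate or CA-bundle side, so the output points at the peer to repair or remove while verification stays enabled.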

geekonthepc commented 7 years ago

@kdslkdsaldsal Thank you for that advice. I have now updated the app but will re-enable verification. I'm unsure why this issue is consistently occurring with users who use Let's Encrypt, but I would imagine this has something to do with the certificate itself. I haven't been able to find any further information on resolving this issue so will keep an eye out to see if this issue is mentioned in further updates.

dassencio commented 7 years ago

@kdslkdsaldsal : I only posted that information because I thought it would help the ownCloud developers find a solution to this problem. I reverted that change exactly because of the security implications you mentioned.

ghost commented 7 years ago

@geekonthepc @dassencio If this is still happening with newer versions of ownCloud and the updater app then please create a new issue at https://github.com/owncloud/updater/issues.

If there is no such issue created there it won't be noticed and fixed as this is unrelated to the issue discussed here.

Edit

Seems that specific issue with the updater app is already tracked at https://github.com/owncloud/core/issues/26906 and https://github.com/owncloud/updater/issues/414

dassencio commented 7 years ago

@kdslkdsaldsal : Indeed, I've opened #26906 about a couple of months ago.

thommierother commented 6 years ago

This bug is still present in 10.0.3. I can not find any workaround through editing of the curl settings. I experimented with curlopt_ssl_verifyhost=0 and curlopt_ssl_verifypeer=0 but the error message is the same. I am NOT sure if this is simply an environment issue ...

ownclouders commented 6 years ago

Hey, this issue has been closed because the label status/STALE is set and there were no updates for 7 days. Feel free to reopen this issue if you deem it appropriate.

(This is an automated comment from GitMate.io.)

PVince81 commented 6 years ago

Do I understand it correctly that all involved certificates are valid?

thommierother commented 6 years ago

As far as I understand it, yes. I have two OC 10.04 instances hosted on the same physical server, but running in different VMs and with different public IPs/Cnames. Both use LetsEncrypt certs but still I see the curl-generated cert errors for the federated sharing between the OC instances.

ownclouders commented 6 years ago

Hey, this issue has been closed because the label status/STALE is set and there were no updates for 7 days. Feel free to reopen this issue if you deem it appropriate.

(This is an automated comment from GitMate.io.)

PVince81 commented 5 years ago

@thommierother still happening with 10.0.10 I guess? (am not aware of any related changes, but maybe library updates could have fixed this)

JammingBen commented 2 years ago

Closing due to stale. Please re-open if the problem still persists.