owncloud / ocis

ownCloud Infinite Scale Stack
https://doc.owncloud.com/ocis/next/
Apache License 2.0

OCIS web downloads fail #9560

Open prohtex opened 3 months ago

prohtex commented 3 months ago

I have an OCIS deployment running on macOS. I recently upgraded from a 5.0 alpha to 5.0.5 by replacing the binary and adding the needed OCIS_SERVICE_ACCOUNT and OCIS_SERVICE_ACCOUNT_SECRET env vars.

When I attempt to download a file from the web, I get a standard apache web authentication dialogue. Clicking "cancel" results in a 0b file. Very odd.

Below is the terminal output from the server. The relevant messages seem to be "proxy error signature match" and "Could not get user by claim".

server:~ user$ sudo /opt/ocis.sh
Password:
2024/07/04 14:49:21 ERROR failed to set GOMEMLIMIT package=github.com/KimMachineGun/automemlimit/memlimit error="failed to set GOMEMLIMIT: cgroups is not supported on this system"

{"level":"error","service":"thumbnails","time":"2024-07-04T14:49:37-04:00","message":"resource info is missing checksum"}
{"level":"error","service":"thumbnails","time":"2024-07-04T14:50:01-04:00","message":"resource info is missing checksum"}
^C{"level":"error","service":"auth-machine","server":"auth-machine","time":"2024-07-04T14:50:59-04:00","message":"Shutting down server"}
server:~ user$ sudo /opt/ocis.sh
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 6m34.175197s","authenticator":"oidc","path":"/ocs/v1.php/cloud/user","time":"2024-07-04T15:01:06-04:00","message":"failed to authenticate the request"}
2024/07/04 18:15:51 http: TLS handshake error from 44.220.188.137:43714: unexpected EOF
2024/07/04 18:52:48 http: TLS handshake error from 0.0.0.0:43034: unexpected EOF
2024/07/04 18:52:49 http: TLS handshake error from 0.0.0.0:45388: tls: unsupported SSLv2 handshake received
2024/07/04 18:53:20 http: TLS handshake error from 0.0.0.0:43676: tls: first record does not look like a TLS handshake
2024/07/04 18:53:20 http: TLS handshake error from 0.0.0.0:43680: tls: unsupported SSLv2 handshake received
2024/07/04 18:53:30 http: TLS handshake error from 0.0.0.0:55478: tls: no cipher suite supported by both client and server
2024/07/04 18:53:30 http: TLS handshake error from 0.0.0.0:55522: tls: client offered only unsupported versions: [301]
2024/07/04 18:53:30 http: TLS handshake error from 0.0.0.0:55494: tls: client offered only unsupported versions: [301]
2024/07/04 18:53:30 http: TLS handshake error from 0.0.0.0:55508: tls: no cipher suite supported by both client and server
2024/07/04 18:53:30 http: TLS handshake error from 0.0.0.0:55512: tls: unsupported SSLv2 handshake received
2024/07/04 18:53:30 http: TLS handshake error from 0.0.0.0:55536: tls: no cipher suite supported by both client and server
2024/07/04 18:53:30 http: TLS handshake error from 0.0.0.0:55530: tls: client offered only unsupported versions: []
2024/07/04 18:53:30 http: TLS handshake error from 0.0.0.0:55548: EOF
2024/07/04 18:53:30 http: TLS handshake error from 0.0.0.0:55572: tls: client offered only unsupported versions: [301]
2024/07/04 18:53:30 http: TLS handshake error from 0.0.0.0:55556: tls: client offered only unsupported versions: [302 301]
2024/07/04 18:53:30 http: TLS handshake error from 0.0.0.0:55602: tls: client offered only unsupported versions: [301]
2024/07/04 18:53:30 http: TLS handshake error from 0.0.0.0:55612: tls: client offered only unsupported versions: [302 301]
2024/07/04 18:53:30 http: TLS handshake error from 0.0.0.0:55586: tls: no cipher suite supported by both client and server
2024/07/04 18:53:30 http: TLS handshake error from 0.0.0.0:55584: EOF
2024/07/04 18:53:30 http: TLS handshake error from 0.0.0.0:55628: tls: client offered only unsupported versions: [301]
2024/07/04 18:53:30 http: TLS handshake error from 0.0.0.0:55650: tls: client offered only unsupported versions: [301]
2024/07/04 18:53:30 http: TLS handshake error from 0.0.0.0:55634: EOF
2024/07/04 18:53:30 http: TLS handshake error from 0.0.0.0:55644: EOF
2024/07/04 18:53:30 http: TLS handshake error from 0.0.0.0:55660: EOF
2024/07/04 18:53:30 http: TLS handshake error from 0.0.0.0:55670: tls: client offered only unsupported versions: [301]
2024/07/04 18:53:30 http: TLS handshake error from 0.0.0.0:55676: tls: no cipher suite supported by both client and server
2024/07/04 18:53:30 http: TLS handshake error from 0.0.0.0:55698: tls: client offered only unsupported versions: [301]
2024/07/04 18:53:30 http: TLS handshake error from 0.0.0.0:55682: EOF
2024/07/04 18:53:31 http: TLS handshake error from 0.0.0.0:55712: tls: client offered only unsupported versions: []
2024/07/04 18:53:31 http: TLS handshake error from 0.0.0.0:55736: tls: client offered only unsupported versions: [301]
2024/07/04 18:53:31 http: TLS handshake error from 0.0.0.0:55714: read tcp 0.0.0.0:9200->0.0.0.0:55714: read: connection reset by peer
2024/07/04 18:53:31 http: TLS handshake error from 0.0.0.0:55726: EOF
2024/07/04 18:53:31 http: TLS handshake error from 0.0.0.0:55752: tls: no cipher suite supported by both client and server
2024/07/04 18:53:31 http: TLS handshake error from 0.0.0.0:55790: tls: client offered only unsupported versions: [301]
2024/07/04 18:53:31 http: TLS handshake error from 0.0.0.0:55784: tls: no cipher suite supported by both client and server
2024/07/04 18:53:31 http: TLS handshake error from 0.0.0.0:55768: read tcp 0.0.0.0:9200->0.0.0.0:55768: read: connection reset by peer
2024/07/04 18:53:31 http: TLS handshake error from 0.0.0.0:55804: tls: no cipher suite supported by both client and server
2024/07/04 18:53:31 http: TLS handshake error from 0.0.0.0:55820: tls: client offered only unsupported versions: [301]
2024/07/04 18:53:31 http: TLS handshake error from 0.0.0.0:55810: EOF
2024/07/04 18:53:31 http: TLS handshake error from 0.0.0.0:55816: EOF
2024/07/04 18:53:31 http: TLS handshake error from 0.0.0.0:55836: tls: no cipher suite supported by both client and server
2024/07/04 18:53:31 http: TLS handshake error from 0.0.0.0:55852: tls: client offered only unsupported versions: [301]
2024/07/04 18:53:31 http: TLS handshake error from 0.0.0.0:55840: EOF
2024/07/04 18:53:31 http: TLS handshake error from 0.0.0.0:55842: EOF
2024/07/04 18:53:31 http: TLS handshake error from 0.0.0.0:55866: tls: no cipher suite supported by both client and server
2024/07/04 18:53:32 http: TLS handshake error from 0.0.0.0:55878: EOF
2024/07/04 18:53:32 http: TLS handshake error from 0.0.0.0:55874: read tcp 0.0.0.0:9200->0.0.0.0:55874: read: connection reset by peer
2024/07/04 18:53:32 http: TLS handshake error from 0.0.0.0:55882: tls: client offered only unsupported versions: [302 301]
2024/07/04 18:53:32 http: TLS handshake error from 0.0.0.0:55892: tls: no cipher suite supported by both client and server
2024/07/04 18:53:32 http: TLS handshake error from 0.0.0.0:55904: tls: no cipher suite supported by both client and server
2024/07/04 18:53:32 http: TLS handshake error from 0.0.0.0:55906: tls: no cipher suite supported by both client and server
2024/07/04 18:53:32 http: TLS handshake error from 0.0.0.0:55910: tls: no cipher suite supported by both client and server
2024/07/04 18:53:32 http: TLS handshake error from 0.0.0.0:55912: EOF
2024/07/04 18:53:33 http: TLS handshake error from 0.0.0.0:55916: EOF
2024/07/04 18:53:33 http: TLS handshake error from 0.0.0.0:55930: EOF
2024/07/04 18:53:52 http: TLS handshake error from 0.0.0.0:55938: EOF
2024/07/04 21:37:26 http: TLS handshake error from 48.216.178.106:36566: tls: first record does not look like a TLS handshake
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 11.009796s","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T00:01:46-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 1.004269s","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T00:06:47-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 1.014154s","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T00:11:48-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 1.188557s","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T00:16:49-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 1.089392s","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T00:21:50-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 82.802ms","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T00:26:50-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 61.37ms","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T00:31:50-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 64.624ms","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T00:36:50-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 28.911181s","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T00:42:18-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 28.979087s","authenticator":"oidc","path":"/remote.php/webdav/","time":"2024-07-05T00:47:47-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 910.388ms","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T00:52:48-04:00","message":"failed to authenticate the request"}
2024/07/05 00:53:45 http: TLS handshake error from 0.0.0.0:15668: EOF
2024/07/05 00:53:45 http: TLS handshake error from 0.0.0.0:15672: EOF
2024/07/05 00:53:45 http: TLS handshake error from 0.0.0.0:15678: EOF
2024/07/05 00:53:46 http: TLS handshake error from 0.0.0.0:15688: EOF
2024/07/05 00:53:46 http: TLS handshake error from 0.0.0.0:15698: EOF
2024/07/05 00:53:46 http: TLS handshake error from 0.0.0.0:15706: tls: client offered only unsupported versions: [302 301]
2024/07/05 00:53:47 http: TLS handshake error from 0.0.0.0:15712: read tcp 0.0.0.0:9200->0.0.0.0:15712: read: connection reset by peer
2024/07/05 00:53:47 http: TLS handshake error from 0.0.0.0:15718: EOF
2024/07/05 00:53:48 http: TLS handshake error from 0.0.0.0:15732: EOF
2024/07/05 00:53:48 http: TLS handshake error from 0.0.0.0:15740: read tcp 0.0.0.0:9200->0.0.0.0:15740: read: connection reset by peer
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 8m46.80277s","authenticator":"oidc","path":"/dav/spaces/dc0b96eb-74ac-49aa-bbf4-fe3415810fd7$945e05c8-29f8-4c72-8938-f69cf932434c/","time":"2024-07-05T13:13:10-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 1.625859s","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T13:17:07-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 625.134ms","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T13:22:07-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 612.522ms","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T13:27:07-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 616.105ms","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T13:32:07-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 2h12m13.869805s","authenticator":"oidc","path":"/remote.php/webdav/","time":"2024-07-05T13:35:46-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 1.611435s","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T13:37:08-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 20m21.493123s","authenticator":"oidc","path":"/remote.php/webdav/","time":"2024-07-05T13:38:31-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"could not authenticate with username and password user: xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69, got code: 6","authenticator":"basic","path":"/index.php/apps/oauth2/api/v1/token","time":"2024-07-05T13:38:34-04:00","message":"failed to authenticate request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 764.924ms","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T13:42:08-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 7.591843s","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T13:47:15-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 3m14.548072s","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T13:48:59-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 10m3.206491s","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T13:50:50-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 578.928ms","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T13:52:15-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 11.36522s","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T13:54:11-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 566.163ms","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T13:57:15-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 5m24.820108s","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T14:01:14-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 2m36.755192s","authenticator":"oidc","path":"/remote.php/webdav/","time":"2024-07-05T14:01:47-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 553.545ms","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T14:02:15-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 1.554504s","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T14:07:16-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 526.506ms","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T14:12:16-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 6m37.924829s","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T14:13:24-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 626.171ms","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T14:17:16-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 620.041ms","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T14:22:16-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 5m48.989419s","authenticator":"oidc","path":"/remote.php/webdav/","time":"2024-07-05T14:24:13-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"could not authenticate with username and password user: xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69, got code: 6","authenticator":"basic","path":"/index.php/apps/oauth2/api/v1/token","time":"2024-07-05T14:24:27-04:00","message":"failed to authenticate request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 704.119ms","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T14:27:16-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 27.966024s","authenticator":"oidc","path":"/remote.php/webdav/","time":"2024-07-05T14:30:25-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 6.125855s","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T14:32:22-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 23h39m57.817931s","authenticator":"oidc","path":"/ocs/v1.php/cloud/user","time":"2024-07-05T14:34:29-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 9.928407s","authenticator":"oidc","path":"/remote.php/webdav/","time":"2024-07-05T14:35:35-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 104.99ms","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T14:37:22-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 9.911929s","authenticator":"oidc","path":"/remote.php/webdav/","time":"2024-07-05T14:40:45-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 169.162ms","authenticator":"oidc","path":"/remote.php/webdav/","time":"2024-07-05T14:42:22-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 9.887026s","authenticator":"oidc","path":"/remote.php/webdav/","time":"2024-07-05T14:45:55-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 102.413ms","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T14:47:22-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 9.858628s","authenticator":"oidc","path":"/remote.php/webdav/","time":"2024-07-05T14:51:05-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 101.826ms","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T14:52:22-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 9.929571s","authenticator":"oidc","path":"/remote.php/webdav/","time":"2024-07-05T14:56:15-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 1.163565s","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T14:57:23-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 20m59.931781s","authenticator":"oidc","path":"/ocs/v1.php/cloud/user","time":"2024-07-05T15:00:29-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"thumbnails","time":"2024-07-05T15:00:31-04:00","message":"resource info is missing checksum"}
{"level":"error","service":"proxy","error":"signature mismatch: expected ff668c9da4aaba1813abc08f580309bc71f12c44d4ebf52270699c146bfecd08 != actual 871840de192d05190f12f45c002713643a98459acf388234c3934216695b95fa","authenticator":"signed_url","path":"/remote.php/dav/spaces/dc0b96eb-74ac-49aa-bbf4-fe3415810fd7$4c7bc07e-8526-454b-ad2c-fc28654b26a9/folder/file.jpg","url":"/remote.php/dav/spaces/dc0b96eb-74ac-49aa-bbf4-fe3415810fd7$4c7bc07e-8526-454b-ad2c-fc28654b26a9/folder/file.jpg?OC-Credential=peter&OC-Date=2024-07-05T19%3A00%3A47.841Z&OC-Expires=1200&OC-Verb=GET&OC-Algo=PBKDF2%2F10000-SHA512&OC-Signature=871840de192d05190f12f45c002713643a98459acf388234c3934216695b95fa","time":"2024-07-05T15:00:47-04:00","message":"Could not get user by claim"}
{"level":"error","service":"proxy","error":"signature mismatch: expected ff668c9da4aaba1813abc08f580309bc71f12c44d4ebf52270699c146bfecd08 != actual 871840de192d05190f12f45c002713643a98459acf388234c3934216695b95fa","authenticator":"signed_url","path":"/remote.php/dav/spaces/dc0b96eb-74ac-49aa-bbf4-fe3415810fd7$4c7bc07e-8526-454b-ad2c-fc28654b26a9/folder/file.jpg","url":"/remote.php/dav/spaces/dc0b96eb-74ac-49aa-bbf4-fe3415810fd7$4c7bc07e-8526-454b-ad2c-fc28654b26a9/folder/file.jpg?OC-Credential=peter&OC-Date=2024-07-05T19%3A00%3A47.841Z&OC-Expires=1200&OC-Verb=GET&OC-Algo=PBKDF2%2F10000-SHA512&OC-Signature=871840de192d05190f12f45c002713643a98459acf388234c3934216695b95fa","time":"2024-07-05T15:00:59-04:00","message":"Could not get user by claim"}
{"level":"error","service":"proxy","error":"signature mismatch: expected c4653f64ba11ee03859924b228bdd6640f744fd92b2a6aa708bb4d6576b706d1 != actual f00c4a8f592f15244db6ff22ecfe4f7d1d55b646029c0f7be9ef93fb840a8492","authenticator":"signed_url","path":"/remote.php/dav/spaces/dc0b96eb-74ac-49aa-bbf4-fe3415810fd7$4c7bc07e-8526-454b-ad2c-fc28654b26a9/folder/file.jpg","url":"/remote.php/dav/spaces/dc0b96eb-74ac-49aa-bbf4-fe3415810fd7$4c7bc07e-8526-454b-ad2c-fc28654b26a9/folder/file.jpg?OC-Credential=peter&OC-Date=2024-07-05T19%3A01%3A12.169Z&OC-Expires=1200&OC-Verb=GET&OC-Algo=PBKDF2%2F10000-SHA512&OC-Signature=f00c4a8f592f15244db6ff22ecfe4f7d1d55b646029c0f7be9ef93fb840a8492","time":"2024-07-05T15:01:12-04:00","message":"Could not get user by claim"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 9.905443s","authenticator":"oidc","path":"/remote.php/webdav/","time":"2024-07-05T15:01:25-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"signature mismatch: expected c4653f64ba11ee03859924b228bdd6640f744fd92b2a6aa708bb4d6576b706d1 != actual f00c4a8f592f15244db6ff22ecfe4f7d1d55b646029c0f7be9ef93fb840a8492","authenticator":"signed_url","path":"/remote.php/dav/spaces/dc0b96eb-74ac-49aa-bbf4-fe3415810fd7$4c7bc07e-8526-454b-ad2c-fc28654b26a9/folder/file.jpg","url":"/remote.php/dav/spaces/dc0b96eb-74ac-49aa-bbf4-fe3415810fd7$4c7bc07e-8526-454b-ad2c-fc28654b26a9/folder/file.jpg?OC-Credential=peter&OC-Date=2024-07-05T19%3A01%3A12.169Z&OC-Expires=1200&OC-Verb=GET&OC-Algo=PBKDF2%2F10000-SHA512&OC-Signature=f00c4a8f592f15244db6ff22ecfe4f7d1d55b646029c0f7be9ef93fb840a8492","time":"2024-07-05T15:01:41-04:00","message":"Could not get user by claim"}
{"level":"error","service":"thumbnails","time":"2024-07-05T15:02:13-04:00","message":"resource info is missing checksum"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 156.845ms","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T15:02:23-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"thumbnails","time":"2024-07-05T15:02:52-04:00","message":"resource info is missing checksum"}
{"level":"error","service":"proxy","error":"signature mismatch: expected e1a89a6ef74e1f0e54f83e74afd2341ce3a717bd0254406a31af4c8bfa891ef8 != actual dd65deb323490dc41a5c3ef61b1db7ceba9c1d9a66484384fc26b013ce5d998b","authenticator":"signed_url","path":"/remote.php/dav/spaces/dc0b96eb-74ac-49aa-bbf4-fe3415810fd7$4c7bc07e-8526-454b-ad2c-fc28654b26a9/folder/file.jpg","url":"/remote.php/dav/spaces/dc0b96eb-74ac-49aa-bbf4-fe3415810fd7$4c7bc07e-8526-454b-ad2c-fc28654b26a9/folder/file.jpg?OC-Credential=peter&OC-Date=2024-07-05T19%3A03%3A09.684Z&OC-Expires=1200&OC-Verb=GET&OC-Algo=PBKDF2%2F10000-SHA512&OC-Signature=dd65deb323490dc41a5c3ef61b1db7ceba9c1d9a66484384fc26b013ce5d998b","time":"2024-07-05T15:03:09-04:00","message":"Could not get user by claim"}
{"level":"error","service":"proxy","error":"signature mismatch: expected e1a89a6ef74e1f0e54f83e74afd2341ce3a717bd0254406a31af4c8bfa891ef8 != actual dd65deb323490dc41a5c3ef61b1db7ceba9c1d9a66484384fc26b013ce5d998b","authenticator":"signed_url","path":"/remote.php/dav/spaces/dc0b96eb-74ac-49aa-bbf4-fe3415810fd7$4c7bc07e-8526-454b-ad2c-fc28654b26a9/folder/file.jpg","url":"/remote.php/dav/spaces/dc0b96eb-74ac-49aa-bbf4-fe3415810fd7$4c7bc07e-8526-454b-ad2c-fc28654b26a9/folder/file.jpg?OC-Credential=peter&OC-Date=2024-07-05T19%3A03%3A09.684Z&OC-Expires=1200&OC-Verb=GET&OC-Algo=PBKDF2%2F10000-SHA512&OC-Signature=dd65deb323490dc41a5c3ef61b1db7ceba9c1d9a66484384fc26b013ce5d998b","time":"2024-07-05T15:03:12-04:00","message":"Could not get user by claim"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 9.892711s","authenticator":"oidc","path":"/remote.php/webdav/","time":"2024-07-05T15:06:35-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 145.533ms","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T15:07:23-04:00","message":"failed to authenticate the request"}

[Screenshot 2024-07-05 at 3:14:48 PM]
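The log above mixes three unrelated error classes on the proxy's public listener: expired OIDC access tokens from clients refreshing late, TLS handshake failures from remote addresses, and the signed_url signature mismatches that actually match the reported symptom. The following is an added Go triage (written for this page, not code from the issue or from ocis) that buckets such lines so the signed_url failures are not lost in the noise. The sample lines are copied from the log above with the long hashes and the url field shortened; treating SSLv2, TLS 1.0 (version 0x0301) and non-TLS first records as scanner traffic rather than ownCloud client traffic is this example's interpretation, not something the thread states.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// entry holds the fields of an ocis JSON log line that the triage needs.
type entry struct {
	Service       string `json:"service"`
	Authenticator string `json:"authenticator"`
	Error         string `json:"error"`
	Path          string `json:"path"`
}

// Summary buckets the lines: expired OIDC tokens per path, signed-URL failures per
// path, TLS handshake failures per source address, and how many of those handshakes
// offered SSLv2/TLS 1.0 or no TLS at all (a scanner pattern, not an ownCloud client).
type Summary struct {
	ExpiredTokens  map[string]int
	SignedURLFails map[string]int
	TLSProbes      map[string]int
	LegacyOrNonTLS int
	Other          int
}

// Go's net/http logs handshake failures as plain text, not JSON; the lazy (\S+?) stops
// at the first ":port:" so "read tcp a:b->c:d" reasons do not swallow the source.
var tlsErr = regexp.MustCompile(`^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} http: TLS handshake error from (\S+?):\d+: (.*)$`)

func legacyOrNonTLS(reason string) bool {
	for _, m := range []string{"SSLv2", "unsupported versions", "no cipher suite", "does not look like a TLS handshake"} {
		if strings.Contains(reason, m) {
			return true
		}
	}
	return false
}

// Triage classifies raw log lines; unknown shapes are counted rather than dropped.
func Triage(lines []string) Summary {
	s := Summary{ExpiredTokens: map[string]int{}, SignedURLFails: map[string]int{}, TLSProbes: map[string]int{}}
	for _, line := range lines {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		if m := tlsErr.FindStringSubmatch(line); m != nil {
			s.TLSProbes[m[1]]++
			if legacyOrNonTLS(m[2]) {
				s.LegacyOrNonTLS++
			}
			continue
		}
		var e entry
		if !strings.HasPrefix(line, "{") || json.Unmarshal([]byte(line), &e) != nil {
			s.Other++
			continue
		}
		switch {
		case e.Authenticator == "oidc" && strings.Contains(e.Error, "token is expired"):
			s.ExpiredTokens[e.Path]++
		case e.Authenticator == "signed_url" && strings.HasPrefix(e.Error, "signature mismatch"):
			s.SignedURLFails[e.Path]++
		default:
			s.Other++
		}
	}
	return s
}

// SampleLog: lines taken from the issue, hashes and the url field shortened; the
// thumbnails line stands in for everything that belongs to none of the three classes.
var SampleLog = []string{
	`{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 6m34.175197s","authenticator":"oidc","path":"/ocs/v1.php/cloud/user","time":"2024-07-04T15:01:06-04:00","message":"failed to authenticate the request"}`,
	`2024/07/04 18:15:51 http: TLS handshake error from 44.220.188.137:43714: unexpected EOF`,
	`2024/07/04 18:52:49 http: TLS handshake error from 0.0.0.0:45388: tls: unsupported SSLv2 handshake received`,
	`2024/07/04 18:53:30 http: TLS handshake error from 0.0.0.0:55522: tls: client offered only unsupported versions: [301]`,
	`2024/07/04 18:53:31 http: TLS handshake error from 0.0.0.0:55714: read tcp 0.0.0.0:9200->0.0.0.0:55714: read: connection reset by peer`,
	`{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 11.009796s","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T00:01:46-04:00","message":"failed to authenticate the request"}`,
	`{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 1.004269s","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-05T00:06:47-04:00","message":"failed to authenticate the request"}`,
	`{"level":"error","service":"thumbnails","time":"2024-07-05T15:00:31-04:00","message":"resource info is missing checksum"}`,
	`{"level":"error","service":"proxy","error":"signature mismatch: expected ff668c9d... != actual 871840de...","authenticator":"signed_url","path":"/remote.php/dav/spaces/dc0b96eb-74ac-49aa-bbf4-fe3415810fd7$4c7bc07e-8526-454b-ad2c-fc28654b26a9/folder/file.jpg","url":"(shortened)","time":"2024-07-05T15:00:47-04:00","message":"Could not get user by claim"}`,
}

func main() {
	s := Triage(SampleLog)
	fmt.Printf("expired OIDC tokens by path: %v\n", s.ExpiredTokens)
	fmt.Printf("signed_url mismatches by path: %v\n", s.SignedURLFails)
	fmt.Printf("TLS handshake failures by source: %v (legacy/non-TLS offers: %d)\n", s.TLSProbes, s.LegacyOrNonTLS)
	fmt.Printf("other error lines: %d\n", s.Other)
}
```

Run against the full log, the TLSProbes bucket is what to look at first: the handshake failures land on the proxy's own listener (0.0.0.0:9200 in the run script later in the thread), so they say nothing about the download problem but do show the port is reachable from the internet; the SignedURLFails bucket isolates the entries worth debugging.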

prohtex commented 3 months ago

Hi @micbar, hope you are well! Any idea why this might be happening? I could not find any documentation for upgrading from prerelease v5 to 5.0.5 or from 5 to 6. I am just assuming the upgrade path for the precompiled binaries is to swap out the binary, but if there are more steps I'd be grateful for a point in the right direction.

It seems like "Cannot get user by claim" has something to do with my authentication method, but beyond that I'm lost.

Here's the script I use to run OCIS on macOS, as well as the contents of my ocis.yaml:

#!/bin/bash

export OCIS_URL=https://files.<redacted>.com
export PROXY_HTTP_ADDR=0.0.0.0:9200
export PROXY_TLS=true
export OCIS_INSECURE=true
export OCIS_LOG_LEVEL=error
export OCIS_CONFIG_DIR=/opt/ocis
export OCIS_BASE_DATA_PATH=/Volumes/<redacted>/ocis
export PROXY_ENABLE_BASIC_AUTH=true
#export IDP_ACCESS_TOKEN_EXPIRATION=86400
#export IDP_ID_TOKEN_EXPIRATION=86400

export OCIS_SERVICE_ACCOUNT_ID=<redacted-j>
export OCIS_SERVICE_ACCOUNT_SECRET=<redacted-k>

ulimit -n 1024

#/opt/local/bin/ocis server
/opt/local/bin/ocis-5.0.5-darwin-amd64 server
#/opt/local/bin/ocis-6.0.0-darwin-amd64 server

ocis.yaml:

token_manager:
  jwt_secret: <redacted-a>
machine_auth_api_key: <redacted-b>
system_user_api_key: <redacted-c>
transfer_secret: <redacted-d>
system_user_id: <redacted-e>
admin_user_id: <redacted-f>
graph:
  application:
    id: 4<redacted-g>
  events:
    tls_insecure: true
  spaces:
    insecure: true
  identity:
    ldap:
      bind_password: <redacted-i>
  service_account:
    service_account_id: <redacted-j>
    service_account_secret: <redacted-k>
idp:
  ldap:
    bind_password: <redacted-l>
idm:
  service_user_passwords:
    admin_password: <redacted-m>
    idm_password: <redacted-i>
    reva_password: <redacted-n>
    idp_password: <redacted-l>
proxy:
  oidc:
    insecure: true
  insecure_backends: true
  service_account:
    service_account_id: <redacted-j>
    service_account_secret: <redacted-k>
frontend:
  app_handler:
    insecure: true
  archiver:
    insecure: true
  service_account:
    service_account_id: <redacted-j>
    service_account_secret: <redacted-k>
auth_basic:
  auth_providers:
    ldap:
      bind_password: <redacted-n>
auth_bearer:
  auth_providers:
    oidc:
      insecure: true
users:
  drivers:
    ldap:
      bind_password: <redacted-n>
groups:
  drivers:
    ldap:
      bind_password: <redacted-n>
ocdav:
  insecure: true
thumbnails:
  thumbnail:
    transfer_secret: <redacted-o>
    webdav_allow_insecure: true
    cs3_allow_insecure: true
search:
  events:
    tls_insecure: true
  service_account:
    service_account_id: <redacted-j>
    service_account_secret: <redacted-k>
audit:
  events:
    tls_insecure: true
settings:
  service_account_ids:
  - <redacted-j>
sharing:
  events:
    tls_insecure: true
storage_users:
  events:
    tls_insecure: true
  mount_id: <redacted-p>
  service_account:
    service_account_id: <redacted-j>
    service_account_secret: <redacted-k>
notifications:
  notifications:
    events:
      tls_insecure: true
  service_account:
    service_account_id: <redacted-j>
    service_account_secret: <redacted-k>
nats:
  nats:
    tls_skip_verify_client_cert: true
gateway:
  storage_registry:
    storage_users_mount_id: <redacted-p>
userlog:
  service_account:
    service_account_id: <redacted-j>
    service_account_secret: <redacted-k>
auth_service:
  service_account:
    service_account_id: <redacted-j>
    service_account_secret: <redacted-k>
clientlog:
  service_account:
    service_account_id: <redacted-j>
    service_account_secret: <redacted-k>
micbar commented 3 months ago

We had a bug in the signed urls in 5.0.0

That can cause old presigned URLs before the upgrade to fail.

Restart should fix everything.

> I am just assuming the upgrade path for the precompiled binaries is to swap out the binary, but if there are more steps I'd be grateful for a point in the right direction.

Your assumption is correct. When we need manual interaction, we would mention that in the release notes.
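To make the failure mode concrete, here is an added Go illustration of how an OC-Signature presigned link is minted and verified. It was written for this page; it is not ocis code, and the exact string ocis signs may differ. It assumes what the log parameters suggest: OC-Algo=PBKDF2/10000-SHA512 with the URL as the PBKDF2 password and a per-user signing key (looked up by OC-Credential) as the salt, a 32-byte result rendered as the 64 hex characters seen in the log, and a canonical string of base URL + path + sorted query without OC-Signature; the key values, host and path are constructed. What it shows is that whenever the verifier's key or canonical string differs from the signer's (a signing key that changed or was lost across an upgrade, a different public URL), the proxy produces exactly the "signature mismatch: expected X != actual Y" line from the log, and does so for a link minted seconds earlier: in the log each OC-Date is within the same second as the request time, so those links were fresh, not left over from before the upgrade.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha512"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"time"
)

// Assumed scheme (added illustration, not ocis code): signed string = base URL + path + query
// without OC-Signature, keys sorted; URL is the PBKDF2 password, the user's signing key the salt.
const iterations, sigBytes = 10000, 32 // OC-Algo=PBKDF2/10000-SHA512; 32 bytes = 64 hex chars as in the log

// pbkdf2SHA512 is PBKDF2 (RFC 8018 5.2) over HMAC-SHA512 for keyLen <= 64 (one output block), stdlib only.
func pbkdf2SHA512(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha512.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t[:keyLen]
}

// Sign derives the hex OC-Signature for a canonical, unsigned URL.
func Sign(unsignedURL string, signingKey []byte) string {
	return hex.EncodeToString(pbkdf2SHA512([]byte(unsignedURL), signingKey, iterations, sigBytes))
}

// PresignedURL mints a GET link as a client holding the user's signing key would; url.Values.Encode sorts keys.
func PresignedURL(base, path, user string, key []byte, issued time.Time, ttl time.Duration) string {
	q := url.Values{}
	q.Set("OC-Credential", user)
	q.Set("OC-Date", issued.UTC().Format(time.RFC3339Nano))
	q.Set("OC-Expires", strconv.Itoa(int(ttl.Seconds())))
	q.Set("OC-Verb", "GET")
	q.Set("OC-Algo", "PBKDF2/10000-SHA512")
	q.Set("OC-Signature", Sign(base+path+"?"+q.Encode(), key))
	return base + path + "?" + q.Encode()
}

// Verifier is the proxy side: Keys maps OC-Credential to a signing key; Now is injectable for expiry tests.
type Verifier struct {
	Base string
	Keys map[string][]byte
	Now  func() time.Time
}

// Verify checks presence, verb and expiry, then recomputes the signature and compares it in constant time.
func (v Verifier) Verify(method, rawURL string) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	q := u.Query()
	for _, p := range []string{"OC-Credential", "OC-Date", "OC-Expires", "OC-Verb", "OC-Signature"} {
		if q.Get(p) == "" {
			return fmt.Errorf("required query parameter %s is missing", p)
		}
	}
	if q.Get("OC-Verb") != method {
		return errors.New("required method does not match")
	}
	issued, errDate := time.Parse(time.RFC3339, q.Get("OC-Date"))
	ttl, errTTL := strconv.Atoi(q.Get("OC-Expires"))
	if errDate != nil || errTTL != nil || ttl <= 0 {
		return errors.New("bad OC-Date or OC-Expires")
	}
	if v.Now().After(issued.Add(time.Duration(ttl) * time.Second)) {
		return errors.New("url is expired")
	}
	key := v.Keys[q.Get("OC-Credential")] // unknown user: nil key, so the signature check below fails
	actual := q.Get("OC-Signature")
	q.Del("OC-Signature")
	expected := Sign(v.Base+u.Path+"?"+q.Encode(), key)
	if !hmac.Equal([]byte(expected), []byte(actual)) { // any key or canonicalisation disagreement lands here
		return fmt.Errorf("signature mismatch: expected %s != actual %s", expected, actual)
	}
	return nil
}

func main() {
	keyBefore, keyAfter := []byte("key-before-upgrade"), []byte("key-after-restart") // constructed keys
	base, issued := "https://files.example.com", time.Date(2024, 7, 5, 19, 0, 47, 841_000_000, time.UTC) // OCIS_URL stand-in
	link := PresignedURL(base, "/remote.php/dav/spaces/space$id/folder/file.jpg", "peter", keyBefore, issued, 1200*time.Second)
	now := func() time.Time { return issued.Add(10 * time.Second) }
	fmt.Println(Verifier{base, map[string][]byte{"peter": keyBefore}, now}.Verify("GET", link)) // <nil>
	fmt.Println(Verifier{base, map[string][]byte{"peter": keyAfter}, now}.Verify("GET", link))  // signature mismatch
}
```

The order of checks matters for diagnosis: expiry is tested before the signature, so a link that is rejected with "signature mismatch" rather than "url is expired" has passed the OC-Date/OC-Expires window and failed only on the key or on the canonical string. The comparison uses hmac.Equal so that a forged signature cannot be matched byte by byte through timing.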

prohtex commented 3 months ago

> We had a bug in the signed urls in 5.0.0
>
> That can cause old presigned URLs before the upgrade to fail.
>
> Restart should fix everything.

Hi @micbar, thanks for the reply. I have tried everything I can think of: restarting the server process, logging out and back in, changing the OCIS_SERVICE_ACCOUNT key, etc., and I still have the issue. I am currently running 5.0.5. When I switch over to the 6.0 binary, I end up with this issue plus #9538

prohtex commented 3 months ago

I also tried 6.1.0. Using Web, I can upload and delete files, but not download them. Thumbnails don't work. I also can't replace the logo for some reason; it acts like it is replaced, but doesn't work.

server:~ user$ sudo /opt/ocis.sh
2024/07/08 12:08:54 ERROR failed to set GOMEMLIMIT package=github.com/KimMachineGun/automemlimit/memlimit error="failed to set GOMEMLIMIT: cgroups is not supported on this system"
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 650.633ms","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-08T12:11:36-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"thumbnails","time":"2024-07-08T12:15:40-04:00","message":"resource info is missing checksum"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 635.751ms","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-08T12:16:36-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 798.423ms","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-08T12:21:36-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 7m30.517866s","authenticator":"oidc","path":"/ocs/v2.php/apps/notifications/api/v1/notifications/sse","time":"2024-07-08T12:25:38-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 797.045ms","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-08T12:26:36-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"thumbnails","time":"2024-07-08T12:27:02-04:00","message":"resource info is missing checksum"}
{"level":"error","service":"proxy","error":"signature mismatch: expected 9d9a8f09b314ef3e30986eabc76a125a049778706ce31a31ca57f0a2d47a3e93 != actual bb1980114cf83897b2343ff5ced09758bd6f5de95ebfc2a623b61bab58a3d8e7","authenticator":"signed_url","path":"/remote.php/dav/spaces/dc0b96eb-74ac-49aa-bbf4-fe3415810fd7$4c7bc07e-8526-454b-ad2c-fc28654b26a9/DSCF2003.JPG","url":"/remote.php/dav/spaces/dc0b96eb-74ac-49aa-bbf4-fe3415810fd7$4c7bc07e-8526-454b-ad2c-fc28654b26a9/DSCF2003.JPG?OC-Credential=peter&OC-Date=2024-07-08T16%3A27%3A33.388Z&OC-Expires=1200&OC-Verb=GET&OC-Algo=PBKDF2%2F10000-SHA512&OC-Signature=bb1980114cf83897b2343ff5ced09758bd6f5de95ebfc2a623b61bab58a3d8e7","time":"2024-07-08T12:27:33-04:00","message":"Could not get user by claim"}
{"level":"error","service":"proxy","error":"signature mismatch: expected 9d9a8f09b314ef3e30986eabc76a125a049778706ce31a31ca57f0a2d47a3e93 != actual bb1980114cf83897b2343ff5ced09758bd6f5de95ebfc2a623b61bab58a3d8e7","authenticator":"signed_url","path":"/remote.php/dav/spaces/dc0b96eb-74ac-49aa-bbf4-fe3415810fd7$4c7bc07e-8526-454b-ad2c-fc28654b26a9/DSCF2003.JPG","url":"/remote.php/dav/spaces/dc0b96eb-74ac-49aa-bbf4-fe3415810fd7$4c7bc07e-8526-454b-ad2c-fc28654b26a9/DSCF2003.JPG?OC-Credential=peter&OC-Date=2024-07-08T16%3A27%3A33.388Z&OC-Expires=1200&OC-Verb=GET&OC-Algo=PBKDF2%2F10000-SHA512&OC-Signature=bb1980114cf83897b2343ff5ced09758bd6f5de95ebfc2a623b61bab58a3d8e7","time":"2024-07-08T12:27:34-04:00","message":"Could not get user by claim"}
{"level":"error","service":"thumbnails","time":"2024-07-08T12:27:44-04:00","message":"resource info is missing checksum"}
{"level":"error","service":"thumbnails","time":"2024-07-08T12:27:59-04:00","message":"resource info is missing checksum"}
{"level":"error","service":"thumbnails","time":"2024-07-08T12:28:00-04:00","message":"resource info is missing checksum"}
micbar commented 3 months ago

Something seems to be really broken.

Seems that all access tokens and signatures are invalid.

micbar commented 3 months ago

@ScharfViktor could you try reproduce that?

prohtex commented 3 months ago

Something seems to be really broken.

Seems that all access tokens and signatures are invalid.

My prior version was 5.0.0-rc.5. When I switch back to that binary, everything works fine. I haven't tried starting fresh but am hoping to avoid that...

ScharfViktor commented 2 months ago

@ScharfViktor could you try reproduce that?

hm, I couldn't reproduce it. I tried to switch ocis between ocis-5.0.5-darwin-arm64 and cis-6.1.0-darwin-amd64 with envs:

export OCIS_URL=https://ocis-server:9200
export PROXY_HTTP_ADDR=0.0.0.0:9200
export PROXY_TLS=true
export OCIS_INSECURE=true
export OCIS_LOG_LEVEL=error
export OCIS_CONFIG_DIR=/Users/scharfviktor/.ocis-test/config
export OCIS_BASE_DATA_PATH=/Users/scharfviktor/.ocis-test
export PROXY_ENABLE_BASIC_AUTH=true
export OCIS_SERVICE_ACCOUNT_ID=uuid
export OCIS_SERVICE_ACCOUNT_SECRET=test

works fine for me. I can download files and view thumbnails

prohtex commented 2 months ago

@ScharfViktor could you try reproduce that?

hm, I couldn't reproduce it. I tried to switch ocis between ocis-5.0.5-darwin-arm64 and cis-6.1.0-darwin-amd64 with envs:

export OCIS_URL=https://ocis-server:9200
export PROXY_HTTP_ADDR=0.0.0.0:9200
export PROXY_TLS=true
export OCIS_INSECURE=true
export OCIS_LOG_LEVEL=error
export OCIS_CONFIG_DIR=/Users/scharfviktor/.ocis-test/config
export OCIS_BASE_DATA_PATH=/Users/scharfviktor/.ocis-test
export PROXY_ENABLE_BASIC_AUTH=true
export OCIS_SERVICE_ACCOUNT_ID=uuid
export OCIS_SERVICE_ACCOUNT_SECRET=test

works fine for me. I can download files and view thumbnails

Steps to reproduce would be to initialize storage with 5.0.0-rc5 and go from there

ScharfViktor commented 2 months ago

Steps to reproduce would be to initialize storage with 5.0.0-rc5 and go from there

also works if I upgrade ocis from ocis-5.0.0-rc.5-darwin-amd64 to cis-6.1.0-darwin-amd64

prohtex commented 2 months ago

Steps to reproduce would be to initialize storage with 5.0.0-rc5 and go from there

also works if I upgrade ocis from ocis-5.0.0-rc.5-darwin-amd64 to cis-6.1.0-darwin-amd64

Strange. Well, I appreciate you guys looking into it. Unless there's anything else you can think of that would cause this to happen, I'm willing to try it. Otherwise I guess I will start over with a fresh install.

micbar commented 2 months ago

I would not start with a fresh system. There seems to be a problem which I would suggest finding. Maybe related to the bare metal setup. We don't have a lot of these. And MacOS is also very rare.

prohtex commented 2 months ago

I would not start with a fresh system. There seems to be a problem which I would suggest finding. Maybe related to the bare metal setup. We don't have a lot of these. And MacOS is also very rare.

Yes, I have a WOPI deployment in a Docker container in a VMware VM that we use for some things. For large files we have this other bare metal setup. I am using the shell script you see above and then a plist LaunchDaemon to keep it running. All in all it was very simple to set up, much easier than getting Docker working on a Mac.

Below is my apache config, which hasn't changed.

<VirtualHost *:80>
    ServerName files1.<redacted>.com
    DocumentRoot /opt/www/files1.<redacted>.com/
    ErrorLog "/opt/local/var/log/apache2/error_log"
    CustomLog "/opt/local/var/log/apache2/default.access_log" common
    CustomLog "/opt/local/var/log/apache2/access_log" vcommon
    CustomLog "/opt/local/var/log/apache2/extended_log" vuser
</VirtualHost>

<VirtualHost *:443>
  ServerName files1.<redacted>.com

  SSLProxyEngine on
  SSLProxyVerify none
  SSLProxyCheckPeerCN off
  SSLProxyCheckPeerName off
  SSLProxyCheckPeerExpire off

  ProxyPass / https://localhost:9200/
  ProxyPassReverse / https://localhost:9200/
  ProxyPreserveHost on

  SSLCertificateFile /opt/local/etc/letsencrypt/live/files1.<redacted>.com/fullchain.pem
  SSLCertificateKeyFile /opt/local/etc/letsencrypt/live/files1.<redacted>.com/privkey.pem

  Include /opt/local/etc/letsencrypt/options-ssl-apache.conf
  #SSLOpenSSLConfCmd DHParameters /opt/local/etc/letsencrypt/ssl-dhparams.pem

  ErrorLog "/opt/local/var/log/apache2/files1_error_log"
  CustomLog "/opt/local/var/log/apache2/files1_access_log" vcommon

</VirtualHost>

Were there any changes to ocis.yaml between 5.0.0-rc5 and 5.0.5? Or anything there or in the env vars I should play with?

Thanks again.

prohtex commented 2 months ago

I would not start with a fresh system. There seems to be a problem which I would suggest finding. Maybe related to the bare metal setup. We don't have a lot of these. And MacOS is also very rare.

As a troubleshooting step I did the following:

  1. Fresh install using ./ocis init
  2. Run server ./ocis server
2024/07/10 02:44:23 ERROR failed to set GOMEMLIMIT package=github.com/KimMachineGun/automemlimit/memlimit error="failed to set GOMEMLIMIT: cgroups is not supported on this system"

{"level":"info","time":"2024-07-10T02:44:25-04:00","caller":"github.com/cs3org/reva/v2@v2.21.0/pkg/storage/utils/decomposedfs/decomposedfs.go:183","message":"Migrating spaces directory structure..."}
{"level":"info","time":"2024-07-10T02:44:25-04:00","caller":"github.com/cs3org/reva/v2@v2.21.0/pkg/storage/utils/decomposedfs/decomposedfs.go:183","message":"Migrating space types indexes..."}
{"level":"info","root":"<redacted>/ocis1/storage/metadata","time":"2024-07-10T02:44:25-04:00","caller":"github.com/cs3org/reva/v2@v2.21.0/pkg/storage/utils/decomposedfs/decomposedfs.go:183","message":"Migrating to messagepack metadata backend..."}
{"level":"info","time":"2024-07-10T02:44:25-04:00","caller":"github.com/cs3org/reva/v2@v2.21.0/pkg/storage/utils/decomposedfs/decomposedfs.go:183","message":"done."}
{"level":"warn","error":"open <redacted>/ocis1/storage/metadata/indexes/by-user-id: no such file or directory","time":"2024-07-10T02:44:25-04:00","caller":"github.com/cs3org/reva/v2@v2.21.0/pkg/storage/utils/decomposedfs/decomposedfs.go:183","message":"error listing user indexes"}
{"level":"warn","error":"open <redacted>/ocis1/storage/metadata/indexes/by-group-id: no such file or directory","time":"2024-07-10T02:44:25-04:00","caller":"github.com/cs3org/reva/v2@v2.21.0/pkg/storage/utils/decomposedfs/decomposedfs.go:183","message":"error listing group indexes"}
{"level":"info","time":"2024-07-10T02:44:25-04:00","caller":"github.com/cs3org/reva/v2@v2.21.0/pkg/storage/utils/decomposedfs/decomposedfs.go:183","message":"done."}
{"level":"info","time":"2024-07-10T02:44:25-04:00","caller":"github.com/cs3org/reva/v2@v2.21.0/pkg/storage/utils/decomposedfs/decomposedfs.go:183","message":"done."}
{"level":"info","time":"2024-07-10T02:44:25-04:00","caller":"github.com/cs3org/reva/v2@v2.21.0/pkg/storage/utils/decomposedfs/decomposedfs.go:183","message":"Migrating spaces directory structure..."}
{"level":"info","time":"2024-07-10T02:44:25-04:00","caller":"github.com/cs3org/reva/v2@v2.21.0/pkg/storage/utils/decomposedfs/decomposedfs.go:183","message":"Migrating space types indexes..."}
{"level":"info","root":"<redacted>/ocis1/storage/users","time":"2024-07-10T02:44:25-04:00","caller":"github.com/cs3org/reva/v2@v2.21.0/pkg/storage/utils/decomposedfs/decomposedfs.go:183","message":"Migrating to messagepack metadata backend..."}
{"level":"info","time":"2024-07-10T02:44:25-04:00","caller":"github.com/cs3org/reva/v2@v2.21.0/pkg/storage/utils/decomposedfs/decomposedfs.go:183","message":"done."}
{"level":"warn","error":"open <redacted>/ocis1/storage/users/indexes/by-user-id: no such file or directory","time":"2024-07-10T02:44:25-04:00","caller":"github.com/cs3org/reva/v2@v2.21.0/pkg/storage/utils/decomposedfs/decomposedfs.go:183","message":"error listing user indexes"}
{"level":"warn","error":"open <redacted>/ocis1/storage/users/indexes/by-group-id: no such file or directory","time":"2024-07-10T02:44:25-04:00","caller":"github.com/cs3org/reva/v2@v2.21.0/pkg/storage/utils/decomposedfs/decomposedfs.go:183","message":"error listing group indexes"}
{"level":"info","time":"2024-07-10T02:44:25-04:00","caller":"github.com/cs3org/reva/v2@v2.21.0/pkg/storage/utils/decomposedfs/decomposedfs.go:183","message":"done."}
{"level":"info","time":"2024-07-10T02:44:25-04:00","caller":"github.com/cs3org/reva/v2@v2.21.0/pkg/storage/utils/decomposedfs/decomposedfs.go:183","message":"done."}
{"level":"error","service":"proxy","error":"not found","service":"com.owncloud.web.idp","time":"2024-07-10T02:44:27-04:00","message":"could not select service from the registry"}
2024/07/10 02:44:27 http: proxy error: unsupported protocol scheme ""
{"level":"error","service":"proxy","error":"failed to verify access token: 502 Bad Gateway: ","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-10T02:44:27-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"not found","service":"com.owncloud.web.idp","time":"2024-07-10T02:44:27-04:00","message":"could not select service from the registry"}
2024/07/10 02:44:27 http: proxy error: unsupported protocol scheme ""
{"level":"error","service":"proxy","error":"could not authenticate with username and password user: xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69, got code: 6","authenticator":"basic","path":"/index.php/apps/oauth2/api/v1/token","time":"2024-07-10T02:44:27-04:00","message":"failed to authenticate request"}
{"level":"error","service":"proxy","error":"failed to verify access token: crypto/rsa: verification error","authenticator":"oidc","path":"/remote.php/webdav/","time":"2024-07-10T02:44:30-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: crypto/rsa: verification error","authenticator":"oidc","path":"/remote.php/webdav/","time":"2024-07-10T02:44:34-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: crypto/rsa: verification error","authenticator":"oidc","path":"/ocs/v1.php/cloud/capabilities","time":"2024-07-10T02:44:43-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: crypto/rsa: verification error","authenticator":"oidc","path":"/api/v0/settings/roles-list","time":"2024-07-10T02:44:43-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: crypto/rsa: verification error","authenticator":"oidc","path":"/graph/v1.0/me","time":"2024-07-10T02:44:43-04:00","message":"failed to authenticate the request"}
^C{"level":"error","service":"groups","server":"groups","time":"2024-07-10T02:47:09-04:00","message":"Shutting down server"}

Edit: Thumbnails are working, but when I try to download a file I get the web authentication dialog. So, this is happening on a fresh install as well.
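The logs posted in this issue mix JSON records from the oCIS services with plain lines from Go's net/http, and the one failure that matters for the download problem (the signed_url mismatch) sits between token expiries, thumbnail warnings, registry lookups and TLS handshake noise. As an added example, not code from this thread or from oCIS, the Python script below sorts such a stream into those classes. The sample lines are constructed from the ones posted above with hashes and ids shortened, and the per-class hints are an editor's reading of the messages, not oCIS documentation.

```python
"""
Added example (not code from oCIS or from this thread): sorting a mixed oCIS log
stream into the failure classes seen in this issue, so that the class that
matters (signed-URL mismatches on web downloads) is not buried in other noise.
"""
import json
import re
from collections import Counter

# Constructed sample modelled on the lines posted in this issue; hashes and
# space/file ids are shortened. The fifth line keeps the duplicated "service"
# key exactly as oCIS emits it (json.loads keeps the last value).
SAMPLE_LOG = """\
2024/07/08 12:08:54 ERROR failed to set GOMEMLIMIT package=github.com/KimMachineGun/automemlimit/memlimit error="failed to set GOMEMLIMIT: cgroups is not supported on this system"
{"level":"error","service":"proxy","error":"failed to verify access token: token is expired by 650.633ms","authenticator":"oidc","path":"/graph/v1.0/me/drives","time":"2024-07-08T12:11:36-04:00","message":"failed to authenticate the request"}
{"level":"error","service":"thumbnails","time":"2024-07-08T12:15:40-04:00","message":"resource info is missing checksum"}
{"level":"error","service":"proxy","error":"signature mismatch: expected 9d9a8f09 != actual bb198011","authenticator":"signed_url","path":"/remote.php/dav/spaces/SPACE$ROOT/DSCF2003.JPG","time":"2024-07-08T12:27:33-04:00","message":"Could not get user by claim"}
{"level":"error","service":"proxy","error":"not found","service":"com.owncloud.web.idp","time":"2024-07-10T02:44:27-04:00","message":"could not select service from the registry"}
{"level":"error","service":"proxy","error":"failed to verify access token: crypto/rsa: verification error","authenticator":"oidc","path":"/remote.php/webdav/","time":"2024-07-10T02:44:30-04:00","message":"failed to authenticate the request"}
2024/07/04 18:52:49 http: TLS handshake error from 0.0.0.0:45388: tls: unsupported SSLv2 handshake received
2024/07/04 18:53:20 http: TLS handshake error from 0.0.0.0:43676: tls: first record does not look like a TLS handshake
"""

# Go's net/http prints TLS listener errors as plain text, not JSON.
TLS_LINE = re.compile(r"^\S+ \S+ http: TLS handshake error from (\S+): (.*)$")

# Editor's reading of each class; an assumption, not oCIS documentation.
HINTS = {
    "signed-url-mismatch": "only OC-Signature downloads fail: the URL the backend "
                           "rebuilt differs from the one the web client signed, "
                           "typically because the reverse proxy changed the Host header",
    "oidc-key-mismatch": "bearer token does not verify against the current IdP key "
                         "(for example a browser session issued before a re-init)",
    "oidc-token-expired": "bearer token past its lifetime; sub-second margins are "
                          "requests that raced the client's token refresh",
    "tls-handshake": "the peer sent something the Go TLS listener does not accept "
                     "(SSLv2, plaintext, no common cipher suite)",
}


def classify(line: str):
    """Return (category, detail) for one log line, or None for a blank line."""
    line = line.strip()
    if not line:
        return None
    if line.startswith("{"):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            return ("unparsed", line[:60])
        # Proxy authentication failures carry the authenticator that rejected the request.
        if rec.get("service") == "proxy" and "authenticator" in rec:
            err = rec.get("error", "")
            if "token is expired" in err:
                cat = "oidc-token-expired"
            elif "signature mismatch" in err:
                cat = "signed-url-mismatch"
            elif "verification error" in err:
                cat = "oidc-key-mismatch"
            else:
                cat = "auth-" + rec["authenticator"] + "-other"
            return (cat, rec.get("path", ""))
        # Every other JSON record is grouped by emitting service and level.
        return (rec.get("service", "?") + "-" + rec.get("level", "?"), rec.get("message", ""))
    m = TLS_LINE.match(line)
    if m:
        return ("tls-handshake", m.group(2))
    return ("plain", line)


def triage(text: str) -> Counter:
    """Count lines per category across the whole stream."""
    return Counter(c[0] for c in map(classify, text.splitlines()) if c)


def report(text: str) -> list:
    """One line per category, most frequent first, with a hint where we have one."""
    return [f"{cat}: {n}" + (f" -> {HINTS[cat]}" if cat in HINTS else "")
            for cat, n in triage(text).most_common()]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against a real stream with `report(open("ocis.log").read())`; the useful signal is the ratio between signed-url-mismatch and the other classes: when every download attempt produces exactly one mismatch while bearer-token requests to the same paths succeed, the deployment's keys and tokens are fine and the problem is in how the request reaches the backend.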

meveric commented 2 months ago

I experience similar issues with a bare metal install under Linux. Using ocis 5.0.5 or below I'm able to download files via oCIS Web, but using version 6.0.0 or 6.1.0 each download via web interface ends in a signature mismatch error.

{"level":"error","service":"proxy","error":"signature mismatch: expected 65bca42caf193a6e85131121e395ec1b93dfdf03499e2b69c8e43f2635704cff != actual 44a89a472b67fc1d59dc2716c53cfee24a7ca86cf4c41fb2da23acf56e136149","authenticator":"signed_url","path":"/remote.php/dav/spaces/f2528657-cfb9-4ce7-af08-805a4bb9fae1$4c49c1a8-4e31-1030-8639-1f621ceb306f/Windows Test.xlsx","url":"/remote.php/dav/spaces/f2528657-cfb9-4ce7-af08-805a4bb9fae1$4c49c1a8-4e31-1030-8639-1f621ceb306f/Windows%20Test.xlsx?OC-Credential=tschaaf&OC-Date=2024-07-10T14%3A46%3A32.788Z&OC-Expires=1200&OC-Verb=GET&OC-Algo=PBKDF2%2F10000-SHA512&OC-Signature=44a89a472b67fc1d59dc2716c53cfee24a7ca86cf4c41fb2da23acf56e136149","time":"2024-07-10T14:46:32Z","message":"Could not get user by claim"}

WebDAV seems unaffected; I can also open a picture in the preview or use OnlyOffice via WOPI.

External LDAP provider is used for user authentication.

prohtex commented 2 months ago

I experience similar issues with a bare metal install under Linux. Using ocis 5.0.5 or below I'm able to download files via oCIS Web, but using version 6.0.0 or 6.1.0 each download via web interface ends in a signature mismatch error.

{"level":"error","service":"proxy","error":"signature mismatch: expected 65bca42caf193a6e85131121e395ec1b93dfdf03499e2b69c8e43f2635704cff != actual 44a89a472b67fc1d59dc2716c53cfee24a7ca86cf4c41fb2da23acf56e136149","authenticator":"signed_url","path":"/remote.php/dav/spaces/f2528657-cfb9-4ce7-af08-805a4bb9fae1$4c49c1a8-4e31-1030-8639-1f621ceb306f/Windows Test.xlsx","url":"/remote.php/dav/spaces/f2528657-cfb9-4ce7-af08-805a4bb9fae1$4c49c1a8-4e31-1030-8639-1f621ceb306f/Windows%20Test.xlsx?OC-Credential=tschaaf&OC-Date=2024-07-10T14%3A46%3A32.788Z&OC-Expires=1200&OC-Verb=GET&OC-Algo=PBKDF2%2F10000-SHA512&OC-Signature=44a89a472b67fc1d59dc2716c53cfee24a7ca86cf4c41fb2da23acf56e136149","time":"2024-07-10T14:46:32Z","message":"Could not get user by claim"}

WebDAV seems unaffected; I can also open a picture in the preview or use OnlyOffice via WOPI.

External LDAP provider is used for user authentication.

@ScharfViktor @micbar Echoing that for me the WebDAV connections are unaffected. Sync with apps works fine. Only web downloads result in the apache auth dialog.

2403905 commented 2 months ago

Can't reproduce on mac. Could it be some apache configuration issue? Please take a look at the similar issues: https://github.com/owncloud/ocis/issues/9499 https://github.com/owncloud/ocis/issues/8694

prohtex commented 2 months ago

Can't reproduce on mac. Could it be some apache configuration issue? Please take a look at the similar issues: #9499 #8694

Hi @2403905 thanks for the pointer. I think the key to solving this is to identify what changed between 5.0.0-rc5 and 5.0.5 that would impact an apache reverse proxy configuration.

As it stands, I can simply switch my binary back from 5.0.5 to rc5 and the issue is solved completely. Should I start trying other old versions to identify when the change occurred? My apache config is posted above. I did try restarting apache a few times.

meveric commented 2 months ago

Something else I found: Using FireFox instead of Chrome, downloads start working. The first time I use FireFox to download a file, it prompts a second login in the browser (probably because the files are being downloaded with "WebDAV" in the background(?))

For this to work, "PROXY_ENABLE_BASIC_AUTH" must be active, else the download in FireFox doesn't work either. I currently use that anyway, as I want to use WebDAV directly on the client without extra authentication software.

Still trying to see if apache headers can be adjusted for this to work. I also read that some said using nginx instead works; I might try this as well, but I would prefer to keep using apache.

prohtex commented 2 months ago

Something else I found: Using FireFox instead of Chrome, downloads start working. The first time I use FireFox to download a file, it prompts a second login in the browser (probably because the files are being downloaded with "WebDAV" in the background(?))

For this to work, "PROXY_ENABLE_BASIC_AUTH" must be active, else the download in FireFox doesn't work either. I currently use that anyway, as I want to use WebDAV directly on the client without extra authentication software.

Still trying to see if apache headers can be adjusted for this to work. I also read that some said using nginx instead works; I might try this as well, but I would prefer to keep using apache.

Edit: I can confirm this behavior with Firefox. I haven't tried Chrome but assume it would be the same as Safari. Until this point I hadn't actually tried to log in with the HTTP auth dialog. When I do so, it does work in Safari too. However, in both Safari and Firefox, the "_" character is appended to the beginning and end of the downloaded filename. Very odd.

I hope it is not the case that bare metal with apache is unsupported going forward.

meveric commented 2 months ago

Finally got around to testing with nginx instead of apache and could confirm nginx is working. I dug a bit deeper and the option

proxy_set_header Host $host;

in nginx does make this setup work, removing this header from nginx results in the same behavior as in apache.

I assumed setting something like: RequestHeader set Host "<ServerName>" in apache config should work here, but it seems not to work.

Edit: Asked an AI and here's what it said: Nginx's proxy_set_header directive modifies the request before it is proxied, whereas Apache's RequestHeader directive only modifies the response. It also suggested building my own apache module, which modifies the request before it's proxied.
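What the nginx `proxy_set_header Host $host;` finding points at, shown as an added worked example that is not from this thread or from the oCIS code base: a pre-signed download link is only valid for the exact URL the web client signed, so a reverse proxy that replaces the Host header hands the backend a different string to verify. The Python script below signs and checks such links using the parameters visible in the logged URLs (OC-Credential, OC-Date, OC-Expires, OC-Verb, OC-Algo=PBKDF2/10000-SHA512, and a 64-hex-character OC-Signature). It assumes that the signed string is the absolute URL with OC-Signature removed and that the server holds one signing key per user looked up by OC-Credential; the key and the hostname are constructed, and the exact canonicalisation in the oCIS proxy may differ in detail.

```python
"""
Added example (not code from oCIS or from this thread): how an oc10-style
pre-signed download URL is checked, and why a reverse proxy that rewrites the
Host header turns every such download into a "signature mismatch".
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# From OC-Algo=PBKDF2/10000-SHA512 in the logged URLs; the 64-hex-character
# signatures in the logs correspond to a 32-byte derived key.
ITERATIONS = 10000
DERIVED_LEN = 32
ALGO = "PBKDF2/10000-SHA512"
SIGNED_PARAMS = ("OC-Credential", "OC-Date", "OC-Expires", "OC-Verb", "OC-Algo")

# Constructed per-user signing keys (assumption: the server keeps one per user,
# looked up by OC-Credential).
SIGNING_KEYS = {"peter": b"constructed-signing-key-for-peter"}


def canonical_url(url: str) -> str:
    """The string that gets signed: the absolute URL with OC-Signature removed.
    Assumption: scheme, host, path and the remaining query are all covered."""
    p = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True)
             if k != "OC-Signature"]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(query), ""))


def signature_for(url: str, key: bytes) -> str:
    """PBKDF2-HMAC-SHA512 over the canonical URL, keyed with the user's signing key."""
    digest = hashlib.pbkdf2_hmac("sha512", canonical_url(url).encode(), key,
                                 ITERATIONS, DERIVED_LEN)
    return digest.hex()


def sign_url(unsigned_url: str, key: bytes) -> str:
    """What the web client does before starting a download."""
    sep = "&" if "?" in unsigned_url else "?"
    return f"{unsigned_url}{sep}OC-Signature={signature_for(unsigned_url, key)}"


def verify(request_url: str, host_seen_by_backend: str, method: str,
           now: datetime) -> "tuple[bool, str]":
    """What the backend does. It never sees the URL the client built; it rebuilds
    it from the Host header it received, so a proxy that rewrites Host changes
    the signed string and the comparison fails."""
    p = urlsplit(request_url)
    q = dict(parse_qsl(p.query, keep_blank_values=True))
    missing = [n for n in SIGNED_PARAMS + ("OC-Signature",) if n not in q]
    if missing:
        return False, "missing " + ",".join(missing)
    if q["OC-Algo"] != ALGO:
        return False, "unsupported algorithm"
    if q["OC-Verb"] != method:
        return False, "verb mismatch"
    key = SIGNING_KEYS.get(q["OC-Credential"])
    if key is None:
        return False, "unknown credential"
    issued = datetime.fromisoformat(q["OC-Date"].replace("Z", "+00:00"))
    if now > issued + timedelta(seconds=int(q["OC-Expires"])):
        return False, "expired"
    # Rebuild the URL from the backend's point of view: same path and query,
    # but the Host header as it arrived after the proxy.
    as_seen = urlunsplit((p.scheme, host_seen_by_backend, p.path, p.query, ""))
    expected = signature_for(as_seen, key)
    if not hmac.compare_digest(expected, q["OC-Signature"]):
        return False, f"signature mismatch: expected {expected} != actual {q['OC-Signature']}"
    return True, "ok"


def demo() -> dict:
    """The same signed link checked behind a Host-preserving proxy, behind one
    that rewrites Host to the backend address, and after it has expired."""
    issued = datetime(2024, 7, 8, 16, 27, 33, tzinfo=timezone.utc)
    unsigned = ("https://files1.example.com/remote.php/dav/spaces/SPACE$ROOT/DSCF2003.JPG"
                "?OC-Credential=peter&OC-Date=2024-07-08T16:27:33Z&OC-Expires=1200"
                "&OC-Verb=GET&OC-Algo=PBKDF2/10000-SHA512")
    signed = sign_url(unsigned, SIGNING_KEYS["peter"])
    soon = issued + timedelta(seconds=10)
    return {
        "host_preserved": verify(signed, "files1.example.com", "GET", soon)[0],
        "host_rewritten": verify(signed, "localhost:9200", "GET", soon)[0],
        "expired": verify(signed, "files1.example.com", "GET",
                          issued + timedelta(seconds=1201))[0],
    }


if __name__ == "__main__":
    print(demo())
```

The demo returns `host_preserved` as true and `host_rewritten` as false, with the failure text in exactly the "expected X != actual Y" shape seen in the logs above. Bearer-token requests (WebDAV, the sync clients) carry their credential in a header rather than in the signed URL, so they are unaffected by the rewrite, which is what the thread reports. Binding the signature to host, verb and an expiry is what stops a leaked download link from being replayed elsewhere or later, so the fix belongs in the proxy, which must forward the client's original Host (in Apache that is `ProxyPreserveHost On`), not in relaxing the check. One caveat on the Apache configs posted in this thread: `ProxyRequests` is Apache's forward-proxy switch; a reverse proxy does not need it, and enabling it on an internet-facing vhost turns the server into an open proxy.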

micbar commented 2 months ago

@meveric Thank you for digging! That sounds like the first real "hunch" on this problem. I am interested to see if apache could be used to proxy ocis also.

We ourselves have good experience with nginx and traefik.

meveric commented 2 months ago

@micbar Please keep in mind that in general it works fine using apache with oCIS 5.x (under Linux at least); this seems entirely related to changes made in oCIS 6.x (while I can't speak for Mac, where this issue seems to show up even in 5.0.5).

Also, some browsers work, using the basic_auth backend.

prohtex commented 2 months ago

Edit: Asked an AI and here's what it said: Nginx's proxy_set_header directive modifies the request before it is proxied, whereas Apache's RequestHeader directive only modifies the response. It also suggested building my own apache module, which modifies the request before it's proxied.

I tried quite a few options in my Apache vhost config, but they did not work. This user suggested that ProxyPreserveHost On might work, but alas, not for me: https://stackoverflow.com/questions/17227789/changing-request-header-before-forward-proxy-in-apache

The config I tried is as follows:

<VirtualHost *:80>
    ServerName files1.<redacted>.com
    DocumentRoot /opt/www/files1.<redacted>.com/
    ErrorLog "/opt/local/var/log/apache2/error_log"
    CustomLog "/opt/local/var/log/apache2/default.access_log" common
    CustomLog "/opt/local/var/log/apache2/access_log" vcommon
    CustomLog "/opt/local/var/log/apache2/extended_log" vuser
</VirtualHost>

<VirtualHost *:443>
  ServerName files1.<redacted>.com

  SSLProxyEngine on
  SSLProxyVerify none
  SSLProxyCheckPeerCN off
  SSLProxyCheckPeerName off
  SSLProxyCheckPeerExpire off

  ProxyPass / https://localhost:9200/
  ProxyPassReverse / https://localhost:9200/
  ProxyPreserveHost on
  ProxyAddHeaders On
  RequestHeader set Host "files1.<redacted>.com"
  ProxyRequests On

  SSLCertificateFile /opt/local/etc/letsencrypt/live/files1.<redacted>.com/fullchain.pem
  SSLCertificateKeyFile /opt/local/etc/letsencrypt/live/files1.<redacted>.com/privkey.pem

  Include /opt/local/etc/letsencrypt/options-ssl-apache.conf
  #SSLOpenSSLConfCmd DHParameters /opt/local/etc/letsencrypt/ssl-dhparams.pem

  ErrorLog "/opt/local/var/log/apache2/files1_error_log"
  CustomLog "/opt/local/var/log/apache2/files1_access_log" vcommon

</VirtualHost>

prohtex commented 2 months ago

@meveric Thank you for digging! That sounds like the first real "hunch" on this problem. I am interested to see if apache could be used to proxy ocis also.

We ourselves have good experience with nginx and traefik.

Apache works perfectly on 5.0rc5, but not on subsequent versions. I forget where I found the config above; I believe it was contributed by another user in these forums. I did tweak it some, but never had any issues until moving to more recent versions. I hope the culprit can be identified, because for me at least, there is not much point to a bare metal version if there can't be a choice of web server (Apache being the more popular server by far).

The next step for me is to give up and move to an intel NUC for our local fileserver, in which case I would be using a Docker deployment.

micbar commented 2 months ago

@butonic any ideas?

we had a sec fix in 5.0.0 regarding signed urls.

prohtex commented 3 weeks ago

@butonic any ideas?

we had a sec fix in 5.0.0 regarding signed urls.

Hi @micbar @ScharfViktor

I've tested the latest release (6.4.0, darwin amd64 build) on Apache with the ProxyPass directives outlined above and can confirm the web authentication problem persists.

If there's a preferred set of Apache directives or other troubleshooting steps, I'm happy to do them. If it is helpful, I can also set up a new VMWare VM with Ubuntu Server and see if these issues with Apache exist in that environment. I haven't played with Nginx just because we don't use it on any server.

One of my favorite things about this project (and, I think, a nice advantage over competitors) is the fact that you guys don't require everyone to deploy with Docker but provide binaries for every release with a bare metal configuration option. I wish I could force all our users to rely on the OC apps but some still need to use Web.

Thanks guys for all the hard work! Let me know what I can do to run this down.

micbar commented 3 weeks ago

Looking into your initial post.

2024/07/05 00:53:46 http: TLS handshake error from 0.0.0.0:15706: tls: client offered only unsupported versions: [302 301]

2024/07/04 18:52:49 http: TLS handshake error from 0.0.0.0:45388: tls: unsupported SSLv2 handshake received
2024/07/04 18:53:20 http: TLS handshake error from 0.0.0.0:43676: tls: first record does not look like a TLS handshake
2024/07/04 18:53:20 http: TLS handshake error from 0.0.0.0:43680: tls: unsupported SSLv2 handshake received
2024/07/04 18:53:30 http: TLS handshake error from 0.0.0.0:55478: tls: no cipher suite supported by both client and server

This looks fishy. Seems that your Operating System and the reverse proxy have issues establishing a TLS connection.

prohtex commented 3 weeks ago

Looking into your initial post.

2024/07/05 00:53:46 http: TLS handshake error from 0.0.0.0:15706: tls: client offered only unsupported versions: [302 301]

2024/07/04 18:52:49 http: TLS handshake error from 0.0.0.0:45388: tls: unsupported SSLv2 handshake received
2024/07/04 18:53:20 http: TLS handshake error from 0.0.0.0:43676: tls: first record does not look like a TLS handshake
2024/07/04 18:53:20 http: TLS handshake error from 0.0.0.0:43680: tls: unsupported SSLv2 handshake received
2024/07/04 18:53:30 http: TLS handshake error from 0.0.0.0:55478: tls: no cipher suite supported by both client and server

This looks fishy. Seems that your Operating System and the reverse proxy have issues establishing a TLS connection.

Thanks for the pointer. I see there are some resources here, so I'll try to play around with the vhost conf more. For now we are still using 5.0rc5 and it works great with the config above.

From what I understand, OCIS uses a self-signed certificate on 9200 and apache reverse proxy passes traffic through the public domain with proper certificate. Is there any configuration regarding the local certificate that I can play with?

micbar commented 3 weeks ago

IMHO it is not about the Certificate.

This looks more low level, a mismatch in the TLS handshake on the protocol level.

Can you tell me your operating system? Maybe we can try that too.