[solved] Nextcloud: communication failure

Started by qinohe, June 24, 2018, 04:58:16 PM

June 24, 2018, 04:58:16 PM Last Edit: June 24, 2018, 07:26:22 PM by qinohe
Hello all,

Trying the Nextcloud backup, but I seem to bump into something and keep getting

The following input errors were detected:

    communication failure
   

after hitting 'Setup/TestNextcloud'
   
My Nextcloud server is Debian; specs are:
4.9.0-6-amd64
nextcloud 13.0.4
a separate user for Opnsense backups, TOTP enabled (which shouldn't matter since app id is used)
an app password for Opnsense
Nextcloud machine firewall set to allow Opnsense

The same method is used for an android phone, a mediaplayer and ArchLinux on a different account; they seem to work fine.

Logs contain no info about this or I'm looking for the wrong ones.
Live view shows all connections are allowed.
Tried with 2fa and without (on Nextcloud) and logout to activate the change, the failure is the same.

Thanks mark

edit: one thing I forgot to mention may be important or not !?
I'm NOT running my Nextcloud server on:
nextcloud.server.domain
Instead I have it on:
server.domain/nextcloud

I have the same result.
Running nextcloud on a virtual private server in my domain.
I am sure my credentials are correct ;)

Do you use TLS with an untrusted certificate?
What do the logs say (OPNsense logs)?
Is

Quote from: qinohe on June 24, 2018, 04:58:16 PM
Trying the Nextcloud backup, but I seem to bump into something and keep getting

The following input errors were detected:

    communication failure
   

after hitting 'Setup/TestNextcloud'
The error means that the backup is not successful. The real information is in the logs.

Quote from: qinohe on June 24, 2018, 04:58:16 PM
My Nextcloud server is Debian; specs are:
4.9.0-6-amd64
nextcloud 13.0.4
I developed the code with a nextcloud 13.0.2 server running a GNU/Linux distribution - so this will probably work.
Quote from: qinohe on June 24, 2018, 04:58:16 PM
a separate user for Opnsense backups, TOTP enabled (which shouldn't matter since app id is used)
an app password for Opnsense
Nextcloud machine firewall set to allow Opnsense

The same method is used for an android phone, a mediaplayer and ArchLinux on a different account; they seem to work fine.
An app password should not be affected by TOTP etc. since they are more like tokens.

Quote from: qinohe on June 24, 2018, 04:58:16 PM
Logs contain no info about this or I'm looking for the wrong ones.
Live view shows all connections are allowed.
Tried with 2fa and without (on Nextcloud) and logout to activate the change, the failure is the same.

Thanks mark

App passwords should always work. The log you should check is the syslog.

Quote from: qinohe on June 24, 2018, 04:58:16 PM
edit: one thing I forgot to mention may be important or not !?
I'm NOT running my Nextcloud server on:
nextcloud.server.domain
Instead I have it on:
server.domain/nextcloud

forgot http(s):// in front? /remote.php... is appended automatically.

June 24, 2018, 06:11:58 PM #3 Last Edit: June 24, 2018, 06:23:16 PM by qinohe
Hey fabian, thanks for the clear answer.

Your first Q.: yes, using a self-signed cert for my server, all is a localdomain.

Next: what the logs say:
config[23141]: {"url":"https:\/\/cloud.localdomain\/nextcloud\/remote.php\/dav\/files\/backer\/","content_type":null,"http_code":0,"header_size":0,"request_size":0,"filetime":-1,"ssl_verify_result":18,"redirect_count":0,"total_time":0.164199,"namelookup_time":0.004971,"connect_time":0.005542,"pretransfer_time":0,"size_upload":0,"size_download":0,"speed_download":0,"speed_upload":0,"download_content_length":-1,"upload_content_length":-1,"starttransfer_time":0,"redirect_time":0,"redirect_url":"","primary_ip":"10.10.100.6","certinfo":[],"primary_port":443,"local_ip":"10.10.100.1","local_port":42812}

Then: no hehe I did not forget the 's' :P I click on it from another webpage, I don't know what I was thinking here, I don't do that, just the address.

I already 'knew' the app password should be okay with 2fa but I still tested, I wanted to be sure that was not an issue when I post here, thanks.

"ssl_verify_result":18 means TLS certificate verify issue -> OPNsense does not trust your certificate and rejects the connection.
Here is a user with a similar issue (using the CACert CA): https://github.com/opnsense/core/pull/2289#issuecomment-399716802

June 24, 2018, 07:25:59 PM #5 Last Edit: June 24, 2018, 10:14:53 PM by qinohe
Hey fabian, yes that works thanks for the answer.
Now the Nextcloud server is reached through a webpage served by that same server and thus in the HTTP_REFERER checks,
really I would not have found it for a long time, problem solved for now 8)

Thanks mark

edit: thanks for this app fabian it works well!
Now I still have a question:
How or when is a backup triggered? is it as soon when changes are made, hmm. just tried that seems to not be the case.
NVM. it's in the wiki   :-[

Quote from: qinohe on June 24, 2018, 06:11:58 PM
Hey fabian, thanks for the clear answer.

Your first Q.: yes, using a self-signed cert for my server, all is a localdomain.

Next: what the logs say:
config[23141]: {"url":"https:\/\/cloud.localdomain\/nextcloud\/remote.php\/dav\/files\/backer\/","content_type":null,"http_code":0,"header_size":0,"request_size":0,"filetime":-1,"ssl_verify_result":18,"redirect_count":0,"total_time":0.164199,"namelookup_time":0.004971,"connect_time":0.005542,"pretransfer_time":0,"size_upload":0,"size_download":0,"speed_download":0,"speed_upload":0,"download_content_length":-1,"upload_content_length":-1,"starttransfer_time":0,"redirect_time":0,"redirect_url":"","primary_ip":"10.10.100.6","certinfo":[],"primary_port":443,"local_ip":"10.10.100.1","local_port":42812}

Then: no hehe I did not forget the 's' :P I click on it from another webpage, I don't know what I was thinking here, I don't do that, just the address.

I already 'knew' the app password should be okay with 2fa but I still tested, I wanted to be sure that was not an issue when I post here, thanks.

Hello,

I have a similar issue, with number 20

is there any fix ?

config[80861]: {"url":"https:\/\/cloud.domain.com\/\/remote.php\/dav\/files\/opnsense\/","content_type":null,"http_code":0,"header_size":0,"request_size":0,"filetime":-1,"ssl_verify_result":20,"redirect_count":0,"total_time":0.033315,"namelookup_time":4.9e-5,"connect_time":0.007027,"pretransfer_time":0,"size_upload":0,"size_download":0,"speed_download":0,"speed_upload":0,"download_content_length":-1,"upload_content_length":-1,"starttransfer_time":0,"redirect_time":0,"redirect_url":"","primary_ip":"192.168.1.5","certinfo":[],"primary_port":443,"local_ip":"192.168.1.1","local_port":32217}


Thank you

Very likely another certificate validation error. I would check host name and time range of the certificate but I don't know this code.

Quote from: fabian on June 26, 2018, 10:40:09 PM
Very likely another certificate validation error. I would check host name and time range of the certificate but I don't know this code.

I have put the CA certificate on the path mentioned and now I get another error:

config[29464]: {"url":"https:\/\/cloud.domain.com\/remote.php\/dav\/files\/opnsense\/","content_type":null,"http_code":0,"header_size":0,"request_size":0,"filetime":-1,"ssl_verify_result":1,"redirect_count":0,"total_time":0.25138,"namelookup_time":0.078396,"connect_time":0.086301,"pretransfer_time":0,"size_upload":0,"size_download":0,"speed_download":0,"speed_upload":0,"download_content_length":-1,"upload_content_length":-1,"starttransfer_time":0,"redirect_time":0,"redirect_url":"","primary_ip":"192.168.1.5","certinfo":[],"primary_port":443,"local_ip":"192.168.1.1","local_port":42651}

Would it be easier to implement an option in the web UI to ignore SSL certificate validation? That would be perfect, as we could use any self-signed SSL.

thank you

Hey akron, what @fabian says, and a question: did you check the certificate with another connection, did that work?
My guess, there's something wrong with the crt.
Btw. I simply pushed the crt. to the store and that was it, no CA (need to set that up in spare time, heck, I may use Opnsense for that  :P)

Greetings mark

Quote from: qinohe on June 27, 2018, 01:33:37 PM
Hey akron, what @fabian says, and a question: did you check the certificate with another connection, did that work?
My guess, there's something wrong with the crt.
Btw. I simply pushed the crt. to the store and that was it, no CA (need to set that up in spare time, heck, I may use Opnsense for that  :P)

Greetings mark

I am confused, I am getting another error now: "ssl_verify_result":20

What I did was to put the SSL crt in /usr/local/share/certs; the crt contains the certificate data followed by the private key, is this correct? Also, I tried to put it in PEM format, no change.

Quote from: akron on June 27, 2018, 02:52:54 PM
Quote from: qinohe on June 27, 2018, 01:33:37 PM
Hey akron, what @fabian says, and a question: did you check the certificate with another connection, did that work?
My guess, there's something wrong with the crt.
Btw. I simply pushed the crt. to the store and that was it, no CA (need to set that up in spare time, heck, I may use Opnsense for that  :P)

Greetings mark

I am confused, I am getting another error now: "ssl_verify_result":20

Not an authority on this matter but a quote from https://www.openssl.org/docs/man1.0.2/apps/verify.html :
Quote
20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate

    the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found.
^^ probably a wrong value, check your CRT  ;).
Quote
What I did was to put the SSL crt in /usr/local/share/certs; the crt contains the certificate data followed by the private key, is this correct? Also, I tried to put it in PEM format, no change.

I only put the CRT in the store, no keys, no nothing, just the CRT.
I guess you understand that this is completely outside the scope of Opnsense ;D

I don't know if it would be redundant, but if there is interest for it I could make a little guide based on the use of self-signed CRTs with the help of OPNsense and put it in Tutorials; there is no entry in the wiki yet.

Greetings mark
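
An added example, not part of any post in this thread and not OPNsense code: the `ssl_verify_result` values in the log lines above (18, 20, 1) are OpenSSL X509 verify codes, so a small parser can turn a logged line into a named error with a hint. The sample lines, host names and addresses are constructed, and the code table is only a subset of OpenSSL's list.

```python
import json
import re

# Subset of OpenSSL X509_V_* verify codes (x509_vfy.h), with a short hint each.
X509_VERIFY_CODES = {
    0: ("X509_V_OK", "chain verified"),
    1: ("X509_V_ERR_UNSPECIFIED", "unspecified failure, no detail from OpenSSL"),
    9: ("X509_V_ERR_CERT_NOT_YET_VALID", "notBefore is in the future; check clocks"),
    10: ("X509_V_ERR_CERT_HAS_EXPIRED", "notAfter has passed; renew the certificate"),
    18: ("X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT", "self-signed leaf is not trusted"),
    19: ("X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN", "chain root is not trusted"),
    20: ("X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY", "issuer is not in the trust store"),
    21: ("X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE", "only the leaf was sent, issuer unknown"),
}

# Matches "config[PID]: {json}", the shape of the log lines quoted in this thread.
LINE_RE = re.compile(r"config\[(\d+)\]:\s*(\{.*\})\s*$")

def triage(line):
    """Describe the TLS verify outcome of one log line; None if it does not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        info = json.loads(m.group(2))
    except ValueError:
        return None
    code = info.get("ssl_verify_result")
    if not isinstance(code, int):
        return None
    name, hint = X509_VERIFY_CODES.get(code, ("UNKNOWN", "see the OpenSSL verify docs"))
    return {
        "pid": int(m.group(1)),
        "url": info.get("url"),  # JSON "\/" escapes are decoded to "/"
        "peer": "%s:%s" % (info.get("primary_ip"), info.get("primary_port")),
        "code": code, "name": name, "hint": hint,
        # http_code 0 plus a non-zero verify code: rejected before any HTTP exchange
        "tls_rejected": code != 0 and info.get("http_code") == 0,
    }

# Constructed sample lines (shortened; documentation-range addresses and names).
SAMPLE = [
    r'config[1001]: {"url":"https:\/\/cloud.example.test\/","http_code":0,"ssl_verify_result":18,"primary_ip":"192.0.2.6","primary_port":443}',
    r'config[1002]: {"url":"https:\/\/cloud.example.test\/","http_code":0,"ssl_verify_result":20,"primary_ip":"192.0.2.6","primary_port":443}',
    r'config[1003]: {"url":"https:\/\/cloud.example.test\/","http_code":207,"ssl_verify_result":0,"primary_ip":"192.0.2.6","primary_port":443}',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        r = triage(entry)
        print(r["pid"], r["peer"], r["code"], r["name"], "-", r["hint"])
```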

Documentation is always good - The docs repository is here: https://github.com/opnsense/docs

Don't forget to add a warning about the issue, that an update of the system cert bundle may undo the change.

Nice to know, I'll start with  a text based guide I put in https://forum.opnsense.org/index.php?board=24.0
Users can give their experience/findings and I create a wiki page. I already have a guide running on my Mediawiki server, but it's not ready for distribution.

Yea, if the store is updated your input is gone, it just happened a few hours ago, but I was prepared  8), I will add the warning..