[solved] Nexcloud: communication failure

[qinohe]

Hello all,

Trying the Nextcloud backup, but I seem to bump into something and keep getting

Code: [Select]

The following input errors were detected:

    communication failure
    after hitting 'Setup/TestNextcloud'
   
My Nextcloud server is Debian specs are:
4.9.0-6-amd64
nextcloud 13.0.4
a separate user for Opnsense backups, TOTP enabled(which shouldn't matter since app id is used)
a app password for Opnsense
Nextcloud machine firewall set to allow Opnsense

The same method is used for an android phone a mediaplayer and ArchLinux on a different account, they seem to work fine.

Logs contain no info about this or I'm looking for the wrong ones.
Live view shows all connections are allowed.
Tried with 2fa and without (on Nextcloud) and logout to activate the change, the failure is the same.

Thanks mark

edit: one thing I forgot to mention may be important or not !?
I'm NOT running my Nexcloud server on:
nextcloud.server.domain
Instead I have it on:
server.domain/nextcloud

[frank_p]

I have the same result.
Running nextcloud on a virtual private server in my domain.
I am sure my credentials are correct

[fabian]

Do you use TLS with an untrusted certificate?
What do the logs say (OPNsense logs)?
Is

Trying the Nextcloud backup, but I seem to bump into something and keep getting

Code: [Select]

The following input errors were detected:

    communication failure
    after hitting 'Setup/TestNextcloud'

The error means that the backup is not successful. The real information is in the logs.

My Nextcloud server is Debian specs are:
4.9.0-6-amd64
nextcloud 13.0.4

I developed the code with a nextcloud 13.0.2 server running a GNU/Linux distribution - so this will probably work.

a separate user for Opnsense backups, TOTP enabled(which shouldn't matter since app id is used)
a app password for Opnsense
Nextcloud machine firewall set to allow Opnsense

The same method is used for an android phone a mediaplayer and ArchLinux on a different account, they seem to work fine.

An app password should not be affected by TOTP etc. since they are more like tokens.

Logs contain no info about this or I'm looking for the wrong ones.
Live view shows all connections are allowed.
Tried with 2fa and without (on Nextcloud) and logout to activate the change, the failure is the same.

Thanks mark

App passwords should always work. The log you should check is the syslog.

edit: one thing I forgot to mention may be important or not !?
I'm NOT running my Nexcloud server on:
nextcloud.server.domain
Instead I have it on:
server.domain/nextcloud

forgot http(s):// in front? /remote.php… is appended automatically.

[qinohe]

Hey fabian, thanks for the clear answer.

Your first Q. :yes using self signed cert. for my server, all is a localdomain.

Next: what say the logs:

Code: [Select]

config[23141]: {"url":"https:\/\/cloud.localdomain\/nextcloud\/remote.php\/dav\/files\/backer\/","content_type":null,"http_code":0,"header_size":0,"request_size":0,"filetime":-1,"ssl_verify_result":18,"redirect_count":0,"total_time":0.164199,"namelookup_time":0.004971,"connect_time":0.005542,"pretransfer_time":0,"size_upload":0,"size_download":0,"speed_download":0,"speed_upload":0,"download_content_length":-1,"upload_content_length":-1,"starttransfer_time":0,"redirect_time":0,"redirect_url":"","primary_ip":"10.10.100.6","certinfo":[],"primary_port":443,"local_ip":"10.10.100.1","local_port":42812}
Than: no hehe I did not forget the 's'    I click on it from another webpage I don't know what I was thinking here, I don't do that, just the address

I allraedy 'knew' app password should be okay with 2fa but still tested I, wanted to be sure that was not an issue when I post here, thanks.

[fabian]

ssl_verify_result":18 means TLS certificate verify issue -> OPNsense does not trust your certificate and rejects the connection.
Here is a user with a simmilar issue (using the CACert CA: https://github.com/opnsense/core/pull/2289#issuecomment-399716802)

[qinohe]

Hey fabian, yes that works thanks for the answer.
Now the Nextcloud server is reached trough a webpage served by that same server and thus in the HTTP_REFERER checks,
really I would not have found for a long time,  problem solved for now 

Thanks mark

edit: thanks for this app fabian it works well!
Now I still have a question:
How or when is a backup triggered? is it as soon when changes are made, hmm. just tried that seems to not be the case.
NVM. it's in the wiki   

[akron]

Hey fabian, thanks for the clear answer.

Your first Q. :yes using self signed cert. for my server, all is a localdomain.

Next: what say the logs:

Code: [Select]

config[23141]: {"url":"https:\/\/cloud.localdomain\/nextcloud\/remote.php\/dav\/files\/backer\/","content_type":null,"http_code":0,"header_size":0,"request_size":0,"filetime":-1,"ssl_verify_result":18,"redirect_count":0,"total_time":0.164199,"namelookup_time":0.004971,"connect_time":0.005542,"pretransfer_time":0,"size_upload":0,"size_download":0,"speed_download":0,"speed_upload":0,"download_content_length":-1,"upload_content_length":-1,"starttransfer_time":0,"redirect_time":0,"redirect_url":"","primary_ip":"10.10.100.6","certinfo":[],"primary_port":443,"local_ip":"10.10.100.1","local_port":42812}
Than: no hehe I did not forget the 's'    I click on it from another webpage I don't know what I was thinking here, I don't do that, just the address

I allraedy 'knew' app password should be okay with 2fa but still tested I, wanted to be sure that was not an issue when I post here, thanks.

Hello,

I have a similar issue, with number 20

is there any fix ?

config[80861]: {"url":"https:\/\/cloud.domain.com\/\/remote.php\/dav\/files\/opnsense\/","content_type":null,"http_code":0,"header_size":0,"request_size":0,"filetime":-1,"ssl_verify_result":20,"redirect_count":0,"total_time":0.033315,"namelookup_time":4.9e-5,"connect_time":0.007027,"pretransfer_time":0,"size_upload":0,"size_download":0,"speed_download":0,"speed_upload":0,"download_content_length":-1,"upload_content_length":-1,"starttransfer_time":0,"redirect_time":0,"redirect_url":"","primary_ip":"192.168.1.5","certinfo":[],"primary_port":443,"local_ip":"192.168.1.1","local_port":32217}


Thank you

[fabian]

Very likely another certificate validation error. I would check host name and time range of the certificate but I don't know this code.

[akron]

Very likely another certificate validation error. I would check host name and time range of the certificate but I don't know this code.

I have put the CA certificate on the path mentioned and now I get another error:

config[29464]: {"url":"https:\/\/cloud.domain.com\/remote.php\/dav\/files\/opnsense\/","content_type":null,"http_code":0,"header_size":0,"request_size":0,"filetime":-1,"ssl_verify_result":1,"redirect_count":0,"total_time":0.25138,"namelookup_time":0.078396,"connect_time":0.086301,"pretransfer_time":0,"size_upload":0,"size_download":0,"speed_download":0,"speed_upload":0,"download_content_length":-1,"upload_content_length":-1,"starttransfer_time":0,"redirect_time":0,"redirect_url":"","primary_ip":"192.168.1.5","certinfo":[],"primary_port":443,"local_ip":"192.168.1.1","local_port":42651}

would be easier to implement on the webui ignore SSL certificate validation ? that would be perfect as we could use any self signed SSL

thank you

[qinohe]

Hey akron, what @fabian says, and a question: did you check the certificate with another connection, did that work?
My guess, there's something wrong with the crt.
Btw. I simply pushed the crt. to the store and that was it, no CA (need to set that up in spare time, heck, I may use Opnsense for that  )

Greetings mark

[akron]

Hey akron, what @fabian says, and a question: did you check the certificate with another connection, did that work?
My guess, there's something wrong with the crt.
Btw. I simply pushed the crt. to the store and that was it, no CA (need to set that up in spare time, heck, I may use Opnsense for that  )

Greetings mark

I am confuse, I am getting another error now ssl_verify_result":20

what I did was to put the SSL crt /usr/local/share/certs the crt contains the certificate data followed by private key, is this correct? also I tried to put in pem format no change

[qinohe]

Hey akron, what @fabian says, and a question: did you check the certificate with another connection, did that work?
My guess, there's something wrong with the crt.
Btw. I simply pushed the crt. to the store and that was it, no CA (need to set that up in spare time, heck, I may use Opnsense for that  )

Greetings mark

I am confuse, I am getting another error now ssl_verify_result":20

Not an authority on this matter but a quote from https://www.openssl.org/docs/man1.0.2/apps/verify.html :

20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate

    the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found.

^^ probably a wrong value, check your CRT  .

what I did was to put the SSL crt /usr/local/share/certs the crt contains the certificate data followed by private key, is this correct? also I tried to put in pem format no change

I only put theCRT. in the store no keys no nothing,just the CRT.
I guess U understand that this is completely outside the scope of Opnsense 

[qinohe]

I don't know if it would be redundant but If there is interest for it I could make a little guide based  on the use of self signed CRT's with the help of the OPNsense and put it in Tutorials, there is no entry in the wiki, yet.

Greetings mark

[fabian]

Documentation is always good - The docs repository is here: https://github.com/opnsense/docs

Don't forget to add a warning about the issue, that an update of the system cert bundle may undo the change.

[qinohe]

Nice to know, I'll start with  a text based guide I put in https://forum.opnsense.org/index.php?board=24.0
Users can give their experience/findings and I create a wiki page. I already have a guide running on my Mediawiki server, but it's not ready for distribution.

Yea, if the store is updated your input is gone, it just happened a few hours ago, but I was prepared  , I will add the warning..