
Setup check for .well-known/caldav & carddav broken on Firefox #11773

Closed
rigrig opened this issue Oct 11, 2018 · 5 comments

Comments

@rigrig
Contributor

rigrig commented Oct 11, 2018

Steps to reproduce

  1. Log in using Firefox
  2. Go to //settings/admin/overview
  3. Look under Security & setup warnings

Expected behaviour

I should see (This happens in Chrome)

All checks passed.

Actual behaviour

I see (Using Firefox)

There are some warnings regarding your setup.

  • Your web server is not properly set up to resolve "/.well-known/caldav". Further information can be found in the documentation.
  • Your web server is not properly set up to resolve "/.well-known/carddav". Further information can be found in the documentation.

Server configuration

Operating system: Linux: Devuan 2.0.0
Web server: Apache 2.4.25 (behind Nginx 1.14.0 proxy)
Database: PostgreSQL 6.9.6
PHP version: 7.0.30
Nextcloud version: 14.0.2 (Also happened in 14.0.2 RC2, but I figured it got fixed in #11738)
Updated from an older Nextcloud: Updated from previous RC

Client configuration

Browser: Firefox 60.2.2esr (64-bit)
Operating system: Linux: Devuan 2.0.0

What seems to happen:

Firefox:

  1. The setup-check requests https://fnp.tubul.net/.well-known/caldav, which is redirected:
Request headers
PROPFIND /.well-known/caldav HTTP/1.1
Host: fnp.tubul.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-GB,en-US;q=0.8,en;q=0.5,nl;q=0.3
Accept-Encoding: gzip, deflate, br
requesttoken: *****:*****
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Cookie: __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; nc_username=*****; nc_token=*****; nc_session_id=***** oc_sessionPassphrase=*****; ocaed*****=*****
DNT: 1
Connection: keep-alive
Response headers (empty body)
HTTP/2.0 301 Moved Permanently
server: nginx/1.14.0
date: Thu, 11 Oct 2018 12:15:38 GMT
content-type: text/html; charset=iso-8859-1
content-length: 244
location: http://fnp.tubul.net/remote.php/dav/
x-clacks-overhead: GNU Terry Pratchett
strict-transport-security: max-age=31536000; includeSubDomains; preload
X-Firefox-Spdy: h2
  2. The redirected request to https://fnp.tubul.net/remote.php/dav/ returns a 401:
Request headers
PROPFIND /remote.php/dav/ HTTP/1.1
Host: fnp.tubul.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-GB,en-US;q=0.8,en;q=0.5,nl;q=0.3
Accept-Encoding: gzip, deflate, br
requesttoken: *****:*****
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: keep-alive
Response headers
HTTP/2.0 401 Unauthorized
server: nginx/1.14.0
date: Thu, 11 Oct 2018 12:15:39 GMT
content-type: application/xml; charset=utf-8
content-length: 235
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
set-cookie: ocaed*****=******; path=/; secure; HttpOnly
oc_sessionPassphrase=*****; path=/; secure; HttpOnly
__Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
__Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
content-security-policy: default-src 'self' tubul.net *.tubul.net;child-src 'self' tubul.net *.tubul.net www.openstreetmap.org;frame-ancestors 'self' tubul.net *.tubul.net;style-src 'self' tubul.net 'unsafe-inline';script-src 'unsafe-inline' 'unsafe-eval' 'self';object-src 'none';img-src https: data: blob:; font-src 'self' data: blob:;connect-src *;upgrade-insecure-requests
x-frame-options: SAMEORIGIN
www-authenticate: DummyBasic realm="Tubul"
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
referrer-policy: no-referrer
x-robots-tag: none
x-download-options: noopen
x-permitted-cross-domain-policies: none
strict-transport-security: max-age=31536000; includeSubDomains; preload
X-Firefox-Spdy: h2

Response body:

<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception>
  <s:message>Cannot authenticate over ajax calls</s:message>
</d:error>

In Chrome (where the check works fine)

  1. The setup-check request is redirected:
Request headers
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,nl;q=0.8
cookie: oc_sessionPassphrase=*****; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; ocaed*****=*****; nc_username=*****; nc_token=*****; nc_session_id=*****
dnt: 1
ocs-apirequest: true
origin: https://fnp.tubul.net
requesttoken: *****:*****
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
x-requested-with: XMLHttpRequest
Response headers (empty body)
content-length: 244
content-type: text/html; charset=iso-8859-1
date: Thu, 11 Oct 2018 12:40:15 GMT
location: http://fnp.tubul.net/remote.php/dav/
server: nginx/1.14.0
status: 301
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-clacks-overhead: GNU Terry Pratchett
  2. The redirected request to https://fnp.tubul.net/remote.php/dav/ returns a 207:
Request headers
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,nl;q=0.8
cookie: oc_sessionPassphrase=*****; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; oc*****=*****; nc_username=*****; nc_token=*****; nc_session_id=*****
dnt: 1
ocs-apirequest: true
origin: https://fnp.tubul.net
requesttoken: *****:*****
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
x-requested-with: XMLHttpRequest
Response headers
cache-control: no-store, no-cache, must-revalidate
content-length: 5547
content-security-policy: default-src 'self' tubul.net *.tubul.net;child-src 'self' tubul.net *.tubul.net www.openstreetmap.org;frame-ancestors 'self' tubul.net *.tubul.net;style-src 'self' tubul.net 'unsafe-inline';script-src 'unsafe-inline' 'unsafe-eval' 'self';object-src 'none';img-src https: data: blob:; font-src 'self' data: blob:;connect-src *;upgrade-insecure-requests
content-type: application/xml; charset=utf-8
date: Thu, 11 Oct 2018 12:40:15 GMT
dav: 1, 3, extended-mkcol, access-control, calendarserver-principal-property-search, nc-calendar-search, nc-enable-birthday-calendar
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
referrer-policy: no-referrer
server: nginx/1.14.0
status: 207
strict-transport-security: max-age=31536000; includeSubDomains; preload
vary: Brief,Prefer
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: none
x-xss-protection: 1; mode=block

Response body:

<?xml version="1.0"?>
<d:multistatus xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:oc="http://owncloud.org/ns" xmlns:nc="http://nextcloud.org/ns">
  <d:response><d:href>/remote.php/dav/</d:href><d:propstat><d:prop><d:resourcetype><d:collection/></d:resourcetype></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response>
  <d:response><d:href>/remote.php/dav/principals/</d:href><d:propstat><d:prop><d:resourcetype><d:collection/></d:resourcetype></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat><d:propstat><d:prop><d:getlastmodified/><d:getcontentlength/><d:quota-used-bytes/><d:quota-available-bytes/><d:getetag/><d:getcontenttype/></d:prop><d:status>HTTP/1.1 404 Not Found</d:status></d:propstat></d:response>
  <d:response><d:href>/remote.php/dav/files/</d:href><d:propstat><d:prop><d:resourcetype><d:collection/></d:resourcetype></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat><d:propstat><d:prop><d:getlastmodified/><d:getcontentlength/><d:quota-used-bytes/><d:quota-available-bytes/><d:getetag/><d:getcontenttype/></d:prop><d:status>HTTP/1.1 404 Not Found</d:status></d:propstat></d:response>
  <d:response><d:href>/remote.php/dav/calendars/</d:href><d:propstat><d:prop><d:resourcetype><d:collection/></d:resourcetype></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat><d:propstat><d:prop><d:getlastmodified/><d:getcontentlength/><d:quota-used-bytes/><d:quota-available-bytes/><d:getetag/><d:getcontenttype/></d:prop><d:status>HTTP/1.1 404 Not Found</d:status></d:propstat></d:response>
  <d:response><d:href>/remote.php/dav/system-calendars/</d:href><d:propstat><d:prop><d:resourcetype><d:collection/></d:resourcetype></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat><d:propstat><d:prop><d:getlastmodified/><d:getcontentlength/><d:quota-used-bytes/><d:quota-available-bytes/><d:getetag/><d:getcontenttype/></d:prop><d:status>HTTP/1.1 404 Not Found</d:status></d:propstat></d:response>
  <d:response><d:href>/remote.php/dav/public-calendars/</d:href><d:propstat><d:prop><d:resourcetype><d:collection/></d:resourcetype></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat><d:propstat><d:prop><d:getlastmodified/><d:getcontentlength/><d:quota-used-bytes/><d:quota-available-bytes/><d:getetag/><d:getcontenttype/></d:prop><d:status>HTTP/1.1 404 Not Found</d:status></d:propstat></d:response>
  <d:response><d:href>/remote.php/dav/addressbooks/</d:href><d:propstat><d:prop><d:resourcetype><d:collection/></d:resourcetype></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat><d:propstat><d:prop><d:getlastmodified/><d:getcontentlength/><d:quota-used-bytes/><d:quota-available-bytes/><d:getetag/><d:getcontenttype/></d:prop><d:status>HTTP/1.1 404 Not Found</d:status></d:propstat></d:response>
  <d:response><d:href>/remote.php/dav/systemtags/</d:href><d:propstat><d:prop><d:resourcetype><d:collection/></d:resourcetype></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat><d:propstat><d:prop><d:getlastmodified/><d:getcontentlength/><d:quota-used-bytes/><d:quota-available-bytes/><d:getetag/><d:getcontenttype/></d:prop><d:status>HTTP/1.1 404 Not Found</d:status></d:propstat></d:response>
  <d:response><d:href>/remote.php/dav/systemtags-relations/</d:href><d:propstat><d:prop><d:resourcetype><d:collection/></d:resourcetype></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat><d:propstat><d:prop><d:getlastmodified/><d:getcontentlength/><d:quota-used-bytes/><d:quota-available-bytes/><d:getetag/><d:getcontenttype/></d:prop><d:status>HTTP/1.1 404 Not Found</d:status></d:propstat></d:response>
  <d:response><d:href>/remote.php/dav/comments/</d:href><d:propstat><d:prop><d:resourcetype><d:collection/></d:resourcetype></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat><d:propstat><d:prop><d:getlastmodified/><d:getcontentlength/><d:quota-used-bytes/><d:quota-available-bytes/><d:getetag/><d:getcontenttype/></d:prop><d:status>HTTP/1.1 404 Not Found</d:status></d:propstat></d:response>
  <d:response><d:href>/remote.php/dav/uploads/</d:href><d:propstat><d:prop><d:resourcetype><d:collection/></d:resourcetype></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat><d:propstat><d:prop><d:getlastmodified/><d:getcontentlength/><d:quota-used-bytes/><d:quota-available-bytes/><d:getetag/><d:getcontenttype/></d:prop><d:status>HTTP/1.1 404 Not Found</d:status></d:propstat></d:response>
  <d:response><d:href>/remote.php/dav/avatars/</d:href><d:propstat><d:prop><d:resourcetype><d:collection/></d:resourcetype></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat><d:propstat><d:prop><d:getlastmodified/><d:getcontentlength/><d:quota-used-bytes/><d:quota-available-bytes/><d:getetag/><d:getcontenttype/></d:prop><d:status>HTTP/1.1 404 Not Found</d:status></d:propstat></d:response>
  <d:response><d:href>/remote.php/dav/trashbin/</d:href><d:propstat><d:prop><d:resourcetype><d:collection/></d:resourcetype></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat><d:propstat><d:prop><d:getlastmodified/><d:getcontentlength/><d:quota-used-bytes/><d:quota-available-bytes/><d:getetag/><d:getcontenttype/></d:prop><d:status>HTTP/1.1 404 Not Found</d:status></d:propstat></d:response>
  <d:response><d:href>/remote.php/dav/versions/</d:href><d:propstat><d:prop><d:resourcetype><d:collection/></d:resourcetype></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat><d:propstat><d:prop><d:getlastmodified/><d:getcontentlength/><d:quota-used-bytes/><d:quota-available-bytes/><d:getetag/><d:getcontenttype/></d:prop><d:status>HTTP/1.1 404 Not Found</d:status></d:propstat></d:response>
</d:multistatus>
@rigrig
Contributor Author

rigrig commented Oct 11, 2018

I guess this might be an issue with Firefox not handling the redirect correctly?
But even then it would be nice not to get a warning when things are set up correctly.

@nextcloud-bot
Member

GitMate.io thinks possibly related issues are #8766 (Caldav ), #11733 (Fix a misleading setup check for .well-known/caldav & carddav), #7905 (CSS broken in firefox), and #5947 (webDAV PROPFIND).

@rigrig
Contributor Author

rigrig commented Oct 11, 2018

Looks like it's caused by my nginx proxy/Apache setup:
the redirect points to http:// instead of https:// and Chrome handles this better than Firefox.
Manually changing the rewrite rule in .htaccess to
RewriteRule ^\.well-known/carddav https://fnp.tubul.net/remote.php/dav/ [R=301,L]
fixed it, but hardcoding the server name isn't a very nice solution...

@linucksrox

I handled this by adding location blocks to my nginx proxy configuration:

    location /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }

    location /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }

@rigrig
Contributor Author

rigrig commented Oct 11, 2018

Thanks, I fixed it by adding
proxy_redirect http://$host/ https://$host/;
to my nginx proxy configuration.

Closing this now, as "not handling a badly setup reverse proxy" hardly seems to be a NC bug.
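The two findings in this thread, the redirect pointing at http:// instead of https:// and the `proxy_redirect http://$host/ https://$host/;` fix, can be checked offline. The example below is an added checker, not Nextcloud's own setup check and not code from anyone in this thread: it parses a response head constructed from the Firefox 301 capture above, flags a Location whose scheme differs from the request's scheme (the downgrade that a proxy lets through when the backend only knows about http), and emulates what the `proxy_redirect` directive does to that one header so the same check passes afterwards. The function names and the trimmed header block are assumptions for the example; nginx's real `proxy_redirect` is modelled only as the literal prefix replacement the directive performs.

```python
from urllib.parse import urlsplit

# Paths Nextcloud's setup check probes and the target they must redirect to.
# The nginx snippet in this thread returns /remote.php/dav without a trailing
# slash, so the path comparison tolerates that.
WELL_KNOWN_PATHS = {"/.well-known/caldav", "/.well-known/carddav"}
EXPECTED_DAV_PATH = "/remote.php/dav/"


def parse_response_head(raw):
    """Parse a raw response head (status line plus headers) into (status, headers).

    Header names are lower-cased; the HTTP/2 captures in this issue already use
    lower-case names, HTTP/1.1 captures generally do not.
    """
    lines = [line for line in raw.strip().splitlines() if line.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_well_known_redirect(request_url, status, headers):
    """Return a list of findings; an empty list means the redirect is sound."""
    findings = []
    req = urlsplit(request_url)
    if req.path not in WELL_KNOWN_PATHS:
        return [f"{req.path} is not a well-known DAV path"]
    if status not in (301, 302, 307, 308):
        return [f"expected a redirect status, got {status}"]
    location = headers.get("location")
    if not location:
        return ["redirect carries no Location header"]
    target = urlsplit(location)
    # An absolute Location naming a different scheme is the defect in this
    # thread: the backend answered for http:// and the proxy passed it through.
    if target.scheme and target.scheme != req.scheme:
        findings.append(
            f"scheme downgrade: {req.scheme}:// request redirected to {target.scheme}://"
        )
    if target.netloc and target.netloc != req.netloc:
        findings.append(f"host changes from {req.netloc} to {target.netloc}")
    if target.path.rstrip("/") + "/" != EXPECTED_DAV_PATH:
        findings.append(f"unexpected redirect target path {target.path}")
    return findings


def proxy_redirect_http_to_https(location, host):
    """Emulate `proxy_redirect http://$host/ https://$host/;` for one Location value.

    Only a Location starting with the literal prefix is rewritten; a relative
    Location or another host is passed through unchanged (assumed model).
    """
    prefix = f"http://{host}/"
    if location.startswith(prefix):
        return f"https://{host}/" + location[len(prefix):]
    return location


# Constructed from the Firefox 301 capture in this issue (headers trimmed).
CAPTURED_301 = """HTTP/2.0 301 Moved Permanently
server: nginx/1.14.0
content-type: text/html; charset=iso-8859-1
content-length: 244
location: http://fnp.tubul.net/remote.php/dav/
strict-transport-security: max-age=31536000; includeSubDomains; preload
"""
REQUEST_URL = "https://fnp.tubul.net/.well-known/caldav"


def diagnose_capture():
    """Findings for the captured redirect exactly as the proxy sent it."""
    status, headers = parse_response_head(CAPTURED_301)
    return check_well_known_redirect(REQUEST_URL, status, headers)


def diagnose_after_proxy_redirect():
    """Findings once the Location header is rewritten the way the fix does."""
    status, headers = parse_response_head(CAPTURED_301)
    headers["location"] = proxy_redirect_http_to_https(headers["location"], "fnp.tubul.net")
    return check_well_known_redirect(REQUEST_URL, status, headers)


if __name__ == "__main__":
    print("as captured:", diagnose_capture())
    print("after proxy_redirect:", diagnose_after_proxy_redirect())
```

Run as captured, the checker reports a single scheme-downgrade finding and nothing else, which matches the diagnosis in the thread: the path and host are right, only the scheme is wrong. A relative Location such as `/remote.php/dav/` carries no scheme at all and passes the check unchanged, which is why a proxy-side `return 301 $scheme://$host/...` or a scheme-less redirect does not depend on the backend knowing whether TLS terminated in front of it.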
