Federation Sharing Stop working: 403 Forbidden #18218

@berho

Steps to reproduce

  1. Share folder on server A to user on server B

  2. Accept sharing on server B

  3. See log on server B and find:
    error while sending notification for federated share: Client error: POST https://nc.serverB.dom/index.php/ocm/notifications resulted in a 403 Forbidden response

  4. Share folder on server B for user on server A

  5. Error Message in UI on Server B: "Sharing Test failed because u@serverA.dom was not found. Possibly the server is not reachable or uses a self-signed certificate."
    (I do not use a self-signed certificate!)

Expected behaviour

Shared folder can be accessed on trusted server.

Actual behaviour

Federation sharing stopped working on NC 17 (maybe 16 too)

Server configuration detail

Operating system: Linux 4.4.0-ui19255.033-uiabi1-infong-amd64 #1 SMP Debian 4.4.192-1~ui80+1 (2019-09-12) x86_64

Webserver: Apache (cgi-fcgi)

Database: mysql 5.7.27

PHP version: 7.3.12
Modules loaded: Core, date, libxml, openssl, pcre, sqlite3, zlib, bcmath, bz2, calendar, ctype, curl, dba, dom, hash, fileinfo, filter, ftp, gd, gettext, gmp, SPL, iconv, session, intl, json, mbstring, standard, PDO, mysqlnd, pdo_sqlite, Phar, posix, Reflection, imap, shmop, SimpleXML, soap, sodium, pdo_mysql, exif, tidy, tokenizer, wddx, xml, xmlreader, xmlwriter, xsl, zip, mysqli, cgi-fcgi, Zend OPcache

Nextcloud version: 17.0.1 - 17.0.1.1

Updated from an older Nextcloud/ownCloud or fresh install:

Where did you install Nextcloud from: unknown

Signing status

Array
(
)

List of activated apps
Enabled:
 - accessibility: 1.3.0
 - activity: 2.10.1
 - bruteforcesettings: 1.4.0
 - calendar: 1.7.1
 - cloud_federation_api: 1.0.0
 - comments: 1.7.0
 - contacts: 3.1.6
 - dav: 1.13.0
 - drawio: 0.9.4
 - encryption: 2.5.0
 - federatedfilesharing: 1.7.0
 - federation: 1.7.0
 - files: 1.12.0
 - files_pdfviewer: 1.6.0
 - files_rightclick: 0.15.1
 - files_sharing: 1.9.0
 - files_trashbin: 1.7.0
 - files_versions: 1.10.0
 - files_videoplayer: 1.6.0
 - firstrunwizard: 2.6.0
 - gallery: 18.4.0
 - hsts: 0.3.0
 - issuetemplate: 0.5.0
 - logreader: 2.2.0
 - lookup_server_connector: 1.5.0
 - maps: 0.1.2
 - nextcloud_announcements: 1.6.0
 - notifications: 2.5.0
 - oauth2: 1.5.0
 - onlyoffice: 3.0.2
 - passman: 2.3.5
 - password_policy: 1.7.0
 - privacy: 1.1.0
 - provisioning_api: 1.7.0
 - recommendations: 0.5.0
 - sensorlogger: 0.1.2
 - serverinfo: 1.7.0
 - sharebymail: 1.7.0
 - support: 1.0.1
 - survey_client: 1.5.0
 - suspicious_login: 3.0.0
 - systemtags: 1.7.0
 - text: 1.1.1
 - theming: 1.8.0
 - twofactor_backupcodes: 1.6.0
 - twofactor_totp: 4.1.0
 - updatenotification: 1.7.0
 - viewer: 1.2.0
 - workflowengine: 1.7.0
Disabled:
 - admin_audit
 - files_external
 - user_ldap

Configuration (config/config.php)
{
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "nc.serverA.dom"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "skeletondirectory": "\/homepages\/19\/345646\/htdocs\/CloudData\/skeleton",
    "overwrite.cli.url": "https:\/\/nc.serverA.dom",
    "overwriteprotocol": "https",
    "dbtype": "mysql",
    "version": "17.0.1.1",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "mysql.utf8mb4": true,
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "mail_smtpmode": "smtp",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpport": "25",
    "maintenance": false,
    "theme": "",
    "mail_smtpauthtype": "LOGIN",
    "mail_smtpauth": 1,
    "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
    "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpsecure": "tls",
    "onlyoffice": {
        "jwt_header": "***REMOVED SENSITIVE VALUE***"
    },
    "app_install_overwrite": [
        "issuetemplate"
    ]
}

Are you using external storage, if yes which one: no

Are you using encryption: 1

Are you using an external user-backend, if yes which one: no

Client configuration

Browser: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0

Operating system:

Logs

Web server error log
on ServerA:
92.48.141.0 - - [03/Dec/2019:20:11:31 +0100] "POST /index.php/apps/files_sharing/shareinfo?t=fcOfh90LkSPnAVK HTTP/1.1" 403 623 nc.serverA.dom "-" "Nextcloud Server Crawler" "-"
92.48.141.0 - - [03/Dec/2019:20:11:31 +0100] "POST /index.php/apps/files_sharing/shareinfo?t=fcOfh90LkSPnAVK HTTP/1.1" 403 623 nc.serverA.dom "-" "Nextcloud Server Crawler" "-"
92.48.141.0 - - [03/Dec/2019:20:11:32 +0100] "POST /index.php/ocm/notifications HTTP/1.1" 403 623 nc.serverA.dom "-" "Nextcloud Server Crawler" "-"
92.48.141.0 - - [03/Dec/2019:20:11:32 +0100] "POST /ocs/v2.php/cloud/shares/3/decline?format=json HTTP/1.1" 403 623 nc.serverA.dom "-" "Nextcloud Server Crawler" "-"

Nextcloud log
on ServerB:
Error	no app in context	error while sending notification for federated share: Client error: `POST https://nc.serverA.dom/index.php/ocm/notifications` resulted in a `403 Forbidden` response: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd (truncated...) 	
2019-12-03T20:11:32+0100

Browser log

Labels: 0. Needs triage, bug, needs info
