5.0.0beta2 Install Failure - WebDAV/SSL #1909

Closed
austinbeam opened this Issue Feb 26, 2013 · 24 comments

Comments

Projects
None yet
10 participants
@austinbeam

Hello there,
I'm experiencing trouble installing OwnCloud v5.0.0beta2 during which I receive the following output from OwnCloud:

ScreenShot240

Your web server is not yet properly setup to allow files synchronization because the WebDAV interface seems to be broken.

This error occurs immediately after entering credentials for the initial setup. When I then try to login to the OwnCloud installation, the login attempt fails with:

Lost your password?

I have tried the installation multiple times without success. Based on the logs, I believe the issue is related to my SSL certificate and curl. It appears curl isn't seeing a valid CA for my cert (Comodo PositiveSSL). I'm assuming SabreDAV is attempting to confirm that it is operational (and failing) and is subsequently causing the entire installation process to fail.

I can confirm that my SSL certificate is valid as it works properly for all other uses on this server. I'm hoping this is as easy to fix as adding the proper CA for my certificate so that curl knows to trust it. If this is the case, where do I need to put the CA for this to work properly? Is curl using a default set of CA certs or is it using any at all?

I would imagine others installing in an SSL environment would encounter this issue as well if this is related to untrusted CAs, especially considering many people will be using self-signed certificates.

My reporting template is below. Thanks for helping.

Expected behaviour

Owncloud installs properly

Actual behaviour

Owncloud fails to install with:

Your web server is not yet properly setup to allow files synchronization because the WebDAV interface seems to be broken.

Steps to reproduce

  1. Configure working ssl-only apache2 webserver with ssl certificate from PositiveSSL
  2. Add owncloud directory configuration to apache2
  3. Install owncloud
  4. Attempt to complete the installation via the web interface

Server configuration

Operating system:
Ubuntu 12.04
Web server:
apache2
Database:
SQLite
PHP version:
5.3.10-1ubuntu3.5
ownCloud version:
5.0.0beta2

Client configuration

Browser:
Chrome
Operating system:
Windows 7

Logs

Web server error log

[Mon Feb 25 23:06:23 2013] [error] [client 192.168.1.1] client denied by server configuration: /var/www/owncloud/data/htaccesstest.txt

ownCloud log (data/owncloud.log)

{"app":"core","message":"isWebDAVWorking: NO - Reason: exception 'Sabre_DAV_Exception' with message '[CURL] Error while making request: SSL certificate problem, verify that the CA cert is OK. Details:\nerror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (error code: 60)' in \/var\/www\/owncloud\/3rdparty\/Sabre\/DAV\/Client.php:390\nStack trace:\n#0 \/var\/www\/owncloud\/3rdparty\/Sabre\/DAV\/Client.php(163): Sabre_DAV_Client->request('PROPFIND', '', '<?xml version=\"...', Array)\n#1 \/var\/www\/owncloud\/lib\/util.php(574): Sabre_DAV_Client->propFind('', Array)\n#2 \/var\/www\/owncloud\/lib\/setup.php(645): OC_Util::isWebDAVWorking()\n#3 [internal function]: OC_Setup::postSetupCheck(Array)\n#4 \/var\/www\/owncloud\/lib\/router.php(127): call_user_func(Array, Array)\n#5 \/var\/www\/owncloud\/lib\/base.php(586): OC_Router->match('\/post-setup-che...')\n#6 \/var\/www\/owncloud\/index.php(28): OC::handleRequest()\n#7 {main}","level":2,"time":1361855191}
@DeepDiver1975

This comment has been minimized.

Show comment
Hide comment
@DeepDiver1975

DeepDiver1975 Feb 26, 2013

Member

Thx - I'll take care of this.

Member

DeepDiver1975 commented Feb 26, 2013

Thx - I'll take care of this.

@karlitschek

This comment has been minimized.

Show comment
Hide comment
@karlitschek

karlitschek Feb 26, 2013

Member

Thanks

Member

karlitschek commented Feb 26, 2013

Thanks

@DeepDiver1975

This comment has been minimized.

Show comment
Hide comment
@DeepDiver1975

DeepDiver1975 Feb 26, 2013

Member

@evert hey - is it possible to pass additional curl options to class Sabre_DAV_Client? THX

Member

DeepDiver1975 commented Feb 26, 2013

@evert hey - is it possible to pass additional curl options to class Sabre_DAV_Client? THX

@eleith

This comment has been minimized.

Show comment
Hide comment
@eleith

eleith Feb 26, 2013

relevant discussion (with @evert) here: https://code.google.com/p/sabredav/issues/detail?id=206

for those that want to get it working now and use a self-signed cert, open up 3rdparty/Sabre/DAV/Client.php

and modify $curlSettings

$curlSettings = array(
  CURLOPT_RETURNTRANSFER => true,
  // Return headers as part of the response
  CURLOPT_HEADER => true,
  CURLOPT_POSTFIELDS => $body,
  // Automatically follow redirects
  CURLOPT_FOLLOWLOCATION => true,
  CURLOPT_MAXREDIRS => 5,
  CURLOPT_SSL_VERIFYPEER => false,
);

eleith commented Feb 26, 2013

relevant discussion (with @evert) here: https://code.google.com/p/sabredav/issues/detail?id=206

for those that want to get it working now and use a self-signed cert, open up 3rdparty/Sabre/DAV/Client.php

and modify $curlSettings

$curlSettings = array(
  CURLOPT_RETURNTRANSFER => true,
  // Return headers as part of the response
  CURLOPT_HEADER => true,
  CURLOPT_POSTFIELDS => $body,
  // Automatically follow redirects
  CURLOPT_FOLLOWLOCATION => true,
  CURLOPT_MAXREDIRS => 5,
  CURLOPT_SSL_VERIFYPEER => false,
);
@evert

This comment has been minimized.

Show comment
Hide comment
@evert

evert Feb 26, 2013

Hi guys,

I was indeed strictly against adding an option for this. I can't think of a valid reason why turning off VERIFYPEER is a good idea. If you use a self-signed certificate, you should check against those instead. See:

https://github.com/evert/SabreDAV/blob/master/lib/Sabre/DAV/Client.php#L111

That's how this really should be fixed; otherwise you might as well turn off https completely and switch to http..

Evert

evert commented Feb 26, 2013

Hi guys,

I was indeed strictly against adding an option for this. I can't think of a valid reason why turning off VERIFYPEER is a good idea. If you use a self-signed certificate, you should check against those instead. See:

https://github.com/evert/SabreDAV/blob/master/lib/Sabre/DAV/Client.php#L111

That's how this really should be fixed; otherwise you might as well turn off https completely and switch to http..

Evert

@DeepDiver1975

This comment has been minimized.

Show comment
Hide comment
@DeepDiver1975

DeepDiver1975 Feb 26, 2013

Member

@evert Thanks for your feedback!

We use the SabreDAV client here to simple self-test if WebDAV is configured properly on the server.
If the connection is secure or not I more or less don't care at all in this scenario.

Retrieving the correct certificate for this scenario will most probably result in more trouble than help.

Member

DeepDiver1975 commented Feb 26, 2013

@evert Thanks for your feedback!

We use the SabreDAV client here to simple self-test if WebDAV is configured properly on the server.
If the connection is secure or not I more or less don't care at all in this scenario.

Retrieving the correct certificate for this scenario will most probably result in more trouble than help.

@evert

This comment has been minimized.

Show comment
Hide comment
@evert

evert Feb 26, 2013

Sorry.. heavily under the weather here.

I hate it.. but I guess it's a valid use-case, and I would accept a patch for it, or even add it myself. (if you wanna open a ticket, I can try to get it resolved within the next few days).

Regardless I would still like to avoid allowing users to specify any curl settings directly, but rather abstract curl away from the user a bit. In a perfect world people don't know curl is being used as consumer of the Client, so I could swap it out in the future, if I have to :). So instead of a addCurlSettings() I'd add a setVerifyPeer()', and a few constants for the different options.

I hope this makes sense, my brain is made of mucus.

evert commented Feb 26, 2013

Sorry.. heavily under the weather here.

I hate it.. but I guess it's a valid use-case, and I would accept a patch for it, or even add it myself. (if you wanna open a ticket, I can try to get it resolved within the next few days).

Regardless I would still like to avoid allowing users to specify any curl settings directly, but rather abstract curl away from the user a bit. In a perfect world people don't know curl is being used as consumer of the Client, so I could swap it out in the future, if I have to :). So instead of a addCurlSettings() I'd add a setVerifyPeer()', and a few constants for the different options.

I hope this makes sense, my brain is made of mucus.

@schiessle

This comment has been minimized.

Show comment
Hide comment
@schiessle

schiessle Feb 26, 2013

Member

I agree with @evert. That's exactly why we introduced the function mentioned by Evert. The server Admin should take care that the default cert bundles are installed. If a user wants to connect to his personal home server with a self signed certificate he can upload it to ownCloud in the personal settings.

I also see @DeepDiver1975 point if it come to self-test. But we should not make this an option for the user when he uses the webdav mount

Member

schiessle commented Feb 26, 2013

I agree with @evert. That's exactly why we introduced the function mentioned by Evert. The server Admin should take care that the default cert bundles are installed. If a user wants to connect to his personal home server with a self signed certificate he can upload it to ownCloud in the personal settings.

I also see @DeepDiver1975 point if it come to self-test. But we should not make this an option for the user when he uses the webdav mount

@DeepDiver1975

This comment has been minimized.

Show comment
Hide comment
@DeepDiver1975

DeepDiver1975 Feb 26, 2013

Member

I'll submit a pull request tonight - Thanks!

Member

DeepDiver1975 commented Feb 26, 2013

I'll submit a pull request tonight - Thanks!

@DeepDiver1975

This comment has been minimized.

Show comment
Hide comment
@DeepDiver1975

DeepDiver1975 Feb 27, 2013

Member

There will be a SabreDAV 1.7.5 release on Friday.
I'll prepare pull requests on the weekend to fix this.

Member

DeepDiver1975 commented Feb 27, 2013

There will be a SabreDAV 1.7.5 release on Friday.
I'll prepare pull requests on the weekend to fix this.

@BernhardPosselt

This comment has been minimized.

Show comment
Hide comment
@BernhardPosselt

BernhardPosselt Feb 28, 2013

Contributor

Can someone create docs for this if the admin has to do something? i think its quite an important topic.

Contributor

BernhardPosselt commented Feb 28, 2013

Can someone create docs for this if the admin has to do something? i think its quite an important topic.

@monreal

This comment has been minimized.

Show comment
Hide comment
@monreal

monreal Mar 3, 2013

Contributor

I get the same message, but only on the top of the Admin section of the web interface. Running 5.0.0-RC1 atm. Will this be fixed in 5.0.0 final or is there anything I need to fix on the server side?

Contributor

monreal commented Mar 3, 2013

I get the same message, but only on the top of the Admin section of the web interface. Running 5.0.0-RC1 atm. Will this be fixed in 5.0.0 final or is there anything I need to fix on the server side?

@BernhardPosselt

This comment has been minimized.

Show comment
Hide comment
@BernhardPosselt

BernhardPosselt Mar 3, 2013

Contributor

Try master

Contributor

BernhardPosselt commented Mar 3, 2013

Try master

@monreal

This comment has been minimized.

Show comment
Hide comment
@monreal

monreal Mar 3, 2013

Contributor

Running master now and it looks like my problem is a little bit different. My webserver enforces the use of SSL client certificates which the Sabre client does not have:

{"app":"core","message":"isWebDAVWorking: NO - Reason: exception 'Sabre_DAV_Exception' with message '[CURL] Error while making request: NSS: client certificate not found (nickname not specified) (error code: 56)' in \/home\/www\/3rdparty\/Sabre\/DAV\/Client.php:410\nStack trace:\n#0 \/home\/www\/3rdparty\/Sabre\/DAV\/Client.php(179): Sabre_DAV_Client->request('PROPFIND', '', '<?xml version=\"...', Array)\n#1 \/home\/www\/owncloud\/lib\/util.php(590): Sabre_DAV_Client->propFind('', Array)\n#2 \/home\/www\/owncloud\/settings\/admin.php(34): OC_Util::isWebDAVWorking()\n#3 \/home\/www\/owncloud\/lib\/route.php(113) : runtime-created function(1): require_once('\/home\/www\/owncl...')\n#4 [internal function]: __lambda_func(Array)\n#5 \/home\/www\/owncloud\/lib\/router.php(127): call_user_func('?lambda_249', Array)\n#6 \/home\/www\/owncloud\/lib\/base.php(600): OC_Router->match('\/settings\/admin')\n#7 \/home\/www\/owncloud\/index.php(28): OC::handleRequest()\n#8 {main}","level":2,"time":1362316700}
Contributor

monreal commented Mar 3, 2013

Running master now and it looks like my problem is a little bit different. My webserver enforces the use of SSL client certificates which the Sabre client does not have:

{"app":"core","message":"isWebDAVWorking: NO - Reason: exception 'Sabre_DAV_Exception' with message '[CURL] Error while making request: NSS: client certificate not found (nickname not specified) (error code: 56)' in \/home\/www\/3rdparty\/Sabre\/DAV\/Client.php:410\nStack trace:\n#0 \/home\/www\/3rdparty\/Sabre\/DAV\/Client.php(179): Sabre_DAV_Client->request('PROPFIND', '', '<?xml version=\"...', Array)\n#1 \/home\/www\/owncloud\/lib\/util.php(590): Sabre_DAV_Client->propFind('', Array)\n#2 \/home\/www\/owncloud\/settings\/admin.php(34): OC_Util::isWebDAVWorking()\n#3 \/home\/www\/owncloud\/lib\/route.php(113) : runtime-created function(1): require_once('\/home\/www\/owncl...')\n#4 [internal function]: __lambda_func(Array)\n#5 \/home\/www\/owncloud\/lib\/router.php(127): call_user_func('?lambda_249', Array)\n#6 \/home\/www\/owncloud\/lib\/base.php(600): OC_Router->match('\/settings\/admin')\n#7 \/home\/www\/owncloud\/index.php(28): OC::handleRequest()\n#8 {main}","level":2,"time":1362316700}
@BernhardPosselt

This comment has been minimized.

Show comment
Hide comment
@BernhardPosselt

BernhardPosselt Mar 3, 2013

Contributor
Contributor

BernhardPosselt commented Mar 3, 2013

@evert

This comment has been minimized.

Show comment
Hide comment
@evert

evert Mar 3, 2013

Hi @raydiation , I don't really recognize this error.

Also, I would like to kindly request if you could do some debugging before asking me. I'm definitely willing to help with all kinds of stuff, and I enjoy it.. but it's important to me that in return, there's a bit of a display of effort..

evert commented Mar 3, 2013

Hi @raydiation , I don't really recognize this error.

Also, I would like to kindly request if you could do some debugging before asking me. I'm definitely willing to help with all kinds of stuff, and I enjoy it.. but it's important to me that in return, there's a bit of a display of effort..

@BernhardPosselt

This comment has been minimized.

Show comment
Hide comment
@BernhardPosselt

BernhardPosselt Mar 3, 2013

Contributor

@evert i see, i thought the error was somehow related to the latest fix in sabredav, im not working on the webdav component so i dont really know where to debug this correctly.

@icewind1991 @blizzz @bartv2

Contributor

BernhardPosselt commented Mar 3, 2013

@evert i see, i thought the error was somehow related to the latest fix in sabredav, im not working on the webdav component so i dont really know where to debug this correctly.

@icewind1991 @blizzz @bartv2

@evert

This comment has been minimized.

Show comment
Hide comment
@evert

evert Mar 3, 2013

No problem =) There's only two hits for this error on stackoverflow, so my first guess would be that SSL is misconfigured somehow.

evert commented Mar 3, 2013

No problem =) There's only two hits for this error on stackoverflow, so my first guess would be that SSL is misconfigured somehow.

@bartv2

This comment has been minimized.

Show comment
Hide comment
@bartv2

bartv2 Mar 3, 2013

Member

@monreal as you indicate your webserver enforces the use of SSL client certificates. Can you create a new issue, with the enhancement label? Thanks.

Member

bartv2 commented Mar 3, 2013

@monreal as you indicate your webserver enforces the use of SSL client certificates. Can you create a new issue, with the enhancement label? Thanks.

@monreal

This comment has been minimized.

Show comment
Hide comment
@monreal

monreal Mar 3, 2013

Contributor

Sure no problem.

Contributor

monreal commented Mar 3, 2013

Sure no problem.

@Erowlin

This comment has been minimized.

Show comment
Hide comment
@Erowlin

Erowlin Apr 15, 2013

UP (:

Server Configuration :

erowlin@tp:/var/www$ apache2 -v
Server version: Apache/2.2.22 (Ubuntu)
Server built: Mar 8 2013 15:53:13

erowlin@tp:/var/www$ php5 -v
PHP 5.3.10-1ubuntu3.6 with Suhosin-Patch (cli) (built: Mar 11 2013 14:31:48)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies

Navigateur :

Google Chrome

Version of owncloud : v5.0.4RC1

Last commit :
commit d484e14
Merge: 2fa34d6 19526c9
Author: Jan-Christoph Borchardt hey@jancborchardt.net
Date: Mon Apr 15 12:04:15 2013 -0700
commit d484e14
Merge: 2fa34d6 19526c9

Erowlin commented Apr 15, 2013

UP (:

Server Configuration :

erowlin@tp:/var/www$ apache2 -v
Server version: Apache/2.2.22 (Ubuntu)
Server built: Mar 8 2013 15:53:13

erowlin@tp:/var/www$ php5 -v
PHP 5.3.10-1ubuntu3.6 with Suhosin-Patch (cli) (built: Mar 11 2013 14:31:48)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies

Navigateur :

Google Chrome

Version of owncloud : v5.0.4RC1

Last commit :
commit d484e14
Merge: 2fa34d6 19526c9
Author: Jan-Christoph Borchardt hey@jancborchardt.net
Date: Mon Apr 15 12:04:15 2013 -0700
commit d484e14
Merge: 2fa34d6 19526c9

@bartv2

This comment has been minimized.

Show comment
Hide comment
@bartv2

bartv2 Apr 16, 2013

Member

@Erowlin can you give more information? And please open a new issue when it does not match this issue

Member

bartv2 commented Apr 16, 2013

@Erowlin can you give more information? And please open a new issue when it does not match this issue

@Erowlin

This comment has been minimized.

Show comment
Hide comment
@Erowlin

Erowlin Apr 16, 2013

It's exactly the same error, what do you need more?

I checked my apache2 configuration, no mod_webdav enabled.

Erowlin commented Apr 16, 2013

It's exactly the same error, what do you need more?

I checked my apache2 configuration, no mod_webdav enabled.

@bartv2

This comment has been minimized.

Show comment
Hide comment
@bartv2

bartv2 Apr 17, 2013

Member

@Erowlin the same error in owncloud.log? did you update 3rdparty?

Member

bartv2 commented Apr 17, 2013

@Erowlin the same error in owncloud.log? did you update 3rdparty?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment