After upgrade from 9.0.6 to 10.0.3 errors

eljot42 · October 13, 2017, 8:12am

After upgrade from 9.0.6 to 10.0.3 I have several errors regarding my owncloud installation.

In 9.0.6 everything woks perfect, noc errors warning except StrictHTTPS duration time.
Now, I receive every time the following errors:

In German:
Transaktionales Sperren sollte zur Nutzung des speicherbasierten Sperrens anstatt des langsamen Datenbank basierten Sperrens konfiguriert werden.
In the documentation the memchache is recommended.
"Dieser Server hat keine funktionierende Internetverbindung. Dies bedeutet, dass einige Funktionen wie das Einhängen externen Speicherplatzes, Update-Benachrichtigungen oder die Installation von Drittanbieter-Apps nicht funktionieren werden. Der Fernzugriff auf Dateien und der Versand von E-Mail-Benachrichtigungen kann ebenfalls nicht funktionieren. Es wird empfohlen, die Internetverbindung dieses Servers zu aktivieren, wenn Sie alle Funktionen nutzen möchten."

The error could not be possible. I have upgraded from a fully working version. The app installation worked properply. Also every other CMS isntallation on the server works properly. Connections are availabe in both directions to and from the server on several ports.
Which kind of connection owncloud uses to test the availability of h ttps://ownlcoud.org ?

No Marketplace connection:
Shortly the error message appears:
No marketplace connection: cURL error 77: error setting certificate verify locations: CAfile: /tmp/oc_tmp_rfRzGo-.crt CApath: /etc/ssl/certs
I have read in several threads that a ca_bundle.crt has to be present in config-dir. But this doesn't work at my installation. Therefore the api key is not working.

Curl-Tests:
curl -I -v h ttps://google.com
* Rebuilt URL to: h ttps://google.com/
* Trying 216.58.208.46...
* Connected to google.com (216.58.208.46) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 596 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_ECDSA_AES_128_GCM_SHA256
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: *.google.com (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: EC
* certificate version: #3
* subject: C=US,ST=California,L=Mountain View,O=Google Inc,CN=*.google.com
* start date: Tue, 03 Oct 2017 17:45:20 GMT
* expire date: Tue, 26 Dec 2017 17:44:00 GMT
* issuer: C=US,O=Google Inc,CN=Google Internet Authority G2
* compression: NULL
* ALPN, server accepted to use http/1.1

HEAD / HTTP/1.1
Host: google.com
User-Agent: curl/7.47.0
Accept: /

< HTTP/1.1 302 Found
HTTP/1.1 302 Found
< Cache-Control: private
Cache-Control: private
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
< Referrer-Policy: no-referrer
Referrer-Policy: no-referrer
< Location: h t t ps://www.google.de/?gfe_rd=cr&dcr=0&ei=gXHgWbXTJ4Lb8Afpm67IAQ
Location: h t t ps://www.google.de/?gfe_rd=cr&dcr=0&ei=gXHgWbXTJ4Lb8Afpm67IAQ
< Content-Length: 269
Content-Length: 269
< Date: Fri, 13 Oct 2017 07:55:45 GMT
Date: Fri, 13 Oct 2017 07:55:45 GMT
< Alt-Svc: quic=":443"; ma=2592000; v="39,38,37,35"
Alt-Svc: quic=":443"; ma=2592000; v="39,38,37,35"

<
* Connection #0 to host google.com left intact

With ownclod.org, I receive the following output:
curl -I -k -v h ttps://ownlcoud.org
* Rebuilt URL to: h ttps://ownlcoud.org/
* Trying 185.53.179.7...
* Connected to ownlcoud.org (185.53.179.7) port 443 (#0)
* found 149 certificates in /etc/ssl/certs/ca-certificates.crt
* found 745 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification SKIPPED
* server certificate status verification SKIPPED
* common name: www.parkingcrew.com (does not match 'ownlcoud.org')
* server certificate expiration date FAILED
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: CN=www.parkingcrew.com
* start date: Mon, 24 Nov 2014 00:00:00 GMT
* expire date: Sat, 01 Jul 2017 23:59:59 GMT
* issuer: C=US,O=thawte\, Inc.,OU=Domain Validated SSL,CN=thawte DV SSL CA - G2
* compression: NULL
* ALPN, server accepted to use http/1.1

HEAD / HTTP/1.1
Host: ownlcoud.org
User-Agent: curl/7.47.0
Accept: /

< HTTP/1.1 302 Found
HTTP/1.1 302 Found
< Location: h ttp://ownlcoud.org?_xas=28d726c7756aabc895def1e90c2a4ca4b8e424ba
Location: h ttp://ownlcoud.org?_xas=28d726c7756aabc895def1e90c2a4ca4b8e424ba
< Date: Fri, 13 Oct 2017 08:14:00 GMT
Date: Fri, 13 Oct 2017 08:14:00 GMT
< Content-Type: text/plain; charset=utf-8
Content-Type: text/plain; charset=utf-8

<
* Connection #0 to host ownlcoud.org left intact

Without the -k oprion in curl:
curl -I -v h t t p s : //ownlcoud.org
* Rebuilt URL to: https ://ownlcoud.org/
* Trying 185.53.179.7...
* Connected to ownlcoud.org (185.53.179.7) port 443 (#0)
* found 149 certificates in /etc/ssl/certs/ca-certificates.crt
* found 745 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
* Closing connection 0
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http ://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

It seems that the ssl-certificate from owncloud is not set properly.
Please fix.

All links have an extra space character due to new user limitations.

dmitry · October 13, 2017, 9:45am

you have own l cound

it should be own Cloud

you switched the L and the C

also, could you tell me something about your setup?

eljot42 · October 13, 2017, 12:00pm

Sorry about the mistyped curl

Here is the correct curl output:
curl -I -v https://owncloud.org
* Rebuilt URL to: https://owncloud.org/
* Trying 213.239.207.28...
* Connected to owncloud.org (213.239.207.28) port 443 (#0)
* found 149 certificates in /etc/ssl/certs/ca-certificates.crt
* found 745 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: owncloud.org (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: CN=owncloud.org
* start date: Thu, 31 Aug 2017 13:56:00 GMT
* expire date: Wed, 29 Nov 2017 13:56:00 GMT
* issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
* compression: NULL
* ALPN, server did not agree to a protocol

HEAD / HTTP/1.1
Host: owncloud.org
User-Agent: curl/7.47.0
Accept: /

< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx
Server: nginx
< Date: Fri, 13 Oct 2017 11:55:10 GMT
Date: Fri, 13 Oct 2017 11:55:10 GMT
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
< Connection: keep-alive
Connection: keep-alive
< Vary: Accept-Encoding
Vary: Accept-Encoding
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
Pragma: no-cache
< Link: ; rel="https://api.w.org/"
Link: ; rel="https://api.w.org/"
< Link: ; rel=shortlink
Link: ; rel=shortlink
< Strict-Transport-Security: max-age=15768000
Strict-Transport-Security: max-age=15768000
< X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; mode=block

<
* Connection #0 to host owncloud.org left intact

Therefore I think, a secure connection via curl to owncloud must be possible.

Which other setup information do you need?

dmitry · October 13, 2017, 12:22pm

how did you upgrade?

On what platform is ownCloud running?

does the owncloud.log file say anything important?

eljot42 · October 13, 2017, 1:26pm

The server is running Ubuntu server 16.04 LTS with all updates. httpd is apache with mysql db.

I have upgraded manually according to the manual (https://doc.owncloud.org/server/10.0/admin_manual/maintenance/upgrade.html)
The upgrade process ended successfull.

The log entry:
{"reqId":"PqyM1QBdp1IXfoTEuvxi","level":3,"time":"2017-10-13T07:00:03+00:00","remoteAddr":"","user":"--","app":"core","method":"--","url":"\/owncloud\/cron.php","message":"Error while running background job (class: OCA\Market\CheckUpdateBackgroundJob, arguments: ): {\"Exception\":\"OCP\\App\\AppManagerException\",\"Message\":\"No marketplace connection: cURL error 77: error setting certificate verify locations:\n CAfile: \\/tmp\\/oc_tmp_gzOKb8-.crt\n CApath: \\/etc\\/ssl\\/certs\",\"Code\":0,\"Trace\":\"#0 \\/owncloud\\/apps\\/market\\/lib\\/MarketService.php(512): OCA\\Market\\MarketService->httpGet('https:\\/\\/marketp...')\n#1 \\/owncloud\\/apps\\/market\\/lib\\/MarketService.php(393): OCA\\Market\\MarketService->queryData('apps_10.0.3', '\\/api\\/v1\\/platfor...')\n#2 \\/owncloud\\/apps\\/market\\/lib\\/MarketService.php(219): OCA\\Market\\MarketService->getApps()\n#3 \\/owncloud\\/apps\\/market\\/lib\\/MarketService.php(199): OCA\\Market\\MarketService->getAppInfo('activity')\n#4 \\/owncloud\\/apps\\/market\\/lib\\/MarketService.php(322): OCA\\Market\\MarketService->getAvailableUpdateVersion('activity')\n#5 \\/owncloud\\/apps\\/market\\/lib\\/CheckUpdateBackgroundJob.php(85): OCA\\Market\\MarketService->getUpdates()\n#6 \\/owncloud\\/lib\\/private\\/BackgroundJob\\/Job.php(57): OCA\\Market\\CheckUpdateBackgroundJob->run(NULL)\n#7 \\/owncloud\\/lib\\/private\\/BackgroundJob\\/TimedJob.php(53): OC\\BackgroundJob\\Job->execute(Object(OC\\BackgroundJob\\JobList), Object(OC\\Log))\n#8 \\/owncloud\\/cron.php(121): OC\\BackgroundJob\\TimedJob->execute(Object(OC\\BackgroundJob\\JobList), Object(OC\\Log))\n#9 {main}\",\"File\":\"\\/owncloud\\/apps\\/market\\/lib\\/MarketService.php\",\"Line\":475}"}
Since this entry, there is only another entry which is repeated several times:
{"reqId":"URqch6E1vWUBXqa3P7U1","level":3,"time":"2017-10-13T07:03:39+00:00","remoteAddr":"79.233.198.109","user":"loeffler","app":"PHP","method":"GET","url":"\/owncloud\/index.php\/settings\/admin?sectionid=general","message":"opendir(\/owncloud\/owncloud\/themes): failed to open dir: No such file or directory at /owncloud\/owncloud\/apps\/templateeditor\/lib\/mailtemplate.php#155"}

dmitry · October 13, 2017, 1:42pm

Can you explain why it does not work in your installation?

Also, your config.php would be helpful

eljot42 · October 13, 2017, 1:52pm

The inserted api key, issued via the marketplace, is said to be wrong.
I have no marketplace connection at all due to the failure also described above:
No marketplace connection: cURL error 77: error setting certificate verify locations: CAfile: /tmp/oc_tmp_awwkns-.crt CApath: /etc/ssl/certs

The server certificate from owncloud.org and the server can be verified ddirectly using the curl vie cli. As you can see in the curl output, the owncloud.org does not handle correctly a used protocol:
"* ALPN, server did not agree to a protocol"

In addition, the error message in the admin settings is also shown, that the server does not have an internet connection what is not in case.

The config.php:
$CONFIG = array (
'instanceid' => 'oc7253fc302b',
'passwordsalt' => 'salt',
'trusted_domains' =>
array (
0 => 'loefflerp.net',
1 => 'www.loefflerp.net',
2 => '178.254.42.141',
),
'datadirectory' => 'serverroot/owncloud/ownclouddata',
'dbtype' => 'mysql',
'version' => '10.0.3.3',
'dbname' => 'owncloud',
'dbhost' => 'localhost',
'dbtableprefix' => 'oc_',
'dbuser' => 'user',
'dbpassword' => 'passwd',
'installed' => true,
'forcessl' => true,
'theme' => '',
'maintenance' => false,
'mail_from_address' => 'owncloud',
'mail_smtpmode' => 'php',
'mail_domain' => 'loefflerp.de',
'overwriteprotocol' => 'https',
'overwritewebroot' => '/owncloud',
'secret' => 'secret',
'loglevel' => 0,
'overwrite.cli.url' => '/owncloud',
'trashbin_retention_obligation' => 'auto',
'htaccess.RewriteBase' => '/owncloud',
'enable_certificate_management' => true,
)

dmitry · October 13, 2017, 2:02pm

/tmp/oc_tmp_awwkns-.crt CApath: /etc/ssl/certs

can you check if your web user has the permissions on these files?

eljot42 · October 13, 2017, 2:08pm

There is no /tmp/oc_tmp_awwkns-.crt

The user www-data can write to /tmp:
sudo -u www-data touch test.txt
root@v36910:/tmp# ls -la
total 40
drwx------ 3 www-data www-data 4096 Aug 15 14:04 owncloud-oc7253fc302b
-rw-r--r-- 1 www-data www-data 0 Oct 13 08:30 owncloud-server-oc7253fc302b-cron.lock
-rw-r--r-- 1 www-data www-data 0 Oct 13 16:04 test.txt

The user www-data can also access the /etc/ssl/certs/:
sudo -u www-data ls -la /etc/ssl/certs/
gives all installed certificate

and
sudo -u www-data less /etc/ssl/certs/ca-certificates.crt
is also correct.