Cannot login to OCIS server after Bare Metal set up

spidee · October 23, 2023, 8:28am

Hello,

I have tried to install OCIS server on my personal server (Rocky Linux 9) following these steps https://doc.owncloud.com/ocis/next/depl-examples/bare-metal.html,
but after I insert admin login credentials to ownCloud server web portal (hosted on my domain) it fails with this message:

Not logged in

This could be because of a routine safety log out, or because your account is either inactive or not yet authorized for use. Please try logging in after a while or seek help from your Administrator.

There is strange entries in my logs saying “failed to verify certificate” even though TSL certificate validation should be off.

Oct 22 19:05:13 *******.cz ocis[2487891]: {"level":"error","service":"proxy","error":"failed to verify access token: Get \"https://cloud.*******.cz/.well-known/openid-configuration\": tls: failed to verify certificate: x509: certificate is valid for zeroshell.example.com, not cloud.*******.cz","authenticator":"oidc","path":"/api/v0/settings/values-list","time":"2023-10-22T19:05:13.347388066+02:00","message":"failed to authenticate the request"}
Oct 22 19:05:13 *******.cz ocis[2487891]: {"level":"warn","service":"frontend","pkg":"rhttp","traceid":"00000000000000000000000000000000","time":"2023-10-22T19:05:13.354471876+02:00","message":"core access token not set"}
Oct 22 19:05:13 *******.cz ocis[2487891]: {"level":"error","service":"gateway","pkg":"rgrpc","traceid":"00000000000000000000000000000000","error":"internal error: gateway: error finding an auth provider for type: bearer","type":"bearer","time":"2023-10-22T19:05:13.35509323+02:00","message":"error getting auth provider client"}

There are my ocis.env and ocis.yaml files

OCIS_URL=https://cloud.*******.cz
PROXY_HTTP_ADDR=0.0.0.0:9200
PROXY_TLS=false
OCIS_INSECURE=false

OCIS_LOG_LEVEL=warn

OCIS_CONFIG_DIR=/etc/ocis
OCIS_BASE_DATA_PATH=/var/lib/ocis

token_manager:
  jwt_secret: ************************************
machine_auth_api_key:************************************
system_user_api_key: ************************************
transfer_secret: ************************************
system_user_id: ************************************
admin_user_id: ************************************
graph:
  application:
    id: ************************************
  events:
    tls_insecure: true
  spaces:
    insecure: true
  identity:
    ldap:
      bind_password: ************************************
idp:
  ldap:
    bind_password: ************************************
idm:
  service_user_passwords:
    admin_password: ************************************
    idm_password: ************************************
    reva_password: ************************************
    idp_password: ************************************
proxy:
  oidc:
    insecure: true
  insecure_backends: true
frontend:
  archiver:
    insecure: true
auth_basic:
  auth_providers:
    ldap:
      bind_password: ************************************
auth_bearer:
  auth_providers:
    oidc:
      insecure: true
users:
  drivers:
    ldap:
      bind_password: ************************************
groups:
  drivers:
    ldap:
      bind_password: ************************************
ocdav:
  insecure: true
thumbnails:
  thumbnail:
    transfer_secret: ************************************
    webdav_allow_insecure: true
    cs3_allow_insecure: true
search:
  events:
    tls_insecure: true
audit:
  events:
    tls_insecure: true
sharing:
  events:
    tls_insecure: true
storage_users:
  events:
    tls_insecure: true
  mount_id: ************************************
notifications:
  notifications:
    events:
      tls_insecure: true
nats:
  nats:
    tls_skip_verify_client_cert: true
gateway:
  storage_registry:
    storage_users_mount_id: ************************************

I’m using my nginx proxy with valid SSL certificates (generated by letsencrytpt).

Do you know where could be a problem? Is there something I’m missing?

Thank you very much for help.

rhaferkamp · October 23, 2023, 3:29pm

spidee:

There is strange entries in my logs saying “failed to verify certificate” even though TSL certificate validation should be off.

Oct 22 19:05:13 *******.cz ocis[2487891]: {"level":"error","service":"proxy","error":"failed to verify access token: Get \"https://cloud.*******.cz/.well-known/openid-configuration\": tls: failed to verify certificate: x509: certificate is valid for zeroshell.example.com, not cloud.*******.cz","authenticator":"oidc","path":"/api/v0/settings/values-list","time":"2023-10-22T19:05:13.347388066+02:00","message":"failed to authenticate the request"}
Oct 22 19:05:13 *******.cz ocis[2487891]: {"level":"warn","service":"frontend","pkg":"rhttp","traceid":"00000000000000000000000000000000","time":"2023-10-22T19:05:13.354471876+02:00","message":"core access token not set"}
Oct 22 19:05:13 *******.cz ocis[2487891]: {"level":"error","service":"gateway","pkg":"rgrpc","traceid":"00000000000000000000000000000000","error":"internal error: gateway: error finding an auth provider for type: bearer","type":"bearer","time":"2023-10-22T19:05:13.35509323+02:00","message":"error getting auth provider client"}

There are my ocis.env and ocis.yaml files

PROXY_TLS=false
OCIS_INSECURE=false

Actually this does not mean that certificate validation is turned off. OCIS_INSECURE=false means that validation is on.
What happens is, that ocis needs to read the IDPs .well-known/openid-configuraton this request is sent to the public facing URL of the IDP ($OCIS_URL) and is not affected by the PROXY_TLS setting.

Sure? The certificate does not seem to be created for $OCIS_URL at least the error message says something different