Certificate error after upgrade to 5.0.0 from 4.0.6
I am looking for troubleshooting guidance. What can I try next?
Setup
browser (https://owncloud.example.com) ↔ [Internet] ↔ (WAN) HAproxy reverse proxy on pfSense in a VM ↔ (LAN) OCIS in docker on a Ubuntu 22.04 VM
This setup has worked from OCIS 2.0.0 through the following upgrades (docker compose pull):
- 2.0.0 to 3.0.0
- 3.0.0 to 4.0.2
- 4.0.2 to 4.0.3
- 4.0.3 to 4.0.4
- 4.0.4 to 4.0.5
- 4.0.5 to 4.0.6
After upgrade from 4.0.6 to 5.0.0:
On the client browser (macOS 14.4.1, Safari 17.4.1), when logging in I receive the following error message:

```
Unexpected HTTP response: 500. Please check your connection and try again.
```
I expect to pass login page and see the OCIS personal dashboard.
Error messages on the docker side (filtered by ERR):
```
2024-04-13T07:14:47Z ERR handleConnection ber.ReadPacket | service=idm error=remote error: tls: bad certificate line=github.com/owncloud/ocis/v2/ocis-pkg/log/logrus_wrapper.go:50
2024-04-13T07:14:47Z ERR identifier failed to logon with backend | service=idp error=ldap identifier backend logon connect error: LDAP Result Code 200 "Network Error": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-04-13T07:14:47Z is after 2024-04-05T08:43:54Z line=github.com/owncloud/ocis/v2/ocis-pkg/log/logrus_wrapper.go:50
```
I’ve checked that the certificate for owncloud.example.com is valid on pfSense.
I am using the built-in IDP.
```
$ docker version
Client: Docker Engine - Community
 Version:           26.0.1
 API version:       1.45
 Go version:        go1.21.9
 Git commit:        d260a54
 Built:             Thu Apr 11 10:53:21 2024
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          26.0.1
  API version:      1.45 (minimum version 1.24)
  Go version:       go1.21.9
  Git commit:       60b9add
  Built:            Thu Apr 11 10:53:21 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.31
  GitCommit:        e377cd56a71523140ca6ae87e30244719194a521
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
```
At 4.0.6, docker-compose.yml (no .env file):

```yaml
version: "3.9"
services:
  owncloud:
    hostname: owncloud
    image: owncloud/ocis:4.0.6
    entrypoint:
      - /bin/sh
    # Run ocis init to initialize a configuration file with random secrets.
    # It will fail on subsequent runs, because the config file already exists.
    # Therefore we ignore the error and then start the ocis server
    command: ["-c", "ocis init || true; ocis server"]
    ports:
      - 9200:9200
    networks:
      ocis-net:
    environment:
      OCIS_URL: https://owncloud.example.com
      OCIS_LOG_LEVEL: "info"
      OCIS_LOG_COLOR: "false"
      PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
      # INSECURE: needed if oCIS / Traefik is using self generated certificates
      OCIS_INSECURE: "true"
      # admin user password
      IDM_ADMIN_PASSWORD: "snipped" # this overrides the admin password from the configuration file
      # demo users
      IDM_CREATE_DEMO_USERS: "false"
    volumes:
      - /mnt/owncloud_config:/etc/ocis
      - /mnt/owncloud_data:/var/lib/ocis
    logging:
      driver: "local"
    restart: always
networks:
  ocis-net:
```
At 5.0.0, docker-compose.yml (no .env file):

```yaml
version: "3.9"
services:
  owncloud:
    hostname: owncloud
    image: owncloud/ocis:5.0.0
    entrypoint:
      - /bin/sh
    # Run ocis init to initialize a configuration file with random secrets.
    # It will fail on subsequent runs, because the config file already exists.
    # Therefore we ignore the error and then start the ocis server
    command: ["-c", "ocis init || true; ocis server"]
    ports:
      - 9200:9200
    networks:
      ocis-net:
    environment:
      OCIS_URL: https://owncloud.example.com
      OCIS_LOG_LEVEL: "info"
      OCIS_LOG_COLOR: "false"
      PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
      # INSECURE: needed if oCIS / Traefik is using self generated certificates
      OCIS_INSECURE: "true"
      # admin user password
      IDM_ADMIN_PASSWORD: "snipped" # this overrides the admin password from the configuration file
      # demo users
      IDM_CREATE_DEMO_USERS: "false"
      OCIS_SERVICE_ACCOUNT_ID: "snipped"
      OCIS_SERVICE_ACCOUNT_SECRET: "snipped"
    volumes:
      - /mnt/owncloud_config:/etc/ocis
      - /mnt/owncloud_data:/var/lib/ocis
    logging:
      driver: "local"
    restart: always
networks:
  ocis-net:
```
I thought maybe 5.0.1 could fix something, so I just ran docker compose pull as usual and also added:

```yaml
    environment:
      PROXY_HTTP_ADDR: "0.0.0.0:9200"
```
Same errors with or without the above change.
For each upgrade, I did read the upgrade section in the official docs for notable and breaking changes.
I could have missed something, but I don’t think so.
Unfortunately, I don’t have backups for volumes used in the docker-compose.
Is it safe to just run 4.0.6’s docker-compose.yml now, as a downgrade workaround?
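What the two ERR lines quoted in the post say, as an added triage example (not part of the post and not oCIS code): the idm line is the LDAP server receiving a TLS "bad certificate" alert from its client, and the idp line is that client explaining why, namely that the certificate it was shown expired on 2024-04-05. The script below parses oCIS ERR records of that shape and extracts the service, the failure kind and the expiry, so the same check can be run over a full `docker compose logs` dump; the record layout is inferred from the two quoted lines and is an assumption.

```python
import re
from datetime import datetime, timezone

# The two ERR lines quoted in the post above (hostnames already anonymised there).
SAMPLE_LOG = """\
2024-04-13T07:14:47Z ERR handleConnection ber.ReadPacket | service=idm error=remote error: tls: bad certificate line=github.com/owncloud/ocis/v2/ocis-pkg/log/logrus_wrapper.go:50
2024-04-13T07:14:47Z ERR identifier failed to logon with backend | service=idp error=ldap identifier backend logon connect error: LDAP Result Code 200 "Network Error": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-04-13T07:14:47Z is after 2024-04-05T08:43:54Z line=github.com/owncloud/ocis/v2/ocis-pkg/log/logrus_wrapper.go:50
"""

# Record layout as seen in the post (assumed): "<ts> ERR <msg> | service=<svc> error=<err> line=<src>"
LINE_RE = re.compile(r"^(?P<ts>\S+) ERR (?P<msg>.*?) \| service=(?P<service>\S+) error=(?P<error>.*) line=\S+$")
# Go's x509 verifier phrases a validity failure as "current time X is after/before Y".
VALIDITY_RE = re.compile(r"current time (?P<now>\S+) is (?P<rel>after|before) (?P<bound>\S+)")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def classify(line):
    """Return a dict describing one ERR record, or None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    err = m["error"]
    rec = {"service": m["service"], "kind": "other", "error": err}
    if "remote error: tls: bad certificate" in err:
        # A TLS alert sent by the peer: the *other* side rejected this service's certificate.
        rec["kind"] = "peer_rejected_certificate"
    v = VALIDITY_RE.search(err)
    if v:
        now, bound = parse_ts(v["now"]), parse_ts(v["bound"])
        if v["rel"] == "after":
            rec["kind"] = "expired"
            rec["not_after"] = bound
            rec["expired_for_days"] = (now - bound).total_seconds() / 86400
        else:
            rec["kind"] = "not_yet_valid"
            rec["not_before"] = bound
    return rec

def triage(log_text):
    """Classify every ERR record in a log dump; lines that do not match are skipped."""
    return [r for r in (classify(l) for l in log_text.splitlines()) if r]

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec["service"], rec["kind"], rec.get("not_after", ""), rec.get("expired_for_days", ""))
```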