External user ftp - Unable to activate SSL

lejeczek · February 2, 2018, 3:56pm

Steps to reproduce

use external users
use vsftpd
use self signed certs

Expected behaviour

Would work

Actual behaviour

I see this in logs:

{"reqId":"WnSEf8amiVsa-ZQ@byujtgAAAAk","remoteAddr":"172.24.154.138","app":"PHP","message":"opendir(): Peer certificate CN=sucker.localdomain' did not match expected CN=localhost' at \/usr\/share\/owncloud\/apps\/user_external\/lib\/ftp.php#57","level":0,"time":"2018-02-02T15:32:15+00:00","method":"POST","url":"\/owncloud\/index.php\/login?user=interviewer_1","user":"--"}
{"reqId":"WnSEf8amiVsa-ZQ@byujtgAAAAk","remoteAddr":"172.24.154.138","app":"PHP","message":"opendir(ftps:\/\/...@localhost:990\/): failed to open dir: Unable to activate SSL mode at \/usr\/share\/owncloud\/apps\/user_external\/lib\/ftp.php#57","level":0,"time":"2018-02-02T15:32:15+00:00","method":"POST","url":"\/owncloud\/index.php\/login?user=interviewer_1","user":"--"}
{"reqId":"WnSEf8amiVsa-ZQ@byujtgAAAAk","remoteAddr":"172.24.154.138","app":"core","message":"Login failed: 'interviewer_1' (Remote IP: '172.24.154.138')","level":2,"time":"2018-02-02T15:32:15+00:00","method":"POST","url":"\/owncloud\/index.php\/login?user=interviewer_1","user":"--"}

Server configuration

Operating system: Centos 7

Web server: Apache

Database: mariadb

PHP version: 7

ownCloud version: 9.1.5

Updated from an older ownCloud or fresh install:

Where did you install ownCloud from:

Signing status (ownCloud 9.0 and above):

Login as admin user into your ownCloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results into https://gist.github.com/ and puth the link here.

The content of config/config.php:
...
'user_backends' => array (
0 => array (
'class' => 'OC_User_FTP',
'arguments' => array (
0 => 'localhost:990',
1 => 'true',
2 => array ( 'allow_self_signed' => true, ),
),
),
..

Log in to the web-UI with an administrator account and click on
'admin' -> 'Generate Config Report' -> 'Download ownCloud config report'
This report includes the config.php settings, the list of activated apps
and other details in a well sanitized form.

or 

If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your ownCloud installation folder

*ATTENTION:* Do not post your config.php file in public as is. Please use one of the above
methods whenever possible. Both, the generated reports from the web-ui and from occ config:list
consistently remove sensitive data. You still may want to review the report before sending.
If done manually then it is critical for your own privacy to dilligently
remove *all* host names, passwords, usernames, salts and other credentials before posting.
You should assume that attackers find such information and will use them against your systems.

List of activated apps:

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your ownCloud installation folder.

Are you using external storage, if yes which one: local/smb/sftp/...

Are you using encryption: yes/no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...

LDAP configuration (delete this part if not used)

With access to your command line run e.g.:
sudo -u www-data php occ ldap:show-config
from within your ownCloud installation folder

Without access to your command line download the data/owncloud.db to your local
computer or access your SQL server remotely and run the select query:
SELECT * FROM `oc_appconfig` WHERE `appid` = 'user_ldap';


Eventually replace sensitive data as the name/IP-address of your LDAP server or groups.

Client configuration

Browser:

Operating system:

Logs

Web server error log

Insert your webserver log here

ownCloud log (data/owncloud.log)

Insert your ownCloud log here

Browser log

Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log 
c) ...

Strange thing, to me, is that from owncloud.log:
...
Peer certificate CN=sucker.localdomain' did not match expected CN=localhost' at ..
...
Where does owncloud get CNR=localhost from?
Both Apache & vsftpd point/use the same self signed certificates.

Would you know what might be a problem?
many thanks, L.

jvillafanez · February 5, 2018, 8:37am

{"reqId":"WnSEf8amiVsa-ZQ@byujtgAAAAk","remoteAddr":"172.24.154.138","app":"PHP","message":"opendir(ftps:\/\/...@localhost:990\/): failed to open dir: Unable to activate SSL mode at \/usr\/share\/owncloud\/apps\/user_external\/lib\/ftp.php#57","level":0,"time":"2018-02-02T15:32:15+00:00","method":"POST","url":"\/owncloud\/index.php\/login?user=interviewer_1","user":"--"}

Try accessing to sucker.localdomain instead of localhost in the ftp configuration.