Unable to connect storage mapping to Nextcloud #658

Open
Taomyn opened this issue Dec 4, 2024 · 5 comments
Labels
bug Something isn't working

Comments


Taomyn commented Dec 4, 2024

I cannot get my workspaces to connect to a configured storage mapping to Nextcloud v30. The provider information looks good when checking against your documentation, I know the WebDAV URL works from a Kasm workspace, and I have recreated the application password for the Nextcloud account I want to connect with to be sure it's correct, but nothing happens and the directory never shows up within my Brave browser workspace.

When I connect with a Terminal workspace I can change to /nextcloud but a directory listing returns:

ls: reading directory '.': Input/output error

I cannot see anything logged in Kasm and nothing is being logged on Nextcloud even though with tcpdump I see connections from Kasm to Nextcloud, so the traffic is flowing. Both are on my local network and are separate machines.

Is there some logging setting I am missing to be able to trace what Kasm is doing?

Taomyn added the bug label Dec 4, 2024
Author

Taomyn commented Dec 4, 2024

Quick update, I did manage to figure out that it's the docker plugin for rclone that performs the connection, and once I worked out how to access its logs through docker, something I am not too familiar with, I saw this:

Dec 04 11:13:49 KODOS dockerd[194]: time="2024-12-04T11:13:49.752926632+01:00" level=info msg="ignoring event" container=e9013c3b16aa720f3f983c68c5af50b56a73f35faf2d9886967d30ee02defa0b module=libcontainerd namespace=moby topic=/tasks/delete type="*events.TaskDelete"
Dec 04 11:13:49 KODOS dockerd[194]: time="2024-12-04T11:13:49+01:00" level=error msg="2024/12/04 10:13:49 INFO  : webdav root '': poll-interval is not supported by this remote" plugin=4b8d2d63b7b67ac26abc615c313d98d9eac4bb05b33b47b9dea3bf165e905192
Dec 04 11:13:49 KODOS dockerd[194]: time="2024-12-04T11:13:49+01:00" level=error msg="2024/12/04 10:13:49 NOTICE: webdav root '': --vfs-cache-mode writes or full is recommended for this remote as it can't stream" plugin=4b8d2d63b7b67ac26abc615c313d98d9eac4bb05b33b47b9dea3bf165e905192
Dec 04 11:13:49 KODOS dockerd[194]: time="2024-12-04T11:13:49+01:00" level=error msg="2024/12/04 10:13:49 ERROR : webdav root '': Statfs failed: Propfind \"https://nextcloud.mydomain.com:443/remote.php/dav/files/myuser/\": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-12-04T10:13:49Z is after 2024-06-07T07:21:04Z" plugin=4b8d2d63b7b67ac26abc615c313d98d9eac4bb05b33b47b9dea3bf165e905192
Dec 04 11:13:59 KODOS dockerd[194]: time="2024-12-04T11:13:59+01:00" level=error msg="2024/12/04 10:13:59 ERROR : IO error: couldn't list files: Propfind \"https://nextcloud.mydomain.com:443/remote.php/dav/files/myuser/\": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-12-04T10:13:59Z is after 2024-06-07T07:21:04Z" plugin=4b8d2d63b7b67ac26abc615c313d98d9eac4bb05b33b47b9dea3bf165e905192
Dec 04 11:14:19 KODOS dockerd[194]: time="2024-12-04T11:14:19.740524197+01:00" level=info msg="ignoring event" container=9f746f500ea73ed64be442f3f4976eea485ac5a8fe5e0258d03309eba7b882e1 module=libcontainerd namespace=moby topic=/tasks/delete type="*events.TaskDelete"
Dec 04 11:14:19 KODOS dockerd[194]: time="2024-12-04T11:14:19.746431454+01:00" level=warning msg="ShouldRestart failed, container will not be restarted" container=9f746f500ea73ed64be442f3f4976eea485ac5a8fe5e0258d03309eba7b882e1 daemonShuttingDown=false error="restart canceled" execDuration=29.755246309s exitStatus="{137 2024-12-04 10:14:19.734965934 +0000 UTC}" hasBeenManuallyStopped=true restartCount=0
Dec 04 11:14:21 KODOS dockerd[194]: time="2024-12-04T11:14:21+01:00" level=error msg="2024/12/04 10:14:21 INFO  : Volume \"691ee3d200d39f25545ad61679db2cf8b7aa797eb632326ab30ccd94a46156a6\" unmounted externally" plugin=4b8d2d63b7b67ac26abc615c313d98d9eac4bb05b33b47b9dea3bf165e905192
Dec 04 11:42:40 KODOS dockerd[194]: time="2024-12-04T11:42:40+01:00" level=error msg="2024/12/04 10:42:40 ERROR : IO error: couldn't list files: Propfind \"https://nextcloud.mydomain.com:443/remote.php/dav/files/myuser/\": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-12-04T10:42:40Z is after 2024-06-07T07:21:04Z" plugin=4b8d2d63b7b67ac26abc615c313d98d9eac4bb05b33b47b9dea3bf165e905192

Seems it does not like my certificate as it thinks it has expired - this is odd because tests from other machines and also directly on the Kasm machine show a valid certificate, otherwise I'd be having many other Nextcloud problems elsewhere. Unfortunately I haven't been able to find a command to run in the docker plugin to test the certificate like I do using openssl, nor does "bash" seem to work even though the rclone.org site says it should. I can run nslookup and that returns the correct IP for my Nextcloud server.

Author

Taomyn commented Dec 18, 2024

I'm still struggling with this, and I just upgraded to 1.16.1 in case something in that might help. All I know is that I need to tell the rclone docker plugin to trust my local CA as the host it runs on already does, or inject the CA certificate into the plugin or as a last resort tell it not to check which doesn't appeal.

Anyone?

Contributor

j-travis commented Dec 18, 2024

certificate has expired or is not yet valid: current time 2024-12-04T10:13:49Z is after 2024-06-07T07:21:04Z

Can you double check that the cert on your Nextcloud server isn't expired? This log would seem to indicate it expired in June.

I'd double check this using command line tools from the Kasm server itself. You don't have any transparent web proxies in your environment that may be intercepting the request do you?

Author

Taomyn commented Dec 18, 2024

Yes, I did the test on the Kasm server with curl as well, and I tried it again just now and this is what I get:

root:~# curl https://nextcloud.mydomain.com --verbose 
*   Trying 192.168.1.70:443...
* Connected to nextcloud.mydomain.com (192.168.1.70) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=nextcloud.mydomain.com
*  start date: May 24 10:44:17 2024 GMT
*  expire date: May 24 10:44:17 2026 GMT
*  subjectAltName: host "nextcloud.mydomain.com" matched cert's "nextcloud.mydomain,com"
*  issuer: DC=com; DC=mydomain; CN=mydomain-SELMA-CA
*  SSL certificate verify ok.

What the container log is showing makes no sense which is why I was trying to access the rclone's shell.

I do have an HAProxy that's used for external access to my Nextcloud, but the IP above 192.168.1.70 is the internal IP so the curl is looking at what Kasm should be pointing at.

I'm writing this reply from within a Kasm Brave browser workspace and it's having no issues with certificates.

Author

Taomyn commented Dec 18, 2024

I also tried this to check what the rclone container is doing:

root:~# PLUGID=$(docker plugin list --no-trunc | awk '/rclone/{print$1}')
root@:~# runc --root /run/docker/runtime-runc/plugins.moby exec --tty $PLUGID nslookup nextcloud.mydomain.com
Server:    192.168.1.11
Address:   192.168.1.11:53

nextcloud.mydomain.com  canonical name = maggie.mydomain.com
Name:      maggie.mydomain.com
Address:   192.168.1.70

nextcloud.mydomain.com  canonical name = maggie.mydomain.com

root:~# runc --root /run/docker/runtime-runc/plugins.moby exec --tty $PLUGID bash
ERRO[0000] exec failed: unable to start container process: exec: "bash": executable file not found in $PATH
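
Added example, not part of the thread and not rclone or Kasm code: the error text in the plugin log comes from Go's crypto/x509 verifier, which reports the NotAfter of whichever certificate in the chain failed the validity check, not necessarily the leaf that curl prints. The sketch reproduces the same message on a constructed chain in which only the CA has expired; the names `constructed-ca.example` and `nextcloud.example` are hypothetical, and the dates are borrowed from the log and the curl output above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mint builds a constructed certificate; a nil parent yields a self-signed CA.
func mint(cn string, serial int64, notAfter time.Time, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: notAfter, BasicConstraintsValid: true}
	if parent == nil {
		tpl.IsCA, tpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, signer = tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// blame verifies leaf at time now; returns the CN of the certificate the verifier rejects and the error text.
func blame(leaf, ca *x509.Certificate, now time.Time) (string, string) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	var inv x509.CertificateInvalidError
	if !errors.As(err, &inv) {
		return "", fmt.Sprint(err)
	}
	return inv.Cert.Subject.CommonName, err.Error()
}

// demo runs blame on a constructed chain: CA expired 2024-06-07, leaf valid until 2026.
func demo() (string, string) {
	ca, caKey := mint("constructed-ca.example", 1, time.Date(2024, 6, 7, 7, 21, 4, 0, time.UTC), nil, nil)
	leaf, _ := mint("nextcloud.example", 2, time.Date(2026, 5, 24, 10, 44, 17, 0, time.UTC), ca, caKey)
	return blame(leaf, ca, time.Date(2024, 12, 4, 10, 13, 49, 0, time.UTC))
}

func main() { fmt.Println(demo()) }
```

Against a real server, the same comparison is made by listing NotAfter for every certificate the server sends and every CA in the client's trust store, then looking for the one that equals the timestamp in the error.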
