Support #30

closed

Unable to connect to the carddaw server, error: x509: certificate signed by unknown authority

Added by Pawel Wasylewicz over 1 year ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Start date:
03/26/2021
Due date:
% Done:

100%

Estimated time:

Description

Good morning,

I have been interested in this project for several months, and I decided to run it for tests.

Unfortunately, I ran into a number of problems.

The latest version 0.9.1 gives me the following error:

Unable to connect to the carddaw server, error: x509: certificate signed by unknown authority.

Runtime: gentoo linux, 64 bit;
CardDav server: Radicale (SSL, Webauth);
Server-side SSL certificates: LetsEncrypt;

On the system side, all openssl certificates and cases work fine.

A thorough message is:
CardDav Server sync failed with: Client new () failed with: FindCurrentUserPrincipal () failed with error: Propfind "https://domain.myserwername.com:52432/myfolder/carddav": x509: certificate signed by unknown authority

Please help.

Paul


Files

l2cpbg-0.9.1-beta-1-linux-amd64.tgz (9.25 MB): Hardcoded 'insecurecert' for testing. Jörg Ebeling, 03/27/2021 12:48 AM

Actions #1

Updated by Jörg Ebeling over 1 year ago

Hi Paul,

nice to hear that you have been interested in this project for several months.

Shame on me that you got into trouble with it ;-)

The latest version 0.9.1 gives me the following error:

I guess you mean the newest 0.9.0.

Unable to connect to the carddaw server, error: x509: certificate signed by unknown authority.
...
On the system side, all openssl certificates and cases work fine.
...
A thorough message is:
CardDav Server sync failed with: Client new () failed with: FindCurrentUserPrincipal () failed with error: Propfind "https://domain.myserwername.com:52432/myfolder/carddav": x509: certificate signed by unknown authority

Well... even if the message "x509: certificate signed by unknown authority" clearly states the reason, I have to say that I don't have much experience with your issue due to the completely new code base for 0.9.x.

But: I also have a CardDAV server which is running with a LetsEncrypt certificate, so in general it should work.

If your CardDAV server is publicly accessible, are you willing to send me the URL:Port to joerg@shbe.net, so that I can check/verify some certificate stuff?
For sure, I do not need any account/login information.
This evening (or on the weekend) I'll also check if there's some kind of option in the connection library which might allow "unknown authorities".

Kind regards

Jörg

Actions #2

Updated by Jörg Ebeling over 1 year ago

  • % Done changed from 0 to 10

Hi Paul.

Just did some certificate checking.

Well, I'm not an SSL/TLS expert, but it looks like your webserver is missing the intermediate/chain certificate.

Do you have access to the webserver's SSL config where your Radicale runs?

If so, do you have the following entries within the relevant apache/vhost config?

SSLCertificateKeyFile /etc/letsencrypt/live/xxx/privkey.pem
SSLCertificateFile /etc/letsencrypt/live/xxx/fullchain.pem

In particular the one for 'fullchain.pem'?

If you don't have access to the webserver's config, or everything is configured the right way, I could try to implement an option which skips insecure certificate configurations.

Actions #3

Updated by Jörg Ebeling over 1 year ago

Hi Paul!

I attached a beta to the ticket for testing.

It has a possible future insecurecert option hardcoded within this beta.

Here's the text which will get into the config if your test succeeds:

# insecurecert controls whether a client verifies the server's certificate
# chain and host name. If insecurecert is true, crypto/tls accepts any
# certificate presented by the server and any host name in that certificate.
# In this mode, TLS is susceptible to machine-in-the-middle attacks unless
# custom verification is used. This should be used only for testing or in
# trusted environments.
#insecurecert = false
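
The check behind the error in this ticket (a server leaf that cannot be chained to a trusted root because the server did not send its intermediate, which is what serving cert.pem instead of fullchain.pem does) and the trade-off behind a hardcoded insecurecert switch, as an added Go example. This is not l2cpbg's code: the config text above is the crypto/tls documentation for the InsecureSkipVerify field, so it is assumed here that the option sets that field. The certificate names and the host name carddav.example.invalid are constructed placeholders, and the whole chain is generated in memory, so the program runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed root -> intermediate -> leaf hierarchy (placeholder names, no real CA).
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues a certificate from tmpl, signed by parent's key, and parses it back.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	c, perr := x509.ParseCertificate(der) // if err != nil, der is nil and perr is set too
	if err != nil || perr != nil {
		panic(fmt.Sprint(err, perr))
	}
	return c
}

// NewChain builds root, intermediate and server leaf in memory for the given host name.
func NewChain(host string) Chain {
	now := time.Now()
	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
	}
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := caTmpl(1, "Constructed Root CA")
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	inter := sign(caTmpl(2, "Constructed Intermediate CA"), root, &intKey.PublicKey, rootKey)
	leaf := sign(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, &leafKey.PublicKey, intKey)
	return Chain{Root: root, Intermediate: inter, Leaf: leaf}
}

// VerifyServerChain does what a Go TLS client does after the handshake: sent[0] is the
// server's leaf, sent[1:] are whatever intermediates the server included, and only the
// client's root store is trusted. With cert.pem instead of fullchain.pem, sent[1:] is empty.
func VerifyServerChain(host string, roots *x509.CertPool, sent []*x509.Certificate) error {
	inters := x509.NewCertPool()
	for _, c := range sent[1:] {
		inters.AddCert(c)
	}
	_, err := sent[0].Verify(x509.VerifyOptions{
		DNSName: host, Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports whether err is "x509: certificate signed by unknown authority".
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// ClientConfig contrasts the hardcoded insecurecert approach (InsecureSkipVerify drops
// chain and host name checks entirely) with adding a private CA to RootCAs instead.
func ClientConfig(insecure bool, trusted *x509.CertPool) *tls.Config {
	if insecure {
		return &tls.Config{InsecureSkipVerify: true} // any certificate, any host name
	}
	return &tls.Config{RootCAs: trusted, MinVersion: tls.VersionTLS12}
}

func main() {
	host := "carddav.example.invalid" // placeholder host name
	ch, roots := NewChain(host), x509.NewCertPool()
	roots.AddCert(ch.Root)
	fmt.Println("leaf only:", VerifyServerChain(host, roots, []*x509.Certificate{ch.Leaf}))
	fmt.Println("with intermediate:", VerifyServerChain(host, roots, []*x509.Certificate{ch.Leaf, ch.Intermediate}))
}
```

The first call fails with the "unknown authority" error from the ticket even though the root is trusted, because the client has no way to link the leaf to it; the second succeeds once the intermediate travels with the leaf, which is exactly the difference between SSLCertificateFile pointing at cert.pem and at fullchain.pem. ClientConfig shows that an insecurecert flag is the blunt alternative: it also stops checking the host name, so a private CA added to RootCAs is the better fix when the server's chain really is non-public.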
Actions #4

Updated by Jörg Ebeling over 1 year ago

  • % Done changed from 50 to 100

Actions #5

Updated by Jörg Ebeling over 1 year ago

  • Status changed from New to Feedback

Actions #6

Updated by Pawel Wasylewicz over 1 year ago

Joerg,

The switch you added works fine.

Thank you very much!

I went with the configuration in full swing.

Unfortunately, I have a configuration problem: while I am learning to map
fields from Radicale to LDAP fields, I have a problem with the operation of
[location], i.e. with the modification of telephone numbers.

I have 9-digit numbers in Radicale (Polish cell phones); despite what is, in my
opinion, the correct configuration of the [location] section, l2cpbg adds the
area variable with a zero to these numbers. It doesn't work as described in
the documentation, or I have got it wrong.

My [location] section
int = "48"
area = "68"
maxarealength = "9"
country = "PL"
#maxintlength = "2"
#extdialprefix = "0,"

In Radicale I have a number in the form TEL;TYPE=CELL:695704090, but
l2cpbg after LDAP returns 068695704090, which is completely wrong. Trimming
maxarealength by one completely cuts the TEL value.

Joerg, will you tell me what I'm doing wrong?

Additionally, can two indexes be loaded for one ldap.map value?

For example:
[ldap.map.givenName]
dav = "N"
index = 1
index = 2

I want to load the first two values here (in Radicale they are separated by
commas).

Hope you don't get irritated by my questions.

Paul

Sat, 27 Mar 2021 at 18:30 Jörg Ebeling projects@shbe.net wrote:

Actions #7

Updated by Jörg Ebeling over 1 year ago

Hi Paul,

nice to hear that the first issue got solved!

While reading your [location]-related question, I googled telephone numbers in Poland, and I worry that it will not work without a further modification by me, because I didn't handle 'national area prefixes' the right way (at least for Poland).
But before that, let me ask if I understand your location requirements and the Google result the right way.

Assumption:
You're located in Poland (int = "48") in the area Zielona Góra (area = "68"). Your local number is "111 111 11".

Q1:
The resulting international (E.164) formatted number would be "+486811111111"?

Q2:
Your friend A, living in Leszno (area code 65), assuming his local number is "222 222 22":
do you call him via "65 222 222 22" or "065 222 222 22"?

Q3:
Your friend B, also living in Zielona Góra (like you), has the local number "333 333 33".
Can you call him directly by dialing "333 333 33", or do you also need to prefix your own area code by dialing "68 333 333 33" (or "068 333 333 33")?

Q4:
If you want to call me in Germany, do you have to dial "004940...."?
Does dialing "+4940..." also work?

Q5:
Does your phone dial via a real VoIP IP-PBX like Asterisk, or via a simple router like a Fritz!Box?

Regarding your ldap.map... question:
No, you can't add multiple index entries per ldap.map... entry. But you can add a separate ldap.map entry for a specific CardDAV field.
Simply drop me a sample so that I'm able to understand your requirement. (Best in the forum or as a support ticket, so that we don't mix different issues.)

Actions #8

Updated by Pawel Wasylewicz over 1 year ago

Hi Joerg,

The problem it solves is a little more intricate.

I have a Grandstream UCM local VoIP server.

Besides, I keep a main address book in Radicale (Thunderbird).

There was a need to synchronize the Radicale book with a VoIP (grandstream)
phone connected to the UCM. The phone should receive a local LDAP book from
UCM and a book from Radicale. This is what I want to play with your
program. UCM makes it possible to connect to it as a client of another LDAP
server. In such a configuration, UCM replicates the external LDAP resource
and in total serves one LDAP directory for phones. So much in theory.

The problem is that in Radicale I mainly store cell phone numbers for my
contacts. Practically 2-3% of contacts have landline numbers. UCM needs the
field [ldap.map.ACCOUNTNUMBER] as an obligatory field to download data.
There I put a mobile number from Radicale.
Unfortunately, this cell number is transformed by [location] and a local
prefix is added to it, so the whole operation loses its sense because these
numbers are useless.

Regarding your questions:
Local (landline) numbers are numbered XX NNN NN NN, where XX is the local
numbering zone (Zielona Góra (68), Leszno (65), Warsaw (22)) and the 7 digits N
are the telephone number.

Mobile numbers have 9-digit numbering, 555 555 555; for international calls
it would be +48 555 555 555.

We don't have to dial leading zeros.

ad 1. The international number for landline calls would be +48 XX NNN NN
NN, i.e. +48 68 666 66 66.

ad 2. When calling him from a mobile or landline phone, I do not have to
dial a leading zero. I only dial his number 65 333 33 33 along with the
local numbering zone.

ad 3. When calling from Zielona Góra (68) to Zielona Góra (68), I have to
provide the full 9-digit number with the local numbering zone, i.e. I dial
my colleague's full number 68 333 33 33 from both the landline and the mobile
phone.

ad 4. I can call you either +4940 ... or 004940 ..

ad 5. This is how I make calls from an IP PBX.

I have not tested your solution with landline numbers.

I assumed that by specifying the maxarealength = "9" parameter, numbers of at
least 9 digits (cell) should not undergo any transformation.

Even if I had the opportunity to detect if the numbers are written in
international form (+48), I would probably use it to standardize them and
send them all to UCM in a consistent international form. Of course, without
automatically adding a local numbering zone or other conversion.

I will create tickets for the rest.

Thanks a lot for your time.

Tue, 30 Mar 2021 at 13:18 Jörg Ebeling projects@shbe.net wrote:

Actions #9

Updated by Jörg Ebeling over 1 year ago

Pawel Wasylewicz wrote in #note-8:

Hi Joerg,

The problem it solves is a little more intricate.

I have a Grandstream UCM local VoIP server.

Besides, I keep a main address book in Radicale (Thunderbird).

Normal workflow so far...

There was a need to synchronize the Radicale book with a VoIP (grandstream)
phone connected to the UCM. The phone should receive a local LDAP book from
UCM and a book from Radicale. This is what I want to play with your
program. UCM makes it possible to connect to it as a client of another LDAP
server. In such a configuration, UCM replicates the external LDAP resource
and in total serves one LDAP directory for phones. So much in theory.

In the past I didn't find any LDAP-integrated phone book without limitations I stumbled over.
That was the reason why I decided to write my own LDAP phonebook (gateway).
But the way your UCM acts as an LDAP gateway between its own data and another LDAP server is new to me ;-)
But interesting :-)
What kind of contact data does your UCM deliver that you're interested in? Internal extension (numbers)?
Are you able/willing to send me a screenshot of the LDAP-relevant part of the configuration?

The problem is that in Radicale I mainly store cell phone numbers for my
contacts. Practically 2-3% of contacts have landline numbers. UCM needs the
field [ldap.map.ACCOUNTNUMBER] as an obligatory field to download data.
There I put a mobile number from Radicale.

Hmm... are you sure that's not the VCF's UID it's expecting? (btw. the VCF's UID field is also delivered as the LDAP 'uid' field)

Unfortunately, this cell number is transformed by [location] and a local
prefix is added to it, so the whole operation loses its sense because these
numbers are useless.

Yes, and it is a bug!
I wrongly assumed that all countries have/need an area prefix.
I already opened a new bug ticket, #33.
Please be so kind as to read/check it and go on there (if required).

Regarding your questions:
Local (landline) numbers are numbered XX NNN NN NN, where XX is the local
numbering zone (Zielona Góra (68), Leszno (65), Warsaw (22)) and the 7 digits N
are the telephone number.

Mobile numbers have 9-digit numbering, 555 555 555; for international calls
it would be +48 555 555 555.

We don't have to dial leading zeros.

That's the part I did wrong.

ad 1. The international number for landline calls would be +48 XX NNN NN
NN, i.e. +48 68 666 66 66.

ad 2. When calling him from a mobile or landline phone, I do not have to
dial a leading zero. I only dial his number 65 333 33 33 along with the
local numbering zone.

ad 3. When calling from Zielona Góra (68) to Zielona Góra (68), I have to
provide the full 9-digit number with the local numbering zone, i.e. I dial
my colleague's full number 68 333 33 33 from both the landline and the mobile
phone.

ad 4. I can call you either +4940 ... or 004940 ..

ad 5. This is how I make calls from an IP PBX.

I have not tested your solution with landline numbers.

I assumed that by specifying the maxarealength = "9" parameter, numbers of at
least 9 digits (cell) should not undergo any transformation.

Yes/No. The maxarealength is for a completely different use case, which I'll explain soon.
You might try a hack before that.
Try setting maxarealength to the same value as (or, as a second try, less than) your maxintlength (which I guess is something <= 3).
The (wrongly) hardcoded national dial prefix "0" is only added/prefixed (together with the configured location.area number) if the received/transmitted num is > maxintlen and <= maxarealength.
This might work around your problem with my bug.

maxarealength was implemented for another reason:
Here in Germany, as well as in a lot of other European countries, we have to dial a national area prefix and do NOT need to dial a national prefix for calls to the same area.
So people using Thunderbird like you (or me), as well as Nextcloud, Daylite and the like, enter the contact number in multiple variations.
I.e.:
Friend A (in same city): LLL LLL LL (L = local number)
Friend B (in same city but entered during a moonlight phase): XNN LLL LLL LL (X = national prefix, N = national code)
Friend C (in another country): +II NN LLL LLL LL (I = international code)
Friend D (in another country after the 3rd beer): YYII (X)NN LLL LLL LL (Y = international prefix; X doesn't need to be entered but is often written as (X))

To handle all these cases (and some more) in a chaotically maintained CardDAV address book, I needed a way to differentiate by the max length of a number within the local area = maxarealength (I forgot to say that Europe has small cities which only have 4-5 L digits, against large cities which have 7-8 L digits).

Please be patient; it doesn't sound like a big change, but I need to implement a lot of new test cases.

Don't forget to subscribe to the new tickets so that you get informed ;-)

Thanks a lot for your detailed description!

Cya
Jörg
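
The prefix rule stated in #note-9 (the national "0" plus location.area is prepended when the number's length is greater than maxintlength and at most maxarealength), worked through on Paul's configuration as an added Go model. This is not l2cpbg's own normalisation code: it implements only the rule as Jörg describes it, so it reproduces the 068695704090 result from #note-6 and shows why the suggested hack (maxarealength equal to maxintlength) makes the rule unreachable for 9-digit mobiles. maxintlength is commented out in Paul's config, so the value 2 is an assumption, and the "trimming cuts the TEL value" behaviour Paul reported is not modelled.

```go
package main

import (
	"fmt"
	"strings"
)

// Location mirrors the [location] keys discussed in this ticket. Paul's config sets
// int, area and maxarealength; maxintlength is commented out there, so 2 is an
// assumed value here (Jörg guesses "something <= 3").
type Location struct {
	Int, Area                   string
	MaxIntLength, MaxAreaLength int
}

// digitsOf strips spaces and other non-digit characters so length checks see only digits.
func digitsOf(num string) string {
	return strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1
	}, num)
}

// ApplyNationalPrefix models only the rule stated in #note-9: the national dial
// prefix "0" plus location.area is prepended when the digit count is greater than
// maxintlength and at most maxarealength. Everything else passes through unchanged.
// This is a model of the described behaviour, not l2cpbg's own normalisation.
func ApplyNationalPrefix(num string, loc Location) string {
	d := digitsOf(num)
	if n := len(d); n > loc.MaxIntLength && n <= loc.MaxAreaLength {
		return "0" + loc.Area + d
	}
	return num
}

func main() {
	paul := Location{Int: "48", Area: "68", MaxIntLength: 2, MaxAreaLength: 9}
	hack := paul
	hack.MaxAreaLength = paul.MaxIntLength // the workaround suggested in #note-9
	for _, loc := range []Location{paul, hack} {
		for _, num := range []string{"695704090", "+48 555 555 555", "6666666"} {
			fmt.Printf("maxarealength=%d: %-16s -> %s\n", loc.MaxAreaLength, num, ApplyNationalPrefix(num, loc))
		}
	}
}
```

With Paul's values the 9-digit mobile falls inside the window (2 < 9 <= 9) and gets "068" prepended, while a number already written as +48 ... has 11 digits and passes through; with maxarealength lowered to maxintlength the window is empty, which is why the hack stops the mangling until the area-prefix handling is fixed in #33.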

Actions #10

Updated by Jörg Ebeling over 1 year ago

  • Status changed from Feedback to Closed