DAVx5 & Nginx w/ client certificate



  • Hello,

    I have set up Nextcloud 18 successfully. It is accessible behind Nginx which requires a client certificate (issued by a self signed CA). Access from a webbrowser works without a problem (client certificate to connect to Nginx, then username/password for Nextcloud).

    Now, I would like to access my contacts and calendar from my smartphone (Android 10) and so I installed DAVx5 and put a client certificate on the smartphone. I tried “connect with URL and client certificate” but always get the result that access to CalDAV or CardDAV service is not possible.

    In both cases, the Nginx Server shows the following in the logs:

    172.28.64.75 - - [14/Mar/2020:22:47:26 +0100] "PROPFIND /remote.php/dav HTTP/1.1" 401 569 "-" "DAVx5/2.6.5-gplay (2020/03/07; dav4jvm; okhttp/3.12.10) Android/9"
    172.28.64.75 - - [14/Mar/2020:22:47:26 +0100] "PROPFIND /.well-known/carddav HTTP/1.1" 301 185 "-" "DAVx5/2.6.5-gplay (2020/03/07; dav4jvm; okhttp/3.12.10) Android/9"
    172.28.64.75 - - [14/Mar/2020:22:47:26 +0100] "PROPFIND /remote.php/dav HTTP/1.1" 401 569 "-" "DAVx5/2.6.5-gplay (2020/03/07; dav4jvm; okhttp/3.12.10) Android/9"
    172.28.64.75 - - [14/Mar/2020:22:47:26 +0100] "PROPFIND /.well-known/carddav HTTP/1.1" 301 185 "-" "DAVx5/2.6.5-gplay (2020/03/07; dav4jvm; okhttp/3.12.10) Android/9"
    172.28.64.75 - - [14/Mar/2020:22:47:26 +0100] "PROPFIND /remote.php/dav HTTP/1.1" 401 569 "-" "DAVx5/2.6.5-gplay (2020/03/07; dav4jvm; okhttp/3.12.10) Android/9"
    172.28.64.75 - - [14/Mar/2020:22:47:26 +0100] "PROPFIND / HTTP/1.1" 405 5 "-" "DAVx5/2.6.5-gplay (2020/03/07; dav4jvm; okhttp/3.12.10) Android/9"
    172.28.64.75 - - [14/Mar/2020:22:47:27 +0100] "PROPFIND /remote.php/dav HTTP/1.1" 401 569 "-" "DAVx5/2.6.5-gplay (2020/03/07; dav4jvm; okhttp/3.12.10) Android/9"
    172.28.64.75 - - [14/Mar/2020:22:47:27 +0100] "PROPFIND /.well-known/caldav HTTP/1.1" 301 185 "-" "DAVx5/2.6.5-gplay (2020/03/07; dav4jvm; okhttp/3.12.10) Android/9"
    172.28.64.75 - - [14/Mar/2020:22:47:27 +0100] "PROPFIND /remote.php/dav HTTP/1.1" 401 569 "-" "DAVx5/2.6.5-gplay (2020/03/07; dav4jvm; okhttp/3.12.10) Android/9"
    172.28.64.75 - - [14/Mar/2020:22:47:27 +0100] "PROPFIND /.well-known/caldav HTTP/1.1" 301 185 "-" "DAVx5/2.6.5-gplay (2020/03/07; dav4jvm; okhttp/3.12.10) Android/9"
    172.28.64.75 - - [14/Mar/2020:22:47:27 +0100] "PROPFIND /remote.php/dav HTTP/1.1" 401 569 "-" "DAVx5/2.6.5-gplay (2020/03/07; dav4jvm; okhttp/3.12.10) Android/9"
    172.28.64.75 - - [14/Mar/2020:22:47:27 +0100] "PROPFIND / HTTP/1.1" 405 5 "-" "DAVx5/2.6.5-gplay (2020/03/07; dav4jvm; okhttp/3.12.10) Android/9"
    

    Now, am I doing something wrong or is it normal that it fails?
    Is there a better way to do it, knowing that I would like to keep it mandatory for the client to present a valid certificate?

    Or is this not a DAVx5 problem after all, but a server side problem (Nginx and Nextcloud)?

    DAVx5: 2.6.5-gplay
    Nextcloud version: 18
    Operating system: Devuan (Beowulf/Ceres, amd64)
    Nginx: 1.14.2-2+deb10u1
    PHP version: 7.3.11-1~deb10u1

    Just to make it clear, using the same device with the same certificate, I am able to login to Nextcloud using Chrome. And trying to access https://nextcloud.example.com/remote.php/dav with Chrome, I am prompted for the username/password before getting the following message:

    This is the WebDAV interface. It can only be accessed by WebDAV clients such as the Nextcloud desktop sync client.
    

    From my understanding, it should also work with DAVx5, shouldn’t it?

    Thank you in advance for your feedback and best regards
    Tom


  • developer

    Hi,

    Access from a webbrowser works without a problem (client certificate to connect to Nginx, then username/password for Nextcloud).

    Yes. Can you enable verbose Web server logging (especially about client cert. auth)? What does it say?

    Also, what do verbose DAVx5 logs say?

    Edit: Sorry, no. DAVx5 uses client certs as authentication. In this case, there is no username/pwd.


  • developer



  • @rfc2822

    I see the last message there goes back to august of last year. Is there anything in your pipeline concerning certificate and user/password authentication?

    Thanks in advance


  • developer

    @Totom said in DAVx5 & Nginx w/ client certificate:

    I see the last message there goes back to august of last year. Is there anything in your pipeline concerning certificate and user/password authentication?

    Currently, there is https://gitlab.com/bitfireAT/davx5-ose/-/merge_requests/13/diffs

    However, it would require UI changes, which are always very complicated and have big impact. So at the moment, it’s on the idea list, but there’s no priority for that.


Log in to reply
 

Similar topics

  • 2
  • 9
  • 2