ICloud 403 error when syncing non-all-day task

AutoImport-danthe93

Hi,

I am getting a 403 unauthorised error when trying to sync tasks with iCloud using Davdroid.

This only happens when setting a specific time for events, when editing or creating new tasks on my Android device.

However, the tasks are synced fine when changing all other attributes, and sync fine when enabling "All Day" option.

Thanks.

rfc2822

Thanks for your report. Please read Reporting issues and provide all information mentioned there, including detailled steps to reproduce the issue, client and server software details, and verbose logs.

AutoImport-danthe93

This is the log I am getting:

06-17 09:25:34.777   29137-1897/? I/davdroid.DavSyncAdapter﹕ Performing sync for authority org.dmfs.tasks
06-17 09:25:34.777   29137-1897/? D/davdroid.DavSyncAdapter﹕ Creating new DavHttpClient
06-17 09:25:34.778   29137-1897/? D/davdroid.DavSyncAdapter﹕ Server supports VCard version 3.0
06-17 09:25:34.786   29137-1897/? V/davdroid.URIUtils﹕ Normalized URL https://p02-caldav.icloud.com:443/xxx/calendars/tasks/ -> https://p02-caldav.icloud.com:443/xxx/calendars/tasks/
06-17 09:25:34.786   29137-1897/? D/davdroid.WebDavResource﹕ Using preemptive authentication (not compatible with Digest auth)
06-17 09:25:34.797   29137-1897/? I/davdroid.SyncManager﹕ Remotely removing 0 deleted resource(s) (if not changed)
06-17 09:25:34.805   29137-1897/? I/davdroid.SyncManager﹕ Uploading 0 new resource(s) (if not existing)
06-17 09:25:34.811   29137-1897/? I/davdroid.SyncManager﹕ Uploading 1 modified resource(s) (if not changed)
06-17 09:25:34.993   29137-1897/? V/davdroid.URIUtils﹕ Normalized URL xxx.ics -> xxx.ics


06-17 09:25:35.644   29137-1897/? E/davdroid.DavSyncAdapter﹕ Hard HTTP error 403
    at.bitfire.davdroid.webdav.HttpException: 403 Forbidden
            at at.bitfire.davdroid.webdav.WebDavResource.checkResponse(WebDavResource.java:430)
            at at.bitfire.davdroid.webdav.WebDavResource.checkResponse(WebDavResource.java:404)
            at at.bitfire.davdroid.webdav.WebDavResource.put(WebDavResource.java:381)
            at at.bitfire.davdroid.resource.RemoteCollection.update(RemoteCollection.java:196)
            at at.bitfire.davdroid.syncadapter.SyncManager.pushDirty(SyncManager.java:169)
            at at.bitfire.davdroid.syncadapter.SyncManager.synchronize(SyncManager.java:50)
            at at.bitfire.davdroid.syncadapter.DavSyncAdapter.onPerformSync(DavSyncAdapter.java:144)
            at android.content.AbstractThreadedSyncAdapter$SyncThread.run(AbstractThreadedSyncAdapter.java:259)

The issue can be replicated by doing the following:
1.) Create a new task using a particular date and time, and timezone.
2.) Go to settings > account > force sync (of DavDroid account containing tasks)
3.) Error pops up and sync fails.

Error does not occur when a date is not set. For example, creating a new task with all day enabled, or no dates specify means that no error occurs.
This error also happens when editing or completing already existing tasks from iCloud which have a time.

Client software:
Davdroid 0.8.0 and Tasks (Marten Gajda)
Server: Apple servers (iCloud)

rfc2822

Thanks for the extensive information. Unfortunately, the setprop calls from https://github.com/bitfireAT/davdroid/wiki/How-to-view-the-logs where not done, so traffic was not logged.

Which time zone? Does it work with other time zones?

AutoImport-danthe93

Here you go:

06-17 14:25:07.259  27754-12389/at.bitfire.davdroid:sync I/davdroid.DavSyncAdapter﹕ Performing sync for authority org.dmfs.tasks
06-17 14:25:07.259  27754-12389/at.bitfire.davdroid:sync D/davdroid.DavSyncAdapter﹕ Creating new DavHttpClient
06-17 14:25:07.260  27754-12389/at.bitfire.davdroid:sync I/davdroid.DavHttpClient﹕ Wire logging active, disabling HTTP compression
06-17 14:25:07.262  27754-12389/at.bitfire.davdroid:sync D/davdroid.DavSyncAdapter﹕ Server supports VCard version 3.0
06-17 14:25:07.297  27754-12389/at.bitfire.davdroid:sync V/davdroid.URIUtils﹕ Normalized URL https://p02-caldav.icloud.com:443/xxx/calendars/tasks/ -> https://p02-caldav.icloud.com:443/xxx/calendars/tasks/
06-17 14:25:07.297  27754-12389/at.bitfire.davdroid:sync D/davdroid.WebDavResource﹕ Using preemptive authentication (not compatible with Digest auth)
06-17 14:25:07.307  27754-12389/at.bitfire.davdroid:sync I/davdroid.SyncManager﹕ Remotely removing 0 deleted resource(s) (if not changed)
06-17 14:25:07.316  27754-12389/at.bitfire.davdroid:sync I/davdroid.SyncManager﹕ Uploading 0 new resource(s) (if not existing)
06-17 14:25:07.324  27754-12389/at.bitfire.davdroid:sync I/davdroid.SyncManager﹕ Uploading 1 modified resource(s) (if not changed)
06-17 14:25:07.351  27754-12389/at.bitfire.davdroid:sync V/davdroid.URIUtils﹕ Normalized URL xxx.ics -> xxx.ics
06-17 14:25:07.384  27754-12389/at.bitfire.davdroid:sync D/HttpClient﹕ CookieSpec selected: best-match
06-17 14:25:07.384  27754-12389/at.bitfire.davdroid:sync D/HttpClient﹕ Re-using cached 'basic' auth scheme for https://p02-caldav.icloud.com:443
06-17 14:25:07.386  27754-12389/at.bitfire.davdroid:sync D/HttpClient﹕ Connection request: [route: HttpRoute[{s}->https://p02-caldav.icloud.com:443]][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 3]
06-17 14:25:07.387  27754-12389/at.bitfire.davdroid:sync D/HttpClient﹕ Connection leased: [id: 9][route: HttpRoute[{s}->https://p02-caldav.icloud.com:443]][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 3]
06-17 14:25:07.387  27754-12389/at.bitfire.davdroid:sync D/HttpClient﹕ Opening connection HttpRoute[{s}->https://p02-caldav.icloud.com:443]
06-17 14:25:07.492  27754-12389/at.bitfire.davdroid:sync D/HttpClient﹕ Connecting to p02-caldav.icloud.com/17.172.208.29:443
06-17 14:25:07.492  27754-12389/at.bitfire.davdroid:sync D/HttpClient﹕ Connecting socket to p02-caldav.icloud.com/17.172.208.29:443 with timeout 20000
06-17 14:25:07.812  27754-12389/at.bitfire.davdroid:sync D/HttpClient﹕ Enabled protocols: [TLSv1, TLSv1.1, TLSv1.2]
06-17 14:25:07.812  27754-12389/at.bitfire.davdroid:sync D/HttpClient﹕ Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
06-17 14:25:07.812  27754-12389/at.bitfire.davdroid:sync D/HttpClient﹕ Enabling SNI for p02-caldav.icloud.com
06-17 14:25:07.812  27754-12389/at.bitfire.davdroid:sync D/HttpClient﹕ Starting handshake
06-17 14:25:07.994  27754-12389/at.bitfire.davdroid:sync D/HttpClient﹕ Secure session established
06-17 14:25:07.994  27754-12389/at.bitfire.davdroid:sync D/HttpClient﹕ negotiated protocol: TLSv1.2
06-17 14:25:07.994  27754-12389/at.bitfire.davdroid:sync D/HttpClient﹕ negotiated cipher suite: SSL_RSA_WITH_RC4_128_SHA
06-17 14:25:07.994  27754-12389/at.bitfire.davdroid:sync D/HttpClient﹕ peer principal: C=US, ST=California, O=Apple Inc., OU=management:idms.group.506364, CN=*.icloud.com
06-17 14:25:07.995  27754-12389/at.bitfire.davdroid:sync D/HttpClient﹕ peer alternative names: [*.icloud.com]
06-17 14:25:07.995  27754-12389/at.bitfire.davdroid:sync D/HttpClient﹕ issuer principal: C=US, O=Apple Inc., OU=Certification Authority, CN=Apple IST CA 2 - G1
06-17 14:25:07.996  27754-12389/at.bitfire.davdroid:sync D/HttpClient﹕ Connection established 192.168.xxx.xxx:60125<->17.172.208.29:443
06-17 14:25:07.996  27754-12389/at.bitfire.davdroid:sync D/HttpClient﹕ Executing request PUT /xxx/calendars/tasks/xxx.ics HTTP/1.1
06-17 14:25:07.996  27754-12389/at.bitfire.davdroid:sync D/HttpClient﹕ Target auth state: CHALLENGED
06-17 14:25:07.996  27754-12389/at.bitfire.davdroid:sync D/HttpClient﹕ Proxy auth state: UNCHALLENGED
06-17 14:25:08.000  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 >> "PUT /xxx/calendars/tasks/xxx.ics HTTP/1.1[\r][\n]"
06-17 14:25:08.000  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 >> "If-Match: "C=21x@U=dbcxxxxx-299d-433c-xxxx-b03320axxxxx"[\r][\n]"
06-17 14:25:08.000  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 >> "Content-Type: text/calendar[\r][\n]"
06-17 14:25:08.000  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 >> "Content-Length: 436[\r][\n]"
06-17 14:25:08.000  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 >> "Host: p02-caldav.icloud.com:443[\r][\n]"
06-17 14:25:08.000  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 >> "Connection: Keep-Alive[\r][\n]"
06-17 14:25:08.000  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 >> "User-Agent: DAVdroid/0.8.0[\r][\n]"
06-17 14:25:08.000  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 >> "Authorization: Basic xxxxxxxxxxxxxxxxxxxxxx[\r][\n]"
06-17 14:25:08.000  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 >> "[\r][\n]"
06-17 14:25:08.000  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 >> "BEGIN:VCALENDAR[\r][\n]"
06-17 14:25:08.000  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 >> "VERSION:2.0[\r][\n]"
06-17 14:25:08.000  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 >> "PRODID:-//bitfire web engineering//DAVdroid 0.8.0 (ical4j 1.0.x)//EN[\r][\n]"
06-17 14:25:08.000  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 >> "BEGIN:VTODO[\r][\n]"
06-17 14:25:08.000  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 >> "DTSTAMP:20150617T122507Z[\r][\n]"
06-17 14:25:08.000  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 >> "UID:xxxxxxxxxxxxxx[\r][\n]"
06-17 14:25:08.000  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 >> "CREATED:xxxxxxx0T212010Z[\r][\n]"
06-17 14:25:08.001  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 >> "LAST-MODIFIED:20150617T121701Z[\r][\n]"
06-17 14:25:08.001  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 >> "SUMMARY:Accounts WS[\r][\n]"
06-17 14:25:08.001  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 >> "STATUS:COMPLETED[\r][\n]"
06-17 14:25:08.001  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 >> "DUE;TZID=Europe/Malta:20111111T090000[\r][\n]"
06-17 14:25:08.001  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 >> "DTSTART;TZID=Europe/Malta:20111111T090000[\r][\n]"
06-17 14:25:08.001  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 >> "COMPLETED:20150617T121701Z[\r][\n]"
06-17 14:25:08.001  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 >> "PERCENT-COMPLETE:100[\r][\n]"
06-17 14:25:08.001  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 >> "END:VTODO[\r][\n]"
06-17 14:25:08.001  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 >> "END:VCALENDAR[\r][\n]"
06-17 14:25:08.224  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 << "HTTP/1.1 403 Forbidden[\r][\n]"
06-17 14:25:08.224  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 << "Content-Length: 137[\r][\n]"
06-17 14:25:08.224  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 << "Server: iCloudCalendarServer 15CPlus26[\r][\n]"
06-17 14:25:08.224  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 << "DAV: 1, access-control, calendar-access, calendar-schedule, calendar-auto-schedule, calendar-managed-attachments, calendarserver-sharing, calendarserver-subscribed, calendarserver-home-sync[\r][\n]"
06-17 14:25:08.224  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 << "X-Transaction-Id: e44ebfc6-xxxxxxx[\r][\n]"
06-17 14:25:08.224  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 << "Date: Wed, 17 Jun 2015 12:25:08 GMT[\r][\n]"
06-17 14:25:08.224  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 << "X-Responding-Server: st11p02me-caldav038 8 xxxxxx[\r][\n]"
06-17 14:25:08.224  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 << "Content-Type: text/xml[\r][\n]"
06-17 14:25:08.224  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 << "Strict-Transport-Security: max-age=31536000; includeSubDomains[\r][\n]"
06-17 14:25:08.224  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 << "[\r][\n]"
06-17 14:25:08.224  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 << "<?xml version='1.0' encoding='UTF-8'?><error xmlns='DAV:'><valid-calendar-object-resource xmlns='urn:ietf:params:xml:ns:caldav'/></error>"
06-17 14:25:08.225  27754-12389/at.bitfire.davdroid:sync D/HttpClient﹕ Connection can be kept alive indefinitely
06-17 14:25:08.225  27754-12389/at.bitfire.davdroid:sync D/HttpClient﹕ Authentication succeeded
06-17 14:25:08.225  27754-12389/at.bitfire.davdroid:sync D/HttpClient﹕ http-outgoing-9: Shutdown connection
06-17 14:25:08.232  27754-12389/at.bitfire.davdroid:sync D/HttpClient﹕ Connection discarded
06-17 14:25:08.232  27754-12389/at.bitfire.davdroid:sync D/HttpClient﹕ http-outgoing-9: Close connection
06-17 14:25:08.232  27754-12389/at.bitfire.davdroid:sync D/HttpClient﹕ Connection released: [id: 9][route: HttpRoute[{s}->https://p02-caldav.icloud.com:443]][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 3]
06-17 14:25:08.238  27754-12389/at.bitfire.davdroid:sync E/davdroid.DavSyncAdapter﹕ Hard HTTP error 403
    at.bitfire.davdroid.webdav.HttpException: 403 Forbidden
            at at.bitfire.davdroid.webdav.WebDavResource.checkResponse(WebDavResource.java:430)
            at at.bitfire.davdroid.webdav.WebDavResource.checkResponse(WebDavResource.java:404)
            at at.bitfire.davdroid.webdav.WebDavResource.put(WebDavResource.java:381)
            at at.bitfire.davdroid.resource.RemoteCollection.update(RemoteCollection.java:196)
            at at.bitfire.davdroid.syncadapter.SyncManager.pushDirty(SyncManager.java:169)
            at at.bitfire.davdroid.syncadapter.SyncManager.synchronize(SyncManager.java:50)
            at at.bitfire.davdroid.syncadapter.DavSyncAdapter.onPerformSync(DavSyncAdapter.java:144)
            at android.content.AbstractThreadedSyncAdapter$SyncThread.run(AbstractThreadedSyncAdapter.java:259)
06-17 14:25:08.258  27754-12389/at.bitfire.davdroid:sync I/davdroid.DavSyncAdapter﹕ Sync complete for org.dmfs.tasks
06-17 14:25:08.268  27754-27754/at.bitfire.davdroid:sync D/davdroid.DavSyncAdapter﹕ Closing httpClient
06-17 14:25:08.270  27754-27882/at.bitfire.davdroid:sync D/HttpClient﹕ Connection manager is shutting down
06-17 14:25:08.270  27754-27882/at.bitfire.davdroid:sync D/HttpClient﹕ Connection manager shut down

All timezones result in the same bug.

rfc2822

Is Apple's two-factor authentication disabled?

AutoImport-danthe93

Yes 2 factor authentication is disabled.

As I said, syncing works fine unless a task contains a populated time field.
On 17 Jun 2015 2:47 pm, "rfc2822" notifications@github.com wrote:

Apple two-factor authentication is disabled?

—
Reply to this email directly or view it on GitHub
https://github.com/bitfireAT/davdroid/issues/553#issuecomment-112786172.

AutoImport-danthe93

Any news on this issue?

On 17 June 2015 at 15:06, Daniel Theuma theumad@gmail.com wrote:

Yes 2 factor authentication is disabled.

As I said, syncing works fine unless a task contains a populated time
field.
On 17 Jun 2015 2:47 pm, "rfc2822" notifications@github.com wrote:

Apple two-factor authentication is disabled?

—
Reply to this email directly or view it on GitHub
https://github.com/bitfireAT/davdroid/issues/553#issuecomment-112786172
.

rfc2822

No, has still to be investigated. I guess that the created iCal file is somehow not acceptable for iCloud. If you have time and experience, you could try to do the PUT request manually with different content and find out which field causes the error.

AutoImport-danthe93

The error is caused by the time field. If a task is created without a time
field, then the error does not occur. If a task is created with a time
field, then the error occurs.

On 13 July 2015 at 14:38, rfc2822 notifications@github.com wrote:

No, has still to be investigated. I guess that the created iCal file is
somehow not acceptable for iCloud. If you have time and experience, you
could try to do the PUT request manually with different content and find
out which field causes the error.

—
Reply to this email directly or view it on GitHub
https://github.com/bitfireAT/davdroid/issues/553#issuecomment-120913664.

AutoImport-danthe93

Therefore, setting a task as 'All Day' means that synchronisation is fine.
If instead of 'All Day', specific time is specified, then the error occurs.

Completing, or editing a task which contains a time field will result in
the error as well.

On 13 July 2015 at 16:53, Daniel Theuma theumad@gmail.com wrote:

The error is caused by the time field. If a task is created without a time
field, then the error does not occur. If a task is created with a time
field, then the error occurs.

On 13 July 2015 at 14:38, rfc2822 notifications@github.com wrote:

No, has still to be investigated. I guess that the created iCal file is
somehow not acceptable for iCloud. If you have time and experience, you
could try to do the PUT request manually with different content and find
out which field causes the error.

—
Reply to this email directly or view it on GitHub
https://github.com/bitfireAT/davdroid/issues/553#issuecomment-120913664
.

rfc2822

Can't reproduce the problem here, adding/modifying task on iCloud via DAVdroid works (with time fields set).

06-17 14:25:08.001  27754-12389/at.bitfire.davdroid:sync D/Wire﹕ http-outgoing-9 >> "DUE;TZID=Europe/Malta:20111111T090000[\r][\n]"

I wonder how you could set the Malta time zone? My Android devices don't show this time zone.

Can you please try to add a new task with another time zone, for instance Europe/Vienna and see whether it works?

AutoImport-danthe93

Seems to be working now. I don't kniw what happened. Could have been some kind of misconfiguration on Apple's side. Will reopen if problem resurfaces.

rfc2822

Ok, perfect