Re: [Freedombox-discuss] Can't get android phone to connect to radicale.
On Tue, Feb 07, 2017 at 12:41:54PM -0500, Daniel Gnoutcheff wrote:
> On 02/06/2017 11:15 PM, A. F. Cano wrote:
> > Failed to obtain certificate for domain .freedombox.rocks: Failed
> > authorization procedure. .freedombox.rocks (http-01):
> > urn:acme:error:connection :: The server could not connect to the client
> > to verify the domain :: Could not connect to .freedombox.rocks
>
> From this, it sounds like the HTTP server on .freedombox.rocks
> is not reachable from the public Internet. It needs to be in order for
> the "http-01" validation method to work [1].
>
> What happens if you try to visit http://.freedombox.rocks/ in a
> browser, preferably from a public Wifi network or some other independent
> network?

Trying this from a real outside network will have to wait until Saturday, but trying it from an inside machine it seems that DNS does its job and sends the packets to the right place. I get:

Your connection is not secure

The owner of .freedombox.rocks has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate.

> What happens when you run
>
> getent ahosts .freedombox.rocks

From the same internal machine I get:

75.226.115.229 STREAM .freedombox.rocks
75.226.115.229 DGRAM
75.226.115.229 RAW

This address is the same one that ifconfig reports on the freedombox for the ppp0 interface, which is the outside interface. So it seems to be working.

> from a Linux workstation?
>
> Is the freedombox behind another router? If so, have we verified port

No. The ppp connection is the outside interface, via a CDMA phone.

> forwarding for tcp ports 80 and 443?
>
> > Stopping orbot and disabling the firewall seem to not fix the issue.
>
> Right. I think we *also* need to fix certificate issue.

I'll keep digging into the iptables rules. I have a lot to learn in this area so it might take a while.

> > I don't see any packets going to/from the phone with wireshark,
>
> Are you running wireshark on the freedombox itself? If not, I'm not
> sure I'd trust that packet dump. Capturing unicast traffic that doesn't

I'm running wireshark on the machine that has the wifi interface to which the android phone connects (wlan0) and capturing the packets of that interface. This android phone is not the same one I use to connect to the internet via ppp. I'm also learning the many options of wireshark and I'm quite overwhelmed by the amount of packets wireshark is displaying. I've tried to restrict what gets displayed to what comes/goes from/to the android phone (static IP address), but I'm still getting flooded with MDNS packets.

> involve the capturing host is tricky business [2]. Maybe try tcpdump on
> the freedombox (via ssh)?
>
> [1] https://tools.ietf.org/html/draft-ietf-acme-acme-05#section-7.2
>
> [2] https://wiki.wireshark.org/CaptureSetup/WLAN

Thanks. I'll check this next but I wanted to send out what I can quickly.

Augustine

___
Freedombox-discuss mailing list
Freedombox-discuss@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
Re: [Freedombox-discuss] Can't get android phone to connect to radicale.
On 02/06/2017 11:15 PM, A. F. Cano wrote:
> Failed to obtain certificate for domain .freedombox.rocks: Failed
> authorization procedure. .freedombox.rocks (http-01):
> urn:acme:error:connection :: The server could not connect to the client
> to verify the domain :: Could not connect to .freedombox.rocks

From this, it sounds like the HTTP server on .freedombox.rocks is not reachable from the public Internet. It needs to be in order for the "http-01" validation method to work [1].

What happens if you try to visit http://.freedombox.rocks/ in a browser, preferably from a public Wifi network or some other independent network?

What happens when you run

getent ahosts .freedombox.rocks

from a Linux workstation?

Is the freedombox behind another router? If so, have we verified port forwarding for tcp ports 80 and 443?

> Stopping orbot and disabling the firewall seem to not fix the issue.

Right. I think we *also* need to fix certificate issue.

> I don't see any packets going to/from the phone with wireshark,

Are you running wireshark on the freedombox itself? If not, I'm not sure I'd trust that packet dump. Capturing unicast traffic that doesn't involve the capturing host is tricky business [2]. Maybe try tcpdump on the freedombox (via ssh)?

[1] https://tools.ietf.org/html/draft-ietf-acme-acme-05#section-7.2

[2] https://wiki.wireshark.org/CaptureSetup/WLAN
Re: [Freedombox-discuss] Can't get android phone to connect to radicale.
On Mon, Feb 06, 2017 at 11:57:45AM -0500, Daniel Gnoutcheff wrote:
> ...
>
> This may be a sign that SSL certificate verification is failing.
> Stuffing that message into DuckDuckGo found me a fellow who got the same
> error message and eventually determined that his server's certificate
> had an unsuitable commonName value:
>
> http://stackoverflow.com/questions/12346368/android-httpsurlconnection-javax-net-ssl-sslexception-connection-closed-by-peer
>
> If that's the case here, then we somehow need to teach this thing to
> accept the cert or prepare a certificate that's more to its liking.
>
> What certificate are we using on https://192.168.1.27/? What's the
> commonName, and what's the signing CA?

Mmm... I had used the "letsencrypt" feature to obtain one. I just checked and it was expired (valid through Jan 28 2017 it said - in green). I tried to re-obtain a new one and I got this:

Failed to obtain certificate for domain .freedombox.rocks: Failed authorization procedure. .freedombox.rocks (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to .freedombox.rocks

Then I tried to revoke it and that worked, but trying to re-obtain it gave the same error message above. That's where I'm stuck now. The diagnostics returned "failed", predictably. The dynamic DNS client is up to date as of 2 minutes ago.

> > If I disable the android firewall I get this:
> >
> > === Android log
> >
> > 2017-01-29 16:59:14 2 [HttpClient$1] <-- HTTP FAILED:
> > java.net.ConnectException: Failed to connect to /192.168.1.27:443
> > 2017-01-29 16:59:14 2 [ui.setup.DavResourceFinder] PROPFIND/OPTIONS on
> > user-given URL failed
> > EXCEPTION java.net.ConnectException: Failed to connect to /192.168.1.27:443
>
> That indeed looks like a firewall block. Based on this, I'd say that
> fixing/disabling the firewall is necessary (but not sufficient) to get
> this working.

Stopping orbot and disabling the firewall seem to not fix the issue. I don't see any packets going to/from the phone with wireshark, so there is in fact a problem with the firewall on the phone. I'll keep digging into this. Still the certificate issue above is puzzling. Any hints?

Thanks.

Augustine
Re: [Freedombox-discuss] Can't get android phone to connect to radicale.
On 02/04/2017 01:52 PM, A. F. Cano wrote:
> === Android log
> EXCEPTION javax.net.ssl.SSLException: Connection closed by peer

This may be a sign that SSL certificate verification is failing. Stuffing that message into DuckDuckGo found me a fellow who got the same error message and eventually determined that his server's certificate had an unsuitable commonName value:

http://stackoverflow.com/questions/12346368/android-httpsurlconnection-javax-net-ssl-sslexception-connection-closed-by-peer

If that's the case here, then we somehow need to teach this thing to accept the cert or prepare a certificate that's more to its liking.

What certificate are we using on https://192.168.1.27/? What's the commonName, and what's the signing CA?

> If I disable the android firewall I get this:
>
> === Android log
> 2017-01-29 16:59:14 2 [HttpClient$1] <-- HTTP FAILED:
> java.net.ConnectException: Failed to connect to /192.168.1.27:443
> 2017-01-29 16:59:14 2 [ui.setup.DavResourceFinder] PROPFIND/OPTIONS on
> user-given URL failed
> EXCEPTION java.net.ConnectException: Failed to connect to /192.168.1.27:443

That indeed looks like a firewall block. Based on this, I'd say that fixing/disabling the firewall is necessary (but not sufficient) to get this working.

HTH!

Later,
Daniel
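An added example, not part of the original message and not FreedomBox or DAVdroid code: it reads the two fields asked about above (commonName and signing CA) and applies the validity-period and name checks a TLS client performs, which goes slightly beyond the question by covering expiry and IP-literal URLs as well. The certificate is a constructed sample in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns; `box.example.org`, the issuer name, the timestamps and `CHECK_TIME` are placeholders, while `192.168.1.27` is the address used in the thread.

```python
import ipaddress
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns.
# Host name, issuer and timestamps are placeholders, not values from the thread.
SAMPLE_CERT = {
    "subject": ((("commonName", "box.example.org"),),),
    "issuer": ((("commonName", "Example CA X1"),),),
    "notBefore": "Oct 30 00:00:00 2016 GMT",
    "notAfter": "Jan 28 00:00:00 2017 GMT",
    "subjectAltName": (("DNS", "box.example.org"),),
}
CHECK_TIME = datetime(2017, 2, 6, tzinfo=timezone.utc)  # constructed "now"

def _attr(name, key):
    """First value of `key` in a subject/issuer tuple, or None."""
    return next((v for rdn in name for k, v in rdn if k == key), None)

def summary(cert):
    """(commonName, signing CA commonName) of the certificate."""
    return _attr(cert["subject"], "commonName"), _attr(cert["issuer"], "commonName")

def dns_match(pattern, host):
    """Case-insensitive; '*' may stand only for the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def diagnose(cert, url_host, now):
    """Reasons a TLS client would reject `cert` for `url_host` at time `now`."""
    problems, ts = [], now.timestamp()
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired on " + cert["notAfter"])
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(url_host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal in the URL matches only an 'IP Address' SAN entry.
        ok = any(t == "IP Address" and ipaddress.ip_address(v) == ip for t, v in sans)
    else:
        ok = any(t == "DNS" and dns_match(v, url_host) for t, v in sans)
    if not ok:
        names = ", ".join(v for _, v in sans) or "no SAN entries"
        problems.append(f"name mismatch: {url_host} not in certificate ({names})")
    return problems
```

Calling `diagnose(SAMPLE_CERT, "192.168.1.27", CHECK_TIME)` reports both an expiry and a name mismatch for the sample; an empty list means the certificate passes these two checks for that host.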
Re: [Freedombox-discuss] Can't get android phone to connect to radicale.
On Sun, Feb 05, 2017 at 08:59:49AM +0100, permondes - sagen wrote:
> ...
> On my Android phone with DAVDroid (actually also in Evolution), I have
> to add the calendar-name, the link looks like:
>
> https://192.168.1.27/radicale///

That didn't work either.

> The trailing / was mandatory, it did not work without.

Tried with and without trailing /. Also tried chown radicale.radicale (it was previously owned by .users). No difference.

Also tried

https://192.168.1.27/radicale/collections///

"collections" is also part of the path. No difference.

Also tried with in all the combinations I could think of.

I noticed that there were 2 additional files in /var/lib/radicale/collections//:

ddressbook.vcf.props and Calendar.ics.props

I don't know how they ended up there, I certainly didn't put them there. Interestingly, addressbook.vcf.props was misspelled as "addessbook.vcf.props". Even after correcting the spellings so that the file names match the vcf and ics files that contain the addressbook and calendar data respectively, I get the exact same error.

Can anyone suggest any android tool that might help debug this?

Thanks!

Augustine
Re: [Freedombox-discuss] Can't get android phone to connect to radicale.
On Saturday, 04.02.2017, at 21:11 -0500, A. F. Cano wrote:
> On Sat, Feb 04, 2017 at 02:30:58PM -0500, James Valleroy wrote:
> > On 02/04/2017 01:52 PM, A. F. Cano wrote:
> > > === Android log
> > >...
> > > 2017-01-28 20:33:55 2 [ui.setup.DavResourceFinder] Checking user-given
> > > URL: https://192.168.1.27/radicale//
> > > 2017-01-28 20:33:55 2 [HttpClient$1] --> PROPFIND
> > > https://192.168.1.27/radicale// http/1.1
> > > ...
> > > This is what Davdroid says:
> > >
> > > Configuration detection
> > >
> > > Couldn't find CalDAV or CardDAV service.
> >
> > There shouldn't be any changes needed for the firewall.
>
> Keep in mind that this is the firewall that's on the phone.
>
> > What are you using for the Base URL in Davdroid? I just tried
>
> The one above: https://192.168.1.27/radicale//
>
> > https:// and that worked.
>
> I just tried that (with and without trailing /). It didn't work.
> Also tried:
>
> https:///radicale (with and without trailing /)
> https:///radicale/ (with and without trailing /)
> https://.freedombox.rocks (with and without trailing /)
> https://.freedombox.rocks/radicale (with and without trailing /)
>
> The ones with freedombox.rocks took longer to return the error, so I'm
> wondering if those requests went out on the internet (or the tor
> network - orbot is running on the phone, but tor is not activated on
> the freedombox). In any case, they all failed.
>
> > James
>
> Thanks for replying. I'm not too familiar with Android and compared to
> the tools I have with linux, it's quite cumbersome to debug. Any other
> suggestions? Anyone?
>
> Augustine

On my Android phone with DAVDroid (actually also in Evolution), I have to add the calendar-name, the link looks like:

https://192.168.1.27/radicale///

The trailing / was mandatory, it did not work without.

Dietmar
Re: [Freedombox-discuss] Can't get android phone to connect to radicale.
On Sat, Feb 04, 2017 at 02:30:58PM -0500, James Valleroy wrote:
> On 02/04/2017 01:52 PM, A. F. Cano wrote:
> > === Android log
> >...
> > 2017-01-28 20:33:55 2 [ui.setup.DavResourceFinder] Checking user-given URL:
> > https://192.168.1.27/radicale//
> > 2017-01-28 20:33:55 2 [HttpClient$1] --> PROPFIND
> > https://192.168.1.27/radicale// http/1.1
> > ...
> > This is what Davdroid says:
> >
> > Configuration detection
> >
> > Couldn't find CalDAV or CardDAV service.
>
> There shouldn't be any changes needed for the firewall.

Keep in mind that this is the firewall that's on the phone.

> What are you using for the Base URL in Davdroid? I just tried

The one above: https://192.168.1.27/radicale//

> https:// and that worked.

I just tried that (with and without trailing /). It didn't work. Also tried:

https:///radicale (with and without trailing /)
https:///radicale/ (with and without trailing /)
https://.freedombox.rocks (with and without trailing /)
https://.freedombox.rocks/radicale (with and without trailing /)

The ones with freedombox.rocks took longer to return the error, so I'm wondering if those requests went out on the internet (or the tor network - orbot is running on the phone, but tor is not activated on the freedombox). In any case, they all failed.

> James

Thanks for replying. I'm not too familiar with Android and compared to the tools I have with linux, it's quite cumbersome to debug. Any other suggestions? Anyone?

Augustine
Re: [Freedombox-discuss] Can't get android phone to connect to radicale.
On 02/04/2017 01:52 PM, A. F. Cano wrote:
> === Android log
>
> 2017-01-28 20:33:55 2 [ui.setup.DavResourceFinder] Finding initial carddav
> service configuration
> 2017-01-28 20:33:55 2 [ui.setup.DavResourceFinder] Checking user-given URL:
> https://192.168.1.27/radicale//
> 2017-01-28 20:33:55 2 [HttpClient$1] --> PROPFIND
> https://192.168.1.27/radicale// http/1.1
> 2017-01-28 20:33:55 2 [HttpClient$1] Content-Type: application/xml;
> charset=utf-8
> 2017-01-28 20:33:55 2 [HttpClient$1] Content-Length: 290
> 2017-01-28 20:33:55 2 [HttpClient$1] Depth: 0
> 2017-01-28 20:33:55 2 [HttpClient$1]
> 2017-01-28 20:33:55 2 [HttpClient$1] ?> xmlns:CARD="urn:ietf:params:xml:ns:carddav"> /> />
> 2017-01-28 20:33:55 2 [HttpClient$1] --> END PROPFIND (290-byte body)
> 2017-01-28 20:33:55 2 [HttpClient$1] <-- HTTP FAILED:
> javax.net.ssl.SSLException: Connection closed by peer
> 2017-01-28 20:33:55 2 [ui.setup.DavResourceFinder] PROPFIND/OPTIONS on
> user-given URL failed
> EXCEPTION javax.net.ssl.SSLException: Connection closed by peer
>
> ===
>
> Even though it says "Connection closed by peer" I see no log entry on the
> FreedomBox about radicale being accessed. I have configured Korganizer and
> Kaddressbook on a Debian machine and when those sync up with the FreedomBox
> I do see an entry. This seems to imply that the problem happens before
> radicale sees any packets.
>
> This is what Davdroid says:
>
> Configuration detection
>
> Couldn't find CalDAV or CardDAV service.

There shouldn't be any changes needed for the firewall.

What are you using for the Base URL in Davdroid? I just tried https:// and that worked.

--
James