Calendar not found (OPTION requests return 404)

[rrrnld]

Steps to reproduce

1. Set up any calendar via CalDAV in Evolution: Enter your server URL and user name, click on "Find Calendars", all your calendars will be listed
2. Select any calendar to set up
3. You will receive a message: "Failed to connect calendar: CalDAV $selectedCalendar"

Expected behaviour

I should be able to interact with the calendar I just selected.

Actual behaviour

Evolution sends an OPTION request to the DAV endpoint:

x.x.x.x - - [05/Jan/2019:10:00:35 +0100] "OPTIONS /remote.php/dav/calendars/$user/$calendar/ HTTP/1.1" 404 249 "-" "Evolution/3.30.3"

As shown in the log entry above the server responds with "not found". Just sending a GET request works fine but I guess evolution is trying to figure out whether it has write access? I'm not very familiar with the DAV protocol. The actual response body looks like this:

<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\NotFound</s:exception>
  <s:message>File with name /calendars could not be located</s:message>
</d:error>

I am only seeing this behavior since updating to Nextcloud 15 (and updating all the apps with it). Is this an issue with Nextcloud or the calendar app? Any help is very appreciated, thanks!

Environment

Calendar version: 1.6.4
PHP version: PHP 7.0.33-1+ubuntu18.04.1+deb.sury.org+1
Nextcloud version: 15.0.0.10

nginx config:

server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    # enforce https
    return 301 https://$server_name$request_uri;
    # index index.html;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/dehydrated/certs/example.com/fullchain.pem;
    ssl_certificate_key /etc/dehydrated/certs/example.com/privkey.pem;
    #ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    #ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header Referrer-Policy "no-referrer-when-downgrade";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none; 

    root /var/www/example.com;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # respond to acme challenge when running dehydrated for letsencrypt certs
    location ^~ /.well-known/acme-challenge {
        alias /var/www/dehydrated;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
    # last;

    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 4G;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    location / {
        rewrite ^ /index.php$uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff|svg|gif)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

[georgehrke]

@icewind1991 I think this might be related to your anonymous Options plugin

[georgehrke]

The actual response body looks like this:

@heyarne Can you please check if the actual request contains any kind of authentication? thx

[rullzer]

This will be fixed in 15.0.1: #13354

[rullzer]

So let me then actually close this. 😉

[ril159]

I have had this error after upgrading from 14.0.4 to 14.0.6. CardDav ist still syncing. I found a change in the file mentioned in #13354. After I copied the file from 14.0.4 CalDav starts syncing.

[georgehrke]

@ril159 Thx. Seems like we didn't back port the fix to Nextcloud 14. Onto it ...