WebDAV error message with GnuTLS Apache SSL System

[piotr58]

There is an error message about WebDAV on OC 5 installation when using a SSL connexion and GnuTLS certificate Apache2 module.
The message is:
Your web server is not yet properly setup to allow files synchronization
because the WebDAV interface seems to be broken.
On owncloud/data/owncloud.log, we have:
{"app":"core","message":"isWebDAVWorking: NO - Reason: exception
'Sabre_DAV_Exception' with message '[CURL] Error while making request:
error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (error
code: 35)' in /var/www/owncloud/3rdparty/Sabre/DAV/Client.php:410\nStack
trace:\n#0 /var/www/owncloud/3rdparty/Sabre/DAV/Client.php(179):
Sabre_DAV_Client->request('PROPFIND', '', '<?xml version="...', Array)\n#1
/var/www/owncloud/lib/util.php(590): Sabre_DAV_Client->propFind('', Array)\n#2
/var/www/owncloud/settings/admin.php(34): OC_Util::isWebDAVWorking()\n#3
/var/www/owncloud/lib/route.php(113) : runtime-created function(1):
require_once('/var/www/ownclo...')\n#4 [internal function]: __lambda_func(Array)\n#5
/var/www/owncloud/lib/router.php(127): call_user_func('?lambda_8', Array)\n#6
/var/www/owncloud/lib/base.php(606): OC_Router->match('/settings/admin')\n#7
/var/www/owncloud/index.php(28): OC::handleRequest()\n#8
{main}","level":2,"time":1363823944}

I try to use mod_ssl module just to this virtual host (OC) and GnuTLS module to the others on our Apache server. I have the same message.

The only way we have is to replace GnuTLS apache module to SSL module on ALL virtual hosts...

This is not really a good solution because we have chosen GnuTLS apache module because SSL one don't accept multiple domain certificate by server...

Our configuration:
OS : Debian wheezy
ownCloud: 5.0 from repository

[BernhardPosselt]

@blizzz @icewind1991

[mmattel]

similar to #2511

[julienfastre]

I have the same problème :

isWebDAVWorking: NO - Reason: exception 'Sabre_DAV_Exception' with message '[CURL] Error while making request: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (error code: 35)' in /srv/www/cloud/owncloud-5.0/3rdparty/Sabre/DAV/Client.php:410 Stack trace: #0 /srv/www/cloud/owncloud-5.0/3rdparty/Sabre/DAV/Client.php(179): Sabre_DAV_Client->request('PROPFIND', '', '<?xml version="...', Array) #1 /srv/www/cloud/owncloud-5.0/lib/util.php(590): Sabre_DAV_Client->propFind('', Array) #2 /srv/www/cloud/owncloud-5.0/settings/admin.php(34): OC_Util::isWebDAVWorking() #3 /srv/www/cloud/owncloud-5.0/lib/route.php(113) : runtime-created function(1): require_once('/srv/www/cloud/...') #4 [internal function]: __lambda_func(Array) #5 /srv/www/cloud/owncloud-5.0/lib/router.php(127): call_user_func('?lambda_131', Array) #6 /srv/www/cloud/owncloud-5.0/lib/base.php(608): OC_Router->match('/settings/admin') #7 /srv/www/cloud/owncloud-5.0/index.php(28): OC::handleRequest() #8 {main} 

@mmattel The error message seems to be different here from #2511 : Error while making request: couldn't connect to host (error code: 7) in 2511, Error while making request: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (error code: 35) here.

I also use gnutls.

[dodger-one]

Hi all,
I found similar error on my site running with nginx:

{"app":"core","message":"isWebDAVWorking: NO - Reason: exception 'Sabre_DAV_Exception' with message '[CURL] Error while making request: SSL certificate problem, verify that the CA cert is OK. Details:\nerror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed (error code: 60)' in /www/owncloud.ciberterminal.net/3rdparty/Sabre/DAV/Client.php:410\nStack trace:\n#0 /www/owncloud.ciberterminal.net/3rdparty/Sabre/DAV/Client.php(179): Sabre_DAV_Client->request('PROPFIND', '', '<?xml version="...',
Array)\n#1 /www/owncloud.ciberterminal.net/lib/util.php(593): Sabre_DAV_Client->propFind('', Array)\n#2 /www/owncloud.ciberterminal.net/settings/admin.php(34): OC_Util::isWebDAVWorking()\n#3 /www/owncloud.ciberterminal.net/lib/route.php(113) : runti
me-created function(1): require_once('/home/www/cloud...')\n#4 [internal function]: __lambda_func(Array)\n#5 /www/owncloud.ciberterminal.net/lib/router.php(127): call_user_func('?lambda_90', Array)\n#6 /www/owncloud.ciberterminal.net/lib/base.php(608):
OC_Router->match('/settings/admin')\n#7 /www/owncloud.ciberterminal.net/index.php(28): OC::handleRequest()\n#8 {main}","level":2,"time":1368539032}


I've a self-signed certificate on my site, and is well-known that curl does not like it so much :-P
So I added my CA to the server which is running Owncloud.
Try it :-) cause your description (error 35) is very general:

CURLE_SSL_CONNECT_ERROR (35)
A problem occurred somewhere in the SSL/TLS handshake. You really want the error buffer and read the message there as it pinpoints the problem slightly more. Could be certificates (file formats, paths, permissions), passwords, and others.

[treynolen]

On the original error at the beginning of this issue, I've noticed several people with Debian or Ubuntu having the same problem. I think the issue is that on Debian and Ubuntu, by default the /etc/hosts file is populated with
127.0.0.1 fully.qualified.name

The issue is that php-curl is trying to contact Apache locally on 127.0.0.1 (assuming they are using fully.qualified.name for your instance) and their SSL site is probably not bound to 127.0.0.1 so it can't reach the site. If you change the 127.0.0.1 to the IP your SSL owncloud instance is bound to, it should work.

[julienfastre]

Hi,

I added my owncloud instance's fully qualified name to my IP address but this seems not work.

The line I modified :

xx.xx.xx.xx name0 name1 owncloud.example.com # I added 'owncloud.example.com'

Error message :

isWebDAVWorking: NO - Reason: exception 'Sabre_DAV_Exception' with message '[CURL] Error while making request: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (error code: 35)' in /srv/www/cloud/owncloud-5.0/3rdparty/Sabre/DAV/Client.php:410 Stack trace: #0 /srv/www/cloud/owncloud-5.0/3rdparty/Sabre/DAV/Client.php(179): Sabre_DAV_Client->request('PROPFIND', '', '<?xml version="...', Array) #1 /srv/www/cloud/owncloud-5.0/lib/util.php(599): Sabre_DAV_Client->propFind('', Array) #2 /srv/www/cloud/owncloud-5.0/settings/admin.php(34): OC_Util::isWebDAVWorking() #3 /srv/www/cloud/owncloud-5.0/lib/route.php(113) : runtime-created function(1): require_once('/srv/www/cloud/...') #4 [internal function]: __lambda_func(Array) #5 /srv/www/cloud/owncloud-5.0/lib/router.php(127): call_user_func('?lambda_8', Array) #6 /srv/www/cloud/owncloud-5.0/lib/base.php(610): OC_Router->match('/settings/admin') #7 /srv/www/cloud/owncloud-5.0/index.php(28): OC::handleRequest() #8 {main}

I use Ubuntu 12.04.2

[treynolen]

From the command line, ping your.owncloud.instance. and make sure it resolves to the correct IP that the SSL instance of Apache2 responds on.

[julienfastre]

I did so... And the IP responding match the IP at the beginning of the line where I added 'owncloud.example.com'.

But, when I do ping owncloud.example.com from outside of my command line's server I have this result :

64 bytes from example.com (xx.xx.xx.xx): icmp_req=1 ttl=55 time=43.8 ms
64 bytes from example.com (xx.xx.xx.xx): icmp_req=2 ttl=55 time=32.7 ms
64 bytes from example.com (xx.xx.xx.xx): icmp_req=3 ttl=55 time=31.5 ms

where example.com is not owncloud.example.com !

And from the command'line server, I obtain :

64 bytes from owncloud.example.com (xx.xx.xx.xx): icmp_req=1 ttl=64 time=0.098 ms

where owncloud.example.com is the responding URL for my owncloud instance.

[Rid]

I'm also seeing this issue on multiple installs of CentOS 5.8 with GnuTLS, it's not happening on CentOS 6.4 with mod_ssl, unfortunately mod_ssl on CentOS 5 doesn't support SNI due to the version of OpenSSL (0.9.8e-22.el5_8.4) so we're unable to switch to mod_ssl.

We're running gnutls-2.12.23 and mod_gnutls-0.5.10 with apache 2.2.23.

The webserver is having no problems resolving the DNS. The issue only occurs when browsing owncloud with SSL, without SSL the error disappears.

[leaf-node]

i installed libgnutls-openssl27 on debian wheezy after a reboot, and now i'm not getting the error. when i run the following command:

openssl ciphers -v 'ALL' | grep SSLv2

i don't get any output, so it looks like the insecure sslv2 ciphers haven't been installed. :)

would someone please update the installation instructions to mention this dependency when using mod_gnutls?

thanks!

[leaf-node]

never mind... :( it looks like i visited the site using http:// that time. when i tried it again with https://, i got the same error again.

[computersalat]

Having this problem on a clean install of SLES 11.
But using mod_ssl with apache.

isWebDAVWorking: NO - Reason: exception 'Sabre_DAV_Exception' with message '[CURL] Error while making request: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (error code: 35)' in /srv/www/htdocs/owncloud/3rdparty/Sabre/DAV/Client.php:410 Stack trace: #0 /srv/www/htdocs/owncloud/3rdparty/Sabre/DAV/Client.php(179): Sabre_DAV_Client->request('PROPFIND', '', '<?xml version="...', Array) #1 /srv/www/htdocs/owncloud/lib/util.php(648): Sabre_DAV_Client->propFind('', Array) #2 /srv/www/htdocs/owncloud/settings/admin.php(34): OC_Util::isWebDAVWorking() #3 /srv/www/htdocs/owncloud/lib/route.php(113) : runtime-created function(1): require_once('/srv/www/htdocs...') #4 [internal function]: __lambda_func(Array) #5 /srv/www/htdocs/owncloud/lib/router.php(127): call_user_func('?lambda_90', Array) #6 /srv/www/htdocs/owncloud/lib/base.php(629): OC_Router->match('/settings/admin') #7 /srv/www/htdocs/owncloud/index.php(28): OC::handleRequest() #8 {main}

why is OC talking about 'unknown protocol' ??

BTW using SSL23 is not a good idea cause SSL2 is known to be insecure.
used SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@strength

[letheed]

I had a similar issue yesterday after installing OC6 on a ubuntu 13.10 server.
An error code 35 showed up in the logs (Sabre_DAV_Exception)...
A warning message that WebDAV might not be working properly appeared in the isWebDAVWorking post-install-check and in the administration panel. Client wouldn't connect either (coudn't reach owncloud.domain.com/status.php), though webdav through my browser was just fine.
After some research, turns out it's a problem with the TLS version used by the server that is not compatible with the openssl client.
I setup nginx to use TLS1.2 only, but TLS1.1 and 1.2 were disabled in the openssl client since Ubuntu 12.04 since some website didn't support it properly and couldn't be reached anymore (see https://bugs.launchpad.net/openssl/+bug/965371).
Adding TLS1.1 and TLS1.0 in nginx.conf solved the issue.
Fortunately TLS1.2 support is now much better and it will be supported again from 14.04 on. It was added back to openssl 2 weeks ago (see https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1257877) in the trusty repositories.
I upgraded my desktop machine from saucy to trusty and set nginx back to TLS1.2. The client is now able to reach the server during the account setup.
I'm not sure if that is actually the same issue for you here but so many people have had an error 35 with webdav that I though I could spare some of them some trouble.

[karlitschek]

Do you use a self signed ssl cert?

[letheed]

Yes, I do.

[mmattel]

Hello Frank,

I have the same issue here and tried a lot around. Here are my findings.
Ubuntu 12.04, Apache, MySql, latest patchlevel, accessing owncloud via https

1.) I deleted my self signed certificate
2.) I signed up at www.cacert.org and created a certificate following the guide at http://wiki.cacert.org/SimpleApacheCert
3.) I downloaded the signed certificate and imported it to apache
4.) following the guide at: http://turboflash.wordpress.com/2009/06/23/curl-adding-installing-trusting-new-self-signed-certificate/
I copied the certificate to /usr/share/ca-certificates, added my certificate to the ca-certificates.conf file and executed sudo update-ca-certificates --fresh
5.) sudo service apache2 restart

At this point things looked better but I am still stuck. sudo curl https://mydomain.com now reports that it is principly fine with the certificate but now responds with "forbidden".
Here is the output of the curl command (btw: the same with parameter -k)

sudo curl https://mydomain.com

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.</p>
<hr>
<address>Apache/2.2.22 (Ubuntu) Server at https://mydomain.com Port 443</address>
</body></html>

Here are my owncloud.log entries:

• with my original self signed ssl certificate via https://mydomain.com:
  {"app":"core","message":"isWebDAVWorking: NO - Reason: [CURL] Error while making request: SSL: unable to obtain common name from peer certificate (error code: 51) (Sabre_DAV_Exception)","level":2,"time":"2013-12-17T11:44:25+00:00"}
• accessing owncloud from my internal network via https://hostname:
  {"app":"core","message":"isWebDAVWorking: NO - Reason: [CURL] Error while making request: SSL peer certificate or SSH remote key was not OK (error code: 51) (Sabre_DAV_Exception)","level":2,"time":"2013-12-28T20:56:47+00:00"}
• now with my new signed certificate via https://mydomain.com:
  {"app":"core","message":"isWebDAVWorking: NO - Reason: Forbidden (Sabre_DAV_Exception_Forbidden)","level":2,"time":"2013-12-28T22:12:03+00:00"}

I have not tried it with the sync client, but this will come in the next days.

Maybe this page helps to find/come over the issue: http://curl.haxx.se/docs/sslcerts.html
As they write "1. Tell libcurl to not verify the peer" sounds to me a interesting approach

Best regards
Martin

[mmattel]

add on, a additional message coming from owncloud.log

{"app":"core","message":"isWebDAVWorking: NO - Reason: [CURL] Error while making request: Operation timed out after 10001 milliseconds with 0 bytes received (error code: 28) (Sabre_DAV_Exception)","level":2,"time":"2013-12-28T23:39:28+00:00"}

[BjoKaSH]

Same problem here as the original report.
Using curl from command line gives contradicting results.

Details:

Expected behaviour

No error message in Admin panel.
Curl working

Actual behaviour

Error message in Admin panel: (Same as original reporter, just different language)

Einrichtungswarnung Dein Web-Server ist noch nicht für Datei-Synchronisation bereit, weil die WebDAV-Schnittstelle vermutlich defekt ist. Bitte prüfe die Instalationsanleitungen. 

Additional tests with curl on command line:

Running curl from my client Mac results in:

bj $ curl -v https://share.xxx-yyy.de/remote.php/webdav/
* About to connect() to share.xxx-yyy.de port 443 (#0)
*   Trying 213.239.x.y...
* Adding handle: conn: 0x100837800
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x100837800) send_pipe: 1, recv_pipe: 0
* Connected to share.xxx-yyy.de (213.239.x.y) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /opt/local/share/curl/curl-ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*    subject: serialNumber=jw-n...Pw; OU=GT...; OU=See www.rapidssl.com/resources/cps (c)14; OU=Domain Control Validated - RapidSSL(R); CN=*.xxx-yyy.de
*    start date: 2014-01-08 02:42:46 GMT
*    expire date: 2015-01-10 22:04:10 GMT
*    subjectAltName: share.xxx-yyy.de matched
*    issuer: C=US; O=GeoTrust, Inc.; CN=RapidSSL CA
*    SSL certificate verify ok.
> GET /remote.php/webdav/ HTTP/1.1
> User-Agent: curl/7.33.0
> Host: share.xxx-yyy.de
> Accept: */*
> 
* Empty reply from server
* Connection #0 to host share.xxx-yyy.de left intact
curl: (52) Empty reply from server

Running curl on the server machine results in:

vu2002@srv2:~$ curl -v https://share.xxx-yyy.de/remote.php/webdav/
* About to connect() to share.xxx-yyy.de port 443 (#0)
*   Trying 213.239.x.y... connected
* Connected to share.xxx-yyy.de (213.239.x.y) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*        subject: serialNumber=jw-n...Pw; OU=GT...; OU=See www.rapidssl.com/resources/cps (c)14; OU=Domain Control Validated - RapidSSL(R); CN=*.xxx-yyy.de
*        start date: 2014-01-08 02:42:46 GMT
*        expire date: 2015-01-10 22:04:10 GMT
*        subjectAltName: share.xxx-yyy.de matched
*        issuer: C=US; O=GeoTrust, Inc.; CN=RapidSSL CA
*        SSL certificate verify ok.
> GET /remote.php/webdav/ HTTP/1.1
> User-Agent: curl/7.21.0 (i486-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6
> Host: share.xxx-yyy.de
> Accept: */*
>
* SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
* Closing connection #0

Server configuration

Operating system: Debian 6.0.7

Web server: Apache/2.2.16 (Debian)

Database: mysql Ver 14.14 Distrib 5.1.49, for debian-linux-gnu (i486)

PHP version: PHP 5.3.3-7+squeeze17

ownCloud version: ownCloud 5.0.14a

Updated from an older ownCloud or fresh install: fresh install

List of activated app:

Bookmarks
Calendar
Contacts
Deleted files
Eagle Eye
First Run Wizard
Full Text Search
ODF Viewer
PDF Viewer
Pictures
Share Files
Text Editor
Versions
Files move
Mozilla Sync

The content of config/config.php: (Without the database password and passwordsalt)

<?php
$CONFIG = array (
  'instanceid' => '52c168258a884',
  'passwordsalt' => '...',
  'datadirectory' => '/data/www/htdocs_share/data',
  'dbtype' => 'mysql',
  'version' => '5.0.28',
  'dbname' => '...',
  'dbhost' => 'localhost',
  'dbtableprefix' => 'oc_',
  'dbuser' => '...',
  'dbpassword' => '...',
  'installed' => true,
  'loglevel' => '2',
  'forcessl' => true,
);

Are you using external storage, if yes which one: none

Client configuration

Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:24.0) Gecko/20100101 Firefox/24.0

Operating system: MacOSX 10.6.8

Logs

Web server error log

--- no relevant lines in apache error log ---

ownCloud log (data/owncloud.log)

{"app":"PHP","message":"curl_setopt_array(): CURLOPT_FOLLOWLOCATION cannot be activated when safe_mode is enabled or an open_basedir is set at \/data\/www\/htdocs_share\/3rdparty\/Sabre\/DAV\/Client.php#462","level":2,"time":"2014-01-10T00:22:39+00:00"}
{"app":"core","message":"isWebDAVWorking: NO - Reason: exception 'Sabre_DAV_Exception' with message '[CURL] Error while making request: SSL read: error:00000000:lib(0):func(0):reason(0), errno 104 (error code: 56)' in \/data\/www\/htdocs_share\/3rdparty\/Sabre\/DAV\/Client.php:410\nStack trace:\n#0 \/data\/www\/htdocs_share\/3rdparty\/Sabre\/DAV\/Client.php(179): Sabre_DAV_Client->request('PROPFIND', '', '<?xml version=\"...', Array)\n#1 \/data\/www\/htdocs_share\/lib\/util.php(650): Sabre_DAV_Client->propFind('', Array)\n#2 \/data\/www\/htdocs_share\/settings\/admin.php(34): OC_Util::isWebDAVWorking()\n#3 \/data\/www\/htdocs_share\/lib\/route.php(113) : runtime-created function(1): require_once('\/data\/www\/htdoc...')\n#4 [internal function]: __lambda_func(Array)\n#5 \/data\/www\/htdocs_share\/lib\/router.php(127): call_user_func('?lambda_256', Array)\n#6 \/data\/www\/htdocs_share\/lib\/base.php(629): OC_Router->match('\/settings\/admin')\n#7 \/data\/www\/htdocs_share\/index.php(28): OC::handleRequest()\n#8 {main}","level":2,"time":"2014-01-10T00:22:39+00:00"}

[PVince81]

In #7045 it has been suggested to prevent the curl call to verify the host.

[computersalat]

After removing the 'htaccess (Auth)' everything is fine now.
And the 'error message' was really confusing.

[elcapo]

I'm having exactly the same problem, also using:

• Debian Wheezy
• Name-based Apache Virtual Hosts
• GNUTLS
• Self Signed Certificate.

By the way, not sure if I was doing something silly but I tried to apply the path proposed in #8181 to my a OwnCloud 6.0.3 development environment, but still have the message. owncloud.log says:

{"app":"core","message":"isWebDAVWorking: NO - Reason: [CURL] Error while making request: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (error code: 35) (Sabre_DAV_Exception)","level":2,"time":"2014-05-18T02:33:56+00:00"}

[PVince81]

Obsoleted by #7051
WebDAV check will be done through ajax in the next OC 7 release.