diff --git a/admin_manual/images/code-integrity-admin.png b/admin_manual/images/code-integrity-admin.png deleted file mode 100644 index 038f426ad..000000000 Binary files a/admin_manual/images/code-integrity-admin.png and /dev/null differ diff --git a/admin_manual/images/code-integrity-notification.png b/admin_manual/images/code-integrity-notification.png deleted file mode 100644 index e6b78e6e1..000000000 Binary files a/admin_manual/images/code-integrity-notification.png and /dev/null differ diff --git a/admin_manual/issues/code_signing.rst b/admin_manual/issues/code_signing.rst new file mode 100644 index 000000000..70ed1c00f --- /dev/null +++ b/admin_manual/issues/code_signing.rst @@ -0,0 +1,216 @@ +============ +Code Signing +============ + +.. sectionauthor:: Lukas Reschke + +ownCloud supports code signing for the core releases, and for ownCloud +applications. Code signing gives our users an additional layer of security by +ensuring that nobody other than authorized persons can push updates. + +It also ensures that all upgrades have been executed properly, so that no files +are left behind, and all old files are properly replaced. In the past, invalid +updates were a significant source of errors when updating ownCloud. + +FAQ +--- + +Why Did ownCloud Add Code Signing? +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +By supporting Code Signing we add another layer of security by ensuring that +nobody other than authorized persons can push updates for applications, and +ensuring proper upgrades. + +Do We Lock Down ownCloud? +^^^^^^^^^^^^^^^^^^^^^^^^^ + +The ownCloud project is open source and always will be. We do not want to +make it more difficult for our users to run ownCloud. Any code signing errors on +upgrades will not prevent ownCloud from running, but will display a warning on +the Admin page. For applications that are not tagged "Official" the code signing +process is optional. + +Not Open Source Anymore? +^^^^^^^^^^^^^^^^^^^^^^^^ + +The ownCloud project is open source and always will be. The code signing +process is optional, though highly recommended. The code check for the +core parts of ownCloud is enabled when the ownCloud release version branch has +been set to stable. + +For custom distributions of ownCloud it is recommended to change the release +version branch in version.php to something else than "stable". + +Is Code Signing Mandatory For Apps? +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Code signing is optional for all third-party applications. Applications +with a tag of "Official" on apps.owncloud.com require code signing. + +Fixing Invalid Code Integrity +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +A code integrity error message ("There were problems with the code integrity +check. More information…") appears in a yellow banner at the top of your +ownCloud Web interface: + +.. image:: images/code-integrity-notification.png + :alt: Code integrity warning banner. + +Clicking on this link will take you to your ownCloud admin page, which provides +the following options: + +1. Link to this documentation entry. +2. Show a list of invalid files. +3. Trigger a rescan. + +.. image:: images/code-integrity-admin.png + :alt: Links for resolving code integrity warnings. + +To debug issues caused by the code integrity check click on "List of invalid +files…", and you will be shown a text document listing the different issues. The +content of the file will look similar to the following example: + +.. code-block:: text + + Technical information + ===================== + The following list covers which files have failed the integrity check. Please read + the previous linked documentation to learn more about the errors and how to fix + them. + + Results + ======= + - core + - INVALID_HASH + - /index.php + - /version.php + - EXTRA_FILE + - /test.php + - calendar + - EXCEPTION + - OC\IntegrityCheck\Exceptions\InvalidSignatureException + - Signature data not found. + + Raw output + ========== + Array + ( + [core] => Array + ( + [INVALID_HASH] => Array + ( + [/index.php] => Array + ( + [expected] => + f1c5e2630d784bc9cb02d5a28f55d6f24d06dae2a0fee685f3 + c2521b050955d9d452769f61454c9ddfa9c308146ade10546c + fa829794448eaffbc9a04a29d216 + [current] => + ce08bf30bcbb879a18b49239a9bec6b8702f52452f88a9d321 + 42cad8d2494d5735e6bfa0d8642b2762c62ca5be49f9bf4ec2 + 31d4a230559d4f3e2c471d3ea094 + ) + + [/version.php] => Array + ( + [expected] => + c5a03bacae8dedf8b239997901ba1fffd2fe51271d13a00cc4 + b34b09cca5176397a89fc27381cbb1f72855fa18b69b6f87d7 + d5685c3b45aee373b09be54742ea + [current] => + 88a3a92c11db91dec1ac3be0e1c87f862c95ba6ffaaaa3f2c3 + b8f682187c66f07af3a3b557a868342ef4a271218fe1c1e300 + c478e6c156c5955ed53c40d06585 + ) + + ) + + [EXTRA_FILE] => Array + ( + [/test.php] => Array + ( + [expected] => + [current] => + 09563164f9904a837f9ca0b5f626db56c838e5098e0ccc1d8b + 935f68fa03a25c5ec6f6b2d9e44a868e8b85764dafd1605522 + b4af8db0ae269d73432e9a01e63a + ) + + ) + + ) + + [calendar] => Array + ( + [EXCEPTION] => Array + ( + [class] => OC\IntegrityCheck\Exceptions\InvalidSignature + Exception + [message] => Signature data not found. + ) + + ) + + ) + +In above error output it can be seen that: + +1. In the ownCloud core (that is, the ownCloud server itself) the files + "index.php" and "version.php" do have the wrong version. +2. In the ownCloud core the unrequired extra file "/test.php" has been found. +3. It was not possible to verify the signature of the calendar application. + +The solution is to upload the correct "index.php" and "version.php" files, and +delete the "test.php" file. For the calendar exception contact the developer of +the application. For other means on how to receive support please take a look at +https://owncloud.org/support/. After fixing these problems verify by clicking +"Rescan…". + +Errors +====== + +The following errors can be encountered when trying to verify a code signature. + +- ``INVALID_HASH`` + + - The file has a different hash than specified within ``signature.json``. This + usually happens when the file has been modified after writing the signature + data. + +- ``MISSING_FILE`` + + - The file cannot be found but has been specified within ``signature.json``. + Either a required file has been left out, or ``signature.json`` needs to be + edited. + +- ``EXTRA_FILE`` + + - The file does not exist in ``signature.json``. This usually happens when a + file has been removed and ``signature.json`` has not been updated. + +- ``EXCEPTION`` + + - Another exception has prevented the code verification. There are currently + these following exceptions: + + - ``Signature data not found.``` + + - The app has mandatory code signing enforced but no ``signature.json`` + file has been found in its ``appinfo`` folder. + + - ``Certificate is not valid.`` + + - The certificate has not been issued by the official ownCloud Code + Signing Root Authority. + + - ``Certificate is not valid for required scope. (Requested: %s, current: %s)`` + + - The certificate is not valid for the defined application. Certificates + are only valid for the defined app identifier and cannot be used for + others. + + - ``Signature could not get verified.`` + + - There was a problem with verifying the signature of ``signature.json``. diff --git a/admin_manual/issues/general_troubleshooting.rst b/admin_manual/issues/general_troubleshooting.rst new file mode 100644 index 000000000..dbec12d74 --- /dev/null +++ b/admin_manual/issues/general_troubleshooting.rst @@ -0,0 +1,301 @@ +======================= +General Troubleshooting +======================= + +If you have trouble installing, configuring or maintaining ownCloud, please +refer to our community support channels: + +* `The ownCloud Forums`_ + +.. note:: The ownCloud forums have a `FAQ page`_ where each topic corresponds + to typical mistakes or frequently occurring issues + +* `The ownCloud User mailing list`_ +* The ownCloud IRC chat channel ``irc://#owncloud@freenode.net`` on + freenode.net, also accessible via `webchat`_ + +Please understand that all these channels essentially consist of users like you +helping each other out. Consider helping others out where you can, to +contribute +back for the help you get. This is the only way to keep a community like +ownCloud healthy and sustainable! + +If you are using ownCloud in a business or otherwise large scale deployment, +note that ownCloud Inc. offers the `Enterprise Subscription`_ with commercial +support options. + +Bugs +---- + +If you think you have found a bug in ownCloud, please: + +* Search for a solution (see the options above) +* Double-check your configuration + +If you can't find a solution, please use our `bugtracker`_. + +.. _the ownCloud Forums: http://forum.owncloud.org +.. _FAQ page: https://forum.owncloud.org/viewforum.php?f=17 +.. _the ownCloud User mailing list: + https://mailman.owncloud.org/mailman/listinfo/user +.. _webchat: http://webchat.freenode.net/?channels=owncloud +.. _Enterprise Subscription: https://owncloud.com/lp/community-or-enterprise/ +.. _bugtracker: + http://doc.owncloud.org/server/9.0/developer_manual/bugtracker/index.html +.. TODO ON RELEASE: Update version number above on release + +General Troubleshooting +----------------------- + +When you see warnings about ``code integrity``, refer to :doc:`code_signing`. + +Disable 3rdparty / non-shipped apps +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +It might be possible that 3rd party / non-shipped apps are causing various +different issues. Always disable 3rd party apps before upgrades, and for +troubleshooting. Please refer to the :ref:`apps_commands_label` on how +to disable an app from command line. + +ownCloud Logfiles +^^^^^^^^^^^^^^^^^ + +In a standard ownCloud installation the log level is set to ``Normal``. To find +any issues you need to raise the log level to ``All`` in your ``config.php`` +file, or to **Everything** on your ownCloud Admin page. Please see +:doc:`../configuration_server/logging_configuration` for more information on +these log levels. + +Some logging - for example JavaScript console logging - needs manually editing +the configuration file. Edit :file:`config/config.php` and add +``define('DEBUG', +true);``:: + + `_. + +.. note:: The logfile of ownCloud is located in the data directory + ``owncloud/data/owncloud.log``. + +.. _label-phpinfo: + +PHP Version and Information +^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +You will need to know your PHP version and configurations. To do this, create a +plain-text file named **phpinfo.php** and place it in your Web root, for +example ``/var/www/html/phpinfo.php``. (Your Web root may be in a different +location; your Linux distribution documentation will tell you where.) This file +contains just this line:: + + + +Open this file in a Web browser by pointing your browser to +``localhost/phpinfo.php``: + +.. figure:: ../images/phpinfo.png + +Your PHP version is at the top, and the rest of the page contains abundant +system information such as active modules, active `.ini` files, and much more. +When you are finished reviewing your information you must delete +``phpinfo.php``, or move it outside of your Web directory, because it is a +security risk to expose such sensitive data. + +Debugging Sync Issues +^^^^^^^^^^^^^^^^^^^^^ + +.. note:: The data directory on the server is exclusive to ownCloud and must + not be modified manually. + +Disregarding this can lead to unwanted behaviours like: + +* Problems with sync clients +* Undetected changes due to caching in the database + +If you need to directly upload files from the same server please use a WebDAV +command line client like ``cadaver`` to upload files to the WebDAV interface at: + + https://example.org/owncloud/remote.php/webdav + +Common problems / error messages +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Some common problems / error messages found in your logfiles as described above: + +* ``SQLSTATE[HY000] [1040] Too many connections`` -> You need to increase the + connection limit of your database, please refer to the manual of your database + for more information. +* ``SQLSTATE[HY000]: General error: 5 database is locked`` -> You're using + ``SQLite`` + which can't handle a lot of parallel requests. Please consider converting to + another database like described in + :doc:`../configuration_database/db_conversion`. +* ``SQLSTATE[HY000]: General error: 2006 MySQL server has gone away`` -> The + database request takes too long and therefore the MySQL server times out. Its + also possible that the server is dropping a packet that is too large. Please + refer to the manual of your database for how to raise the config options + ``wait_timeout`` and/or ``max_allowed_packet``. +* ``SQLSTATE[HY000] [2002] No such file or directory`` -> There is a problem + accessing your SQLite database file in your data directory + (``data/owncloud.db``). Please check the permissions of this folder/file or + if it exists at all. If you're using MySQL please start your database. +* ``Connection closed / Operation cancelled`` -> This could be caused by wrong + ``KeepAlive`` settings within your Apache config. Make sure that + ``KeepAlive`` is set to ``On`` and also try to raise the limits of + ``KeepAliveTimeout`` and ``MaxKeepAliveRequests``. +* ``No basic authentication headers were found`` -> This error is shown in your + ``data/owncloud.log`` file. Some Apache modules like ``mod_fastcgi``, ``mod_fcgid`` + or ``mod_proxy_fcgi`` are not passing the needed authentication headers to + PHP and so the login to ownCloud via WebDAV, CalDAV and CardDAV clients is + failing. Information on how to correctly configure your environment can be + found at the `forums `_. + +Troubleshooting Webserver and PHP problems +------------------------------------------ + +Logfiles +^^^^^^^^ + +When having issues the first step is to check the logfiles provided by PHP, the +Webserver and ownCloud itself. + +.. note:: In the following the paths to the logfiles of a default Debian + installation running Apache2 with mod_php is assumed. On other webservers, + Linux distros or operating systems they can differ. + +* The logfile of Apache2 is located in ``/var/log/apache2/error.log``. +* The logfile of PHP can be configured in your ``/etc/php5/apache2/php.ini``. + You need to set the directive ``log_errors`` to ``On`` and choose the path + to store the logfile in the ``error_log`` directive. After those changes you + need to restart your Webserver. +* The logfile of ownCloud is located in the data directory + ``/var/www/owncloud/data/owncloud.log``. + +Webserver and PHP modules +^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. note:: Lighttpd is not supported with ownCloud, and some ownCloud features + may not work at all on Lighttpd. + +There are some Webserver or PHP modules which are known to cause various +problems like broken up-/downloads. The following shows a draft overview of +these modules: + +1. Apache + +* mod_pagespeed +* mod_evasive +* mod_security +* mod_reqtimeout +* mod_deflate +* libapache2-mod-php5filter (use libapache2-mod-php5 instead) +* mod_spdy together with libapache2-mod-php5 / mod_php (use fcgi or php-fpm + instead) +* mod_dav +* mod_xsendfile / X-Sendfile (causing broken downloads if not configured + correctly) + +2. NginX + +* ngx_pagespeed +* HttpDavModule +* X-Sendfile (causing broken downloads if not configured correctly) + +3. Mac OS X server + +* mod_auth_apple +* com.apple.webapp.webdavsharing + +4. PHP + +* eAccelerator + +Troubleshooting WebDAV +---------------------- + +ownCloud uses SabreDAV, and the SabreDAV documentation is comprehensive and +helpful. + +.. note: Lighttpd is not supported on ownCloud, and Lighttpd WebDAV does not + work with ownCloud. + +See: + +* `SabreDAV FAQ `_ +* `Webservers `_ (Lists lighttpd as not + recommended) +* `Working with large files `_ (Shows a PHP + bug in older SabreDAV versions and information for mod_security problems) +* `0 byte files `_ (Reasons for empty files on the + server) +* `Clients `_ (A comprehensive list of WebDAV + clients, and possible problems with each one) +* `Finder, OS X's built-in WebDAV client + `_ + (Describes problems with Finder on various webservers) + +There is also a well maintained FAQ thread available at the `ownCloud Forums +`_ +which contains various additional information about WebDAV problems. + +Troubleshooting Contacts & Calendar +----------------------------------- + +.. _service-discovery-label: + +Service discovery +^^^^^^^^^^^^^^^^^ + +Some clients - especially iOS - have problems finding the proper sync URL, even +when explicitly configured to use it. + +There are several techniques to remedy this, which are described extensively at +the `Sabre DAV website `_. + +If your ownCloud instance is installed in a subfolder under the web server's +document root and the client has difficulties finding the Cal- or CardDAV +end-points, configure your web server to redirect from a "well-known" URL to +the +one used by ownCloud. When using the Apache web server this is easily achieved +using a :file:`.htaccess` file in the document root of your site. + +Say your instance is located in the ``owncloud`` folder, so the URL to it is +``ADDRESS/owncloud``, create or edit the :file:`.htaccess` file and add the +following lines:: + + Redirect 301 /.well-known/carddav /owncloud/remote.php/carddav + Redirect 301 /.well-known/caldav /owncloud/remote.php/caldav + +Now change the URL in the client settings to just use ``ADDRESS`` instead of +e.g. ``ADDRESS/remote.php/carddav/principals/username``. + +This problem is being discussed in the `forum +`_. + +Unable to update Contacts or Events +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +If you get an error like ``PATCH https://ADDRESS/some_url HTTP/1.0 501 Not +Implemented`` it is likely caused by one of the following reasons: + +Using Pound reverse-proxy/load balancer + As of writing this Pound doesn't support the HTTP/1.1 verb. + Pound is easily `patched + `_ + to support HTTP/1.1. + +Other issues +------------ + +Some services like *Cloudflare* can cause issues by minimizing JavaScript +and loading it only when needed. When having issues like a not working +login button or creating new users make sure to disable such services +first. \ No newline at end of file diff --git a/admin_manual/issues/images/code-integrity-admin.png b/admin_manual/issues/images/code-integrity-admin.png new file mode 100644 index 000000000..7f8545eb7 Binary files /dev/null and b/admin_manual/issues/images/code-integrity-admin.png differ diff --git a/admin_manual/issues/images/code-integrity-notification.png b/admin_manual/issues/images/code-integrity-notification.png new file mode 100644 index 000000000..dd9646d23 Binary files /dev/null and b/admin_manual/issues/images/code-integrity-notification.png differ diff --git a/admin_manual/issues/index.rst b/admin_manual/issues/index.rst index 768ed9084..da2c977c9 100644 --- a/admin_manual/issues/index.rst +++ b/admin_manual/issues/index.rst @@ -1,299 +1,10 @@ ========================== Issues and Troubleshooting -========================== +========================== -If you have trouble installing, configuring or maintaining ownCloud, please -refer to our community support channels: +.. toctree:: + :maxdepth: 2 -* `The ownCloud Forums`_ - -.. note:: The ownCloud forums have a `FAQ page`_ where each topic corresponds - to typical mistakes or frequently occurring issues - -* `The ownCloud User mailing list`_ -* The ownCloud IRC chat channel ``irc://#owncloud@freenode.net`` on - freenode.net, also accessible via `webchat`_ - -Please understand that all these channels essentially consist of users like you -helping each other out. Consider helping others out where you can, to -contribute -back for the help you get. This is the only way to keep a community like -ownCloud healthy and sustainable! - -If you are using ownCloud in a business or otherwise large scale deployment, -note that ownCloud Inc. offers the `Enterprise Subscription`_ with commercial -support options. - -Bugs ----- - -If you think you have found a bug in ownCloud, please: - -* Search for a solution (see the options above) -* Double-check your configuration - -If you can't find a solution, please use our `bugtracker`_. - -.. _the ownCloud Forums: http://forum.owncloud.org -.. _FAQ page: https://forum.owncloud.org/viewforum.php?f=17 -.. _the ownCloud User mailing list: - https://mailman.owncloud.org/mailman/listinfo/user -.. _webchat: http://webchat.freenode.net/?channels=owncloud -.. _Enterprise Subscription: https://owncloud.com/lp/community-or-enterprise/ -.. _bugtracker: - http://doc.owncloud.org/server/9.0/developer_manual/bugtracker/index.html -.. TODO ON RELEASE: Update version number above on release - -General Troubleshooting ------------------------ - -Disable 3rdparty / non-shipped apps -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -It might be possible that 3rd party / non-shipped apps are causing various -different issues. Always disable 3rd party apps before upgrades, and for -troubleshooting. Please refer to the :ref:`apps_commands_label` on how -to disable an app from command line. - -ownCloud Logfiles -^^^^^^^^^^^^^^^^^ - -In a standard ownCloud installation the log level is set to ``Normal``. To find -any issues you need to raise the log level to ``All`` in your ``config.php`` -file, or to **Everything** on your ownCloud Admin page. Please see -:doc:`../configuration_server/logging_configuration` for more information on -these log levels. - -Some logging - for example JavaScript console logging - needs manually editing -the configuration file. Edit :file:`config/config.php` and add -``define('DEBUG', -true);``:: - - `_. - -.. note:: The logfile of ownCloud is located in the data directory - ``owncloud/data/owncloud.log``. - -.. _label-phpinfo: - -PHP Version and Information -^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -You will need to know your PHP version and configurations. To do this, create a -plain-text file named **phpinfo.php** and place it in your Web root, for -example ``/var/www/html/phpinfo.php``. (Your Web root may be in a different -location; your Linux distribution documentation will tell you where.) This file -contains just this line:: - - - -Open this file in a Web browser by pointing your browser to -``localhost/phpinfo.php``: - -.. figure:: ../images/phpinfo.png - -Your PHP version is at the top, and the rest of the page contains abundant -system information such as active modules, active `.ini` files, and much more. -When you are finished reviewing your information you must delete -``phpinfo.php``, or move it outside of your Web directory, because it is a -security risk to expose such sensitive data. - -Debugging Sync Issues -^^^^^^^^^^^^^^^^^^^^^ - -.. note:: The data directory on the server is exclusive to ownCloud and must - not be modified manually. - -Disregarding this can lead to unwanted behaviours like: - -* Problems with sync clients -* Undetected changes due to caching in the database - -If you need to directly upload files from the same server please use a WebDAV -command line client like ``cadaver`` to upload files to the WebDAV interface at: - - https://example.org/owncloud/remote.php/webdav - -Common problems / error messages -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Some common problems / error messages found in your logfiles as described above: - -* ``SQLSTATE[HY000] [1040] Too many connections`` -> You need to increase the - connection limit of your database, please refer to the manual of your database - for more information. -* ``SQLSTATE[HY000]: General error: 5 database is locked`` -> You're using - ``SQLite`` - which can't handle a lot of parallel requests. Please consider converting to - another database like described in - :doc:`../configuration_database/db_conversion`. -* ``SQLSTATE[HY000]: General error: 2006 MySQL server has gone away`` -> The - database request takes too long and therefore the MySQL server times out. Its - also possible that the server is dropping a packet that is too large. Please - refer to the manual of your database for how to raise the config options - ``wait_timeout`` and/or ``max_allowed_packet``. -* ``SQLSTATE[HY000] [2002] No such file or directory`` -> There is a problem - accessing your SQLite database file in your data directory - (``data/owncloud.db``). Please check the permissions of this folder/file or - if it exists at all. If you're using MySQL please start your database. -* ``Connection closed / Operation cancelled`` -> This could be caused by wrong - ``KeepAlive`` settings within your Apache config. Make sure that - ``KeepAlive`` is set to ``On`` and also try to raise the limits of - ``KeepAliveTimeout`` and ``MaxKeepAliveRequests``. -* ``No basic authentication headers were found`` -> This error is shown in your - ``data/owncloud.log`` file. Some Apache modules like ``mod_fastcgi``, ``mod_fcgid`` - or ``mod_proxy_fcgi`` are not passing the needed authentication headers to - PHP and so the login to ownCloud via WebDAV, CalDAV and CardDAV clients is - failing. Information on how to correctly configure your environment can be - found at the `forums `_. - -Troubleshooting Webserver and PHP problems ------------------------------------------- - -Logfiles -^^^^^^^^ - -When having issues the first step is to check the logfiles provided by PHP, the -Webserver and ownCloud itself. - -.. note:: In the following the paths to the logfiles of a default Debian - installation running Apache2 with mod_php is assumed. On other webservers, - Linux distros or operating systems they can differ. - -* The logfile of Apache2 is located in ``/var/log/apache2/error.log``. -* The logfile of PHP can be configured in your ``/etc/php5/apache2/php.ini``. - You need to set the directive ``log_errors`` to ``On`` and choose the path - to store the logfile in the ``error_log`` directive. After those changes you - need to restart your Webserver. -* The logfile of ownCloud is located in the data directory - ``/var/www/owncloud/data/owncloud.log``. - -Webserver and PHP modules -^^^^^^^^^^^^^^^^^^^^^^^^^ - -.. note:: Lighttpd is not supported with ownCloud, and some ownCloud features - may not work at all on Lighttpd. - -There are some Webserver or PHP modules which are known to cause various -problems like broken up-/downloads. The following shows a draft overview of -these modules: - -1. Apache - -* mod_pagespeed -* mod_evasive -* mod_security -* mod_reqtimeout -* mod_deflate -* libapache2-mod-php5filter (use libapache2-mod-php5 instead) -* mod_spdy together with libapache2-mod-php5 / mod_php (use fcgi or php-fpm - instead) -* mod_dav -* mod_xsendfile / X-Sendfile (causing broken downloads if not configured - correctly) - -2. NginX - -* ngx_pagespeed -* HttpDavModule -* X-Sendfile (causing broken downloads if not configured correctly) - -3. Mac OS X server - -* mod_auth_apple -* com.apple.webapp.webdavsharing - -4. PHP - -* eAccelerator - -Troubleshooting WebDAV ----------------------- - -ownCloud uses SabreDAV, and the SabreDAV documentation is comprehensive and -helpful. - -.. note: Lighttpd is not supported on ownCloud, and Lighttpd WebDAV does not - work with ownCloud. - -See: - -* `SabreDAV FAQ `_ -* `Webservers `_ (Lists lighttpd as not - recommended) -* `Working with large files `_ (Shows a PHP - bug in older SabreDAV versions and information for mod_security problems) -* `0 byte files `_ (Reasons for empty files on the - server) -* `Clients `_ (A comprehensive list of WebDAV - clients, and possible problems with each one) -* `Finder, OS X's built-in WebDAV client - `_ - (Describes problems with Finder on various webservers) - -There is also a well maintained FAQ thread available at the `ownCloud Forums -`_ -which contains various additional information about WebDAV problems. - -Troubleshooting Contacts & Calendar ------------------------------------ - -.. _service-discovery-label: - -Service discovery -^^^^^^^^^^^^^^^^^ - -Some clients - especially iOS - have problems finding the proper sync URL, even -when explicitly configured to use it. - -There are several techniques to remedy this, which are described extensively at -the `Sabre DAV website `_. - -If your ownCloud instance is installed in a subfolder under the web server's -document root and the client has difficulties finding the Cal- or CardDAV -end-points, configure your web server to redirect from a "well-known" URL to -the -one used by ownCloud. When using the Apache web server this is easily achieved -using a :file:`.htaccess` file in the document root of your site. - -Say your instance is located in the ``owncloud`` folder, so the URL to it is -``ADDRESS/owncloud``, create or edit the :file:`.htaccess` file and add the -following lines:: - - Redirect 301 /.well-known/carddav /owncloud/remote.php/carddav - Redirect 301 /.well-known/caldav /owncloud/remote.php/caldav - -Now change the URL in the client settings to just use ``ADDRESS`` instead of -e.g. ``ADDRESS/remote.php/carddav/principals/username``. - -This problem is being discussed in the `forum -`_. - -Unable to update Contacts or Events -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -If you get an error like ``PATCH https://ADDRESS/some_url HTTP/1.0 501 Not -Implemented`` it is likely caused by one of the following reasons: - -Using Pound reverse-proxy/load balancer - As of writing this Pound doesn't support the HTTP/1.1 verb. - Pound is easily `patched - `_ - to support HTTP/1.1. - -Other issues ------------- - -Some services like *Cloudflare* can cause issues by minimizing JavaScript -and loading it only when needed. When having issues like a not working -login button or creating new users make sure to disable such services -first. \ No newline at end of file + general_troubleshooting + code_signing + \ No newline at end of file diff --git a/admin_manual/maintenance/code-signing.rst b/admin_manual/maintenance/code-signing.rst deleted file mode 100644 index fd2423a89..000000000 --- a/admin_manual/maintenance/code-signing.rst +++ /dev/null @@ -1,177 +0,0 @@ -============ -Code Signing -============ - -.. sectionauthor:: Lukas Reschke - -ownCloud supports code signing for the core releases as well as dedicated applications. Code signing gives our users an -additional layer of security by ensuring that nobody else than authorized persons can push updates for your applications. - -It furthermore ensures that all upgrades have been executed properly. This means that no additional files are left as well -as all old files have been properly replaced. In the past invalid performed updates where a major source of errors when -updating ownCloud. - -FAQ -=== - -Why did ownCloud add Code Signing? ----------------------------------- -By supporting Code Signing we add another layer of security by ensuring that nobody else than authorized persons can push -updates for applications. As well we do ensure that people properly updated their ownCloud instances. - -Do we lock down ownCloud? -------------------------- -The ownCloud project is open-source and will always be that. We do have no intentions to make it harder for people to -manually adjust their instances. In fact, any fail with the code integrity of ownCloud core while upgrading will not -prevent the usage of ownCloud. It will barely display a notification to the administrator. For applications that are not -tagged "Official" the code signing process is purely optional. - -Not open-source anymore? ------------------------- -ownCloud is an open-source project and will always be that. In fact, the code signing process is purely optional. The -code check for the core parts of ownCloud is furthermore only enabled when the ownCloud release version branch has been -set to stable. - -For custom distributions of ownCloud it is recommended to change the release version branch in version.php to something -else than "stable". - -Is code signing mandatory for apps? ------------------------------------ - -Code signing is purely optional for all third-party applications. Applications with a tag of "Official" on apps.owncloud.com -do however require Code Signing. - -Fixing invalid code integrity -============================= - -An error with the code integrity checker does usually imply that an update has been performed wrongly. As a logged-in -administrator you will notice this with the following notification ("There were problems with the code integrity check. More information…") which is displayed on each page: - -.. image:: ../images/code-integrity-notification.png - -Clicking on this link will lead you to the administrator page which offers you the following options: - -1. Link to this documentation entry. -2. Show a list of invalid files. -3. Trigger a rescan. - -.. image:: ../images/code-integrity-admin.png - -To debug issues caused by the code integrity check please click on "List of invalid files…", you will be shown a text -document listing the different issues. The content of the file will look similar to the following one: - -.. code-block:: text - - Technical information - ===================== - The following list covers which files have failed the integrity check. Please read - the previous linked documentation to learn more about the errors and how to fix - them. - - Results - ======= - - core - - INVALID_HASH - - /index.php - - /version.php - - EXTRA_FILE - - /test.php - - calendar - - EXCEPTION - - OC\IntegrityCheck\Exceptions\InvalidSignatureException - - Signature data not found. - - Raw output - ========== - Array - ( - [core] => Array - ( - [INVALID_HASH] => Array - ( - [/index.php] => Array - ( - [expected] => f1c5e2630d784bc9cb02d5a28f55d6f24d06dae2a0fee685f3c2521b050955d9d452769f61454c9ddfa9c308146ade10546cfa829794448eaffbc9a04a29d216 - [current] => ce08bf30bcbb879a18b49239a9bec6b8702f52452f88a9d32142cad8d2494d5735e6bfa0d8642b2762c62ca5be49f9bf4ec231d4a230559d4f3e2c471d3ea094 - ) - - [/version.php] => Array - ( - [expected] => c5a03bacae8dedf8b239997901ba1fffd2fe51271d13a00cc4b34b09cca5176397a89fc27381cbb1f72855fa18b69b6f87d7d5685c3b45aee373b09be54742ea - [current] => 88a3a92c11db91dec1ac3be0e1c87f862c95ba6ffaaaa3f2c3b8f682187c66f07af3a3b557a868342ef4a271218fe1c1e300c478e6c156c5955ed53c40d06585 - ) - - ) - - [EXTRA_FILE] => Array - ( - [/test.php] => Array - ( - [expected] => - [current] => 09563164f9904a837f9ca0b5f626db56c838e5098e0ccc1d8b935f68fa03a25c5ec6f6b2d9e44a868e8b85764dafd1605522b4af8db0ae269d73432e9a01e63a - ) - - ) - - ) - - [calendar] => Array - ( - [EXCEPTION] => Array - ( - [class] => OC\IntegrityCheck\Exceptions\InvalidSignatureException - [message] => Signature data not found. - ) - - ) - - ) - -In above error output it can be seen that: - -1. In the ownCloud core (that is, the ownCloud server itself) the files "index.php" and "version.php" do have the wrong version. -2. In the ownCloud core the unrequired extra file "/test.php" has been found. -3. It was not possible to verify the signature of the calendar application. - -As an instance administrator one should now upload the correct "index.php" and "version.php" file as well as delete the -"test.php" file. For the calendar exception one should contact the developer of the application. For other means on how -to receive support please take a look at https://owncloud.org/support/. After you fixed these problems you can verify this -by clicking "Rescan…". - -Errors -====== - -The following errors can be encountered when trying to verify a code signature. - -- ``INVALID_HASH`` - - - The file has a different hash than specified within ``signature.json``. This usually happens when the file has been modified again after writing the signature data. - -- ``MISSING_FILE`` - - - The file cannot be found but has been specified within ``signature.json``. This usually happens when a file has been forgotten to copy. - -- ``EXTRA_FILE`` - - - The file does not exist in ``signature.json``. This usually happens when a file has been forgotten to delete. - -- ``EXCEPTION`` - - - Another exception has prevented the code verification. There are currently the following exceptions: - - - ``Signature data not found.``` - - - The app has mandatory code signing enforced but no ``signature.json`` file has been found in it's ``appinfo`` folder. - - - ``Certificate is not valid.`` - - - The certificate has not been issued by the official ownCloud Code Signing Root Authority. - - - ``Certificate is not valid for required scope. (Requested: %s, current: %s)`` - - - The certificate is not valid for the defined application. Certificates are only valid for the defined app identifier and cannot be used for others. - - - ``Signature could not get verified.`` - - - There was a problem with verifying the signature of ``signature.json``. -