Unavoidable security & setup warnings with NC 21 update

I too am having this same issue. NC 21 on Ubuntu 20.04, proxied through a separate VM running Apache as a reverse proxy. Cannot figure out how to get rid of the webfinger error.

To those of us who are still having problems with ".well-known":

  1. Do you have Social and/or Federation installed and enabled?
  2. Do you get 403 or 404 when hitting https://my.nextcloud.com/.well-known/i-am-the-wurst ?
  1. Can't even install Social, get an error message about extraction failing. Federation yes, but I tried disabling it and I still get the error message in admin
  2. No, I get a white page that just says: {"message":"i-am-the-wurst not supported"}

Appears there's an official issue for this bug too: Security and config warnings · Issue #25753 · nextcloud/server · GitHub

  1. I don't have either enabled, and I think Social is broken right now. However, I am wondering if webfinger/nodeinfo is only enabled and active IF either Social or Federation is also enabled. Social definitely uses them, but not sure about Federation.
  2. That's more than me - I get 403, but the URL changes to https://my.nextcloud.com/index.php/.well-known/i-am-the-wurst . According to above, that's what it's supposed to do, right?

The test is from Add well known handlers API by ChristophWurst · Pull Request #24702 · nextcloud/server · GitHub, where it should return 404 (I haven't tried from curl yet).

And a successful check either returns 404 or 200: server/admin.js at f37e150d1caa0918e3258011f3c9b04ce469bb7c · nextcloud/server · GitHub

I'm sorry, who came up with that design?

Why do I want Nextcloud to verify any phone numbers? Just let people turn off verification and the problem is solved. Now I set a region so that NC is happy, but the verification will still fail for users who do not live in that region, which is very much possible if you have a worldwide user base. So what's the point?

P.S.: I have 3 SIM cards for 3 different countries. There's a very good reason why I don't add a country code to some of my phone numbers. (I know, not a profile thing, but still - an explanation why it can make sense not to use a country code.)


I couldn't agree more. Have three SIMs for different countries. Users live in different countries.

It has become a disturbing trend that NC invents wheels and features just to implement something, which breaks design, alters established (very good) UX/UI, and all this for what?! Sometimes I wish there were a release/update channel based on version 17 or 18 only, with security updates... And sometimes I'm even afraid to update my NC installation, to avoid "features" like the problems in this thread.

Yep, all the new "features" that came out in the last 3 versions, I deactivated right away. I'm not sure who's steering the boat, but it's getting ridiculous.

It would be a lot better if they were to finally fix pressing issues in the server core. Oh, and btw, the sync client still can't do HTTP/2. In 2021. But at least they have a VFS that messes up normal sync operations. Just brilliant.

Pixolin,

Thanks for posting this! You just helped me out of the same problem.

Ken

I removed the translations for webfinger that were previously required. I left only translations for caldav and carddav. That fixed my issue.

I am running NextCloud 21.0.0. These are the warnings on the Overview section (Security & setup warnings) on my server settings:

[Warning 1] * Your web server is not properly set up to resolve "/.well-known/webfinger". Further information can be found in the [documentation]
[Warning 2] * Your web server is not properly set up to resolve "/.well-known/nodeinfo". Further information can be found in the [documentation]
[Warning 3] * Your web server is not properly set up to resolve "/.well-known/caldav". Further information can be found in the [documentation]
[Warning 4] * Your web server is not properly set up to resolve "/.well-known/carddav". Further information can be found in the [documentation]

Let me label these warnings from Warning 1 to Warning 4.

Nextcloud resides in the subfolder /nextcloud on my Apache server and the DocumentRoot is set to "var/www/html/nextcloud" in default-ssl.conf. I can confirm that these lines, which allow .htaccess to override configurations in the Apache server, help to get rid of Warning 1 and Warning 2. I did not have to add any RewriteRule line in .htaccess.

<Directory /var/www/html/nextcloud>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    allow from all
</Directory>

Reference: Apache .htaccess file - Examples and Common Uses | DigitalOcean

I am not yet able to get rid of Warning 3 and Warning 4

[Updated 3/29/2021: I followed the instructions here and it took care of Warning 3 and Warning 4 → Caldav and carddav error resolving - #8 by mable]


Thanks Pixolin, worked for me, and I have S3 native file storage configured.

Am facing the same issues. None of the above work.
Running Nextcloud 21.0.2
Ubuntu Server 18 LTS
PHP 7.4

I managed to fix all of them except:

  • Your web server is not properly set up to resolve "/.well-known/webfinger". Further information can be found in the documentation.
  • Your web server is not properly set up to resolve "/.well-known/nodeinfo". Further information can be found in the documentation.

server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    # Add headers to serve security related headers
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Referrer-Policy no-referrer;

    # I found this header is needed on Ubuntu, but not on Arch Linux.
    add_header X-Frame-Options "SAMEORIGIN";

    # Path to the root of your installation
    root /usr/share/nginx/nextcloud/;

    access_log /var/log/nginx/nextcloud.access;
    error_log /var/log/nginx/nextcloud.error;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment them if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }

    location ~ /.well-known/acme-challenge {
        allow all;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Disable gzip to avoid the removal of the ETag header
    gzip off;

    # Uncomment if your server is built with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    location / {
        rewrite ^ /index.php;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        try_files $fastcgi_script_name =404;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header Referrer-Policy no-referrer;
        # Optional: Don't log access to assets
        access_log off;
    }

    # The dot must be escaped, otherwise the pattern matches any character
    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}
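As an added example (not Nextcloud's code and not posted by anyone in this thread), a small Python checker that applies the pass criteria discussed above: webfinger and nodeinfo must end in 200 or 404 after any redirect (the 403 reported earlier fails), and caldav/carddav must redirect to /remote.php/dav as the nginx config above does. The base URL, the hop limit and the remote.php/dav criterion are assumptions taken from this thread, not from Nextcloud's own setup check.

```python
# Added example, not Nextcloud's or any poster's code. Assumed pass criteria, taken
# from this thread: webfinger/nodeinfo pass when the final response is 200 or 404
# (the 403 seen above fails); caldav/carddav pass when the first response redirects
# to /remote.php/dav, which is what the nginx config posted above issues.
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

REDIRECTS = (301, 302, 307, 308)
FINAL = ("/.well-known/webfinger", "/.well-known/nodeinfo")  # judged on the final hop
FIRST = ("/.well-known/caldav", "/.well-known/carddav")      # judged on the first hop

def classify(path, status, location=None):
    """Return (ok, reason) for one response; location is its Location header."""
    if path in FINAL:
        if status in (200, 404):
            return True, f"{status}: request reached Nextcloud's front controller"
        return False, f"{status}: the web server answered before Nextcloud did"
    if status in REDIRECTS and location:
        if urlparse(location).path.rstrip("/").endswith("/remote.php/dav"):
            return True, f"redirects to {location}"
        return False, f"redirects elsewhere: {location}"
    return False, f"{status}: no redirect to /remote.php/dav"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):  # surface 3xx as HTTPError
        return None

def probe(base_url, path, hops=5):
    """Fetch hop by hop; return (status, Location) of the first hop for FIRST paths, else the last."""
    opener = urllib.request.build_opener(_NoRedirect)
    url, first = base_url.rstrip("/") + path, None
    for _ in range(hops):
        try:
            resp = opener.open(url, timeout=10)
            status, location = resp.getcode(), resp.headers.get("Location")
        except urllib.error.HTTPError as err:
            status, location = err.code, err.headers.get("Location")
        first = first or (status, location)
        if status not in REDIRECTS or not location:
            break
        url = urljoin(url, location)  # follow manually so every hop is visible
    return first if path in FIRST else (status, location)

if __name__ == "__main__":  # usage: python check_wellknown.py https://my.nextcloud.com
    for p in FINAL + FIRST:
        ok, why = classify(p, *probe(sys.argv[1], p))
        print("OK  " if ok else "FAIL", p, why)
```

Run it against a reverse proxy as well as directly against the application server; the thread's 403 case shows up as the proxy answering before Nextcloud's front controller is reached.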

I'm very much obliged to you! My "/.well-known/webfinger" error lasted for several months. After seeing your message, I fixed my error and now I pass all the security scans. Thank you very much!

Just AllowOverride All in /etc/apache/apache.conf and the caldav redirect errors should go away.

This works. Provided you remember to comment out (#) the already existing config for carddav and caldav. I'm a newbie and hadn't done that initially, and it didn't work. After commenting out, adding these lines worked for me.

Works fine. Thanks.

NGINX users: Please consider switching to the newest nginx config template. It's heavily reworked and solves all above issues.

For the application server, that is. And apart from (independent!) proxy issues, e.g. if you use a container or an even more complex setup.

I tried to enter this as an environment variable into my docker-compose.yml but this does not seem to work so far. :confused:

Hi there,
Thanks a lot guys.

Hello! I have the same error. What exactly did you do?

Thank you