I lost Access After Upgrade To v1.6.2

girish

@BetterWP Can you send me the URL of your instance to support@cloudron.io ? Let me see if it's something obvious.

BetterWP

@girish Done, Thanks

scooke

I am very curious.

girish

The issue is to do with Cloudflare. The logs show the error. The backend is getting a 403 when trying to access the dashboard. Looks like it is getting some captcha because of Cloudflare.

2024-01-31T20:00:20.310913401Z: ERROR   ▶ openid/GetAllProviders 0d3 Error while getting openid provider Cloudron: 403 Forbidden: <!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewport" content="width=device-width,initial-scale=1"><style>@keyframes lds-ring{0%{transform:rotate(0deg)}to{transform:rotate(360deg)}}*{box-sizing:border-box;margin:0;padding:0}html{line-height:1.15;-webkit-text-size-adjust:100%;color:#313131}button,html{font-family:system-ui,-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Helvetica Neue",Arial,"Noto Sans",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji"}@media (prefers-color-scheme:dark){body{background-color:#222;color:#d9d9d9}body a{color:#fff}body a:hover{text-decoration:underline;color:#ee730a}body .lds-ring div{border-color:#999 transparent transparent}body .font-red{color:#b20f03}body .big-button,body .pow-button{background-color:#4693ff;color:#1d1d1d}body #challenge-success-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzMiIgaGVpZ2h0PSIzMiIgZmlsbD0ibm9uZSIgdmlld0JveD0iMCAwIDI2IDI2Ij48cGF0aCBmaWxsPSIjZDlkOWQ5IiBkPSJNMTMgMGExMyAxMyAwIDEgMCAwIDI2IDEzIDEzIDAgMCAwIDAtMjZtMCAyNGExMSAxMSAwIDEgMSAwLTIyIDExIDExIDAgMCAxIDAgMjIiLz48cGF0aCBmaWxsPSIjZDlkOWQ5IiBkPSJtMTAuOTU1IDE2LjA1NS0zLjk1LTQuMTI1LTEuNDQ1IDEuMzg1IDUuMzcgNS42MSA5LjQ5NS05LjYtMS40Mi0xLjQwNXoiLz48L3N2Zz4)}}body{display:flex;flex-direction:column;min-height:100vh}body.no-js .loading-spinner{visibility:hidden}body.no-js .challenge-running{display:none}body.dark{background-color:#222;color:#d9d9d9}body.dark a{color:#fff}a:hover,body.dark a:hover,body.light a:hover{text-decoration:underline;color:#ee730a}body.dark .lds-ring div{border-color:#999 transparent transparent}body.dark .font-red{color:#b20f03}body.dark .big-button,body.dark .pow-button{background-color:#4693ff;color:#1d1d1d}body.dark #challenge-success-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzMiIgaGVpZ2h0PSIzMiIgZmlsbD0ibm9uZSIgdmlld0JveD0iMCAwIDI2IDI2Ij48cGF0aCBmaWxsPSIjZDlkOWQ5IiBkPSJNMTMgMGExMyAxMyAwIDEgMCAwIDI2IDEzIDEzIDAgMCAwIDAtMjZtMCAyNGExMSAxMSAwIDEgMSAwLTIyIDExIDExIDAgMCAxIDAgMjIiLz48cGF0aCBmaWxsPSIjZDlkOWQ5IiBkPSJtMTAuOTU1IDE2LjA1NS0zLjk1LTQuMTI1LTEuNDQ1IDEuMzg1IDUuMzcgNS42MSA5LjQ5NS05LjYtMS40Mi0xLjQwNXoiLz48L3N2Zz4)}body.light{color:#313131}a,body.light a{color:#0051c3}body.light .lds-ring div{border-color:#595959 transparent transparent}body.light .font-red{color:#fc574a}body.light .big-button,body.light .pow-button{border-color:#003681;background-color:#003681;color:#fff}body.light #challenge-success-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzMiIgaGVpZ2h0PSIzMiIgZmlsbD0ibm9uZSIgdmlld0JveD0iMCAwIDI2IDI2Ij48cGF0aCBmaWxsPSIjMzEzMTMxIiBkPSJNMTMgMGExMyAxMyAwIDEgMCAwIDI2IDEzIDEzIDAgMCAwIDAtMjZtMCAyNGExMSAxMSAwIDEgMSAwLTIyIDExIDExIDAgMCAxIDAgMjIiLz48cGF0aCBmaWxsPSIjMzEzMTMxIiBkPSJtMTAuOTU1IDE2LjA1NS0zLjk1LTQuMTI1LTEuNDQ1IDEuMzg1IDUuMzcgNS42MSA5LjQ5NS05LjYtMS40Mi0xLjQwNXoiLz48L3N2Zz4=)}a,body.light{background-color:transparent}a{transition:color 150ms ease;text-decoration:none}.main-content{margin:8rem auto;width:100%;max-width:60rem}.heading-favicon{margin-right:.5rem;width:2rem;height:2rem}.footer,.main-content{padding-right:1.5rem;padding-left:1.5rem}.main-wrapper{display:flex;flex:1;flex-direction:column;align-items:center}.font-red{color:#b20f03}.spacer{margin:2rem 0}.h1{line-height:3.75rem;font-size:2.5rem;font-weight:500}.core-msg,.h2{line-height:2.25rem;font-size:1.5rem}.h2{font-weight:500}.body-text,.core-msg{font-weight:400}.body-text{line-height:1.25rem;font-size:1rem}#challenge-error-text,#challenge-success-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzMiIgaGVpZ2h0PSIzMiIgZmlsbD0ibm9uZSI+PHBhdGggZmlsbD0iI0IyMEYwMyIgZD0iTTE2IDNhMTMgMTMgMCAxIDAgMTMgMTNBMTMuMDE1IDEzLjAxNSAwIDAgMCAxNiAzbTAgMjRhMTEgMTEgMCAxIDEgMTEtMTEgMTEuMDEgMTEuMDEgMCAwIDEtMTEgMTEiLz48cGF0aCBmaWxsPSIjQjIwRjAzIiBkPSJNMTcuMDM4IDE4LjYxNUgxNC44N0wxNC41NjMgOS41aDIuNzgzem0tMS4wODQgMS40MjdxLjY2IDAgMS4wNTcuMzg4LjQwNy4zODkuNDA3Ljk5NCAwIC41OTYtLjQwNy45ODQtLjM5Ny4zOS0xLjA1Ny4zODktLjY1IDAtMS4wNTYtLjM4OS0uMzk4LS4zODktLjM5OC0uOTg0IDAtLjU5Ny4zOTgtLjk4NS40MDYtLjM5NyAxLjA1Ni0uMzk3Ii8+PC9zdmc+);background-repeat:no-repeat;background-size:contain;padding-left:34px}#challenge-success-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzMiIgaGVpZ2h0PSIzMiIgZmlsbD0ibm9uZSIgdmlld0JveD0iMCAwIDI2IDI2Ij48cGF0aCBmaWxsPSIjMzEzMTMxIiBkPSJNMTMgMGExMyAxMyAwIDEgMCAwIDI2IDEzIDEzIDAgMCAwIDAtMjZtMCAyNGExMSAxMSAwIDEgMSAwLTIyIDExIDExIDAgMCAxIDAgMjIiLz48cGF0aCBmaWxsPSIjMzEzMTMxIiBkPSJtMTAuOTU1IDE2LjA1NS0zLjk1LTQuMTI1LTEuNDQ1IDEuMzg1IDUuMzcgNS42MSA5LjQ5NS05LjYtMS40Mi0xLjQwNXoiLz48L3N2Zz4=);padding-left:42px}.text-center{text-align:center}.big-button{transition-duration:200ms;transition-property:background-color,border-color,color;transition-timing-function:ease;border:.063rem solid #0051c3;border-radius:.313rem;padding:.375rem 1rem;line-height:1.313rem;font-size:.875rem}.big-button:hover{cursor:pointer}.captcha-prompt:not(.hidden){display:flex}.pow-button{margin:2rem 0;background-color:#0051c3;color:#fff}.pow-button:hover{border-color:#003681;background-color:#003681;color:#fff}.footer{margin:0 auto;width:100%;max-width:60rem;line-height:1.125rem;font-size:.75rem}.footer-inner{border-top:1px solid #d9d9d9;padding-top:1rem;padding-bottom:1rem}.clearfix::after{display:table;clear:both;content:""}.clearfix .column{float:left;padding-right:1.5rem;width:50%}.diagnostic-wrapper{margin-bottom:.5rem}.footer .ray-id{text-align:center}.footer .ray-id code{font-family:monaco,courier,monospace}.core-msg,.zone-name-title{overflow-wrap:break-word}.loading-spinner{height:76.391px}.lds-ring,.lds-ring div{display:inline-block;position:relative;width:1.875rem;height:1.875rem}.lds-ring div{box-sizing:border-box;display:block;position:absolute;border:.3rem solid #595959;border-radius:50%;border-color:#313131 transparent transparent;animation:lds-ring 1.2s cubic-bezier(.5,0,.5,1) infinite}.lds-ring div:nth-child(1){animation-delay:-.45s}.lds-ring div:nth-child(2){animation-delay:-.3s}.lds-ring div:nth-child(3){animation-delay:-.15s}@media screen and (-ms-high-contrast:active),screen and (-ms-high-contrast:none){.main-wrapper,body{display:block}}</style><meta http-equiv="refresh" content="375"></head><body class="no-js"><div class="main-wrapper" role="main"><div class="main-content"><noscript><div id="challenge-error-title"><div class="h2"><span id="challenge-error-text">Enable JavaScript and cookies to continue</span></div></div></noscript></div></div><script>(function(){window._cf_chl_opt={cvId: '3',cZone: "",cType: 'managed',cNounce: '79852',cRay: '84e48a4ecfca9134',cHash: 'dfb3620a0ed18b3',cUPMDTk: "\/openid\/.well-known\/openid-configuration?__cf_chl_tk=FDuAkfZczwkZYNP5UZvSzVUjCLMyr7FYv2qZgwZMFPo-1706731220-0-gaNycGzNCzs",cFPWv: 'g',cTTimeMs: '1000',cMTimeMs: '375000',cTplV: 5,cTplB: 'cf',cK: "visitor-time",fa: "\/openid\/.well-known\/openid-configuration?__cf_chl_f_tk=FDuAkfZczwkZYNP5UZvSzVUjCLMyr7FYv2qZgwZMFPo-1706731220-0-gaNycGzNCzs",md: "rpPS5TfjTiYBQgUGoIIzsRoirE5GKSoleHixD7dC1Dk-1706731220-1-Aa8ZRLNw3F7sJ2jlMQIWO5oLEqqw4E3FmWK9_fobA6oT9hBICzbCoArogIOlhOR7EeMqyXOY12MeU6iDJ0dJG1JWNDB-RSYbqGtx25vujDiG9SKdMUlWS4_VgtUorniXE5Wow10hIM_Fk2eJklQZYW0zryqHqIYfiPK01xB6zmWrFnNIiK5vRg4dro2mYAy3y1y7-iIvO1kiOPBuApiNz5Cha9VJsNZm5rCH3t3PMfduVKOTh3IrWjCSvas0ribeGTzgEhRPTRH34fiHfR8DCU8LVtzE60KbHdTc4VNMnntL2ykzPwdNQ6nQ7XiUASUSin5FAQcWXkcmqVrPiKV9VtcnHj-CriBGlWW2OUceqBjcMAgKmZvBATXjSvrtKInI6RzVkj6RyEgU84SzjkJMMvR1o1vgnSgsRSwNXpGWTSOZVnLo09zbNDa_TLHCN7AsDqRbCpw6KI2BtINsX5DlGVKa28LB8jGecZ1SI0BMeOqEyn7HIxKB1Mdk4NKjxdcv7pei9eaYl6mWSkR7aFWXTpQs1pK_EEgx7vVUr3z4SmLqK1_eMls__ZehnydOUJ1iSWmKm_4cACQCBEx_uv4HuJBsglnkiktENTPbsdzSiu3RVCZgAivODxfaqYr5EWQChYSqte70wbcKkiEIC31qXGZqZRad1dQyvTl_9zBKeUarmW4Z3wjdtn5faZ6mjfWuKW99MqoFiOJ5WKKnODCSrcgt7i-8EPnE_ksjDJlKFFvh6MUW0cfLXCW2n7H7kPHYtULwQsabp2zTsTQRcSOamT3ypaJFNSeBJJyHV3VJh6JRnkSpfPl54HETkbcW05Up9e4abtJ3FQ9u0vPeeiMJoSNvw0dceyl7F-Auvf-TKya4vazxVX-T7QOYywK-5SrblvWLvOew5uho_PFroA_IXbgmVN9xbjPMLq12oZeLQ_BhZ2hUQ7aI6R5C9tjmlIksY2ThuVzv5bCm7lKb5i1kjYTyHz9bR2GnXOYs13a5w8GxToS2T00R3UyAhSsXUozLdE7WlkYT9S8lji8INA8CmxM9LDGNE8Q7FtxksSJYFcmA4Ph-HxZYYUdcxG2GLQZkJHSe5_wUhOLWu_bRjHTonAeMIOPNMzUYrOP_v6iLPggw7TEmsNqESvFR6_m_JT6XjVQOu8SYOdqdS2zJn4VcFqYpaw2z0EjGwVTiacBZ6B_GMmZ2E3aUie2IvG-roVBTYC5h2RhaBvksDnvXMzUaaZvMX7jI-lVrUhZ5PjSCFM9Na4GQprij3z_5ZWj9kgW67819fCWdSKQNsMHtX0zb8ZX4GNNRW5L1dJ6HSQ9-cNNW8YXYoopjufu2aLS5sfqc9rdqm3bxt3fBdwdziOZ3_bYCQjvJJI7HIU_drNk_-MguUC0J6HJigluE5oIaP0aTNIJlJXx5FXRh_OUdbQ_5BpOtdthuUs4J7CWXSFBCA-3nHmETlG0MavPj0MAiAgPTDvutO1Q4gJQlegA-37Txrc732K-6GGUPFiU82zWISRupLs0TqR9dekkUHefK0hBI2nY-xKqvxa9r09lTDZAldxBPNLpXuCUEAECP8k2mVkGJPCPcKFvkxyzXL9VE0FV1D2TccloMdvhrVBkmtpbwK6Hio3-0mvxlwGmwIjJyxjhG99Xo20SwdRHQZeEhPmNBkUdbqIboCAf3uU0kbCh4eiA-BhFwF1tU9B6ZwHbTr5gVe1VBbQBso56o6_o0MgVv3I2Q24bCKeGu0pZTiEuE8EnrfvjkZkiy5Eb-OIXatoVBoHS4u0dNbBWl-tFoafxI0WjgpVSzdjiX1LSh45XGUs-OC_Z0gAMvhf0k-mGB_FQrZF3Lxj-5UzJX0uVF4r7QqdG2jBPPU1LPeUizn4w0tL3qn5LmvSBbyzo8ZzrToBZXVLemiRMAmBAc2fNWbXM5wRXxlC_Rr_WUfdoA3fOvnmOByCkVg_XR3hBY-KsspolLDTRJbgBbXh_fHbog0eUD9PgWZ-6V6gIHYD5Q3YD955g6rMA2vAW3-E50tJJTKsEYRYwvQB6gjpSLbl0fyh8CFyvTZ0DRE4oPpcUpSuXP-hzcBBHFnbrQ9hGUGv-ESKIPnkYVqkYpHjsEGHj6aZQLUGdKdlg8Msb0-VQK9ogRJqWMVYnTHhbJjq2KKYwuVkncud4JcVFYfrvsCAiTtb_F461yxpaRxqMbSZOrLmP-nMPGDSGwkacdTn_juKQQLrDJzmeLV44fI2LQh8ud4pBKAZCTsnqcbGT4l_UvdFgqwlhrrR2AoEFDd94q5sqYWkV414PT8wXrZVAsf_5hdtnSuL6DD0E7H3nMDK1bJ88MyP_T60SkOapOwa4dtNnMt7RgoXPQLvTJPUaNGDVm6S-mLVxgcUpaxm9EYqeCQvaK0wELuhOY0x-qXqd2zrOeWNGgBgRg7XCFaJKFd7PLuTrBiaT0EWsNW_CksfahUlEwNcJO0etSx3KGo3Qxr6v6Racq37zHadzGf-nH4bircIVRKP8mCb8UmweGITFcuBaFrQh0dt4C3jI80Q180ZhQ83jvW7-1yS3WFRcTNc4IE49w0DIs8dDzDKelmwmZWiTH-7Y4ua9sbpn6m9NY5hKvT78h3e2oe8UtoI7gvVdxa1F2PFaV7_u9neLXIIGnVyXpXASO2NmgSXocST6lw0XHLfm5bPd6fB5jq-KTViTKUwsenr0V_iSIwzR57P3lHYo0qKsHBRncgjmPe_g6aUTLUddld8m4a4gc3E6sFpeskwgJTVTujXiP2JMQxuMgmsigYzHGZPV3ZGymecTh5OEWevO-JVffqG0w4y8DiJFYqqX1XQ",cRq: {ru: 'aHR0cHM6Ly9teS5iZXR0ZXJ3cC5jbG91ZC9vcGVuaWQvLndlbGwta25vd24vb3BlbmlkLWNvbmZpZ3VyYXRpb24=',ra: 'R28taHR0cC1jbGllbnQvMi4w',rm: 'R0VU',d: 'g6QdYZrof7AgntuBjHtWFGEsNJNIxHao4Jk43rMDxKb4BlPDBkicLVm5rWAq6LIL3hDF3uBvXJXDec7M3ViDc4uGGKtyJ3kZTP4Dlp+ELtTh/90AZdiohGwivxsFKn/WsBbxlP9y+CHKe/VCLXVIabpav4PW+W9LPVR78c4ItknWhajE4jfC+xsoNbVtSlf+QLlsZoykppi36l6sQV54J2iBviv0DX+uJjMbGf9mOZ2v4YQ2m3xHJbPebb5j5bRVEN6ytlVchpCsbXurGpY5Jv/rbckEcR5uvDIZRXhCWMzXd4R2y2BcykV9TdiQJ6r5kcbCnJdR6Fxut+kQ6KfLLuOX+w4qT4f0ErD71WcOiV49uWvQ9bziYSNJB0UmMnfFo4Xd9NKUqjWQ1mnmmAQXUEao1e90uGc2gByxY8HpX5PtrYvP+e4LNZQp1ZHRZ4PREtv+8nze+m4oUUQ4Aj+n6USfDwaOnvzrqKLprY9A3ZYb+AKJSb/eBONeQINArrI9rfjC/fVA9zMNx+nyWHNeuIlO6XJTyFLsPTof09FQmNklBn++kbCkJbmk70GL1Rqccp4/WkCnJRyRRFbMuTHkDYLJVYkcKVmZyPnP8lcW2ZU=',t: 'MTcwNjczMTIyMC4yOTEwMDA=',cT: Math.floor(Date.now() / 1000),m: 'eqNgIQB+X661z5EffTFVGv/vK3qIxe5tFSBHa1+rMQc=',i1: 'u35QDiXmYdAzEC5KkqAk1g==',i2: 'clgEn7VHpkd4h8UFw9XlUg==',zh: 'Rq8b2sp8WWC4VEc7Q2WFrARt3jXrGg+dA4IeFXggSZk=',uh: 'AN+5vvENMpdOACvuRa1plLx7uNq9y3wYG+zurIv4jHM=',hh: 'rG6duFo5K1o+uwE7Bi6BUcdAaflycru+zDRuoSogfd0=',}};var cpo = document.createElement('script');cpo.src = '/cdn-cgi/challenge-platform/h/g/orchestrate/chl_page/v1?ray=84e48a4ecfca9134';window._cf_chl_opt.cOgUHash = location.hash === '' && location.href.indexOf('#') !== -1 ? '#' : location.hash;window._cf_chl_opt.cOgUQuery = location.search === '' && location.href.slice(0, location.href.length - window._cf_chl_opt.cOgUHash.length).indexOf('?') !== -1 ? '?' : location.search;if (window.history && window.history.replaceState) {var ogU = location.pathname + window._cf_chl_opt.cOgUQuery + window._cf_chl_opt.cOgUHash;history.replaceState(null, null, "\/openid\/.well-known\/openid-configuration?__cf_chl_rt_tk=FDuAkfZczwkZYNP5UZvSzVUjCLMyr7FYv2qZgwZMFPo-1706731220-0-gaNycGzNCzs" + window._cf_chl_opt.cOgUHash);cpo.onload = function() {history.replaceState(null, null, ogU);}}document.getElementsByTagName('head')[0].appendChild(cpo);}());</script></body></html>

@BetterWP I think you have to add some Cloudflare rules to allow https://my.domain.com/openid/.well-known/openid-configuration to not show captcha/challenge. If you curl the URL from web terminal, it doesn't work.

BetterWP

May I inquire where you observe this error, as I can't find logs for both Cloudron and Cloudflare WAF. @girish

girish

@BetterWP this was in the app logs. If you open the log viewer and then try to login , you will see the error.

Also, you can quickly disable Cloudflare proxying (for the dashboard domain my.xx) and test out if it works without it to narrow down the issue.

BetterWP

I did several times nothing at log for both the app and Cloudflare; could you check, please? I have already disabled some WAF rules. @girish

girish

@BetterWP have you disabled cloudflare entirely for the dashboard domain (my.xx.com) and tried? Basically, cloudflare is returning a captcha when trying to get the well-known file. You can try curl https://my.domain.com/openid/.well-known/openid-configuration from the Web terminal of Vikunja. It should display something like this:

$ curl https://my.smartserver.io/openid/.well-known/openid-configuration
{"authorization_endpoint":"https://my.smartserver.io/openid/auth","claims_parameter_supported":false,"claims_supported":["sub","email","email_verified","family_name","given_name","locale","name","preferred_username","sid","auth_time","iss"],"code_challenge_methods_supported":["S256"],"grant_types_supported":["authorization_code","implicit","refresh_token"],"issuer":"https://my.smartserver.io/openid","jwks_uri":"https://my.smartserver.io/openid/jwks","authorization_response_iss_parameter_supported":true,"response_modes_supported":["form_post","fragment","query"],"response_types_supported":["code","id_token","id_token token","code id_token","code token","code id_token token","none"],"scopes_supported":["openid","offline_access","email","profile"],"subject_types_supported":["public"],"token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_jwt","client_secret_post","private_key_jwt","none"],"token_endpoint_auth_signing_alg_values_supported":["HS256","RS256","PS256","ES256","EdDSA"],"token_endpoint":"https://my.smartserver.io/openid/token","id_token_signing_alg_values_supported":["RS256"],"pushed_authorization_request_endpoint":"https://my.smartserver.io/openid/request","request_parameter_supported":false,"request_uri_parameter_supported":false,"userinfo_endpoint":"https://my.smartserver.io/openid/me","claim_types_supported":["normal"]}

In your case, it returns some html from cloudflare.

BetterWP

@girish Disabling Cloudflare is not an option, and it is unnecessary. I need to know exactly which URL I should use to whitelist. Also, Cloudflare has been operating flawlessly since the beginning, and other apps are functioning properly.

Until now, I could not find the URL you indicated in the log. Could you provide a screenshot via email?

BetterWP

I restarted the app, and now I can see the error. It is related to Super Bot Fight Mode Now, it is working after I use custom rule.

Thanks for help @girish

girish

@BetterWP awesome, thanks for updating with the solution!