Error dereference WebId

Dear all,

I have a setup with 3 docker containers: one client, one server and one nginx to set the ssl certificate and route traffic coming on https://server.xxxxx to the solid server and https://client.xxxxx to the solid client.
I used this example setup: Redirecting…
Everything seems to work, I can reach my solid client and login, I can reach my solid server and create a pod, but when I want to get data or store data, I get the following error in the server log:

warn: Error verifying WebID via DPoP-bound access token: The WebID could not be dereferenced.
solid-server_1 | Actual: https://server.xxxxxx/frederik/profile/card#me
solid-server_1 | Expected: A dereferenceable resource

What does this exactly mean? I’m guessing something is wrong in the nginx config?

upstream docker-solid-client {
  server solid-client:80;
}

upstream docker-solid-server {
  server solid-server:3000;
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name           server.xxxxxxxxxxxx;
  ssl_certificate       /usr/local/share/ca-certificates/solid.pem;
  ssl_certificate_key   /usr/local/share/ca-certificates/solid.pem;
  ssl_protocols         TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers           HIGH:!aNULL:!MD5;
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
  proxy_headers_hash_max_size 512;
  proxy_headers_hash_bucket_size 128;

  location / {
    proxy_pass http://docker-solid-server/;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass_header Server;
    proxy_pass_header Set-Cookie;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }
}

server {
  listen                443 ssl;
  listen                [::]:443 ssl;
  server_name           client.xxxxxxx;
  ssl_certificate       /usr/local/share/ca-certificates/-solid-client.pem;
  ssl_certificate_key   /usr/local/share/ca-certificates/-solid-client.pem;
  ssl_protocols         TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers           HIGH:!aNULL:!MD5;
  proxy_headers_hash_max_size 512;
  proxy_headers_hash_bucket_size 128;

  location / {
    proxy_pass http://docker-solid-client/;
    proxy_pass_header Server;
    proxy_pass_header Set-Cookie;
    proxy_set_header    Host $host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-Ssl     on;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }
}

It just means that the server tried to access https://server.xxxxxx/frederik/profile/card#me and was unable to.

In principle this involves a DNS lookup and it’s not clear to me how the server knows what the IP address of https://server.xxxxxx is?

The problem was that I was using a self-signed certificate via nginx reverse proxy. It has been a bit of work to get a hold of the real error, because the logging of the solid server doesn’t give enough detail even with debug logging 🙁. I added some extra logging to get the stack trace and then I noticed:

solid-server_1  | Expected: A dereferenceable resource
solid-server_1  |     at dereferenceWebid (/community-server/node_modules/@solid/access-token-verifier/dist/algorithm/retrieveWebidTrustedOidcIssuers.js:15:15)
solid-server_1  |     at processTicksAndRejections (node:internal/process/task_queues:96:5)
solid-server_1  |     at async retrieveWebidTrustedOidcIssuers (/community-server/node_modules/@solid/access-token-verifier/dist/algorithm/retrieveWebidTrustedOidcIssuers.js:22:24)
solid-server_1  |     at async WebIDIssuersCache.getIssuers (/community-server/node_modules/@solid/access-token-verifier/dist/class/WebIDIssuersCache.js:17:34)
solid-server_1  |     at async verifySolidAccessToken (/community-server/node_modules/@solid/access-token-verifier/dist/algorithm/verifySolidAccessToken.js:39:21)
solid-server_1  |     at async DPoPWebIdExtractor.handle (/community-server/dist/authentication/DPoPWebIdExtractor.js:47:28)
solid-server_1  |     at async Promise.all (index 0)
solid-server_1  |     at async UnionCredentialsExtractor.handleSafe (/community-server/dist/util/handlers/UnionHandler.js:56:25)
solid-server_1  |     at async AuthorizingHttpHandler.handle (/community-server/dist/server/AuthorizingHttpHandler.js:27:29)
solid-server_1  |     at async ParsingHttpHandler.handle (/community-server/dist/server/ParsingHttpHandler.js:28:22)
solid-server_1  |     at async SequenceHandler.handle (/community-server/dist/util/handlers/SequenceHandler.js:27:26)
solid-server_1  |     at async Server.<anonymous> (/community-server/dist/server/BaseHttpServerFactory.js:33:17)

Then I had to npm install https://www.npmjs.com/package/rdf-dereference and I executed the call via the CLI, getting the error:

FetchError: request to https://server.xxxxxxxxxxxxxxx/profile/card#me failed, reason: self signed certificate
    at ClientRequest.<anonymous> (XXXXXXXXXXXXXXXXXXX\npm\node_modules\rdf-dereference\node_modules\node-fetch\lib\index.js:1461:11)
    at ClientRequest.emit (events.js:400:28)
    at TLSSocket.socketErrorListener (_http_client.js:475:9)
    at TLSSocket.emit (events.js:400:28)
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:82:21) {
  type: 'system',
  errno: 'DEPTH_ZERO_SELF_SIGNED_CERT',
  code: 'DEPTH_ZERO_SELF_SIGNED_CERT'
}

1 Like

It’s probably worth submitting an issue for this because the error is not clear enough and it’s not clear that self-signed certificates shouldn’t work…
It’s probably an issue for GitHub - solid/access-token-verifier: Solid access token verification. ?

1 Like

Thanks for the suggestion @josephguillaume. I logged the issue:

1 Like

Hello everybody,
We are facing the same issue. When trying to interact with the server, we can create a pod (through the registration page) and get a specific card through a GET request. However, we cannot do a PUT to our own pods. The error is:

warn: Error verifying WebID via DPoP-bound access token: The WebID could not be dereferenced.
Actual: https://solid.domain.xx/kim-test/profile/card#me

Our setup is the following: we are running the community server with NodeJS, we use nginx as a reverse proxy, and we are not signing our own certificate (we use certbot for this).
On the client side, we get a token, a public and a private key, but still the authorization request fails.
Would you have any pointers to solve this issue? Thanks a lot!

For anyone experiencing this issue, the problem might be around a mapping for /etc/hosts.

First check to see if you can curl from inside your server:

ssh mypodserver
curl https://my.podserver.com/user/profile/card#me

If curling hangs for a while, then produces an error like this, the problem is with /etc/hosts.

curl: (28) Failed to connect to my.podserver.com port 443 after 129360 ms: Couldn't connect to server

To fix it, add the following line to /etc/hosts. Replace my.podserver.com with your Pod server’s domain.

127.0.0.1 my.podserver.com

2 Likes
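
Added example, not part of any post above and not Community Solid Server code: a Node.js check, run inside the server container, that tells apart the two causes reported in this thread (a self-signed certificate that Node does not trust, and the server being unable to reach its own hostname). The function names, the category labels and the host `pod.example` are assumptions made for illustration.

```javascript
// Added diagnostic (not Community Solid Server code). Run it inside the
// server container with the same Node.js version (18+ for global fetch).
const CAUSES = { // low-level error code -> cause discussed in this thread
  DEPTH_ZERO_SELF_SIGNED_CERT: 'tls-untrusted',
  SELF_SIGNED_CERT_IN_CHAIN: 'tls-untrusted',
  UNABLE_TO_VERIFY_LEAF_SIGNATURE: 'tls-untrusted',
  ENOTFOUND: 'dns',
  ECONNREFUSED: 'unreachable',
  ETIMEDOUT: 'unreachable',
  UND_ERR_CONNECT_TIMEOUT: 'unreachable',
};
const ADVICE = {
  'tls-untrusted': 'Use a CA-issued certificate, or add your own CA to Node via NODE_EXTRA_CA_CERTS; keep verification on.',
  dns: 'The server cannot resolve its own public name; fix DNS or /etc/hosts inside the container.',
  unreachable: 'Port 443 is not reachable from the server itself; check routing, firewall or the /etc/hosts mapping.',
  unknown: 'Unrecognized failure; inspect the full error and its cause chain.',
};
// The fragment (#me) names a thing inside the profile document and is never
// sent over HTTP, so the request goes to the document URL without it.
function profileDocumentUrl(webId) {
  const url = new URL(webId);
  if (url.protocol !== 'https:') throw new Error('WebID must be an https: URL');
  url.hash = '';
  return url.href;
}
// fetch() reports "fetch failed" and keeps the real error in err.cause,
// so walk the cause chain until a known code (or a timeout) shows up.
function diagnose(err) {
  for (let e = err, depth = 0; e && depth < 5; e = e.cause, depth++) {
    if (e.name === 'TimeoutError') return { category: 'unreachable', code: 'TIMEOUT', advice: ADVICE.unreachable };
    const category = CAUSES[e.code];
    if (category) return { category, code: e.code, advice: ADVICE[category] };
  }
  return { category: 'unknown', code: null, advice: ADVICE.unknown };
}
// Fetch the profile as the server has to: default trust store, no overrides.
async function probe(webId, timeoutMs = 10000) {
  try {
    const res = await fetch(profileDocumentUrl(webId), {
      headers: { accept: 'text/turtle' },
      signal: AbortSignal.timeout(timeoutMs),
    });
    return { category: res.ok ? 'ok' : 'http-error', code: res.status, advice: '' };
  } catch (err) {
    return diagnose(err);
  }
}
// CLI use: node check-webid.js https://pod.example/user/profile/card#me
if (process.argv[2]?.startsWith('https://')) probe(process.argv[2]).then(console.log);
```

A `tls-untrusted` result from inside the container, while a browser on another machine loads the same URL, means the server's Node runtime lacks the CA that the browser was told to accept.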