
I am trying to run a curl PUT request but I get an unauthorized response that I fear is based on my server setup.

The request is the following:

```bash
curl -X PUT -v -u 'admin:adminpwd' https://myexampledomain.com/cloud/ocs/v1.php/cloud/users/pinuccio -d 'key=display' -d 'value=ajeje' -H "OCS-APIRequest: true"
```

The response I get is an unauthorized (401). This is the verbose log:

```
*   Trying 127.0.1.1...
* TCP_NODELAY set
* Connected to myexampledomain.com (127.0.1.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=myexampledomain.com
*  start date: May  1 17:18:35 2020 GMT
*  expire date: Jul 30 17:18:35 2020 GMT
*  subjectAltName: host "myexampledomain.com" matched cert's "myexampledomain.com"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Server auth using Basic with user 'admin'
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> PUT /cloud/ocs/v1.php/cloud/users/pinuccio HTTP/1.1
> Host: mydomain.com
> Authorization: Basic YWRtaW46QzRsMW0zcjA=
> User-Agent: curl/7.58.0
> Accept: */*
> OCS-APIRequest: true
> Content-Length: 23
> Content-Type: application/x-www-form-urlencoded
> 
* upload completely sent off: 23 out of 23 bytes
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
< HTTP/1.1 401 Unauthorized
< Date: Tue, 30 Jun 2020 14:07:28 GMT
< Server: Apache/2.4.29 (Ubuntu)
< Strict-Transport-Security: max-age=15552000; includeSubDomains
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Robots-Tag: none
< X-Frame-Options: SAMEORIGIN
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Set-Cookie: oczw6f5q1725=a8va678tu6ifnku9qqb8ad6g9r; path=/cloud; secure; HttpOnly
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: oc_sessionPassphrase=aX2nBbeRkkjX2AOsL9pWoxCcB5vvtdiR4wT9UtOAxfM61oVxCX5LvX02eZkNSfqUPekCdo20A65%2BplZBgHQo%2FyaVQdiQ42d7O4TAqyWpsx8f3gBAeNV%2B2EphYBGNxLmW; path=/cloud; secure; HttpOnly
< Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *
< Set-Cookie: oczw6f5q1725=0h8mkv831pq6aukvoivr7gf5t2; path=/cloud; secure; HttpOnly
< Set-Cookie: cookie_test=test; expires=Tue, 30-Jun-2020 15:07:28 GMT; Max-Age=3600
< Set-Cookie: oc_username=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/cloud; secure; HttpOnly
< Set-Cookie: oc_token=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/cloud; secure; HttpOnly
< Set-Cookie: oc_remember_login=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/cloud; secure; HttpOnly
< Set-Cookie: oc_username=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/cloud/; secure; HttpOnly
< Set-Cookie: oc_token=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/cloud/; secure; HttpOnly
< Set-Cookie: oc_remember_login=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/cloud/; secure; HttpOnly
< Set-Cookie: oczw6f5q1725=pi2oc8f3cgut57emv2ikflsooq; path=/cloud; secure; HttpOnly
< Set-Cookie: oczw6f5q1725=4hhk94mvb1l6j6re7qi9v68kjo; path=/cloud; secure; HttpOnly
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="Authorisation Required"
< Access-Control-Allow-Origin: https://myexampledomain.com/cloud
< Content-Length: 132
< Content-Type: text/xml; charset=UTF-8
< 
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
```

I cannot understand from the log where it fails. Can anyone help me to understand? I am running the request directly from the server the API is running on. I also added a CORS allow for mydomain.com/cloud but nothing changed.

On the same API I am able to run a POST request without basic auth. That request runs smoothly. Looks like at some point TLS1.3 fails to keep authenticating...

This is the API documentation: User Provisioning API - Edit user

Lelio Faieta
  • is your password really 'C4l1m3r0'? why bother with upper case, lowercase, numbers if it's just a permutation of calimero? – on8tom Jun 30 '20 at 14:29
  • no, my password is not that one obviously :-) – Lelio Faieta Jun 30 '20 at 14:33
  • your server responds with a 401, and a WWW-Authenticate: Basic. this usually means you have supplied a wrong username / password combo – on8tom Jun 30 '20 at 14:33
  • and not usually? these credentials are working fine. I can login with them and I can perform other requests – Lelio Faieta Jun 30 '20 at 14:36
  • it looks like a mis-configured web-server, or bad software, that throws a 401 instead of a 403 (forbidden). or you also need to supply cookies. or something, the curl request supplies the basic auth. so most certainly it's server side. is there a WAF or some kind of load balancer in front of the server? – on8tom Jun 30 '20 at 14:38
  • no there isn't. The most complex thing is that I have a reverse proxy on /store that resolves to myexampledomain.com:4343 (a node server) but nothing else – Lelio Faieta Jun 30 '20 at 14:41
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/216959/discussion-between-on8tom-and-lelio-faieta). – on8tom Jun 30 '20 at 14:49

1 Answer


ownCloud 10 API requires TLS1.3 to be enabled. I was running Apache 2.4.29 (the latest version on Ubuntu 18.04 server at the time of writing), which does not support TLS1.3. The first version to support it is 2.4.37.

I updated Apache and now everything works as expected. To force the upgrade I had to:

```bash
# add the repository
sudo add-apt-repository ppa:ondrej/apache2
# get the updates
sudo apt update
# do the upgrade
sudo apt upgrade
```

Hope this solves someone else's headache.

Lelio Faieta
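An added example, not part of the original question or answer: a shell helper that masks the credential and cookie values in a saved `curl -v` transcript before it is shared, and extracts the fields this thread turns on (status, negotiated TLS version, `Server` banner, auth challenge). The function names, the `cloud.example.test` host and the sample transcript are constructed for illustration; 2.4.37 is the version named in the answer.

```shell
# Mask secrets in a `curl -v` transcript read from stdin.
redact_curl_log() {
    sed -E \
        -e 's/^(> (Proxy-)?Authorization: [A-Za-z]+) .*/\1 [REDACTED]/' \
        -e 's/^(> Cookie:).*/\1 [REDACTED]/' \
        -e 's/^(< Set-Cookie: [^=]+=)[^;]*/\1[REDACTED]/'
}

# Print one summary line: status, negotiated TLS, Server banner, challenge.
summarize_curl_log() {
    awk '
        /^\* SSL connection using / { tls = $5 }
        /^< HTTP\//                 { status = $3 }
        /^< Server: /               { server = $3 }
        /^< WWW-Authenticate: /     { scheme = $3 }
        END { printf "status=%s tls=%s server=%s challenge=%s\n", status, tls, server, scheme }
    '
}

# Exit 0 when dotted version $1 is lower than $2, else exit 1.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1
    }'
}

# Constructed sample transcript; the Basic value decodes to "user:example".
sample_log() {
    cat <<'EOF'
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
> PUT /cloud/ocs/v1.php/cloud/users/demo HTTP/1.1
> Host: cloud.example.test
> Authorization: Basic dXNlcjpleGFtcGxl
< HTTP/1.1 401 Unauthorized
< Server: Apache/2.4.29 (Ubuntu)
< Set-Cookie: oc_session=abc123; path=/cloud; secure; HttpOnly
< WWW-Authenticate: Basic realm="Authorisation Required"
EOF
}

sample_log | redact_curl_log
sample_log | summarize_curl_log
version_lt 2.4.29 2.4.37 && echo "Server banner is older than 2.4.37"
```

Basic credentials are only Base64-encoded, so an unredacted `Authorization` line in a posted log discloses the password, as the first comment on the question shows.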