Running Carbonio CE, carbonio-core 4.5.12-1jammy, Ubuntu 22.04.5.
Webmail/admin login fails with 502 Bad Gateway on GET /zx/login/v3/auth/config. Traced this to the carbonio-proxy upstream carbonio-auth, which routes to 127.78.0.1:20008 (an Envoy sidecar). The sidecar itself is up and listening, but nothing is registered behind it.
What I've confirmed:
consul catalog servicesshows nocarbonio-authentry at all (not unhealthy — completely absent)- No
.hclfile for it exists in/etc/zextras/service-discover/(onlycarbonio-proxy.hclreferences the name, as a destination) - No systemd unit
carbonio-auth-sidecar.serviceexists anywhere on disk dpkg -S carbonio-auth-sidecarreturns no matching packageapt-cache search carbonio | grep authandapt list -a carbonio-auth*show onlycarbonio-auth-ui(a frontend module), no backend service- Not served directly by mailboxd either (
curl localhost:8080/zx/login/v3/auth/config→ 404) - No trace of any process ever attempting to register this service name in
mailbox.log pending-setups -aruns clean, nothing pending- Full
zmcontrol restartand individual service restarts don't resolve it - Repointing the proxy upstream to
carbonio-user-management(the service that appears to actually handle auth-related SOAP requests) also didn't resolve it — reverted that change
What's healthy: everything else — mail delivery, IMAP, SMTP, LDAP, MTA, proxy itself, mailbox backend. This is isolated to the webmail/admin login flow specifically.
Found one other user with the exact same symptom (community.zextras.com/forum/carbonio-general-thread/carbonio-auth-problem/, Feb 2024) with no public resolution shown.
Is carbonio-auth supposed to be provided by a specific package? Was it possibly deprecated/replaced by carbonio-user-management in a later version and this proxy template just wasn't updated to match? Any pointers appreciated.
(sorry mods - there is a duplicate thread, i must have done that in error pls delete the other thread)
Update: Found the root cause and a working (temp) fix.
carbonio-auth (the upstream on port 20008, handling /zx/login/ and /zx/auth/) has no backing service on my system — confirmed via consul catalog services (not registered at all, not just unhealthy), no .hcl file, no systemd unit, no owning package anywhere in the repo (dpkg -S, apt-cache search). Also confirmed this endpoint doesn't exist on mailboxd itself on either of its own ports (8080, 7071 — both return 404 for these paths directly).
My working theory: carbonio-auth may be the advanced-auth-policy service (2FA/SAML/trusted-device policy management — note the CLI has separate WebUI vs ZmWebUI policy commands) that's part of paid Carbonio but not shipped in CE, while the proxy's nginx template references it unconditionally regardless of edition. If anyone from Zextras can confirm/deny this, it'd help a lot.
Workaround that's fully resolved it for me: since the legacy /service/soap/AuthRequest login path works fine independent of carbonio-auth, I edited the nginx templates to make the /zx/login/ and /zx/auth/ locations return a clean 404 instead of attempting to proxy to the missing service:
location ^~ /zx/login/
{
return 404;
}
location ^~ /zx/auth/
{
return 404;
}
(applied in /opt/zextras/conf/nginx/templates/nginx.conf.web.https.template and the matching .default.template, then zmproxyctl restart)
This let the frontend gracefully fall back instead of hard-failing on the connection reset from the missing backend. Both regular webmail and the admin console (port 6071) now log in and work normally.
Caveat: this is a workaround, not a real fix — it just disables whatever carbonio-auth was supposed to provide (likely advanced auth policy features, which may not matter for anyone not using 2FA/SSO anyway). If someone knows the actual intended fix, I'd still like to hear it.
Environment: Carbonio CE carbonio-core 4.5.12-1jammy, Ubuntu 22.04.
