Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Stuck in login loop #3623

Open
kvannotten opened this issue Feb 14, 2019 · 217 comments
Open

Stuck in login loop #3623

kvannotten opened this issue Feb 14, 2019 · 217 comments

Comments

@kvannotten
Copy link

@kvannotten kvannotten commented Feb 14, 2019

After the latest update of yesterday, I can no longer login. The app keeps redirecting me to authorize my account.

@nextcloud-android-bot
Copy link
Collaborator

@nextcloud-android-bot nextcloud-android-bot commented Feb 14, 2019

GitMate.io thinks possibly related issues are #2284 (Login loop), #2032 (Login attempt just stops), #2561 (No login possible), #2143 (Login issue), and #433 (Login Error).

@alerque
Copy link

@alerque alerque commented Feb 14, 2019

I've got the same problem. The app was fine before the update (4 hours ago), just a few minutes ago I saw the play store notification that it had updated it and tried it again. My Nextcloud server is up to date with the latest stable release and I can login on the web and from the desktop client (on Linux) just fine. The Android app just looks me back to the login — after what appears to be a successful login. The user/password phase seems to work, it then prompts to grant access to the app, only then does it jump back to asking for a login.

@nextcloud-android-bot None of those issues seem to be related, they are all old 2018 login related things and this appears to be a new regression in the latest release.

@tobiasKaminsky
Copy link
Member

@tobiasKaminsky tobiasKaminsky commented Feb 14, 2019

Is this also happening with a new account?

@kvannotten
Copy link
Author

@kvannotten kvannotten commented Feb 14, 2019

just tested it with a new account, still happens.

@thrawn-sh
Copy link

@thrawn-sh thrawn-sh commented Feb 14, 2019

Same problem here. New account doesn't work either. Everything was fine before the app update. DavDroid / DavX5 still works.

@tobiasKaminsky
Copy link
Member

@tobiasKaminsky tobiasKaminsky commented Feb 14, 2019

Can you create us a test account, test if the problem occurs also there and if so send the credentials to tobias at nextcloud dot com with a reference to this issue?

@thrawn-sh
Copy link

@thrawn-sh thrawn-sh commented Feb 14, 2019

@tobiasKaminsky: I've sent you an Mail with a complete fresh account, please let me know if I can do anything else.

@scho0ck
Copy link

@scho0ck scho0ck commented Feb 14, 2019

I have the same issue with the app version 3.5.0 and Nextcloud 15.0.4 it all started to act up after the update if the android app

@alerque
Copy link

@alerque alerque commented Feb 15, 2019

I just had a look at the Apache log files for my Nextcloud instance and don't see anything particularly useful, but maybe it will mean something to a developer. I've redacted specific values using <key> syntax, all the values with the same key are the same.

First, these lines showed up when I first opened the app and was show a login screen:

- - [15/Feb/2019:06:25:23 +0000] "GET /index.php/login/flow/grant?clientIdentifier=&stateToken= HTTP/1.1" 303 -
- - [15/Feb/2019:06:25:24 +0000] "GET /index.php/login/flow/grant?clientIdentifier=&stateToken= HTTP/1.1" 303 -
- - [15/Feb/2019:06:25:24 +0000] "GET /index.php/login?redirect_url=/index.php/login/flow/grant%3FclientIdentifier%3D%26stateToken% HTTP/1.1" 200 8525
- - [15/Feb/2019:06:25:34 +0000] "GET /index.php/core/js/oc.js?v=7c4c8bc0 HTTP/1.1" 200 4797

After entering my credentials and hitting login, these lines showed up:

- - [15/Feb/2019:06:25:50 +0000] "POST /index.php/login?redirect_url=/index.php/login/flow/grant%3FclientIdentifier%3D%26stateToken% HTTP/1.1" 303 -
- - [15/Feb/2019:06:25:51 +0000] "GET /index.php/login/flow/grant?clientIdentifier=&stateToken= HTTP/1.1" 200 6749
- - [15/Feb/2019:06:25:51 +0000] "GET /index.php/core/js/oc.js?v=7c4c8bc0 HTTP/1.1" 200 4891

Here I was show the "grant" button, after which these showed up (while the app looked like it was loading a file manager for about 20 seconds, then it dumped be back at the login screen.

- - [15/Feb/2019:06:26:14 +0000] "POST /index.php/login/flow HTTP/1.1" 303 -
- - [15/Feb/2019:06:26:15 +0000] "GET /status.php HTTP/1.1" 200 137
- - [15/Feb/2019:06:26:15 +0000] "HEAD /remote.php/webdav/ HTTP/1.1" 401 -
- [15/Feb/2019:06:26:16 +0000] "HEAD /remote.php/webdav/ HTTP/1.1" 200 -
- [15/Feb/2019:06:26:16 +0000] "GET /ocs/v1.php/cloud/user?format=json HTTP/1.1" 200 684
- [15/Feb/2019:06:26:17 +0000] "GET /ocs/v1.php/cloud/users/?format=json HTTP/1.1" 401 140
- [15/Feb/2019:06:26:18 +0000] "GET /ocs/v1.php/cloud/users/?format=json HTTP/1.1" 401 140
- [15/Feb/2019:06:26:18 +0000] "GET /index.php/avatar//235 HTTP/1.1" 304 -
- [15/Feb/2019:06:26:18 +0000] "GET /status.php HTTP/1.1" 200 137
- [15/Feb/2019:06:26:18 +0000] "POST /ocs/v2.php/apps/notifications/api/v2/push?format=json&pushTokenHash=&devicePublicKey=&proxyServer=https%3A%2F%2Fpush-notifications.nextcloud.com HTTP/1.1" 401 106
- [15/Feb/2019:06:26:20 +0000] "GET /ocs/v1.php/cloud/capabilities?format=json HTTP/1.1" 200 537
- [15/Feb/2019:06:26:22 +0000] "GET /ocs/v1.php/cloud/user?format=json HTTP/1.1" 401 140
- [15/Feb/2019:06:26:26 +0000] "PROPFIND /remote.php/webdav/ HTTP/1.1" 401 343 > - - [15/Feb/2019:06:26:33 +0000] "GET /status.php HTTP/1.1" 200 137
- - [15/Feb/2019:06:26:33 +0000] "HEAD /remote.php/webdav/ HTTP/1.1" 401 -
- - [15/Feb/2019:06:26:33 +0000] "GET /status.php HTTP/1.1" 200 137
- - [15/Feb/2019:06:26:34 +0000] "HEAD /remote.php/webdav/ HTTP/1.1" 401 -
- - [15/Feb/2019:06:26:34 +0000] "GET /index.php/login/flow HTTP/1.1" 200 7293
- - [15/Feb/2019:06:26:35 +0000] "GET /index.php/core/js/oc.js?v=7c4c8bc0 HTTP/1.1" 200 4799

@matrafox
Copy link

@matrafox matrafox commented Feb 15, 2019

I have same issue . I have updated today the app , and no longer working. After login I am redirected to login again. The server is on a VPS locally

@thrawn-sh
Copy link

@thrawn-sh thrawn-sh commented Feb 16, 2019

I went to the Android account settings on my phone (LinageOS) and deleted the Nextcloud account (despite of the warning that all the messages, contacts and other data will be lost). After deleting the account I went back to nextcloud app and created a new account.

It works for me, and as far as I can tell I did not loose any files on the phone or on the server.

@shani149
Copy link

@shani149 shani149 commented Feb 17, 2019

I have same issue, stuck in login auth loop.

@RDominique
Copy link

@RDominique RDominique commented Feb 17, 2019

Me to. Removing the account and recreating the account takes care of it (thx @ trawn-sh). Though I hope a new client can be released that automagicaly fixes the issue. I have several low-IT-capable users who can't do the account-trick themselves....

@devlux

This comment has been minimized.

@shani149
Copy link

@shani149 shani149 commented Feb 17, 2019

I can login on the web but app is not working. If I remove the user it will remove all my files? Anyway to avoid loss of user files?

@RDominique
Copy link

@RDominique RDominique commented Feb 17, 2019

@shani149, remove and recreate the account on the smartphone/tablet, not on the server...

@shani149
Copy link

@shani149 shani149 commented Feb 17, 2019

@RDominique that worked, thanks for explaining.

@moorsey
Copy link

@moorsey moorsey commented Feb 17, 2019

Worked for me also, many thanks

Don't forget to re-enable any auto uploads, these were wiped for me after clearing the account

@matrafox
Copy link

@matrafox matrafox commented Feb 18, 2019

Hello
I confirm also that if you reinstall application it won't work. However if you go to apps/settings and delete data information and reinsert the account will work. Indeed you need to re-enable the auto uploads. However the information that was made between this reinstall install, I don't see it on my server yet. Is there a way to force re-scan of the phone , or to compare again files ? Or I need to copy manually and run occ files:scan

@moorsey
Copy link

@moorsey moorsey commented Feb 18, 2019

You have to manually copy anything missed from auto upload, only works on new files from when you reset the rules unfortunately

@matrafox
Copy link

@matrafox matrafox commented Feb 18, 2019

Indeed unfortunately . This will be a nice feature to have I think . Also this will be nice for first install of apps to upload existing files on phone.

@mikoladz
Copy link

@mikoladz mikoladz commented Feb 21, 2019

I am also affected by this issue. I have tried to remove application tokens, but this hasn't helped. Any solution other than removing an account (which requires setting up auto uploads again, and I have lots of them)?

@alerque
Copy link

@alerque alerque commented Feb 21, 2019

Hey guys this is a serious problem — there are a lot of people affected and we're dead in the water. There are quite a few people that have made it to the issue tracker here, but also comments in the Play Store reviews section are starting to proliferate mentioning this issue.

One common theme (but not, apparently, exclusive) is that many of them are using ActiveDirectry for their authentication backend. In my case I'm using LDAP, and a few people seem to have this issue on internally authenticated users.

Is there anything we can do to expedite finding and fixing this? I believe this is the kind of bug that warrants and urgent hotfix point-release. I'm trying not to be too alarmist here, but even just considering my own troubles –as a long time user and advocate who has turned many people on to Nextcloud and hosts it for several teams– I am having to transfer files through other channels and am wondering about alternative platforms.

@oxivanisher
Copy link

@oxivanisher oxivanisher commented Feb 26, 2019

Is there anything that we can do to help find a solution? It still bugs lots of users.
And no, re-auth every user is not really an option for lots of admins out there...

@JoCowood
Copy link

@JoCowood JoCowood commented Feb 28, 2019

I have the same problem and I have a lot of "low-IT-capable users", too, which encouter this problem.

@devlux
Copy link

@devlux devlux commented Feb 28, 2019

shouldn't this be labeled as "high"?

@aristaeus
Copy link

@aristaeus aristaeus commented Feb 28, 2019

I have this problem too. I tried reinstalling the app before coming to this thread and now I can't remove my Nextcloud account from "Accounts" because it isn't there... but I still can't login to my account. A new account works just fine. Does anyone know where any remaining data might be on my phone that I can delete manually?

@jitheshkt
Copy link

@jitheshkt jitheshkt commented Dec 16, 2020

I had the same issue. As a walk around QR code login worked. I agree with @tobiasKaminsky 's SSL theory. There is something wrong with SSL handling on the login form submit.

@monte-monte
Copy link

@monte-monte monte-monte commented Dec 22, 2020

@tobiasKaminsky can't say for @benbucksch, but I have the same problem, as I can't login even on new phones with new accounts. But I have a clue now for why can it be. I use ssl offloading on reverse proxy to access unsecure nextcloud server. So reverse proxy (haproxy in my case) uses SSL encryption of unencrypted traffic from nextcloud. I guess that's what app doesn't like.
Could try to enable ssl between proxy and nextcloud to see if it will make a difference, but is there any cons for the type of scheme I have now? I guess traffic should be encrypted anyway, and SSL offloading is an OK thing to do.

@benbucksch
Copy link

@benbucksch benbucksch commented Dec 22, 2020

In this case it looks like something with your https handling is wrong.

This is simply the stock NextCloud docker image behind a traefik. I'm not doing anything special with HTTPS.

@benbucksch
Copy link

@benbucksch benbucksch commented Dec 22, 2020

Config is simply, in NextCloud docker-compose.yml:

  app:
    image: nextcloud
    ...
    labels:
      - "traefik.backend=nextcloud"
      - "traefik.port=80"
      - "traefik.frontend.rule=Host:nextcloud.example.org"
    environment:
      ...
      - DOMAIN=nextcloud.example.org
      - NEXTCLOUD_HOSTNAME=nextcloud.example.org

and then in traefik.toml:

... (traefik config for all backend servers)
[[acme.domains]]
  main = "nextcloud.example.org"

And that makes NextCloud available under the public URL https://nextcloud.example.org .

That's all there is to it. As you can see, there is no http: URL anywhere that I configured. If there's a bug in the config, then it's in the standard docker image.

Recently (2020-11-23, after Tobias' comment), I have modified NextCloud config.php and it now has:

<?php
$CONFIG = array(
'overwritehost' => 'nextcloud.example.org',
'overwriteprotocol' => 'https',
);

... but to no avail. IIRC, this didn't fix the bug.

@monte-monte
Copy link

@monte-monte monte-monte commented Dec 22, 2020

@benbucksch

I have modified NextCloud config.php and it now has:

But have you modified docker-copose.yml ? Because there you are pointing to port 80 and not 443.

@benbucksch
Copy link

@benbucksch benbucksch commented Dec 22, 2020

Because there you are pointing to port 80 and not 443.

What I quoted above are my modifications to the docker-compose.yml file, yes. The rules

      - "traefik.backend=nextcloud"
      - "traefik.port=80"
      - "traefik.frontend.rule=Host:nextcloud.example.org"

tell traefik to accept HTTPS traffik on nextcloud.example.org from the Internet (line 3), and send it via HTTP to port 80 (line 2) on the docker container nextcloud (line 1).

Yes, of course traeffik communicates via HTTP and not HTTPS with NextCloud over the virtual docker network on the local host, because traefik is the HTTPS terminator and traefik has the SSL certificate. NextCloud doesn't have the SSL certificate (!). That's the whole purpose of traefik: To take care of HTTPS, acquire all the necessary certificates from Let's Encrypt and refresh them routinely, and accept the traffic from the Internet, and forward the traffic internally as HTTP - the classic role of a HTTPS terminator.

That's a completely standard configuration, nothing special here.

@monte-monte
Copy link

@monte-monte monte-monte commented Dec 22, 2020

@benbucksch okay, I see. But my guess is that it is the root of the problem. Like the app talks to traefik or HAproxy (in my case) or any other reverse proxy, gets SSL certificate, follows to the actual nextcloud server and it somehow signals, that it doesn't use SSL in fact.
I am no expert and can't say, how true can it be. But HAproxy for example can connect internally using even self signed cert. So INTERNET > valid cert > HAproxy > invalid cert > Nextcloud.
I will try it and report if this changes anything.

@monte-monte
Copy link

@monte-monte monte-monte commented Dec 22, 2020

Well, okay, you can't do this, because included nginx apparently does not have any SSL certificate, nor is it set to listen on port 443.
So if my theory is correct (doubtfully) then the default docker image is misconfigured for what exactly server needs.

@benbucksch
Copy link

@benbucksch benbucksch commented Dec 23, 2020

the default docker image is misconfigured

Yes, I think so as well.

(That said, if even the creators of the standard docker image made this mistake, who should be the experts, then I'd argue that the configuration of NextCloud is the trip-wire here and NextCloud should detect this situation automatically, given the severity of the effects.)

@vgdh
Copy link

@vgdh vgdh commented Dec 23, 2020

Because there you are pointing to port 80 and not 443.

What I quoted above are my modifications to the docker-compose.yml file, yes. The rules

      - "traefik.backend=nextcloud"
      - "traefik.port=80"
      - "traefik.frontend.rule=Host:nextcloud.example.org"

tell traefik to accept HTTPS traffik on nextcloud.example.org from the Internet (line 3), and send it via HTTP to port 80 (line 2) on the docker container nextcloud (line 1).

Yes, of course traeffik communicates via HTTP and not HTTPS with NextCloud over the virtual docker network on the local host, because traefik is the HTTPS terminator and traefik has the SSL certificate. NextCloud doesn't have the SSL certificate (!). That's the whole purpose of traefik: To take care of HTTPS, acquire all the necessary certificates from Let's Encrypt and refresh them routinely, and accept the traffic from the Internet, and forward the traffic internally as HTTP - the classic role of a HTTPS terminator.

That's a completely standard configuration, nothing special here.

Its work well for me.

docker-compose

Services:
nextcloud-app:
container_name: nextcloud-server
image: nextcloud:20.0.2-apache
stdin_open: true
tty: true
restart: always
depends_on:
- nextcloud-db
- onlyoffice-app
expose:
- '80'
networks:
- nextcloud_net
labels:
- traefik.enable=true
- "traefik.frontend.rule=Host:blablabla.com,localhost; ReplacePathRegex: ^/.well-known/(?:caldav|carddav)(.*) /remote.php/dav$$1"
- "traefik.frontend.headers.customResponseHeaders=Strict-Transport-Security:15552000"
traefik:
container_name: traefik
image: traefik:1.7.21
restart: always
depends_on:
- nextcloud-app
- nextcloud-db
- onlyoffice-app
ports:
- 80:80
- 443:443
networks:
- nextcloud_net

TOML

debug = false

logLevel = "ERROR"
defaultEntryPoints = ["https","http"]

[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.redirect]
regex = "^https://www.(.*)"
replacement = "https://$1"
permanent = true
[entryPoints.https.tls]
[retry]

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "blablabla.com"
watch = true
exposedByDefault = false

[acme]
email = "blablabla@blablabla.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
[acme.httpChallenge]
entryPoint = "http"

@RMcNeely
Copy link

@RMcNeely RMcNeely commented Jan 5, 2021

I recently set up NextCloud with Docker over the holidays and ran into this problem as well when I downloaded the Android app. I'm using the 2.x version of traefik so my setup is a little different but the same in principle (traefik with lets encrypt proxying my nextcloud instance with redirects for https). Setting up SSL redirects for the middleware in Traefik 2.x fixed the problem for me however and I was able to log in just fine without resorting to scanning a QR code.

Here's the relevant section from my docker-compose file:

75   nextcloud:
76     image: nextcloud:20-apache
77     container_name: nextcloud
78     restart: always
79     labels:
80       - "traefik.enable=true"
81       - "traefik.http.routers.nextcloud.rule=Host(`cloud.mcneely.duckdns.org`)"
82       - "traefik.http.routers.nextcloud.entrypoints=web"
83       - "traefik.http.routers.nextcloud.entrypoints=secure"
84       - "traefik.http.routers.nextcloud.tls.certresolver=duck"
85       # Middlewares for Nextcloud
86       - "traefik.http.routers.nextcloud.middlewares=nextcloud@docker"
87       - "traefik.http.routers.nextcloud.middlewares=nextcloud-caldav@docker"
88       # HTTPS redirect 
89       - "traefik.http.middlewares.nextcloud.redirectscheme.scheme=https"
90       - "traefik.http.middlewares.nextcloud.redirectscheme.permanent=true"
91       - "traefik.http.middlewares.nextcloud.headers.sslredirect=true"
92       # Redirect rules for CalDev
93       - "traefik.http.middlewares.nextcloud-caldav.redirectregex.permanent=true"
94       - "traefik.http.middlewares.nextcloud-caldav.redirectregex.regex=^https://(.*)/.well-known/(card|cal)dav"
95       - "traefik.http.middlewares.nextcloud-caldav.redirectregex.replacement=https://$${1}/remote.php/dav/"

Not listed are the ENV variables I've set for TRUSTEDPROXIES, OVERWRITEHOST, and OVERWRITEPROTOCAL. I'm not sure this is ultimate solution but it does make sense based on Traefik being the http terminator. In my logs I can now see a clean 200 response for "GET /index.php/csrftoken HTTP/1.1"

@benbucksch
Copy link

@benbucksch benbucksch commented Jan 5, 2021

FWIW, not sure whether that matters, but I entered the https: URL in the Android client, not http:.

@rfreytag1
Copy link

@rfreytag1 rfreytag1 commented Feb 19, 2021

This still seems to be an issue occasionally. Sometimes it'll say it can't connect repeatedly for no apparent reason. Other times it'll just throw you in a loop for a couple of rounds. It's kinda annoying. Sometimes I also get logged out.

NextCloud Server: 20.0.7 running behind Nginx(all configured according to the docs) with php-fpm on Arch Linux.

@mostepunk
Copy link

@mostepunk mostepunk commented Apr 26, 2021

I fixed it!

In my case I use nextcloud:apache reverse proxy nginx on vps and opened port e.g. 7443

I created ssl certificate like in this tutorial

  • Created volume .certs:/certs
  • Mount ports 7443:443
  • Change owner recursevely to www-data:www-data for these scripts and ssl certs
  • Change recursevely 777 rights (may be it's not the best solution) to /certs
  • proxy_pass from nginx vps to port 7443

    proxy_pass http://ip_address:7443/

  • and after nextcloud image starts I connect to docker and run scripts for setting ssl certs into apache for redirect

And after that I logged in by login/pass successfully

In the tutorial author used separate Dockerfile, but I don't need it at the moment. When I made like in this tutorial, I had permission denied to my database image, because I've created my users in DB and I didn't want to clean all the data and re-create it again. I'll make some script, that will run automatically after container creates

P. S. Sorry for my broken English :)

@EasyNetDev
Copy link

@EasyNetDev EasyNetDev commented Oct 29, 2021

Hi all,

Yestarday I got this anoying issue with my Nextcloud Android Client (version 3.18.0 RC1).
I'm using my server hosted on Apache2 without any proxy in front of the server. Simple setup.
I'm running Nextcloud 22.2.0 version.
Yesterday I notice a message on my Android Client which says Server not avaiable. Try to fix the issue I disconnct the client, reinstall it and try it to log in. Each time I'm ending in "Grant Access" button which shows me a circle circling forever.
If I'm pressing again "Grant Access" is returning me back to the login page.
I tried to use "Devices & sessions" and create a app pass. Even the QRCode is readed by the app and putting the correct URL, tring to go to next step is says "couldn't find the server".
I copied the link, started allover again, paste the previous link .. suprise! The link is good!
I tried to log in with user and token and the result is the same as user and pass flow.
I don't know what to do! I tried also the Nextcloud Client dev (version 20211024) form F-droid and I got the same behavior.

Ultil yesterday,everything was fine. I can't find anything suspicios in log neither.

My server is running SSL.

There is a way to fix this issue?

@mostepunk
Copy link

@mostepunk mostepunk commented Oct 29, 2021

Hi @EasyNetDev!
Did you read this article?
After that, login will work nice.

@EasyNetDev
Copy link

@EasyNetDev EasyNetDev commented Oct 29, 2021

Hi @fanishe,

Thanks for your sugestion.
I tried that tutorial and I added these SSL parameters in Apache, I restarted but not luck. Same issue.
Because I'm not using docker, I did only the SSL configuration.

I'm in a death end.

@mostepunk
Copy link

@mostepunk mostepunk commented Oct 29, 2021

@EasyNetDev what is your configuration? What is your url?

@EasyNetDev
Copy link

@EasyNetDev EasyNetDev commented Oct 29, 2021

Hi @fanishe ,

My config.php looks like this:

<?php
$CONFIG = array (
  'instanceid' => 'INSTANCE_ID',
  'passwordsalt' => 'PWDSALT',
  'secret' => 'SECRET',
  'trusted_domains' =>
  array (
    0 => 'nextcloud.MYDOMAIN.dev',
  ),
  'datadirectory' => '/var/Storage/nextcloud',
  'overwrite.cli.url' => 'https://nextcloud.MYDOMAIN.dev',
  'overwritehost' => 'nextcloud.MYDOMAIN.dev',
  'overwriteprotocol' => 'https',
  'forcessl' => true,
  'forwarded_for_headers' =>
  array (
    0 => 'HTTP_X_FORWARDED',
    1 => 'HTTP_FORWARDED_FOR',
  ),
  'trusted_proxies' =>
  array (
    0 => 'localhost',
  ),
  'dbtype' => 'mysql',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'DBUSER',
  'dbpassword' => 'DBPASS',
  'installed' => true,
  'logtimezone' => 'Europe/Bucharest',
  'log_type' => 'file',
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'loglevel' => 1,
  'maintenance' => false,
  'theme' => '',
  'version' => '22.2.0.2',
  'mail_from_address' => 'NextCloud',
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => 'MYDOMAIN.dev',
  'mail_smtphost' => 'smtp.MYDOMAIN.dev',
  'mail_smtpauth' => 1,
  'mail_smtpname' => 'devices_auth@MYDOMAIN.dev',
  'mail_smtppassword' => 'SMTPPASS',
  'mail_smtpsecure' => 'tls',
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => 'localhost',
    'port' => 6379,
    'timeout' => 0,
    'password' => '',
    'dbindex' => 0,
  ),
  'updater.release.channel' => 'stable',
  'app_install_overwrite' =>
  array (
    0 => 'end_to_end_encryption',
    1 => 'twainwebscan',
    2 => 'files_snapshots',
  ),
  'has_rebuilt_cache' => true,
  'encryption.legacy_format_support' => false,
  'encryption.key_storage_migrated' => false,
  'default_phone_region' => 'RO',
  'csrf.optout' => array (
#        '/^WebDAVFS/', // OS X Finder
#        '/^Microsoft-WebDAV-MiniRedir/', // Windows webdav drive
        0 => '/Nextcloud-android/',
  ),
);

csrf.optout I added this morning after I read other similar issues.

And the apache config for nextcloud looks like this:

/etc/apache2/sites-enabled/nextcloud:SSL.conf :

<IfModule mod_ssl.c>

        <VirtualHost _default_:443>
                ServerAdmin noc@MYDOMAIN.dev

                ServerName nextcloud.MYDOMAIN.dev

                DocumentRoot /var/www/nextcloud
                <Directory "/var/www/nextcloud">
                    Options +FollowSymLinks
                    AllowOverride All

                    <IfModule mod_dav.c>
                      Dav off
                    </IfModule>

                    SetEnv HOME /var/www/nextcloud
                    SetEnv HTTP_HOME /var/www/nextcloud
                </Directory>

                <IfModule mod_headers.c>
                    Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
                </IfModule>

                <Directory "/var/www/nextcloud/data/">
                  # just in case if .htaccess gets disabled
                  Require all denied
                </Directory>

                <Directory "/var/lib/nextcloud/data/">
                  # just in case if .htaccess gets disabled
                  Require all denied
                </Directory>

                <FilesMatch "\.php$">
                    SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost/"
                </FilesMatch>

#               <Directory /var/www/nextcloud/>
#                   Options +FollowSymLinks
#                   AllowOverride All
#                   <IfVersion < 2.3>
#                       order allow,deny
#                       allow from all
#                   </IfVersion>
#                   <IfVersion >= 2.3>
#                       Require all granted
#                   </IfVersion>
#               </Directory>

                <IfModule mod_headers.c>
                      Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
                </IfModule>

                # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
                # error, crit, alert, emerg.
                # It is also possible to configure the loglevel for particular
                # modules, e.g.
                #LogLevel info ssl:warn

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                # For most configuration files from conf-available/, which are
                # enabled or disabled at a global level, it is possible to
                # include a line for only one particular virtual host. For example the
                # following line enables the CGI configuration for this host only
                # after it has been globally disabled with "a2disconf".
                #Include conf-available/serve-cgi-bin.conf

                #   SSL Engine Switch:
                #   Enable/Disable SSL for this virtual host.
                SSLEngine on

                SSLCertificateFile      /etc/letsencrypt/live/nextcloud.MYDOMAIN.dev/cert.pem
                SSLCertificateKeyFile   /etc/letsencrypt/live/nextcloud.MYDOMAIN.dev/privkey.pem
                SSLCertificateChainFile /etc/letsencrypt/live/nextcloud.MYDOMAIN.dev/fullchain.pem

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>

                BrowserMatch "MSIE [2-6]" \
                                nokeepalive ssl-unclean-shutdown \
                                downgrade-1.0 force-response-1.0
                # MSIE 7 and newer should be able to use keepalive
                BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

                # Enable HTTP2
                <IfModule mod_http2.c>
                        Protocols h2 http/1.1
                </IfModule>

        </VirtualHost>


</IfModule>

And the apache logs for access are this:

192.168.55.193 - - [29/Oct/2021:14:00:06 +0300] "POST /index.php/login/flow HTTP/1.1" 303 1372 "-" "Oneplus IN2013 (Android)"
192.168.55.193 - - [29/Oct/2021:14:00:06 +0300] "GET /status.php HTTP/1.1" 200 7250 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.18.0 RC1"
192.168.55.193 - - [29/Oct/2021:14:00:06 +0300] "HEAD /remote.php/dav HTTP/1.1" 401 983 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.18.0 RC1"
192.168.55.193 - - [29/Oct/2021:14:00:06 +0300] "GET /ocs/v2.php/cloud/user?format=json HTTP/1.1" 200 7762 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.18.0 RC1"

@mostepunk
Copy link

@mostepunk mostepunk commented Oct 29, 2021

@EasyNetDev
Show me output of the command

ls -lah  /etc/letsencrypt/live/nextcloud.MYDOMAIN.dev

@EasyNetDev
Copy link

@EasyNetDev EasyNetDev commented Oct 29, 2021

@fanishe,

Here is the output:

# ls -lah  /etc/letsencrypt/live/nextcloud.MYDOMAIN.dev/
total 12K
drwxr-xr-x 2 root root 4.0K Oct 12 22:01 .
drwx------ 5 root root 4.0K Jul 15  2020 ..
lrwxrwxrwx 1 root root   46 Oct 12 22:01 cert.pem -> ../../archive/nextcloud.MYDOMAIN.dev/cert11.pem
lrwxrwxrwx 1 root root   47 Oct 12 22:01 chain.pem -> ../../archive/nextcloud.MYDOMAIN.dev/chain11.pem
lrwxrwxrwx 1 root root   51 Oct 12 22:01 fullchain.pem -> ../../archive/nextcloud.MYDOMAIN.dev/fullchain11.pem
lrwxrwxrwx 1 root root   49 Oct 12 22:01 privkey.pem -> ../../archive/nextcloud.MYDOMAIN.dev/privkey11.pem
-rw-r--r-- 1 root root  692 Feb 16  2020 README

The certificates are good. On web I can login without issues.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:09:0e:09:60:c2:9d:5e:fd:38:7e:ef:0c:74:76:d4:7a:f0
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Oct 12 18:01:31 2021 GMT
            Not After : Jan 10 18:01:30 2022 GMT
        Subject: CN = nextcloud.MYDOMAIN.dev
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:

@mostepunk
Copy link

@mostepunk mostepunk commented Oct 29, 2021

@EasyNetDev try to change certificate's ownership from root:root to www-data:www-data. It should work

@EasyNetDev
Copy link

@EasyNetDev EasyNetDev commented Oct 29, 2021

Hi @fanishe,

I'm 100% sure is not this. Nextcloud is not reading the certificate. Apache2 is the one which is reading the certificate.
As I mention before: 2 days ago Android Client worked the same. As you can see nothing changed in the certificate from 12 October.

Anyway I tried your suggestion to change the owner and group to www-data:www-data and still is not working. Apache should complain about permissions for the certificates, not Nextcloud. Nextcloud is running under Apache2 -> PHP.

Kind regards,
Adrian

@EasyNetDev
Copy link

@EasyNetDev EasyNetDev commented Oct 29, 2021

Hi,

The same issue I've notice also with Kaccounts Nextcloud Client:

Screenshot_20211029_185233

So I'm thinking now if is a bug in Android Client or in server.

@ketchmeup
Copy link

@ketchmeup ketchmeup commented Oct 29, 2021

same here, nextcloud client (android) and 401 auth.
+1

@LaCruz75

This comment has been minimized.

@azukaar
Copy link

@azukaar azukaar commented Jan 4, 2022

I have the same issue, I have followed the Traefik config provided in many different places (including the one provided earlier by @RMcNeely, thanks you!) I can login from Web, and From the Windows client, but the Android client seems broken and unable to login.

I have done all the usual things, OVERWRITEHOST and PROTOCOLS are set, I have the TRUSTED PROXY set too, certificate valid, my config.php reflect those too, and I have no warnings in the overview

It also eventually crashes:

https://pastebin.com/8dvx12Fp

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests