Android: Cannot authenticate to this server

I've now tried with 3 separate versions.

• The default version from Google Play
• The beta version from Google Play
• The dev build from https://download.nextcloud.com/android/dev/latest.apk

Issue remains the same on all three.

It works with NC12...

Please have a look at your bruteforce-table.
You can do that with phpmyadmin or in the terminal:
DON'T FORGET TO MAKE A DATABASE BACKUP!

mysql
USE nextcloud;
SHOW tables;
SELECT * FROM oc_bruteforce_attempts;

Lists the bruteforce entries
For removing rows:

DELETE FROM oc_bruteforce_attempts WHERE IP="nnn.nnn.nnn.nnn.";
SELECT * FROM oc_bruteforce_attempts;
exit

https://github.com/nextcloud/android/issues/433

The oc_bruteforce_attempts table is empty.
Could it have something to do with me migrating from ownCloud 10 to Nextcloud 12?

I have the same problem when I upgrade (using git) from v12.0.0beta4 to for example v12.0.0RC1.

calling server folks to the rescue. @LukasReschke do you have any idea why this might be happening assuming the only changed variable is a server upgrade?

I have the same issue after upgrade from 11.0.3 to 12.0.0 beta 3.

Don't have that issue on NC 12.0.0.28 with dev 20170521

@GnaXi @KekcuHa can you both send an email with your server url to android at nextcloud dot com?
If it happens during login, is it possible to create a test account and send those credentials too?

@tobiasKaminsky I've sent the URL via mail as requested.
It happens before login, so an account should not be required.

I have the same issue with the Android client and Nextcloud 12. The app was working fine previously on Nextcloud 10 (on a different system — I changed to a completely different machine and installed Nextcloud 12 rc2 over the weekend and upgraded to 12.0.0 stable today).

So, at least in my case, it didn't have to do with upgrading.

Possibly related: I have Nextcloud in a /nextcloud/ subdirectory changed from using index.php to pretty URLs and saw that there's some sort of bug where _some_ icons (app, the … icon, and some filter icons in sidebar of the file browser) don't show up, so I worked around it by adding some top-level redirects in .htaccess like so:

RewriteEngine On 
RewriteRule ^core/(.*)$ /nextcloud/core/$1 [L]
RewriteRule ^apps/(.*)$ /nextcloud/apps/$1 [L]

...could the redirect issue I'm having for the icons also be a problem with the URL that the Android app uses? Could it possibly be looking in /foo instead of /nextcloud/foo? (Where foo is replaced with whatever URL fragment the app is looking for...)

Could this be a problem with htaccess.RewriteBase not being used here too?

(Note: Desktop sync client works fine.)

I realized I could just look at the logs, so here's the result of tail -f /var/log/httpd/* when I tried to connect with the Android client:

==> httpd/ssl_access_log <==
192.168.1.126 - - [22/May/2017:10:54:20 +0200] "GET /nextcloud/status.php HTTP/1.1" 200 147

==> httpd/ssl_request_log <==
[22/May/2017:10:54:20 +0200] 192.168.1.126 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /nextcloud/status.php HTTP/1.1" 147

==> httpd/ssl_access_log <==
192.168.1.126 - - [22/May/2017:10:54:20 +0200] "HEAD /nextcloud/remote.php/webdav/ HTTP/1.1" 401 -

==> httpd/ssl_request_log <==
[22/May/2017:10:54:20 +0200] 192.168.1.126 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "HEAD /nextcloud/remote.php/webdav/ HTTP/1.1" -

My guess above isn't correct (about this being similar to the other issue).

Hey,
same error 401 here.
Nextcloud 12, system wasn't changed.

Apache2 Access-Log:

77.* - - [22/May/2017:12:14:06 +0200] "GET /status.php HTTP/1.1" 200 1721 "-" "Mozilla/5.0 (Android) ownCloud-android/20170519"
77.* - - [22/May/2017:12:14:06 +0200] "HEAD /remote.php/webdav/ HTTP/1.1" 401 1170 "-" "Mozilla/5.0 (Android) ownCloud-android/20170519"
77.* - - [22/May/2017:12:15:12 +0200] "GET /status.php HTTP/1.1" 200 1717 "-" "Mozilla/5.0 (Android) ownCloud-android/20170519"
77.* - - [22/May/2017:12:15:13 +0200] "HEAD /remote.php/webdav/ HTTP/1.1" 401 1164 "-" "Mozilla/5.0 (Android) ownCloud-android/20170519"

Edit:
Made a fresh Nextcloud-server (new database etc.), got the same error!

Just tested: I upgraded my server from 11.0.3 to 12.0.0.29 and have no issues, so it doesn't seem to be a general issue

1. Are your installations in the root of the domain or a subfolder?
2. Did you enable pretty URLs (without index.php)?
3. Please post the output of occ config:list system
4. Does it work when you create a new empty user?
5. If new users are also affected, would you be willing to provide test credentials to me?

Same issue with NC 12.0.0.
Upgaded from OC 10.0, following the migration (upgrade) steps described on NC website.
NC desktop client is working as expected, but android NC client failed.
Android client installed from Play market (what a silly name for an app store).
The server has valid let'sencrypt SSL certificate.

1. subfolder
2. stock .htaccess file, nothing fancy, but used the original config file from OC (working config file)
3. skipped
4. it happens when I try to create a new user and I filled the URL. Nothing to do with users yet, it failed when I wrote the URL to the server, like: https://blahblahblah
5. not relevant yet, due to that, the server URL was not accepted with the error message: Cannot authenticate to this server

@nickvergessen

1. Subdomain.
2. No.
3. https://note.gnax.io/?ae70c0449d644136#mqUsa3eIfLsU5rGVLFI8bH0MrlrJ5RGTrCkPgHyuGZ4=
4. The issue is not user related, as it happens after entering the URL, before entering the username and /or password
5. Sure, even though you can reproduce the issue, by just entering the URL of my cloud.

Update:
PHP version: 7.1.4, using php-fpm

@nickvergessen

1. root
2. No, nothing changed
3. 
   { "system": { "instanceid": "ocy7luydbtro", "passwordsalt": "***REMOVED SENSITIVE VALUE***", "secret": "***REMOVED SENSITIVE VALUE***", "trusted_domains": [ "127.0.0.1", "oc.t-rosta.com" ], "version": "12.0.0.28", "datadirectory": "\/mnt\/raid\/owncloud\/data", "dbtype": "mysql", "dbname": "oc_base", "dbhost": "localhost", "dbtableprefix": "oc_", "dbuser": "***REMOVED SENSITIVE VALUE***", "dbpassword": "***REMOVED SENSITIVE VALUE***", "installed": true, "enable_avatars": true, "allow_user_to_change_display_name": true, "remember_login_cookie_lifetime": 1296000, "session_lifetime": 86400, "session_keepalive": true, "mail_smtpmode": "smtp", "mail_smtpsecure": "ssl", "mail_from_address": "oc", "mail_domain": "t-rosta.com", "mail_smtphost": "***REMOVED SENSITIVE VALUE***", "mail_smtpauth": 1, "mail_smtpauthtype": "LOGIN", "mail_smtpname": "***REMOVED SENSITIVE VALUE***", "mail_smtppassword": "***REMOVED SENSITIVE VALUE***", "mail_smtpport": "465", "enable_previews": true, "preview_max_x": 2048, "preview_max_y": 2048, "preview_max_scale_factor": 1, "preview_max_filesize_image": 50, "enabledPreviewProviders": [ "OC\\Preview\\PNG", "OC\\Preview\\JPEG", "OC\\Preview\\GIF", "OC\\Preview\\BMP", "OC\\Preview\\XBitmap", "OC\\Preview\\TXT", "OC\\Preview\\MarkDown", "OC\\Preview\\Epub", "OC\\Preview\\Movie", "OC\\Preview\\OpenDocument", "OC\\Preview\\FB2", "OC\\Preview\\StarOffice", "OC\\Preview\\PDF" ], "enabled": "true", "theme": "", "logtimezone": "Europe\/Moscow", "cron_log": true, "log_rotate_size": 104857600, "loglevel": "3", "updatechecker": false, "appstore.experimental.enabled": true, "trashbin_retention_obligation": "auto", "versions_retention_obligation": "auto", "activity_expire_days": 65, "filelocking.enabled": "true", "memcache.local": "\\OC\\Memcache\\Redis", "memcache.distributed": "\\OC\\Memcache\\Redis", "memcache.locking": "\\OC\\Memcache\\Redis", "redis": { "host": "\/var\/run\/redis\/redis.sock", "port": 0, "timeout": 0, "dbindex": 0 }, "maintenance": false, "singleuser": false, "updater.release.channel": "stable", "data-fingerprint": "8372a7154d6bea8ae30f89afc3d8eafb", "updater.secret": "***REMOVED SENSITIVE VALUE***", "overwrite.cli.url": "https:\/\/oc.t-rosta.com" } }
4. it's not user related
5. It's possible if it's needed.

Not sure if it helps @nickvergessen @tobiasKaminsky... I checked @GnaXi's server and this is the (anonimzed) logcat I see using the actual master (doesn't matter though):

05-22 17:14:04.537 12530-24704/com.nextcloud.client D/GetServerInfoOperation: Trying empty authorization to detect authentication method
05-22 17:14:04.537 12530-24704/com.nextcloud.client D/OwnCloudClient #16: REQUEST HEAD /remote.php/webdav/
05-22 17:14:04.681 12530-24704/com.nextcloud.client I/AuthChallengeProcessor: basic authentication scheme selected
05-22 17:14:04.682 12530-24704/com.nextcloud.client I/HttpMethodDirector: No credentials available for BASIC 'Cloud of xxxx'@xxxx:***
05-22 17:14:04.683 12530-24704/com.nextcloud.client D/ExistenceCheckRemoteOperation: Existence check for https://xxxx/remote.php/webdav/ targeting for  existence finished with HTTP status 401(FAIL)
05-22 17:14:04.683 12530-24704/com.nextcloud.client D/DetectAuthenticationMethodOperation: Authentication method found: BEARER_TOKEN

Can you folks check if the hotfix from https://github.com/nextcloud/android/pull/1032 helps? This is caused by the combination of Nextcloud 12 supporting OAuth and the Android app having an old code path that pretends to support OAuth 🙈

This is already in play store.

Play Store Version works, thank you!

Glad to hear :-)

Confirmed, updating from play store it is working, thank you! :)

Your very welcome, glad to hear we could resolve this matter for you quickly :)

Thank you guys for resolving this issue so quickly! One of the many reasons choosing you over ownCloud! :)

Awesome! Thanks for the quick fix! It's working here too.

Hello i need your help :'(.
Nextcloud server 12 with nginx.
Nextcloud android client v1.4.3, Android 7.0, Galaxy s8+.
I try To connect on Android i get "Cannot authenticate to this server".
Web access and Windows client works.

I have almost the same combination and works for me.
Nextcloud Server v12.0.0 on nginx (1.10.2)
Nextcloud Android Client v1.4.3, Android 7.0, Sony Xperia Z5.

A problem I had before is that the IP of my client got in the bruteforce table.
Check the table "oc_bruteforce_attempts" in your database if there are any entries for your client in there.

oc_bruteforce_attempt table is empty :(

maybe my nginx configuration

You can see my (anonymized) nginx configuration here: https://pastebin.com/cXDfMwQa

I think it's mainly copy / paste from the Nextcloud documentation (https://docs.nextcloud.com/server/11/admin_manual/installation/nginx_nextcloud_9x.html).

I have exactly the same configuration. (with my domain ^^)
My question is WHY windows client working ?
The android app does not work for me !
I will use the web application on my phone.
@bitcube thank you for your help :)

Having the same issue with NextCloud android app version 1.4.1 installed from F-droid

With the version from play store it does work though

Can you guys please update the F-droid version?

Thanks!

yes with 1.4.3 from play store it works but not with the version that f-droid has (1.4.1) - I'd rather avoid play store though

If you'd like to avoid Google Play Store, just download the dev build:
https://download.nextcloud.com/android/dev/latest.apk

ah thanks! didn't know we had that option (just started using nextcloud today :)

I face the same issue. In bowser https is fine, as well as my setup. My Andorid app v1.4.3 tells me "SSL Init failed"

Using a reverse proxy based on nginx.

Ideas?

root@nextcloud:/var/www/nextcloud# sudo -u www-data php ./occ config:list system
{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "192.168.1.200",
            "nextcloud",
            "cloud.XXXXX.de"
        ],
        "datadirectory": "\/var\/ncdata",
        "overwrite.cli.url": "https:\\\/\\\/cloud.XXXXX.de\\\/nextcloud",
        "trusted_proxies": [
            "192.168.1.103"
        ],
        "overwriteprotocol": "https",
        "overwritecondaddr": "^192\\.168\\.1\\.103$",
        "dbtype": "mysql",
        "version": "12.0.0.29",
        "dbname": "nextcloud_db",
        "dbhost": "localhost",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "ocab8j3aaavu",
        "appstore.experimental.enabled": "true",
        "mail_smtpmode": "smtp",
        "mail_smtpauth": "1",
        "mail_smtpport": "465",
        "mail_smtphost": "smtp.gmail.com",
        "mail_smtpauthtype": "LOGIN",
        "mail_from_address": "www.techandme.se",
        "mail_domain": "gmail.com",
        "mail_smtpsecure": "ssl",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "preview_libreoffice_path": "\/usr\/bin\/libreoffice",
        "memcache.local": "\\OC\\Memcache\\Redis",
        "filelocking.enabled": true,
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "localhost",
            "port": 6379,
            "timeout": 0,
            "dbindex": 0
        },
        "htaccess.RewriteBase": "\/",
        "maintenance": false
    }
}

and proxy

server {
# The IP that you forwarded in your router (nginx proxy)
  listen 192.168.1.103:443 ssl;

 # SSL config
 ssl on;
 ssl_certificate /etc/letsencrypt/live/cloud.XXXX.de/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/cloud.XXXXX.de/privkey.pem;

#special ssl params
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";

add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection '1; mode=block';
add_header X-Frame-Options "SAMEORIGIN";

# Make site accessible from http://localhost/
 server_name cloud.XXXXXX.de www.cloud.XXXXX.de;

# The internal IP of the VM that hosts your Apache config
 set $upstream 192.168.1.200;



#add_header Content-Security-Policy "default-src 'self'; img-src 'self' https://cloud.XXXXX.de; base-uri 'none'";


 location / {

# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
 proxy_pass_header Authorization;
 proxy_pass http://$upstream;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_http_version 1.1;
 proxy_set_header Connection "";
 proxy_buffering off;
 client_max_body_size 0;
 proxy_read_timeout 36000s;
 proxy_redirect off;
 proxy_ssl_session_reuse off;

#add_header Cache-Control "public";
#proxy_hide_header Cache-Control;


 }

  # static files
  location ^~ /loleaflet {
    proxy_pass https://192.168.1.200:9980;
    proxy_set_header Host $http_host;
  }

  # WOPI discovery URL
  location ^~ /hosting/discovery {
    proxy_pass https://192.168.1.200:9980;
    proxy_set_header Host $http_host;
  }

  # websockets, download, presentation and image upload
  location ^~ /lool {
    proxy_pass https://192.168.1.200:9980;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;
}
}

Edit: It worked some days ago i think . Windows app works like a charm as well.

Edit2: mightt berelated to the cyphers
https://forum.owncloud.org/viewtopic.php?t=34599 , will check that

Edit: Its related to the cyphers. What else may I use?

You should probably create a new issue, as the error message isn't the same, this issue was resolved and closed a while ago.

The cipher issue is covered in the issue #228

This issue seems to be fixed in the play store version but not in the fdroid Version.

I can confirm that the f-droid version was affected, the offending nginx config is this:
ssl_ecdh_curve secp384r1;

other relevant ssl config lines:

ssl_protocols TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; ssl_ecdh_curve secp384r1; ssl_session_cache shared:SSL:50m; ssl_session_timeout 5m; ssl_session_tickets off; ssl_stapling on; ssl_stapling_verify on;

So with that option commented out it's working fine, I'm on 1.6.1.1-ose from f-droid and android 7.

Apparently Android 7 supports only up to secp256r1, this was supposedly fixed in 7.1.1.

Edit: Apparently i somehow ended up here from the davdroid issue i was looking into, the nextcloud app was working fine even with the above.