Desktop: SSL client certificate broken with new 2.5.0 connection wizard

Would it be possible for you to send me a test account (and cert) to verify?

Unfortunately no this is an internal Nextcloud server not connected to the internet.

Same problem here (but same issue with windows client). I will create a test instance to reproduce the issue if I have a chance that someone will look at it. Pls send me a private message with a pgp public key :-).

Problem is still present with the current version. Do you have any plan for solving this? Our access through client certificates is enforced, so I can't access nextcloud with desktop clients - however it works with browser. I could organize a temporary client certificate if you need test access.

Faced a similar problem:

When creating a new account
I entered the server adress (here "nas.fritz.box/nextcloud") and press "Next"
PopUp appears if I will trust this certificate, what I did. in my case "Let's Encrypt Authority X3" which what I created with my web adress.
Next PopUp just showed a grey box with a blue bar on top and some text above "couldn't login ..." instead of some login possibilities for the Two-factor Authentication (2FA)

solved my issue:

forced https on my web server
changed the certificate on the webserver back to the original from synology
system
client:
OS: Ubuntu 18.04
Nextcloud-client 2.5.1git
server:
Synolgy NAS DS218j
OS: DSM 6.2.1-23824 Update 6
Nextcloud Version: 15.0.4.0
PHP Version: 7.2.13
Database mysql Version: 10.3.7

@tommyhlw your issue has nothing to do with this issue. In this specific issue we are speaking about SSL _client_ certificates and not SSL "webserver" certificates.

Also having this issue on macOS. Browser works but Nextcloud client doesn't.

I'm also running into this issue. We run our Nextcloud instance behind a reverse proxy that requires connections to be validated by their Client SSL certificate. This used to work great prior to the 2.5.0 update, now it's completely broken.

Please return support for client side SSL certificates.

It seems still not to be fixed. We use Version 2.4 which works fine. Is there any progress on this ticket?

Same issue here

I'm also affected. I tried to come up with a solution (or rather workaround), though.

The attached patch adds support to WebFlowCredentials to store and load client certificate and key to keychain analogously to the implementation of HttpCredentials.
The client certificate comes from a pkcs12 file selected via the "Configure client-side TLS certificate" button when setting up a new account which requires a client certificate (no change was needed here).
The WebFlowCredentials are used for the API calls (status query, file upload/download, ...) after the account setup.

The second part of the patch extends WebView to support client certificates. It selects the first matching client certificate/key pair from the Qt system keystore.
This is the part which makes the patch a workaround. In order to make the initial authentication during the setup of a new account work, you have to add your key to the system keystore using
pk12util -i clientcert.p12 -d sql:$HOME/.pki/nssdb
I didn't perform a thorough research on QWebEngineView but it seems client certificates are handled as pet project there since the support was added rather recently (Qt 5.12) and I didn't find a way to specify a custom certificate store yet.

nextcloud-clientcert.zip

I am running NextCloud on my Mac via Docker. I am unable to log into the Mac client app as it seems to submit the request in HTTP when my server only accepts HTTPS. When I hit the log in button I get a 400 error.

Very disappointed to see that SSL client certificate is still broken with the newest Nextcloud 2.6.0 client... It used to work with older Nextcloud clients.

Hey,

we've just released 2.6.1 RC1 which is built with Qt 5.12.5 and OpenSSL 1.1.1d on all platforms, so it features TLS 1.3 :-)

You may give it a try:
https://github.com/nextcloud/desktop/releases/tag/v2.6.1-rc1

Client SSL certificates support in general was fixed in the 2.6.0 release - but not with the WebView component, shown own your screenshots. Sadly the Qt webview has a lot of issues. That's why we implemented the new Login Flow v2 in v2.6.0 which is supported from NC server 16.x and up.

Tested the 2.6.1 RC1 client on macOS Catalina with Nextcloud Server 16.0.5 and it works fine. Thank you very much!

For me it does not work. Nextcloud 16, Windows 10 using client certificates.

As I cannot reopen this issue I am afraid this problem will be ignored.

nextcloud-2.6.1-create-account.txt
nextcloud-2.6.1-after-restart.txt

@wdehoog No, you won't get ignored ;-)

I've discovered the following in your logs (very good you provided them 👍):

_nextcloud-2.6.1-create-account.txt, line 1335:_
[OCC::WebFlowCredentials::slotWriteClientCaCertsPEMJobDone Error while writing client CA cert "Credential size exceeds maximum size of 2560"

Upon restart the certs can't be read again because they are not stored, resulting in the error you're facing.

The Windows Credential Store API's have this weird limit of 2560 per entry due to historical assumptions ^^

So you must have a huuuuuuge certificate that exceeds the limit. Can you confirm that? ;)

Anyway it's an interesting case and I'll take another look at the CA cert code in the Client, think I'll add some logic to allow spreading the certs over multiple slots then.

@misch7 thanks for looking into this. Indeed we use 4K keys for our certificates.

@misch7 thanks for looking into this. Indeed we use 4K keys for our certificates.

@wdehoog You're welcome (and right on time for this because we may get the fix into 2.6.2 then) :)

Oh my, of course, 4K keys 😹

Really good you do that! 👍 The fact that it worked for everyone else so far just states we all should upgrade our certs to use 4K keys in the future 👍 Not only at the webserver🙈

Fixed by #1664, successfully tested on Windows already :)

The fix will make it into RC1 of the 2.6.2 release.

@wdehoog Thanks again for reporting! 👍

@wdehoog Here's the RC1 of 2.6.2 with the fix for the issue :)

https://github.com/nextcloud/desktop/releases/tag/v2.6.2-rc1

@misch7 I just tried it. Still the same behaviour and errors:

[OCC::WebFlowCredentials::slotWriteClientCaCertsPEMJobDone  Error while writing client CA cert "Credential size exceeds maximum size of 2560"

and

[OCC::WebFlowCredentials::slotReadClientCaCertsPEMJobDone   Unable to read client CA cert slot "0" "Password entry not found"

This is the version info I found in the log file:

[OCC::AccessManager::createRequest  2 "" "https://updates.nextcloud.org/client/?version=2.6.2.20191209&platform=win32&oem=Nextcloud&versionsuffix=rc1-Win64&channel=beta" has X-Request-ID "df9a185f-52cb-40f7-b1cd-4583454dfbe1"
[OCC::NSISUpdater::versionInfoArrived   Client is on latest version!

@wdehoog Thanks for the feedback, I'll have a look at the code again.

@wdehoog Ho ho ho! 🎅 🎉

Today's 2.6.2 release should fix the issue finally :-)

https://github.com/nextcloud/desktop/releases/tag/v2.6.2

Ho ho indeed. Impressive work @misch7 . Connection works after restarting nextcloud client.
Thanks a lot!

Thanks for your work. But I just tried the latest AppImage for Linux:

Nextcloud-client ask's for client certificate and I can import it successfully. But after that:

400 Bad Request
No required SSL certificate was sent
nginx

On command line I get:

# Nextcloud-2.6.2-x86_64.AppImage --confdir ~/.nctest
sync.configfile: Using custom config dir  "/home/jankowa/.nctest"
[5745:5790:0114/162941.778458:ERROR:nss_util.cc(748)] After loading Root Certs, loaded==false: NSS error code: -8018