Server: openssl_pkey_export(): cannot get key from parameter

Created on 14 Sep 2018 · 44 Comments · Source: nextcloud/server

Steps to reproduce

  1. I downloaded the new 14.0.0 zip file and unpacked it
  2. copied the old config.php and started the DB upgrade in the browser
  3. I'm now unable to log in, getting an "Internal Server Error"

Expected behaviour

Login should be possible without errors in log or on webgui.

Actual behaviour

Getting an
"Internal Server Error
The server was unable to complete your request.

If this happens again, please send the technical details below to the server administrator.

More details can be found in the server log."

On the web GUI; the desktop clients don't work anymore either.

Server configuration

Operating system:
Ubuntu 16.04.5

Web server:
Apache/2.4.18 (Ubuntu)

Database:
mysqld Ver 5.7.23-0ubuntu0.16.04.1 for Linux on x86_64 ((Ubuntu))

PHP version:
PHP 7.0.30-0ubuntu0.16.04.1 (cli) ( NTS )

Nextcloud version: (see Nextcloud admin page)
14.0.0.19

Updated from an older Nextcloud/ownCloud or fresh install:
yes, updated from 13.0.6.1

Where did you install Nextcloud from:
Zip package, downloaded from the official site.

Signing status:

Can't log in to the server.

List of activated apps:

Enabled:
  - accessibility: 1.0.1
  - activity: 2.7.0
  - admin_audit: 1.4.0
  - cloud_federation_api: 0.0.1
  - comments: 1.4.0
  - dav: 1.6.0
  - federatedfilesharing: 1.4.0
  - federation: 1.4.0
  - files: 1.9.0
  - files_external: 1.5.0
  - files_pdfviewer: 1.3.2
  - files_sharing: 1.6.2
  - files_texteditor: 2.6.0
  - files_trashbin: 1.4.1
  - files_versions: 1.7.1
  - files_videoplayer: 1.3.0
  - firstrunwizard: 2.3.0
  - gallery: 18.1.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.2.0
  - nextcloud_announcements: 1.3.0
  - notifications: 2.2.1
  - oauth2: 1.2.1
  - password_policy: 1.4.0
  - provisioning_api: 1.4.0
  - serverinfo: 1.4.0
  - sharebymail: 1.4.0
  - support: 1.0.0
  - survey_client: 1.2.0
  - systemtags: 1.4.0
  - theming: 1.5.0
  - twofactor_backupcodes: 1.3.1
  - updatenotification: 1.4.1
  - workflowengine: 1.4.0
Disabled:
  - encryption
  - user_external
  - user_ldap

Nextcloud configuration:

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "forcessl": true,
        "asset-pipeline.enabled": true,
        "maxZipInputSize": 0,
        "allowZipDownload": true,
        "trusted_domains": [
            "xxx",
            "xxx",
            "xxx",
            "xxx"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/xxx.de",
        "dbtype": "mysql",
        "version": "14.0.0.19",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "Europe\/Berlin",
        "installed": true,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "php",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "logdateformat": "F d, Y H:i:s",
        "log_rotate_size": 104857600,
        "logfile": "\/var\/log\/nextcloud\/nextcloud.log",
        "loglevel": 1,
        "theme": "",
        "maintenance": false,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "appstore.experimental.enabled": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpsecure": "tls",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "data-fingerprint": "xxx",
        "openssl": {
            "config": "\/etc\/ssl\/openssl.cnf"
        }
    }
}

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: no, normal database-users

Client configuration

Browser:
doesn't matter

Operating system:
doesn't matter

Logs

Web server error log

nothing relevant in apache2 error log.

Nextcloud log (data/nextcloud.log)

{"reqId":"W5wPsAUJdq4AAGE@@nkAAAAG","level":3,"time":"September 14, 2018 21:44:48","remoteAddr":"xxx","user":"Marcwa19197","app":"PHP","method":"POST","url":"\/index.php\/login","message":"openssl_pkey_export(): cannot get key from parameter 1 at \/data\/www\/xxx.de\/public_data\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php#297","userAgent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.92 Safari\/537.36","version":"14.0.0.19"}
{"reqId":"W5wPsAUJdq4AAGE@@nkAAAAG","level":3,"time":"September 14, 2018 21:44:48","remoteAddr":"87.149.175.121","user":"Marcwa19197","app":"index","method":"POST","url":"\/index.php\/login","message":{"Exception":"TypeError","Message":"openssl_pkey_get_details() expects parameter 1 to be resource, boolean given","Code":0,"Trace":[{"file":"\/data\/www\/xxx.de\/public_data\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php","line":300,"function":"openssl_pkey_get_details","args":[false]},{"file":"\/data\/www\/xxx.de\/public_data\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php","line":69,"function":"newToken","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensitive parameter replaced ***"]},{"file":"\/data\/www\/xxx.de\/public_data\/lib\/private\/Authentication\/Token\/Manager.php","line":68,"function":"generateToken","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/data\/www\/xxx.de\/public_data\/lib\/private\/User\/Session.php","line":631,"function":"generateToken","class":"OC\\Authentication\\Token\\Manager","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/data\/www\/xxx.de\/public_data\/core\/Controller\/LoginController.php","line":322,"function":"createSessionToken","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/data\/www\/xxx.de\/public_data\/lib\/private\/AppFramework\/Http\/Dispatcher.php","line":166,"function":"tryLogin","class":"OC\\Core\\Controller\\LoginController","type":"->","args":["*** sensitive parameters replaced 
***"]},{"file":"\/data\/www\/xxx.de\/public_data\/lib\/private\/AppFramework\/Http\/Dispatcher.php","line":99,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[{"__class__":"OC\\Core\\Controller\\LoginController"},"tryLogin"]},{"file":"\/data\/www\/xxx.de\/public_data\/lib\/private\/AppFramework\/App.php","line":118,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[{"__class__":"OC\\Core\\Controller\\LoginController"},"tryLogin"]},{"file":"\/data\/www\/xxx.de\/public_data\/lib\/private\/AppFramework\/Routing\/RouteActionHandler.php","line":47,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["OC\\Core\\Controller\\LoginController","tryLogin",{"__class__":"OC\\AppFramework\\DependencyInjection\\DIContainer"},{"_route":"core.login.tryLogin"}]},{"function":"__invoke","class":"OC\\AppFramework\\Routing\\RouteActionHandler","type":"->","args":[{"_route":"core.login.tryLogin"}]},{"file":"\/data\/www\/xxx.de\/public_data\/lib\/private\/Route\/Router.php","line":297,"function":"call_user_func","args":[{"__class__":"OC\\AppFramework\\Routing\\RouteActionHandler"},{"_route":"core.login.tryLogin"}]},{"file":"\/data\/www\/xxx.de\/public_data\/lib\/base.php","line":989,"function":"match","class":"OC\\Route\\Router","type":"->","args":["\/login"]},{"file":"\/data\/www\/xxx.de\/public_data\/index.php","line":42,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"\/data\/www\/xxx.de\/public_data\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php","Line":300,"CustomMessage":"--"},"userAgent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.92 Safari\/537.36","version":"14.0.0.19"}

Browser log

not relevant.

Same issue is reported here: https://help.nextcloud.com/t/nextcloud-runs-into-internal-errors-after-upgrade-from-v13-to-v14/36569
I can't find a similar issue here as a bug, so I added it.

bug

All 44 comments

GitMate.io thinks possibly related issues are https://github.com/nextcloud/server/issues/7288 (parameter changes should be confirmed by an U2F key instead of a password by default), https://github.com/nextcloud/server/issues/6834 (Cannot update private key ), https://github.com/nextcloud/server/issues/2964 (Master key replacement), https://github.com/nextcloud/server/pull/10614 (Do not use file as template parameter), and https://github.com/nextcloud/server/issues/9880 (Missing private key).

https://github.com/nextcloud/server/blob/47b46fa69db7d569f871e6325c2874d13f336a81/lib/private/Authentication/Token/PublicKeyTokenProvider.php#L296

A new key is generated in line 296. You could add var_dump(openssl_error_string()); below and try to log in again. Maybe there is more detailed output about what went wrong.

When you switch to the user running Nextcloud (I guess something like www-data or a dedicated user), can you open /etc/ssl/openssl.cnf then?

Hi,

thanks for the fast reply.
I tried the following: sudo -u www-data cat /etc/ssl/openssl.cnf
"cat: /etc/ssl/openssl.cnf: Permission denied"

Permissions are: "-rw-r--r-- 1 root root 10835 Feb 2 2016 /etc/ssl/openssl.cnf"

I added the line; here is the output of the log again.

New Log

{"reqId":"W5wUZQUJdq4AAAI8Ma8AAAAJ","level":3,"time":"September 14, 2018 22:04:53","remoteAddr":"87.149.175.121","user":"Marcwa19197","app":"PHP","method":"PROPFIND","url":"\/remote.php\/dav\/files\/Marcwa19197\/","message":"openssl_pkey_export(): cannot get key from parameter 1 at \/data\/www\/xxx.de\/public_data\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php#298","userAgent":"Mozilla\/5.0 (Windows) mirall\/2.3.3 (build 1) (Nextcloud)","version":"14.0.0.19"}
{"reqId":"W5wUZQUJdq4AAAI8Ma8AAAAJ","level":4,"time":"September 14, 2018 22:04:53","remoteAddr":"87.149.175.121","user":"Marcwa19197","app":"webdav","method":"PROPFIND","url":"\/remote.php\/dav\/files\/Marcwa19197\/","message":{"Exception":"Sabre\\DAV\\Exception\\ServiceUnavailable","Message":"TypeError: openssl_pkey_get_details() expects parameter 1 to be resource, boolean given","Code":0,"Trace":[{"function":"{closure}","args":["*** sensitive parameters replaced ***"]},{"file":"\/data\/www\/xxx.de\/public_data\/3rdparty\/sabre\/event\/lib\/EventEmitterTrait.php","line":105,"function":"call_user_func_array","args":[{"__class__":"Closure"},["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***"]]},{"file":"\/data\/www\/xxx.de\/public_data\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php","line":466,"function":"emit","class":"Sabre\\Event\\EventEmitter","type":"->","args":["beforeMethod",["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***"]]},{"file":"\/data\/www\/xxx.de\/public_data\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php","line":254,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->","args":["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***"]},{"file":"\/data\/www\/xxx.de\/public_data\/remote.php","line":72,"function":"exec","class":"Sabre\\DAV\\Server","type":"->","args":[]},{"file":"\/data\/www\/xxx.de\/public_data\/remote.php","line":168,"function":"handleException","args":[{"__class__":"TypeError"}]}],"File":"\/data\/www\/xxx.de\/public_data\/remote.php","Line":70,"CustomMessage":"--"},"userAgent":"Mozilla\/5.0 (Windows) mirall\/2.3.3 (build 1) (Nextcloud)","version":"14.0.0.19"}
{"reqId":"W5wUZQUJdq4AAAI8Ma8AAAAJ","level":3,"time":"September 14, 2018 22:04:53","remoteAddr":"87.149.175.121","user":"Marcwa19197","app":"PHP","method":"PROPFIND","url":"\/remote.php\/dav\/files\/Marcwa19197\/","message":"Cannot modify header information - headers already sent by (output started at \/data\/www\/xxx.de\/public_data\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php:297) at \/data\/www\/xxx.de\/public_data\/3rdparty\/sabre\/http\/lib\/Sapi.php#58","userAgent":"Mozilla\/5.0 (Windows) mirall\/2.3.3 (build 1) (Nextcloud)","version":"14.0.0.19"}
{"reqId":"W5wUZQUJdq4AAAI8Ma8AAAAJ","level":3,"time":"September 14, 2018 22:04:53","remoteAddr":"87.149.175.121","user":"Marcwa19197","app":"PHP","method":"PROPFIND","url":"\/remote.php\/dav\/files\/Marcwa19197\/","message":"Cannot modify header information - headers already sent by (output started at \/data\/www\/xxx.de\/public_data\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php:297) at \/data\/www\/xxx.de\/public_data\/3rdparty\/sabre\/http\/lib\/Sapi.php#63","userAgent":"Mozilla\/5.0 (Windows) mirall\/2.3.3 (build 1) (Nextcloud)","version":"14.0.0.19"}

Well. I guess you could copy openssl.cnf to /data/www/xxx.de/ and change the path in config.php? The permissions for openssl.cnf look okay.

daniel@daniel-pc:~$ ls -al /etc/ssl/
total 48
drwxr-xr-x   4 root root      4096 Jun 21 15:24 .
drwxr-xr-x 139 root root     12288 Sep 14 11:42 ..
drwxr-xr-x   3 root root     16384 Aug  2 15:38 certs
-rw-r--r--   1 root root     10771 Apr 25 19:03 openssl.cnf
drwx--x---   2 root ssl-cert  4096 Mai 22 19:29 private

I can open openssl.cnf from another user. For openssl_pkey_new a valid openssl.cnf is required (which includes that the file is readable).

I tried this; same errors again in the log.

The openssl.cnf is now in the xxx.de/ folder and is owned by www-data. I also adjusted the path in config.php. It is readable by the www-data user.
"-rw-r--r-- 1 www-data www-data 10835 Sep 14 23:06 openssl.cnf"

I checked some info with phpinfo() regarding my PHP OpenSSL installation; here the default location seems to be "/usr/lib/ssl/openssl.cnf", which is also not readable by www-data.

Ok. I guess the 'openssl' configuration from config.php is missing in this place. Could you try editing this place https://github.com/nextcloud/server/blob/47b46fa69db7d569f871e6325c2874d13f336a81/lib/private/Authentication/Token/PublicKeyTokenProvider.php#L290-L293

and adding another element 'config' => 'path/to/your/readable/openssl.cnf', after 'private_key_bits' => 2048,

[screenshot omitted]
like the image above

or you try this (merge local settings with settings from config.php):

    $config = array_merge([
        'digest_alg' => 'sha512',
        'private_key_bits' => 2048,
    ], $this->config->getSystemValue('openssl', []));

Tried this. The log is now:
Edit: I also tried method 1 you mentioned; same error.

New Log

{"reqId":"W5zRIwUJdq4AAG9KYMYAAAAN","level":4,"time":"September 15, 2018 11:30:12","remoteAddr":"87.149.175.121","user":"Marcwa19197","app":"webdav","method":"PROPFIND","url":"\/remote.php\/dav\/files\/Marcwa19197\/","message":{"Exception":"Sabre\\DAV\\Exception\\ServiceUnavailable","Message":"TypeError: Argument 1 passed to OC\\Authentication\\Token\\PublicKeyTokenProvider::encrypt() must be of the type string, null given, called in \/data\/www\/xxx.de\/public_data\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php on line 304","Code":0,"Trace":[{"function":"{closure}","args":["*** sensitive parameters replaced ***"]},{"file":"\/data\/www\/xxx.de\/public_data\/3rdparty\/sabre\/event\/lib\/EventEmitterTrait.php","line":105,"function":"call_user_func_array","args":[{"__class__":"Closure"},["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***"]]},{"file":"\/data\/www\/xxx.de\/public_data\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php","line":466,"function":"emit","class":"Sabre\\Event\\EventEmitter","type":"->","args":["beforeMethod",["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***"]]},{"file":"\/data\/www\/xxx.de\/public_data\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php","line":254,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->","args":["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***"]},{"file":"\/data\/www\/xxx.de\/public_data\/remote.php","line":72,"function":"exec","class":"Sabre\\DAV\\Server","type":"->","args":[]},{"file":"\/data\/www\/xxx.de\/public_data\/remote.php","line":168,"function":"handleException","args":[{"__class__":"TypeError"}]}],"File":"\/data\/www\/xxx.de\/public_data\/remote.php","Line":70,"CustomMessage":"--"},"userAgent":"Mozilla\/5.0 (Windows) mirall\/2.3.3 (build 1) (Nextcloud)","version":"14.0.0.19"}

Could you add var_dump(openssl_error_string()); exit(); and post the result?

Now string(53) "error:0200100D:system library:fopen:Permission denied" is shown on the web interface. So maybe the www-data user has no rights to read the openssl file? But I can open it with sudo -u www-data less /var/www/xxx.de/openssl.cnf

Code is:

    $config = array_merge([
        'digest_alg' => 'sha512',
        'private_key_bits' => 2048,
    ], $this->config->getSystemValue('openssl', []));

    // Generate new key
    $res = openssl_pkey_new($config);
    openssl_pkey_export($res, $privateKey);

    var_dump(openssl_error_string()); exit();
    var_dump($config);
    var_dump(openssl_error_string());
    exit();

I can reproduce your error when I remove the permission to read openssl.cnf.

  • [ ] Are you sure that you set a readable openssl.cnf?
  • [ ] Is PHP running as www-data?
  • [ ] Could you place (only for testing) openssl.cnf in the same directory as index.php and set the path in config.php?
  • [ ] Is the openssl.cnf file owned by www-data?
  • [ ] Do you use mod_php or php-fpm?

<?php

$config = [
    'digest_alg' => 'sha512',
    'private_key_bits' => 2048,
];

$res = openssl_pkey_new($config);

var_dump($res);
var_dump(openssl_error_string());

Could you place the code above in a file (e.g. openssl_test.php) on your server and execute it from the web and from the CLI?

php openssl_test.php 
/home/vagrant/openssl_test.php:10:
resource(4) of type (OpenSSL key)
/home/vagrant/openssl_test.php:11:
string(68) "error:0E06D06C:configuration file routines:NCONF_get_string:no value"

As long as openssl.cnf is readable it works for me.

The Permissions of /var/www/xxx.de/openssl.cnf are:
-rw-r--r-- 1 www-data www-data 10835 Sep 14 23:06 openssl.cnf

and of /etc/ssl/openssl.cnf
-rw-r--r-- 1 root root 10835 Feb 2 2016 /etc/ssl/openssl.cnf

Error shown in the GUI after adding your code:
array(3) { ["digest_alg"]=> string(6) "sha512" ["private_key_bits"]=> int(2048) ["config"]=> string(46) "/var/www/xxx.de/public_data/openssl.cnf" } string(53) "error:0200100D:system library:fopen:Permission denied"

I tried to chmod 777 on openssl.cnf in /var/www/xxx.de/public_data/ without success. Same error shown.

Edit: PHP is running as www-data. www-data is also the owner of all subdirectories within "/var/www/".
Which permissions do you have on your openssl.cnf file, and where is it located on your machine?

Edit2:

  • I'm using mod_php (PHP7, installed via apt on Ubuntu 16.04)
  • Output of the test file "openssl_test.php" (the file itself is owned by www-data)

CLI run via root user:
resource(4) of type (OpenSSL key) string(68) "error:0E06D06C:configuration file routines:NCONF_get_string:no value"

CLI run via sudo -u www-data:
bool(false) string(53) "error:0200100D:system library:fopen:Permission denied"

Web:
bool(false) string(53) "error:0200100D:system library:fopen:Permission denied"

I also added the path to openssl.cnf to the test file; still permission denied, even if the openssl.cnf file is in the same directory as the test file and has a chmod 777 on it.

https://github.com/nextcloud/server/issues/11227#issuecomment-421475143

CLI run via root user:
resource(4) of type (OpenSSL key) string(68) "error:0E06D06C:configuration file routines:NCONF_get_string:no value"

This is ok (no value is a warning)

Oh I see, sorry.
Any other ideas? Really strange, I think.

Running sudo -u www-data cat /var/www/xxx.de/public_data/openssl.cnf runs fine.

Doing a sudo -u www-data strace php openssl_test.php gives the following lines:

open("/usr/lib/ssl/openssl.cnf", O_RDONLY) = -1 EACCES (Permission denied)
open("/data/www/xxx.de/public_data/openssl.cnf", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0777, st_size=10835, ...}) = 0
read(4, "#\n# OpenSSL example configuratio"..., 4096) = 4096
read(4, "Netscape crash on BMPStrings or "..., 4096) = 4096
read(4, " this to avoid interpreting an e"..., 4096) = 2643
read(4, "", 4096)                       = 0
close(4) 

The openssl_test.php contains:

<?php

$config = [
        'digest_alg' => 'sha512',
        'private_key_bits' => 2048,
        'config' => '/data/www/xxx.de/public_data/openssl.cnf',
];

$res = openssl_pkey_new($config);

var_dump($res);
var_dump(openssl_error_string());

So, maybe the problem is that PHP first looks in the default location and then in the one specified?

Edit:
If I look at my /etc/ssl folder permissions..

total 56
drw-------   5 root root      4096 Sep 15 21:46 ./
drwxr-xr-x 146 root root     12288 Sep 15 21:32 ../
drwxr-xr-x   2 root root     20480 Jun  9 12:52 certs/
-rw-r--r--   1 root root     10835 Sep 15 21:44 openssl.cnf
drwx--x---   2 root ssl-cert  4096 Mar  2  2016 private/
drw-------   5 root root      4096 May  4 19:14 xxx-certs/

So, I don't know if it is right to have only rw for root on this folder; comparing to yours, you have rx on group and others.

Edit2: Got it working now. Changed the /etc/ssl/ permissions. chmod go+rx /etc/ssl/ does the trick.

Problem solved so we can close the ticket :+1:
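The thread's diagnosis was done by hand with ls, strace and a throw-away test file, and the root cause turned out to be the directory (/etc/ssl without the x bit), not the file (openssl.cnf was 0644 all along). The script below is an added example, not code from this thread or from Nextcloud: it walks every component of the configured openssl.cnf path as the current user and reports the first one that cannot be traversed or read, then generates a key with the same digest_alg and private_key_bits the token provider uses and drains the complete OpenSSL error queue (openssl_error_string() returns one entry per call, so a single var_dump can miss the interesting one). The file name openssl_cnf_check.php and the default path are assumptions.

```php
<?php
// openssl_cnf_check.php (hypothetical file name; added example, not code from this thread
// or from Nextcloud). Run it as the PHP user, the way the thread ran its test file:
//   sudo -u www-data php openssl_cnf_check.php /etc/ssl/openssl.cnf
// It reports the first path component the current user cannot traverse or read (in the
// thread the culprit was /etc/ssl itself being drw-------), then generates a key the way
// PublicKeyTokenProvider does and drains the whole OpenSSL error queue.
declare(strict_types=1);

/**
 * Check every component of $path for the current user and return a list of problems.
 * An empty list means the file is reachable and readable. is_executable()/is_readable()
 * use access(2), so a directory without the x bit stops traversal just as open(2) would.
 */
function checkPathAccess(string $path): array
{
    $problems = [];
    $parts = explode('/', trim($path, '/'));
    $current = '';
    foreach ($parts as $i => $part) {
        $current .= '/' . $part;
        $isLast = ($i === count($parts) - 1);
        if (!file_exists($current)) {
            $problems[] = "$current does not exist (or an ancestor is not traversable)";
            break;
        }
        $mode = substr(sprintf('%o', fileperms($current)), -4);
        if (!$isLast && !is_executable($current)) {
            // Without the x bit on a directory nothing below it can be opened,
            // even when the file itself is 0644 or 0777.
            $problems[] = "$current (mode $mode) is not searchable: missing x bit";
            break;
        }
        if ($isLast && !is_readable($current)) {
            $problems[] = "$current (mode $mode) is not readable";
        }
    }
    return $problems;
}

/** Empty the OpenSSL error queue; openssl_error_string() returns one entry per call. */
function drainOpensslErrors(): array
{
    $errors = [];
    while (($msg = openssl_error_string()) !== false) {
        $errors[] = $msg;
    }
    return $errors;
}

/**
 * Generate an RSA key with the same digest_alg/private_key_bits as the token provider and
 * an explicit config path. Returns ['ok' => bool, 'bits' => ?int, 'errors' => string[]].
 */
function tryKeygen(string $cnfPath): array
{
    drainOpensslErrors(); // start with an empty queue so stale errors are not blamed
    $config = [
        'digest_alg'       => 'sha512',
        'private_key_bits' => 2048,
        'config'           => $cnfPath,
    ];
    $res = openssl_pkey_new($config); // false when openssl.cnf cannot be opened
    if ($res === false) {
        return ['ok' => false, 'bits' => null, 'errors' => drainOpensslErrors()];
    }
    $privateKey = '';
    if (!openssl_pkey_export($res, $privateKey, null, $config)) {
        return ['ok' => false, 'bits' => null, 'errors' => drainOpensslErrors()];
    }
    $details = openssl_pkey_get_details($res);
    // After a successful run the queue may still hold "NCONF_get_string:no value";
    // as noted in the thread, that is a warning about an absent config key, not a failure.
    return ['ok' => true, 'bits' => $details['bits'], 'errors' => drainOpensslErrors()];
}

$cnf = $argv[1] ?? '/etc/ssl/openssl.cnf';
$user = function_exists('posix_geteuid') ? posix_getpwuid(posix_geteuid())['name'] : (string) getmyuid();
echo "Checking $cnf as user $user\n";
if ($user === 'root') {
    echo "note: root bypasses permission bits; re-run as the PHP user for a meaningful result\n";
}
foreach (checkPathAccess($cnf) as $problem) {
    echo "  problem: $problem\n";
}
$result = tryKeygen($cnf);
echo $result['ok'] ? "key generation OK ({$result['bits']} bits)\n" : "key generation FAILED\n";
foreach ($result['errors'] as $err) {
    echo "  openssl: $err\n";
}
exit($result['ok'] ? 0 : 1);
```

Running this as root proves nothing, which is exactly what the thread observed (the root CLI run succeeded while the www-data run failed): root bypasses mode bits, so the check has to execute under the same user as mod_php or php-fpm. The exit status makes the script usable as a post-upgrade health check before the first login attempt.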

    $config = [
        'digest_alg' => 'sha512',
        'private_key_bits' => 2048,
        'config' => '/etc/ssl/openssl.cnf',
    ];

    $res = openssl_pkey_new($config);

    var_dump($res);
    var_dump(openssl_error_string());

I met the same problem upgrading from 13.06 to 14.
I ran the script above:

root@Openwrt:/opt/wwwroot# sudo -u nobody php-cli phpopenssl.php
output:
resource(4) of type (OpenSSL key)
string(39) "error:02001002:lib(2):func(1):reason(2)"

openssl version

[screenshot omitted]

I have already added it to the config.

[screenshot omitted]

error log listed:

{"reqId":"E4mpumpeRrchnxzNv8rE","level":3,"time":"2018-09-30T05:25:31+00:00","remoteAddr":"2409:891e:6c40:3079:c38:519:95fd:48f0","user":"--","app":"index","method":"GET","url":"\/","message":{"Exception":"TypeError","Message":"openssl_pkey_get_details() expects parameter 1 to be resource, boolean given","Code":0,"Trace":[{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php","line":300,"function":"openssl_pkey_get_details","args":[false]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php","line":270,"function":"newToken","class":"OC\Authentication\Token\PublicKeyTokenProvider","type":"->",

13.0.6
[screenshot omitted]
14.0.01

[screenshot omitted]

Many files added.

Edit2: Got it working now. Changed the /etc/ssl/ Permissions. chmod go+rx /etc/ssl/ does the trick.

Does it work for you as well?

No.

I have no problem with permissions.

Running the script

shows the error.

Does that mean php-mod-openssl has some problem?

New log:
{"reqId":"fR4sjBxGdtgFPtzLlR5l","level":3,"time":"2018-09-30T10:15:27+00:00","remoteAddr":"2409:8a1e:8fce:d5e0:bcc7:2d95:e0bf:313a","user":"wei","app":"index","method":"POST","url":"\/login?redirect_url=\/apps\/files\/","message":{"Exception":"TypeError","Message":"Argument 1 passed to OC\\Authentication\\Token\\PublicKeyTokenProvider::encrypt() must be of the type string, null given, called in \/opt\/wwwroot\/Nextcloud\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php on line 305","Code":0,"Trace":[{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php","line":305,"function":"encrypt","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php","line":69,"function":"newToken","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensitive parameter replaced ***"]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/Authentication\/Token\/Manager.php","line":68,"function":"generateToken","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/User\/Session.php","line":631,"function":"generateToken","class":"OC\\Authentication\\Token\\Manager","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/opt\/wwwroot\/Nextcloud\/core\/Controller\/LoginController.php","line":322,"function":"createSessionToken","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced 
***"]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/AppFramework\/Http\/Dispatcher.php","line":166,"function":"tryLogin","class":"OC\\Core\\Controller\\LoginController","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/AppFramework\/Http\/Dispatcher.php","line":99,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[{"__class__":"OC\\Core\\Controller\\LoginController"},"tryLogin"]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/AppFramework\/App.php","line":118,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[{"__class__":"OC\\Core\\Controller\\LoginController"},"tryLogin"]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/AppFramework\/Routing\/RouteActionHandler.php","line":47,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["OC\\Core\\Controller\\LoginController","tryLogin",{"__class__":"OC\\AppFramework\\DependencyInjection\\DIContainer"},{"_route":"core.login.tryLogin"}]},{"function":"__invoke","class":"OC\\AppFramework\\Routing\\RouteActionHandler","type":"->","args":[{"_route":"core.login.tryLogin"}]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/Route\/Router.php","line":297,"function":"call_user_func","args":[{"__class__":"OC\\AppFramework\\Routing\\RouteActionHandler"},{"_route":"core.login.tryLogin"}]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/base.php","line":987,"function":"match","class":"OC\\Route\\Router","type":"->","args":["\/login"]},{"file":"\/opt\/wwwroot\/Nextcloud\/index.php","line":42,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php","Line":220,"CustomMessage":"--"},"userAgent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36","version":"14.0.1.1"}

root@Openwrt:/opt/wwwroot# sudo -u nobody php-cli phpopenssl.php
output:
resource(4) of type (OpenSSL key)
string(39) "error:02001002:lib(2):func(1):reason(2)"

This looks ok. resource(4) of type (OpenSSL key) is passed to PublicKeyTokenProvider::encrypt().

@danielkesselberg

How about the error it prompted?

And, referring to my log above, how do I resolve the internal server error?

Thanks

Could you look for this line https://github.com/nextcloud/server/blob/1b35dc1cbafe318933ba0c11212a9c3c6b787700/lib/private/Authentication/Token/PublicKeyTokenProvider.php#L297

and add var_dump(openssl_error_string()); exit(); below, try again, copy the output and remove the line again?

add

Could you look for this line

server/lib/private/Authentication/Token/PublicKeyTokenProvider.php

Line 297 in 1b35dc1

  openssl_pkey_export($res, $privateKey);

and add var_dump(openssl_error_string()); exit() below, try again, copy output and remove the line again?

[screenshot omitted]

No output, since exit();

[screenshot omitted]

Any problem here?

```json
{"reqId":"QbXJadtjq4fr1ILIUdbn","level":3,"time":"2018-09-30T14:52:47+00:00","remoteAddr":"192.168.100.240","user":"caihong","app":"index","method":"POST","url":"\/login","message":{"Exception":"TypeError","Message":"Argument 1 passed to OC\\Authentication\\Token\\PublicKeyTokenProvider::encrypt() must be of the type string, null given, called in \/opt\/wwwroot\/Nextcloud\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php on line 307","Code":0,"Trace":[{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php","line":307,"function":"encrypt","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php","line":69,"function":"newToken","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensitive parameter replaced ***"]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/Authentication\/Token\/Manager.php","line":68,"function":"generateToken","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/User\/Session.php","line":631,"function":"generateToken","class":"OC\\Authentication\\Token\\Manager","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/opt\/wwwroot\/Nextcloud\/core\/Controller\/LoginController.php","line":322,"function":"createSessionToken","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/AppFramework\/Http\/Dispatcher.php","line":166,"function":"tryLogin","class":"OC\\Core\\Controller\\LoginController","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/AppFramework\/Http\/Dispatcher.php","line":99,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[{"__class__":"OC\\Core\\Controller\\LoginController"},"tryLogin"]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/AppFramework\/App.php","line":118,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[{"__class__":"OC\\Core\\Controller\\LoginController"},"tryLogin"]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/AppFramework\/Routing\/RouteActionHandler.php","line":47,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["OC\\Core\\Controller\\LoginController","tryLogin",{"__class__":"OC\\AppFramework\\DependencyInjection\\DIContainer"},{"_route":"core.login.tryLogin"}]},{"function":"__invoke","class":"OC\\AppFramework\\Routing\\RouteActionHandler","type":"->","args":[{"_route":"core.login.tryLogin"}]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/Route\/Router.php","line":297,"function":"call_user_func","args":[{"__class__":"OC\\AppFramework\\Routing\\RouteActionHandler"},{"_route":"core.login.tryLogin"}]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/base.php","line":987,"function":"match","class":"OC\\Route\\Router","type":"->","args":["\/login"]},{"file":"\/opt\/wwwroot\/Nextcloud\/index.php","line":42,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php","Line":220,"CustomMessage":"--"},"userAgent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36","version":"14.0.1.1"}
```

error log still

add

Could you look for this line
server/lib/private/Authentication/Token/PublicKeyTokenProvider.php
Line 297 in 1b35dc1

```php
openssl_pkey_export($res, $privateKey);
```

and add `var_dump(openssl_error_string()); exit();` below, try again, copy output and remove the line again?


Hmm. Could you add the line, open nextcloud, try to login and see if there is any output?

I've been having a similar issue as @darkrain88. I'm using Debian Stretch. I followed the above steps and checked permissions. I added the three lines mentioned above and my browser gets this error message:

```
bool(false) string(68) "error:0E06D06C:configuration file routines:NCONF_get_string:no value"
```

In my log file for a desktop user:

```json
{"reqId":"SomeReqId","level":3,"time":"2018-09-30T18:20:34+00:00","remoteAddr":"192.168.1.1","user":"SomeDesktopUser","app":"PHP","method":"GET","url":"\/status.php","message":"openssl_pkey_export(): cannot get key from parameter 1 at \/var\/www\/html\/nextcloud\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php#297","userAgent":"Mozilla\/5.0 (Linux) mirall\/2.3.3 (Nextcloud)","version":"14.0.1.1"}
```

for a mobile/app user:

```json
{"reqId":"SomeReqId","level":3,"time":"2018-09-30T18:38:15+00:00","remoteAddr":"192.168.1.1","user":"SomeMobileUser","app":"PHP","method":"GET","url":"\/status.php","message":"openssl_pkey_new(): Error loading request_extensions_section section v3_req of \/usr\/lib\/ssl\/openssl.cnf at \/var\/www\/html\/nextcloud\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php#296","userAgent":"Mozilla\/5.0 (Linux) mirall\/2.3.3 (Nextcloud)","version":"14.0.1.1"}
```

I also ran @darkrain88's script and got the following output:

```
PHP Warning: openssl_pkey_new(): Error loading request_extensions_section section v3_req of /etc/ssl/openssl.cnf in /var/www/html/nextcloud/test.php on line 9 bool(false) string(68) "error:0E06D06C:configuration file routines:NCONF_get_string:no value"
```

From my /etc/ssl/openssl.cnf here is the v3_req section:

```ini
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
tlsfeature = status_request
```

I commented out a line:

```ini
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

subjectAltName = @alt_names

tlsfeature = status_request
```

This changed the output of @darkrain88's test script:

```
resource(4) of type (OpenSSL key) string(68) "error:0E06D06C:configuration file routines:NCONF_get_string:no value"
```

I'm still getting the string(68) error, but it doesn't seem fatal.

The change in v3_req prevented the internal error screen from showing up in Nextcloud, and I can log in without issue. I'm not noticing any new errors show up in the log.

but I can't log in

some internal error.

Hmm. Could you add the line, open nextcloud, try to login and see if there is any output?

add line, how to do that?

can replace sha512 with v3_ca

```php
<?php
// Test script: generate a key with the same options Nextcloud uses and
// dump the result together with the first entry of the OpenSSL error queue.
$config = [
    'digest_alg' => 'sha512',
    'private_key_bits' => 2048,
    'config' => '/etc/ssl/openssl.cnf',
];

$res = openssl_pkey_new($config);

var_dump($res);
var_dump(openssl_error_string());
```

add line, how to do that?

https://github.com/nextcloud/server/blob/1b35dc1cbafe318933ba0c11212a9c3c6b787700/lib/private/Authentication/Token/PublicKeyTokenProvider.php#L297

Could you look for this file on your nextcloud instance and insert this code below it: `var_dump(openssl_error_string()); exit();`

Then open nextcloud with your browser and try to login. I guess you should see a white page with some output. Because openssl_pkey_export sets $privateKey to null i would like to know if there is anything helpful reported by openssl_error_string why generation failed.

@danielkesselberg

that is, nothing is output

only a 500 error

Sorry @darkrain88, I have no idea what is going wrong in your case :disappointed:


information:

```
string(39) "error:02001002:lib(2):func(1):reason(2)"
```

The output is the same as when running the script above.

@darkrain88 could you open a new issue for this? The original issue @Marcwa19197 started this ticket for has been solved. There is only a little chance that someone else is looking in a closed issue. Thank you :+1: and don't forget to provide as much information as possible.


Thank you

use `openssl_pkey_export($res, $privateKey, NULL, $config)`


This solution works for me!!

Change the code of PublicKeyTokenProvider.php:

```php
// Generate new key
$res = openssl_pkey_new($config);
// openssl_pkey_export($res, $privateKey);
openssl_pkey_export($res, $privateKey, NULL, $config);
```

@kesselb, found a solution here...

@0xb0ba I tried this but I get the same errors.

I met the same problem installing version 16.0, and I added the lines below `$res = openssl_pkey_new($config);`:

```php
openssl_pkey_export($res, $privateKey);
var_dump($res);
var_dump($config);
var_dump(openssl_error_string());
```

and got the error:

```
error:0E06D06C:configuration file routines:NCONF_get_string:no value
```

Next, I added the value in config/config.php:

```php
array (
'digest_alg' => 'sha512',
'private_key_bits' => 4096,
'config' => '/usr/local/openssl/openssl.cnf',
),
```

With private_key_bits set to 2048 I got the same errors;
when I changed the value to 4096, it worked.


@0xb0ba Passing $config to openssl_pkey_export looks good. Mind opening a pull request?

```php
if (openssl_pkey_export($res, $privateKey, null, $config) === false) {
    $this->logOpensslError();
}
```

We should check the response and log errors again just in case. Sorry for the late reply :see_no_evil:

Fix is in #16495
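The pattern the thread converges on, written out as a stand-alone script. This is an added example, not Nextcloud's code and not the patch in #16495: it generates a key pair the way PublicKeyTokenProvider does, passes the same $config array to both `openssl_pkey_new()` and `openssl_pkey_export()`, checks each return value, and drains the OpenSSL error queue (openssl_error_string() returns one entry per call, so a single call can show a stale, harmless "NCONF_get_string:no value" entry from parsing openssl.cnf instead of the fatal one). The openssl.cnf path in $config and the function names are assumptions for illustration.

```php
<?php
// Added example (not Nextcloud code): key generation with the same $config
// for openssl_pkey_new() and openssl_pkey_export(), with every return value
// checked and the OpenSSL error queue drained into the exception message.

declare(strict_types=1);

/**
 * Drain OpenSSL's error queue, oldest entry first.
 * openssl_error_string() returns one entry per call and false once the
 * queue is empty, so a single var_dump() can miss the error that matters.
 */
function opensslErrors(): array
{
    $errors = [];
    while (($error = openssl_error_string()) !== false) {
        $errors[] = $error;
    }
    return $errors;
}

/**
 * Generate an RSA key pair using the options array Nextcloud builds from
 * the 'openssl' entry in config.php (digest_alg, private_key_bits and,
 * optionally, 'config' pointing at an openssl.cnf).
 * Returns [privateKeyPem, publicKeyPem, nonFatalMessages] or throws.
 */
function generateKeyPair(array $config): array
{
    opensslErrors(); // discard leftovers from earlier OpenSSL calls

    $res = openssl_pkey_new($config);
    if ($res === false) {
        throw new RuntimeException(
            'openssl_pkey_new failed: ' . implode('; ', opensslErrors())
        );
    }

    // Without $config here the export falls back to the default openssl.cnf;
    // if that file is unusable, $privateKey stays null and the caller later
    // fails with "must be of the type string, null given".
    $privateKey = null;
    if (openssl_pkey_export($res, $privateKey, null, $config) === false) {
        throw new RuntimeException(
            'openssl_pkey_export failed: ' . implode('; ', opensslErrors())
        );
    }

    $details = openssl_pkey_get_details($res);
    if ($details === false || !isset($details['key'])) {
        throw new RuntimeException(
            'openssl_pkey_get_details failed: ' . implode('; ', opensslErrors())
        );
    }

    // Entries the config parser queued but that did not stop generation
    // (the "no value" message seen in this thread): log them, don't fail.
    $warnings = opensslErrors();

    return [$privateKey, $details['key'], $warnings];
}

// Usage. The path is an assumption: substitute the openssl.cnf the PHP
// build actually uses (shown as "Openssl default config" in `php -i`).
$config = [
    'digest_alg'       => 'sha512',
    'private_key_bits' => 2048,
    'config'           => '/etc/ssl/openssl.cnf',
];

try {
    list($private, $public, $warnings) = generateKeyPair($config);
    echo "private key: ", strlen($private), " bytes of PEM\n";
    echo "public key:  ", strlen($public), " bytes of PEM\n";
    foreach ($warnings as $warning) {
        echo "non-fatal openssl message: ", $warning, "\n";
    }
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

Run it with the same PHP binary and user the web server uses (for example `sudo -u www-data php keytest.php`), since a config path that is readable for your shell account but not for the web server user reproduces exactly the "cannot get key from parameter 1" symptom from this thread.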
