Server: E2E fatal error causes the client 2.5 can not connect with Nextcloud 14
Steps to reproduce
- I am using Nextcloud 14, which is upgraded from ownCloud 9 without error.
- I want to test the end_to_end encryption so I get the Windows
Nextcloud-2.5.0.61553-rc2-20181105.exe - Try to connect to Nextcloud server, but the client fails.
According to the comments, this bug affects different use cases (Windows/Linux client 2.5.x, Docker or upgraded installation, etc) Possible bypass: methods: (1) Use client 2.3.x, or (2) Disable the end-to-end encryption on the server, or (3) setup E2E encryption by Android/iOS client first, then use Windows/Linux client to connect.
Actual behavior
The client can not connect to the server. And there are error logs in server:
Error | end_to_end_encryption | Can't create public key: could not sign the CSR, please make sure to submit a valid CSR | 2018-11-08T16:01:36+0800
Error | PHP | openssl_csr_sign(): cannot get CSR from parameter 1 at /opt/nextcloud/apps/end_to_end_encryption/lib/SignatureHandler.php#60 | 2018-11-08T16:01:36+0800
The end_to_end_encryption directory is empty under nextcloud data. find:
./appdata_oc1u8svo90z0/end_to_end_encryption
./appdata_oc1u8svo90z0/end_to_end_encryption/meta-data
./appdata_oc1u8svo90z0/end_to_end_encryption/public-keys
./appdata_oc1u8svo90z0/end_to_end_encryption/private-keys
The Linux owner/permission of nextcloud data are all correct.
Server configuration
Operating system: Debian 9
Web server: Nginx
Database: MySQL 5.6
PHP version: PHP 7.0.30 (Debian)
Nextcloud version: 14.0.3
Updated from an older Nextcloud/ownCloud or fresh install: Updated from ownCloud 9 -> Nextcloud 10 -> 11 -> 12 -> 13 -> 14
Where did you install Nextcloud from: Official web site
Signing status:
Signing status
No errors have been found.
List of activated apps:
App list
Enabled:
- accessibility: 1.0.1
- activity: 2.7.0
- apporder: 0.5.0
- calendar: 1.6.3
- cloud_federation_api: 0.0.1
- comments: 1.4.0
- contacts: 2.1.6
- dav: 1.6.0
- deck: 0.4.1
- encryption: 2.2.0
- end_to_end_encryption: 1.0.5
- federatedfilesharing: 1.4.0
- federation: 1.4.0
- files: 1.9.0
- files_pdfviewer: 1.3.2
- files_sharing: 1.6.2
- files_texteditor: 2.6.0
- files_trashbin: 1.4.1
- files_versions: 1.7.1
- files_videoplayer: 1.3.0
- firstrunwizard: 2.3.0
- gallery: 18.1.0
- logreader: 2.0.0
- lookup_server_connector: 1.2.0
- nextcloud_announcements: 1.3.0
- notes: 2.4.2
- notifications: 2.2.1
- oauth2: 1.2.1
- password_policy: 1.4.0
- provisioning_api: 1.4.0
- serverinfo: 1.4.0
- sharebymail: 1.4.0
- support: 1.0.0
- survey_client: 1.2.0
- systemtags: 1.4.0
- theming: 1.5.0
- twofactor_backupcodes: 1.3.1
- updatenotification: 1.4.1
- workflowengine: 1.4.0
Disabled:
- admin_audit
- files_external
- user_external
- user_ldap
Nextcloud configuration:
Config report
Are you using external storage, if yes which one: no
Are you using encryption: yes (server-side)
Are you using an external user-backend, if yes which one: no
Client configuration
Browser: Chrome/Edge
Operating system: Windows 10
Nextcloud log (data/nextcloud.log)
Nextcloud log
{"reqId":"GLlZhzXFnNg4h2vKeyWQ","level":3,"time":"2018-11-08T08:01:36+00:00","remoteAddr":"1.2.3.4","user":"user","app":"PHP","method":"POST","url":"\/ocs\/v2.php\/apps\/end_to_end_encryption\/api\/v1\/public-key?format=json","message":"openssl_csr_sign(): cannot get CSR from parameter 1 at \/data\/nextcloud\/apps\/end_to_end_encryption\/lib\/SignatureHandler.php#60","userAgent":"Mozilla\/5.0 (Windows) mirall\/2.5.0rc2 (build 20181105) (Nextcloud)","version":"14.0.3.0"}
{"reqId":"GLlZhzXFnNg4h2vKeyWQ","level":3,"time":"2018-11-08T08:01:36+00:00","remoteAddr":"1.2.3.4","user":"user","app":"end_to_end_encryption","method":"POST","url":"\/ocs\/v2.php\/apps\/end_to_end_encryption\/api\/v1\/public-key?format=json","message":"Can't create public key: could not sign the CSR, please make sure to submit a valid CSR","userAgent":"Mozilla\/5.0 (Windows) mirall\/2.5.0rc2 (build 20181105) (Nextcloud)","version":"14.0.3.0"}
{"reqId":"F6HlIyLz20xXyVoUYwrP","level":3,"time":"2018-11-08T08:05:41+00:00","remoteAddr":"1.2.3.4","user":"user","app":"PHP","method":"POST","url":"\/ocs\/v2.php\/apps\/end_to_end_encryption\/api\/v1\/public-key?format=json","message":"openssl_csr_sign(): cannot get CSR from parameter 1 at \/data\/nextcloud\/apps\/end_to_end_encryption\/lib\/SignatureHandler.php#60","userAgent":"Mozilla\/5.0 (Windows) mirall\/2.5.0rc2 (build 20181105) (Nextcloud)","version":"14.0.3.0"}
{"reqId":"F6HlIyLz20xXyVoUYwrP","level":3,"time":"2018-11-08T08:05:41+00:00","remoteAddr":"1.2.3.4","user":"user","app":"end_to_end_encryption","method":"POST","url":"\/ocs\/v2.php\/apps\/end_to_end_encryption\/api\/v1\/public-key?format=json","message":"Can't create public key: could not sign the CSR, please make sure to submit a valid CSR","userAgent":"Mozilla\/5.0 (Windows) mirall\/2.5.0rc2 (build 20181105) (Nextcloud)","version":"14.0.3.0"}
wxiaoguang
All 28 comments
GitMate.io thinks possibly related issues are https://github.com/nextcloud/server/issues/6299 (Fatal Errors), https://github.com/nextcloud/server/issues/297 (Upgrade ownCloud 8.2.1 to Nextcloud 9 Issue), https://github.com/nextcloud/server/issues/141 (Error after updating ownCloud 9 to Nextcloud 9), https://github.com/nextcloud/server/issues/5056 (nextcloud 12 upgrade error), and https://github.com/nextcloud/server/issues/104 (NextCloud / OwnCloud).
nextcloud-bot
on 9 Nov 2018
I have the same issue here with the final 2.5 client. I can provide a log from the client in private but wouldn't post it here as it has lots of personal data in it.
janLo
on 15 Nov 2018
It happened for me after just updating the client from 2.3 without actually changing any settings.
janLo
on 15 Nov 2018
Yesterday I also made an upgrade from the last version and now the sync doesn't work.
I can login to NextCloud and choose the local folder, but then the sync is gray and client says "No connection to nextcloud"
I haven't use E2E or server side encryption at all
mraitisoja
on 15 Nov 2018
In case it is useful information: I use NC from the official docker container with a nginx proxy in front of it and postgres 9.6 as database.
janLo
on 15 Nov 2018
It also affects the Linux client 2.5.0-20181111.015125~bionic1, so please change the issue title.
awesome-manuel
on 15 Nov 2018
At least it's possible for me to connect when I disable the End-to-End Encryption app on the server. Maybe that is helpful for those who haven't used E2E yet and simply want to sync their files.
grisumedia
on 15 Nov 2018
At least it's possible for me to connect when I disable the End-to-End Encryption app on the server. Maybe that is helpful for those who haven't used E2E yet and simply want to sync their files.
Oh, that works here too, thank you.
janLo
on 15 Nov 2018
Yesterday I also made an upgrade from the last version and now the sync doesn't work.
I can login to NextCloud and choose the local folder, but then the sync is gray and client says "No connection to nextcloud"
I haven't use E2E or server side encryption at all
I can confirm that disabling the E2E encryption module from server side helped.
I had to remove the account from PC (Windows) and re-login again. Now the syncing works again
mraitisoja
on 16 Nov 2018
Workaround for me was to disconnect the desktop client, encrypt a single empty folder using the Android client and then reconnect the desktop client using the mnemonic from the Android client.
awesome-manuel
on 16 Nov 2018
Yep that workaround is working, but every client not initialized like that will fail and leave a bad ux impression.
I hope this issue gets fixed soon :+1:
mightyBroccoli
on 16 Nov 2018
I also had issues with 2.5.0 against NC13.0.7 on Solus (current, Arch based): The client didn't start at all, it just said "Aborting.". There also was a theme missing (that's warnings only, gone after installing it). While debugging this I noticed that I could no longer write files to synced directories. It turned out that user's write permission bits were unset for these files, and the directory hierarchy containing them. So I shut the client down, "chmod -R u+w" for all synced directories and files, copied these files to an unsynced place and deleted them on server and the client (while no client running), then restarted the client and voil脿 it started again. Copying back the files synced them and up to now it seems to work nicely.
nursoda
on 17 Nov 2018
This seems to be the related issue for the client: https://github.com/nextcloud/desktop/issues/560
awesome-manuel
on 20 Nov 2018
I got the same problem with server 14.0.0.19 (php 7.2.12) and client 2.5. Deactivating encryption module worked.
But another installation works like a charm (14.0.3.0 and encryption module activated; php 7.0.32).
nils-se
on 23 Nov 2018
At least it's possible for me to connect when I disable the End-to-End Encryption app on the server. Maybe that is helpful for those who haven't used E2E yet and simply want to sync their files.
Disabling E2E encryption worked for me (for now). I was able to connect after restarting the client. Nextcloud Client latest on Ubuntu 18.04 LTS with Nextcloud Server 13.x on Synology NAS.
Zw3rv3r
on 27 Nov 2018
Is there any progess on this? Can I reenable the E2E or is it still broken with NC?
janLo
on 23 Jan 2019
Still broken for me as of today.
derkweijers
on 24 Jan 2019
Yep, for me too.
basvandenbrink
on 26 Jan 2019
Same problem here with NC 15 and linux nextcloud-client 2.5.1-2
Can confirm that removing e2e app on the server and then re-adding the account and connections solved the problem - it's syncing again
papanito
on 23 Feb 2019
The problem (at least in my setup) is that the POST request that is getting sent to the server doesn't have a Content-Type header. I've worked around this by forcing the content-type to application/x-www-form-urlencoded, which works around the issue. Here is the change: https://github.com/aszlig/avonc/commit/40b5bad674b7cbda97f68da1761e1424698d1f34
aszlig
on 20 Mar 2019
Since this is still not fixed for some reason ( it does not affect everyone?)
How could one wipe current end to end setup for all users in order to restart it from scratch and hopefully not bump into the issue
muppeth
on 12 Sep 2019
The problem (at least in my setup) is that the POST request that is getting sent to the server doesn't have a
Content-Typeheader. I've worked around this by forcing the content-type toapplication/x-www-form-urlencoded, which works around the issue. Here is the change: aszlig/avonc@40b5bad
cc @nextcloud/desktop @misch7
kesselb
on 12 Sep 2019
Thanks for mentioning the desktop team. I am actually trying to safely reproduce this issue, which would be absolutely helpful to get to the root of this problem (may it be server or client side or both). However, I'm unfortunately lucky. I tried with a fresh NC16 instance (build from scratch in an isolated test environment). No proxies in between, direct access w/ https.
@wxiaoguang and @mraitisoja mentioned an upgrade installation.
@janLo @awesome-manuel @grisumedia @mightyBroccoli @nursoda @nils-se @Zw3rv3r @papanito You all don't mention the history of your NC instance. Fresh install or upgrade?
Thank you all for chiming in here!
DominiqueFuchs
on 12 Sep 2019
@DominiqueFuchs I just added the workaround from https://github.com/nextcloud/server/issues/12365#issuecomment-474682206 and it started working again. Setup is nginx + php-fpm 7.3 with fastcgi proxy_pass: https://gist.github.com/mtippmann/e2739051d3fcd36bc8ed6869e1da649b
If you comment out the location block starting on line 88 it does not work.
I've saw in the access log that the first GET request to that location gives a 404 (probably because there is no e2e key) and the second request (POST to that location) errors out with a 400 - probably due to having the wrong content-type header.
After fixing the second requests also works and the key is uploaded.
You somehow have to completly log out of the desktop client to get a fresh chance at testing this, once it fails it doesn't recover (but I'm not sure on this one).
Hope this helps at least a little bit.
It's also an updated nextcloud 16 (even migrated from owncloud 8.x?), client is 2.5.3 on Linux
mtippmann
on 13 Sep 2019
@DominiqueFuchs in my case its an old instance dating back to owncloud 7 (or even older like 4 or so. I kept updating until nextcloud fork and moved to nextcloud). I enabled the e2ee when it became available, and at some point (hard to point out atm) it prevented all users that did not setup e2ee to be able to sync with nextcloud desktop.
edit
Adding the specified above headers solves the problem but of course this is not the longterm solution imo.
muppeth
on 13 Sep 2019
OK, I can confirm this with a fresh (and thus: reproducible) docker instance.
NC 15.0.11 syncs fine when linked to the newest stable desktop client (1.5.3) directly after setup (without E2E). I quit the client, activated E2E on the server, opened it up again and the issue as described here appears.
I'll try to get my hands on a debug session with this scenario in the following days.
FTR: Yes, client 2.3.3.1 as latest stable (or similar before 2.5) works. But this is due to the absence of E2E functionality on the client side, so this is expected. Apart from this I do not recommend to use a version that old, as this will likely cause other problems and is a significant security risk.
DominiqueFuchs
on 14 Sep 2019
@muppeth @mtippmann @aszlig Fix is merged in the master branch (PR1420) - thanks a lot to the numerous helpful reports and pinpointings here. You can test the daily build that鈥榣l contain this change or build yourself. Would be great if someone has the time to report back with this fix.
DominiqueFuchs
on 15 Sep 2019
Duplicate of original issue desktop/#830 and fixed by desktop/PR#1420
DominiqueFuchs
on 25 Sep 2019
Related issues
williambargent
路
3Comments
MariusBluem
路
3Comments
rullzer
路
3Comments
ChristophWurst
路
3Comments
Django-BOfH
路
3Comments
Most helpful comment
Workaround for me was to disconnect the desktop client, encrypt a single empty folder using the Android client and then reconnect the desktop client using the mnemonic from the Android client.