App Passwords Don't Work on New Install

Greetings,
I did something stupid. I straight up killed my server dead-dead. So…Fresh install! Seriously starting from scratch. Took the time to upgrade off of Scientific Linux 6 to CentOS 8 so no more janky workarounds with old versions of PHP. :slight_smile:

I thought this would be as vanilla of an install as I could get.

Nextcloud version : 19.0
Operating system and version : CentOS 8 (fully patched/updated)
Apache or nginx version : nginx
PHP version : 7.2

The issue you are facing:

App passwords don’t work.

Is this the first time you’ve seen this error? : Y

Steps to replicate it:
If I log into the webpage with my user and pass, everything works great. However, Settings->Personal->Security->“Devices & sessions” (potentially a typo somewhere? Potentially indicative that I’ve goofed something up? :man_shrugging: ) -> App Name (box) and fill in the hostname of the desktop client -> Click “Create new app password”
It gives my user name and a password that looks like this: aaAa1-a1A1A-aaaaa-aAAAA-AAAaa (obviously it’s a mixture and fairly random). I copy that password and paste it into a text pad. Then click “Done”.

Next, open the desktop sync client. It opens a browser and asks for a user/password. I put in the user and I copy/paste the password as given above to completely eliminate any typos. I hit “Log In” and get the message “Wrong username or password.” Baloney! I know it’s perfect!

BTW. Tried multiple machines + Android. It’s always the same. Doesn’t let me in.

The output of your Nextcloud log in Admin > Logging:

{"reqId":"RandomTokenStringHere","level":2,"time":"2020-07-05T15:37:15+00:00","remoteAddr":"my.ip.is.here","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: MyUserName (Remote IP: my.ip.is.here)","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0","version":"19.0.0.12"}

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => 'RandomString',
  'passwordsalt' => 'RandomString',
  'trusted_domains' => 
  array (
    0 => 'my.domain',
  ),
  'datadirectory' => '/var/www/html/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '19.0.0.12',
  'installed' => true,
  'forcessl' => true,
  'maintenance' => false,
  'trashbin_retention_obligation' => '3, auto',
  'secret' => 'RandomString',
  'forceSSLforSubdomains' => true,
  'loglevel' => 0,
  'dbname' => 'ncdb',
  'dbhost' => 'localhost',
  'dbuser' => 'ncuser',
  'dbpassword' => 'RandomString',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'theme' => '',
  'app_install_overwrite' => 
  array (
    0 => 'news',
  ),
  'overwrite.cli.url' => 'https://my.domain',
);

The output of your Apache/nginx/system log in /var/log/____:

my.ip.is.here - - [05/Jul/2020:10:43:01 -0500] "POST /login HTTP/1.1" 303 0 "https://my.domain/login?user=MyUser&redirect_url=/login/v2/grant?stateToken%RandomTokenString" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0" "-"
my.ip.is.here - - [05/Jul/2020:10:43:01 -0500] "GET /login?user=MyUser&redirect_url=/login/v2/grant?stateToken%RandomTokenString HTTP/1.1" 200 12861 "https://my.domain/login?user=MyUser&redirect_url=/login/v2/grant?stateToken%MyTokenString" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0" "-"

And here is my nginx.config

upstream php-handler {
    server 127.0.0.1:9000;
    #server unix:/var/run/php5-fpm.sock;
}

server {
  listen 443 ssl;
  server_name my.domain;
  ssl_certificate /etc/pki/tls/certs/ca.crt;
  ssl_certificate_key /etc/pki/tls/private/ca.key;

  add_header X-Content-Type-Options nosniff;
  add_header X-Frame-Options "SAMEORIGIN";
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Robots-Tag none;
  add_header X-Download-Options noopen;
  add_header X-Permitted-Cross-Domain-Policies none;

  root /var/www/html/nextcloud/;

  location = /robots.txt {
     allow all;
     log_not_found off;
     access_log off;
  }

  location = /.well-known/carddav {
     return 301 $scheme://$host/remote.php/dav;
  }
  location = /.well-known/caldav {
     return 301 $scheme://$host/remote.php/dav;
  }
  client_max_body_size 512M;
  fastcgi_buffers 64 4K;
  gzip off;
  location / {
     rewrite ^ /index.php;
  }
  location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
     deny all;
  }
  location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
     deny all;
  }

  location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
     fastcgi_split_path_info ^(.+\.php)(/.*)$;
     try_files $fastcgi_script_name =404;
     include /etc/nginx/fastcgi_params;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
     fastcgi_param PATH_INFO $fastcgi_path_info;
     fastcgi_param HTTPS on;
     fastcgi_param modHeadersAvailable true;
     fastcgi_param front_controller_active true;
     fastcgi_pass php-handler;
     fastcgi_intercept_errors on;
     fastcgi_request_buffering off;
  }

  location ~ ^/(?:updater|ocs-provider)(?:$|/) {
     try_files $request_uri/ =404;
     index index.php;
  }
  location ~* \.(?:css|js|woff|svg|gif)$ {
     try_files $uri /index.php$request_uri$is_args$args;
     add_header Cache-Control "public, max-age=7200";
     add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
     add_header X-Content-Type-Options nosniff;
     add_header X-Frame-Options "SAMEORIGIN";
     add_header X-XSS-Protection "1; mode=block";
     add_header X-Robots-Tag none;
     add_header X-Download-Options noopen;
     add_header X-Permitted-Cross-Domain-Policies none;
     access_log off;
  }
  location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
     try_files $uri /index.php$request_uri$is_args$args;
     access_log off;
  }
  location ^~ /.well-known { root /var/www/letsencrypt; }
}

I would really appreciate help figuring this out.
Thanks!

Hi, @stack

Have you tried to log into the instance “normally” with the desktop client? It supports what NC calls “login flow”, so it will in fact automatically create an app password for you when authenticating with your server.

I guess (really only guessing here) the app password you created does not have the right to create other app passwords, so your login effectively fails.

The rest of your setup looks pretty good to me.

/S

Greetings @simonspa ,

Thanks for that information. I change my password pretty frequently and was really tired of changing it on a ton of devices, so I always set up an app password for /every/ client type as soon as this feature was introduced a few years ago. I decided to test it.

I connected my Desktop sync client, made sure it was happy and done syncing, quit, changed my password via the web interface, started up the client and it was happy! So I guess I don’t need to worry about that again.

However, I was still having issues with Android clients. So I found a list of occ commands to check and repair issues…so I ran them all… Database, files, all of em. :smiley: I figured a check and repair wouldn’t hurt anything, and even if it did…well…it’s a new install. :laughing:

That seems to have done it! The app password still doesn’t work for the client (tried that on a laptop), however, that app password worked for both the Nextcloud Android client and CalDav. :man_shrugging:

Thanks for checking and reviewing. I will mark that as the solution.