Enabling encryption and then later disabling it caused Nextcloud to completely crash - "Internal Server Error"

Hello everyone

Recently me and a friend of mine, who knows a lot about programming, decided to set up a Nextcloud for me. Everything was working perfectly fine for me until I saw “encryption” settings in my Nextcloud app for Windows. Without much thinking I enabled it and that’s where the problems started happening. I couldn’t sync and download the files. I would always get Internal Server Error when trying to open files on the Nextcloud website itself. This is a snippet from my log files:

[webdav] Error: Sabre\DAV\Exception\ServiceUnavailable: Encryption not ready: Default encryption module not loaded at <<closure>>

 0. /srv/nextcloud/apps/dav/lib/Connector/Sabre/File.php line 318
    OCA\DAV\Connector\Sabre\File->convertToSabreException()
 1. /srv/nextcloud/apps/dav/lib/Connector/Sabre/Directory.php line 149
    OCA\DAV\Connector\Sabre\File->put()
 2. /srv/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 1098
    OCA\DAV\Connector\Sabre\Directory->createFile("*** sensitive parameters replaced ***")
 3. /srv/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php line 504
    Sabre\DAV\Server->createFile("*** sensitive parameters replaced ***")
 4. /srv/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php line 89
    Sabre\DAV\CorePlugin->httpPut()
 5. /srv/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 472
    Sabre\DAV\Server->emit()
 6. /srv/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 253
    Sabre\DAV\Server->invokeMethod()
 7. /srv/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 321
    Sabre\DAV\Server->start()
 8. /srv/nextcloud/apps/dav/lib/Server.php line 365
    Sabre\DAV\Server->exec()
 9. /srv/nextcloud/apps/dav/appinfo/v2/remote.php line 35
    OCA\DAV\Server->exec()
10. /srv/nextcloud/remote.php line 172
    require_once("/srv/nextcloud/ ... p")

Caused by:

OC\Encryption\Exceptions\ModuleDoesNotExistsException: Default encryption module not loaded at <<closure>>

 0. /srv/nextcloud/lib/private/Encryption/Manager.php line 171
    OC\Encryption\Manager->getDefaultEncryptionModule()
 1. /srv/nextcloud/lib/private/Files/Storage/Wrapper/Encryption.php line 1081
    OC\Encryption\Manager->getEncryptionModule()
 2. /srv/nextcloud/lib/private/Files/Storage/Wrapper/Encryption.php line 470
    OC\Files\Storage\Wrapper\Encryption->shouldEncrypt()
 3. /srv/nextcloud/lib/private/Files/Storage/Wrapper/Encryption.php line 1089
    OC\Files\Storage\Wrapper\Encryption->fopen()
 4. /srv/nextcloud/lib/private/Files/Storage/Wrapper/Wrapper.php line 644
    OC\Files\Storage\Wrapper\Encryption->writeStream()
 5. /srv/nextcloud/apps/files_accesscontrol/lib/StorageWrapper.php line 321
    OC\Files\Storage\Wrapper\Wrapper->writeStream()
 6. /srv/nextcloud/apps/dav/lib/Connector/Sabre/File.php line 248
    OCA\FilesAccessControl\StorageWrapper->writeStream()
 7. /srv/nextcloud/apps/dav/lib/Connector/Sabre/Directory.php line 149
    OCA\DAV\Connector\Sabre\File->put()
 8. /srv/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 1098
    OCA\DAV\Connector\Sabre\Directory->createFile("*** sensitive parameters replaced ***")
 9. /srv/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php line 504
    Sabre\DAV\Server->createFile("*** sensitive parameters replaced ***")
10. /srv/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php line 89
    Sabre\DAV\CorePlugin->httpPut()
11. /srv/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 472
    Sabre\DAV\Server->emit()
12. /srv/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 253
    Sabre\DAV\Server->invokeMethod()
13. /srv/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 321
    Sabre\DAV\Server->start()
14. /srv/nextcloud/apps/dav/lib/Server.php line 365
    Sabre\DAV\Server->exec()
15. /srv/nextcloud/apps/dav/appinfo/v2/remote.php line 35
    OCA\DAV\Server->exec()
16. /srv/nextcloud/remote.php line 172
    require_once("/srv/nextcloud/ ... p")

PUT /remote.php/dav/files/admin/Phone%20backup/2023/10/11/Screenshots/Screenshot_20231011_112003_Signal.jpg
from 45.87.35.128 by admin at 2023-10-12T05:03:13+00:00

PHP snippet (I hope this is what you’re looking for):

require_once __DIR__ . '/lib/versioncheck.php';

try {
        require_once __DIR__ . '/lib/base.php';

        OC::handleRequest();
} catch (\OC\ServiceUnavailableException $ex) {
        \OC::$server->getLogger()->logException($ex, ['app' => 'index']);

        //show the user a detailed error page
        OC_Template::printExceptionErrorPage($ex, 503);
} catch (\OCP\HintException $ex) {
        try {
                OC_Template::printErrorPage($ex->getMessage(), $ex->getHint(), 503);
        } catch (Exception $ex2) {
                try {
                        \OC::$server->getLogger()->logException($ex, ['app' => 'index']);
                        \OC::$server->getLogger()->logException($ex2, ['app' => 'index']);
                } catch (Throwable $e) {
                        // no way to log it properly - but to avoid a white page of death we try harder and ignore this one here
                }

                //show the user a detailed error page
                OC_Template::printExceptionErrorPage($ex, 500);
        }
} catch (\OC\User\LoginException $ex) {
        $request = \OC::$server->getRequest();
        /**
         * Routes with the @CORS annotation and other API endpoints should
         * not return a webpage, so we only print the error page when html is accepted,
         * otherwise we reply with a JSON array like the SecurityMiddleware would do.
         */
        if (stripos($request->getHeader('Accept'), 'html') === false) {
                http_response_code(401);
                header('Content-Type: application/json; charset=utf-8');
                echo json_encode(['message' => $ex->getMessage()]);
                exit();
        }
        OC_Template::printErrorPage($ex->getMessage(), $ex->getMessage(), 401);
} catch (Exception $ex) {
        \OC::$server->getLogger()->logException($ex, ['app' => 'index']);

        //show the user a detailed error page
        OC_Template::printExceptionErrorPage($ex, 500);
} catch (Error $ex) {
        try {
                \OC::$server->getLogger()->logException($ex, ['app' => 'index']);
        } catch (Error $e) {
                http_response_code(500);
                header('Content-Type: text/plain; charset=utf-8');
                print("Internal Server Error\n\n");
                print("The server encountered an internal error and was unable to complete your request.\n");
                print("Please contact the server administrator if this error reappears multiple times, please include the technical details below in your report.\n");
                print("More details can be found in the webserver log.\n");

                throw $ex;
        }
        OC_Template::printExceptionErrorPage($ex, 500);
}

Nextcloud version: 27.1.2
Operating system and version: Ubuntu 22.04
Apache or nginx version: No idea

PHP version:

$OC_Version = array(27,1,2,1);
$OC_VersionString = '27.1.2';
$OC_Edition = '';
$OC_Channel = 'stable';
$OC_VersionCanBeUpgradedFrom = array (
  'nextcloud' => 
  array (
    '26.0' => true,
    '27.0' => true,
    '27.1' => true,
  ),
  'owncloud' => 
  array (
    '10.11' => true,
  ),
);
$OC_Build = '2023-10-05T10:53:45+00:00 11b2762d3cb72af264d03dcb201eabf0463dff0b';
$vendor = 'nextcloud';

This is the first time I’ve seen this error

Steps to replicate it:

  1. Set up Nextcloud
  2. Enable encryption
  3. A few hours later disable it like a fool and boom - you got a broken cloud

Do mind that I’m not an expert in this

Hi @bial654321

Did you read (and re-read) the manual about encryption and how to decrypt the files with occ?

Much luck!
ernolf

There are two types of “encryption” possible. One is end-to-end (client-side) and the other is server-only. Both are very different, but both must be set-up carefully and deliberately by following their respective documentation.

Did you enable End-to-End Encryption only in the Desktop client or also change some encryption related settings in the Web UI?

This question is unnecessary because it has already been answered by the log file entries. E2EE does not cause such problems.

ernolf

There is some overlap in the filecache between both types of encryption (e.g. here and here) so in theory it is still possible to have unexpected behavior or odd interactions where both have been enabled at one point or another.

I’ve seen people try to activate both (in old Issues) that didn’t realize they’re distinct features and not meant to be used together. Officially using both simultaneously is not currently supported, though some have managed to do so without perceivable problems.

So I figured I’d see what, specifically, @bial654321, means by “enabling encryption”. :)

I do believe I enabled it on Desktop only. I don’t think I was messing with settings on the server itself

Maybe I did turn it on the server as well. I am not entirely sure but I am sure now that I turned everything off and I decrypted all the files. Now they are impossible to open

This is what I see when I download one of my photos:

[image]

and most (if not all) the photos on the server look like this:

I cannot preview them at all. All the files (not just photos) changed their formats and I can’t open anything at all. I am not sure what happened. It kinda sucks

  1. How, precisely, did you “disable it” and “decrypt all your files”? That might give us some clues about where things were and where you are now.
  2. Do you have backups of your data?
  3. Do you recall when you were first setting up “encryption” if you were provided with twelve random words (mnemonics)? If so, did you retain them somewhere safe?

  1. It was an occ command “decrypt -all”. I disabled it on server and then I ran a command
  2. No
  3. I don’t remember anything like that but I do remember it was a button that I clicked in Nextcloud app for Windows. When you went to settings you could see a banner that said that the encryption has not been set up yet and I just clicked “setup” and that’s when it started breaking

Can you post your general configuration report and installed apps list?

To get this information, execute one of the following commands (or similar) from the CLI:

Config:

sudo -u www-data php occ config:list system
php occ config:list system
./occ config:list system

And similar for the apps list:

sudo -u www-data php occ app:list
php occ app:list
./occ app:list

You also may want to ask your friend if they originally set you up with server side encryption (or client side for that matter).

Config:

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "194.247.187.42",
            "laggex.pl"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "27.1.2.1",
        "overwrite.cli.url": "http:\/\/194.247.187.42",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "maintenance": false,
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "ssl",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "memories.exiftool": "\/srv\/nextcloud\/apps\/memories\/exiftool-bin\/exiftool-amd64-glibc",
        "memories.vod.path": "\/srv\/nextcloud\/apps\/memories\/exiftool-bin\/go-vod-amd64",
        "theme": "",
        "loglevel": 2
    }
}

The apps list:

Enabled:
  - activity: 2.19.0
  - admin_audit: 1.17.0
  - bruteforcesettings: 2.7.0
  - calendar: 4.5.2
  - cloud_federation_api: 1.10.0
  - cloud_py_api: 0.1.8
  - contacts: 5.4.2
  - contactsinteraction: 1.8.0
  - dashboard: 7.7.0
  - dav: 1.27.0
  - facerecognition: 0.9.31
  - federatedfilesharing: 1.17.0
  - federation: 1.17.0
  - files: 1.22.0
  - files_accesscontrol: 1.17.1
  - files_external: 1.19.0
  - files_pdfviewer: 2.8.0
  - files_reminders: 1.0.0
  - files_rightclick: 1.6.0
  - files_sharing: 1.19.0
  - files_trashbin: 1.17.0
  - files_versions: 1.20.0
  - firstrunwizard: 2.16.0
  - groupfolders: 15.3.1
  - logreader: 2.12.0
  - lookup_server_connector: 1.15.0
  - mediadc: 0.3.6
  - nextcloud_announcements: 1.16.0
  - notifications: 2.15.0
  - oauth2: 1.15.1
  - password_policy: 1.17.0
  - photos: 2.3.0
  - privacy: 1.11.0
  - provisioning_api: 1.17.0
  - recommendations: 1.6.0
  - related_resources: 1.2.0
  - serverinfo: 1.17.0
  - settings: 1.9.0
  - sharebymail: 1.17.0
  - support: 1.10.0
  - suspicious_login: 5.0.0
  - systemtags: 1.17.0
  - text: 3.8.0
  - theming: 2.2.0
  - twofactor_backupcodes: 1.16.0
  - updatenotification: 1.17.0
  - user_status: 1.7.0
  - viewer: 2.1.0
  - weather_status: 1.7.0
  - workflowengine: 2.9.0
Disabled:
  - circles: 27.0.1 (installed 27.0.1)
  - comments: 1.17.0 (installed 1.17.0)
  - encryption: 2.15.0 (installed 2.15.0)
  - survey_client: 1.15.0 (installed 1.15.0)
  - twofactor_totp: 9.0.0
  - user_ldap: 1.17.0

PS.

I do believe that the server side encryption was enabled before we did anything else but I disabled it now after everything that happened
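
A read-only triage check for the situation in this thread, added here as an example and not posted by any participant: it walks a directory and reports which files still begin with a server-side-encryption header and which begin with a recognisable plaintext signature. It assumes the default encryption module writes a text header of the form `HBEGIN:key:value:...:HEND` at the start of each encrypted file; the function names and the sample header are constructed for illustration.

```python
# Added example (not from the thread): classify files by their leading bytes.
# Assumption: Nextcloud server-side encryption prefixes each encrypted file with
# a text header "HBEGIN:key:value:...:HEND"; E2EE files carry no such header.
import os, sys

HEADER_START = b"HBEGIN:"
HEADER_END = b":HEND"
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"%PDF-": "pdf"}
# Constructed sample of an encrypted file's first bytes (header plus padding).
SAMPLE_SSE_HEAD = (b"HBEGIN:oc_encryption_module:OC_DEFAULT_MODULE:"
                   b"cipher:AES-256-CTR:signed:true:HEND" + b"-" * 16)

def parse_sse_header(head):
    """Return the header's key/value pairs, or None if no SSE header is present."""
    if not head.startswith(HEADER_START):
        return None
    end = head.find(HEADER_END)
    if end == -1:
        return None
    fields = head[len(HEADER_START):end].decode("ascii", "replace").split(":")
    return dict(zip(fields[0::2], fields[1::2]))  # fields alternate key, value

def classify(path):
    """Label one file: 'sse:<cipher>', a known plaintext type, 'empty' or 'unknown'."""
    with open(path, "rb") as fh:
        head = fh.read(8192)
    if not head:
        return "empty"
    header = parse_sse_header(head)
    if header is not None:
        return "sse:" + header.get("cipher", "?")
    for magic, name in MAGIC.items():
        if head.startswith(magic):
            return name
    return "unknown"

def scan(root):
    """Walk root and count files per label."""
    counts = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            label = classify(os.path.join(dirpath, name))
            counts[label] = counts.get(label, 0) + 1
    return counts

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for label, n in sorted(scan(root).items()):
        print(f"{n:8d}  {label}")
```

Files labelled `sse:` still carry the server-side header; files with an image extension labelled `unknown` have neither that header nor a known plaintext signature and need a different explanation.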