Everything works but every few weeks I need to grant access via web for some users or renew appkeys for others

Support intro

Sorry to hear you’re facing problems. :slightly_frowning_face:

The community help forum (help.nextcloud.com) is for home and non-enterprise users. Support is provided by other community members on a best effort / “as available” basis. All of those responding are volunteering their time to help you.

If you’re using Nextcloud in a business/critical setting, paid and SLA-based support services can be accessed via portal.nextcloud.com where Nextcloud engineers can help ensure your business keeps running smoothly.

Getting help

In order to help you as efficiently (and quickly!) as possible, please fill in as much of the below requested information as you can.

Before clicking submit: Please check if your query is already addressed via the following resources:

(Utilizing these existing resources is typically faster. It also helps reduce the load on our generous volunteers while elevating the signal to noise ratio of the forums otherwise arising from the same queries being posted repeatedly).

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can. :heart:

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • all versions including 32
  • Operating system and version (e.g., Ubuntu 24.04):
    • ubuntu 24.04
  • Web server and version (e.g, Apache 2.4.25):
    • replace apache
  • Reverse proxy and version (e.g. nginx 1.27.2):
    • yes apache
  • PHP version (e.g, 8.3):
    • 8.3
  • Is this the first time you’ve seen this error? (Yes / No):
    • been slowly getting worse
  • When did this problem seem to first start?
    • years
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
    • bare
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
    • no
  • Summary of the issue you are facing:

Every few weeks all the users’ logins fail and a web user needs to grant access again and appkeys need to be regenerated. This seems to be getting more frequent.

Steps to replicate it (hint: details matter!):slight_smile:

Can’t replicate it, it just happens. I go see a 404 for the login URL in Apache, which if I have read right means keys expired. I’ve flushed the relevant caches passwords

Log entries

Nextcloud

Please provide the log entries from your Nextcloud log that are generated during the time of problem (via the Copy raw option from Administration settings->Logging screen or from your nextcloud.log located in your data directory). Feel free to use a pastebin/gist service if necessary.

PASTE HERE

Web Browser

If the problem is related to the Web interface, open your browser inspector Console and Network tabs while refreshing (reloading) and reproducing the problem. Provide any relevant output/errors here that appear.

PASTE

Web server / Reverse Proxy

The output of your Apache/nginx/system log in /var/log/____:

"POST /index.php/login/v2/poll HTTP/1.1" 404 4108 "-" "Mozilla/5.0 (Windows) mirall/4.0.5 

Configuration

Nextcloud

The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):

<IfModule mod_ssl.c>
<VirtualHost xxx.xxx.xxx.xxx:443>
  DocumentRoot /path/nextcloud/
  ServerName  url
  ErrorLog ${APACHE_LOG_DIR}/HTTPSerror/url.error.log
  CustomLog ${APACHE_LOG_DIR}/HTTPSaccess/url.access.log combined
  <Directory /path/nextcloud/>
    LimitRequestBody 0
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews

    <IfModule mod_dav.c>
      Dav off
    </IfModule>
         SetEnv HOME /path/nextcloud
        SetEnv HTTP_HOME /path/nextcloud
        Satisfy Any
  </Directory>
        Header set X-Content-Type-Options: nosniff
        Header set X-XSS-Protection: 1
        Header set X-Robots-Tag: none
        Header always unset X-Frame-Options
        Header set X-Frame-Options "SAMEORIGIN"
        Header unset ETag
        FileETag None
        Header always set X-Content-Type-Options nosniff
        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
SSLCertificateFile /etc/letsencrypt/live/url/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/url/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>






$CONFIG = array (
  'debug' => false,
  'instanceid' => 'id',
  'passwordsalt' => 'password',
  'secret' => 'secret',
  'trusted_domains' =>
  array (
    0 => 'xxx.xxx.xxx.xxx',
    1 => 'url',
  ),
  'overwrite.cli.url' => 'http://url',
  'overwriteprotocol' => 'https',
  'datadirectory' => '/path/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '32.0.6.1',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'username',
  'dbpassword' => 'password',
  'installed' => true,
  'default_phone_region' => 'GB',
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
  'updater.release.channel' => 'stable',
  'twofactor_enforced' => 'false',
  'twofactor_enforced_groups' =>
  array (
  ),
  'twofactor_enforced_excluded_groups' =>
  array (
  ),
  'maintenance_window_start' => 1,
);


Apps

The output of occ app:list (if possible).

Tips for increasing the likelihood of a response

  • Use the preformatted text formatting option in the editor for all log entries and configuration output.
  • If screenshots are useful, feel free to include them.
    • If possible, also include key error output in text form so it can be searched for.
  • Try to edit log output only minimally (if at all) so that it can be ran through analyzers / formatters by those trying to help you.

Has no one seen this before??? Did I miss any details?

Is this for regular user passwords? Or just app passwords?

My app passwords do not expire, not sure if there is a way to make them expire, but you haven’t voluntarily turned it on?
There is, I think, a routine to remove app passwords if they haven’t been used for a long time (range of months).

From your config, there is no caching used at all. This puts a significantly higher load on the database. I don’t really see how this invalidates passwords. Or it just fails when there is a large load and you saturate the database? But timeouts or connection limits should show in the logs.

It’s both, password and app passwords. The app passwords are used regularly every 20 mins from a nextcloudcmd sync I use for backups. I’ve reduced the cron.php from every 5 mins to every 15 as a guess. The system is never under heavy load as it’s just used by a few people.

Bruteforce protection?

set to allow the devices on the internal network to bypass brute force protection, and things like the app passwords are only ever accessed internally

by any chance are there entries in the NC-log that would hint into that direction?
any setup-messages left to solve?

yeah, this one doesn’t look like apache randomly breaking.

/index.php/login/v2/poll returning 404 is usually “login-flow token expired/not found”, not cert keys dying.

i’d check this in order:

  • did secret in config.php ever change? (if yes, old app passwords/tokens can break)

  • check token retention:

    • php occ config:system:get token_auth_token_retention

    • php occ config:system:get token_auth_wipe_token_retention

  • compare tokens before/after an incident:

    • php occ user:auth-tokens:list --output=json_pretty
  • check nextcloud.log at failure time for token invalidation/cleanup lines

also two quick things:

  • your user-agent shows mirall/4.0.5 (very old desktop client) → update clients

  • set overwrite.cli.url to https://… (yours is http://…)

if you post raw nextcloud.log lines from first failure window, this should be diagnosable fast.
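
The before/after token comparison suggested in the reply above, as an added example that is not part of the original thread and is not Nextcloud's own code. It assumes two JSON token-list snapshots were saved (one before and one after an incident) and that each entry carries `id`, `name` and `lastActivity` (unix seconds); the snapshots, timestamps and retention value below are constructed, and the verdict labels are hypothetical.

```python
import json

# Constructed sample snapshots (not from the thread). Field names id, name and
# lastActivity are assumed to match the occ JSON output; adjust if yours differ.
BEFORE = json.dumps([
    {"id": 11, "name": "nextcloudcmd backup", "lastActivity": 1699999000},
    {"id": 12, "name": "Desktop client", "lastActivity": 1699990000},
    {"id": 13, "name": "old phone", "lastActivity": 1690000000},
])
AFTER = json.dumps([
    {"id": 12, "name": "Desktop client", "lastActivity": 1700000500},
    {"id": 20, "name": "nextcloudcmd backup", "lastActivity": 1700000900},
])
AFTER_TIME = 1700001000      # constructed: unix time the second snapshot was taken
RETENTION = 5184000          # constructed: value read from token_auth_token_retention


def index_by_id(snapshot_json):
    """Parse one snapshot and index its tokens by numeric id."""
    return {tok["id"]: tok for tok in json.loads(snapshot_json)}


def compare_snapshots(before_json, after_json, after_time, retention_seconds):
    """Report tokens that vanished and whether idle time can account for it."""
    before, after = index_by_id(before_json), index_by_id(after_json)
    cutoff = after_time - retention_seconds
    removed = []
    for tid in sorted(before.keys() - after.keys()):
        tok = before[tid]
        # A token last used before the cutoff is old enough for retention
        # cleanup to have removed it; a recently used one is not.
        stale = tok["lastActivity"] < cutoff
        removed.append({
            "id": tid,
            "name": tok["name"],
            "idle_seconds": after_time - tok["lastActivity"],
            "verdict": "retention-plausible" if stale else "not-explained-by-retention",
        })
    added = sorted(after.keys() - before.keys())
    return {"removed": removed, "added": added}


if __name__ == "__main__":
    print(json.dumps(compare_snapshots(BEFORE, AFTER, AFTER_TIME, RETENTION), indent=2))
```

A token flagged `not-explained-by-retention` was in recent use when it disappeared, so retention cleanup is ruled out and the `secret` change and nextcloud.log checks from the list above become the next place to look. `idle_seconds` is an upper bound, because the token may have been used again after the first snapshot was taken.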