Federated shares work only one way

I am trying to establish a share between two trusted servers. Server A and Server B.
In the backend both servers are marked green.

When I create a share on Server B to Server A it works flawlessly, but from Server A to Server B it does not. It does show the share on Server B, but the size is marked pending and it does not show any content.

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • 32.0.3 on both servers
  • Operating system and version (e.g., Ubuntu 24.04):
    • Debian 12 on Server A
    • Debian 13 on Server B
  • Web server and version (e.g., Apache 2.4.25):
    • Server A Apache 2.4.25
    • Server B Apache 2.4.53
  • Reverse proxy and version (e.g., nginx 1.27.2):
    • Server A HAProxy 3
  • PHP version (e.g., 8.3):
    • Server A PHP 8.3.28
    • Server B PHP 8.4.11
  • Is this the first time you’ve seen this error? (Yes / No):
    • yes
  • When did this problem seem to first start?
    • replace me
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
    • Server A Proxmox
    • Server B Bare Metal
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
    • Server B mod_security

Summary of the issue you are facing:

As stated above, I can create a share but can’t access its content, despite the share name being shown in Files.
I did run cron.php manually, and synced the DAV address book and the federation address book without error on both servers.

I have tested WebDAV access to both servers without error, and there is no error in the log files apart from a few deprecation warnings when occ logging is turned to debug.

The only thing that is strange is that in the table oc_share the column file_target is set to NULL, item_source contains the correct fileid tho.

In HAProxy I also noticed that Server B is requesting /ocm-provider, /.well-known/ocm and /ocm, but the folders that exist are ocs and ocs-provider.

Nextcloud Log

"method":"POST","url":"/index.php/ocm/shares","message":"error while sending notification for federated share: Client error: POST https://serverA.com/cloud/ocm/notifications resulted in a 400 Bad request response:\n{"message":"Invalid signature"

There is also something wrong with this request.
Note the strange URL:

{
  "reqId": "pntvwIdVvp0Iy6rI4j2R",
  "level": 2,
  "time": "2025-12-19T08:17:03+00:00",
  "remoteAddr": "serverB Address",
  "user": "--",
  "app": "cloud_federation_api",
  "method": "POST",
  "url": "/cloud/index.phpications",
  "message": "wrongly signed request",
  "userAgent": "Nextcloud Server Crawler",
  "version": "32.0.3.2",
  "exception": {
    "Exception": "NCU\\Security\\Signature\\Exceptions\\InvalidSignatureException",
    "Message": "signature issue",
    "Code": 0,
    "Trace": [
      {
        "file": "/srv/www/cloud/lib/private/Security/Signature/SignatureManager.php",
        "line": 157,
        "function": "verify",
        "class": "OC\\Security\\Signature\\Model\\IncomingSignedRequest",
        "type": "->"
      },
      {
        "file": "/srv/www/cloud/lib/private/Security/Signature/SignatureManager.php",
        "line": 108,
        "function": "confirmIncomingRequestSignature",
        "class": "OC\\Security\\Signature\\SignatureManager",
        "type": "->"
      },
      {
        "file": "/srv/www/cloud/apps/cloud_federation_api/lib/Controller/RequestHandlerController.php",
        "line": 456,
        "function": "getIncomingSignedRequest",
        "class": "OC\\Security\\Signature\\SignatureManager",
        "type": "->"
      },
      {
        "file": "/srv/www/cloud/apps/cloud_federation_api/lib/Controller/RequestHandlerController.php",
        "line": 372,
        "function": "getSignedRequest",
        "class": "OCA\\CloudFederationAPI\\Controller\\RequestHandlerController",
        "type": "->"
      },
      {
        "file": "/srv/www/cloud/lib/private/AppFramework/Http/Dispatcher.php",
        "line": 204,
        "function": "receiveNotification",
        "class": "OCA\\CloudFederationAPI\\Controller\\RequestHandlerController",
        "type": "->"
      },
      {
        "file": "/srv/www/cloud/lib/private/AppFramework/Http/Dispatcher.php",
        "line": 118,
        "function": "executeController",
        "class": "OC\\AppFramework\\Http\\Dispatcher",
        "type": "->"
      },
      {
        "file": "/srv/www/cloud/lib/private/AppFramework/App.php",
        "line": 153,
        "function": "dispatch",
        "class": "OC\\AppFramework\\Http\\Dispatcher",
        "type": "->"
      },
      {
        "file": "/srv/www/cloud/lib/private/Route/Router.php",
        "line": 321,
        "function": "main",
        "class": "OC\\AppFramework\\App",
        "type": "::"
      },
      {
        "file": "/srv/www/cloud/lib/base.php",
        "line": 1061,
        "function": "match",
        "class": "OC\\Route\\Router",
        "type": "->"
      },
      {
        "file": "/srv/www/cloud/index.php",
        "line": 27,
        "function": "handleRequest",
        "class": "OC",
        "type": "::"
      }
    ],
    "File": "/srv/www/cloud/lib/private/Security/Signature/Model/IncomingSignedRequest.php",
    "Line": 255,
    "message": "wrongly signed request",
    "exception": {},
    "CustomMessage": "wrongly signed request"
  }
}

Hello @vst,

welcome to the Nextcloud community! :handshake:

Do I understand you right: you are talking about two different shares, e.g. shareA on server A and shareB on server B, and you can access shareA from both servers but you can’t access shareB from server A?

Thanks for your reply. Let me try to clarify.

Server A - Folder → Shared with fed. user from Server B - is not working
Server B - Folder → Shared with fed. user from Server A - is working

Currently I narrow it down to my HAProxy mangling the requests for .well-known, e.g. host-meta.
But still no success.

I modified my HAProxy conf to forward .well-known requests and they appear to work now.

Still no luck with the share.

You are in the best position to find the root cause:

  • start looking at the config
    • for both servers compare application config and
    • reverse proxy config
  • create a share on both sides
  • compare the logs from both sides
    • when you create the share
    • when you access the share
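
One way to do the log comparison suggested above, as an added example (not code from this thread or from Nextcloud): it pulls the signature-related entries out of each server's nextcloud.log and merges them into one timeline. The sample lines are constructed from the entries quoted in this thread, the function names are made up for this sketch, and timestamps are assumed to use the same UTC offset on both servers.

```python
import json

# Constructed sample lines modelled on the entries quoted in this thread.
# In practice, read each server's nextcloud.log (one JSON object per line).
SERVER_A_LOG = r"""
{"reqId":"pntvwIdVvp0Iy6rI4j2R","level":2,"time":"2025-12-19T08:17:03+00:00","app":"cloud_federation_api","method":"POST","url":"/cloud/index.phpications","message":"wrongly signed request","exception":{"Exception":"NCU\\Security\\Signature\\Exceptions\\InvalidSignatureException","Message":"signature issue"}}
{"reqId":"constructed-2","level":1,"time":"2025-12-19T08:17:05+00:00","app":"core","method":"GET","url":"/cloud/status.php","message":"constructed unrelated entry"}
constructed truncated line, not JSON
"""
SERVER_B_LOG = r"""
{"reqId":"constructed-1","level":3,"time":"2025-12-19T08:17:04+00:00","method":"POST","url":"/index.php/ocm/shares","message":"error while sending notification for federated share: Client error: POST https://serverA.com/cloud/ocm/notifications resulted in a 400 Bad request response:\n{\"message\":\"Invalid signature\""}
"""

KEYWORDS = ("signature", "signed")


def signature_events(log_text, server):
    """Return the signature-related entries of one server's log."""
    events = []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or non-JSON line
        if not isinstance(entry, dict):
            continue
        exc = entry.get("exception")
        exc_class = exc.get("Exception", "") if isinstance(exc, dict) else ""
        text = f"{entry.get('message', '')} {exc_class}".lower()
        if any(k in text for k in KEYWORDS):
            events.append({
                "server": server,
                "time": entry.get("time", ""),
                "reqId": entry.get("reqId", ""),
                "request": f"{entry.get('method', '')} {entry.get('url', '')}",
                "exception": exc_class,
                # keep only the first line of multi-line messages
                "message": (str(entry.get("message", "")).splitlines() or [""])[0],
            })
    return events


def merged_timeline(*event_lists):
    """Interleave both servers' events by timestamp for side-by-side reading."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e["time"])


if __name__ == "__main__":
    for e in merged_timeline(signature_events(SERVER_A_LOG, "A"),
                             signature_events(SERVER_B_LOG, "B")):
        print(e["time"], e["server"], e["request"], "|", e["message"], "|", e["exception"])
```

Reading the sender's failed POST next to the receiver's rejection shows which URL each side logged for the same exchange.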

New year, new luck but not yet.

What I noticed: when I create a share, one of the log entries reads “signature could not be verified” and the next “wrongly signed request”.
Despite auto accept being enabled, the share stays at accepted = 0 in table oc_share.

I further try to debug