Invalid hash .htaccess

I run NC (v21.0.5) on Debian 10 with Apache 2.4.38 and PHP 7.3.29.
Until yesterday the integrity checks showed no errors, everything was OK.
Today the integrity check tells me that there is an invalid hash for file .htaccess.
Very interesting and astonishing because i do NOT have an .htaccess file.

Error message at the end of this post.

Some suggestions for NC integrity check:

  1. According to NC official documents integrity checks are not mandatory. OK.
  2. But in case of integrity errors they prevent updates / upgrades. Is this benefivial for NC users?.
  3. The integrity checks should be resilient, e.g. NO .htaccess file no hash check for it, hence no wrong error message (see above).
  4. NC users should have the opportunity to choose which integrity check (among many) be deployed. Please note that NC users know what they need. Hence, no prescription whatsoever is useful.

Why do I NOT use a .htaccess file?
I integrated the whole contents of the official .htaccess file into the /etc/apache2/apache2.conf.
By doing so I avoid that the contents of .htaccess be deployed every time NC is accessed.
It means I have a performance gain with my web server.

Error message:
Technical information

The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.

Results

  • core
    • INVALID_HASH
      • .htaccess

Raw output

Array
(
[core] => Array
(
[INVALID_HASH] => Array
(
[.htaccess] => Array
(
[expected] => 1b7e58df33e22722670a77dd1f19eb863f277d5ac79d33d5f5d6e8b7a5977223cb78ba58132f991248b13d13eac744649c2d8a72cf5ec711643cf8c7aec5c456
[current] => cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
)
)
)
)

I think Nextcloud expects an .htaccess with a content not emty.
The system does not find a .htaccess and the sha512sum is an emty value (no file).

echo -n "" |sha512sum
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e  -
1 Like

Hi @DieterH

There is no need to delete the .htaccess file. Just add AllowOverride none to your Apache config / Nextcloud VirtualHost (if you know what you’re doing) then Apache will ignore the .htaccess file.

Hi devnull,

The standard installation of NC uses a .htaccess file. But it does NOT expect it. In my post I outlined the reasons for incorporating the contents of .htaccess into the main apache configuration file.

If the integrity check does not find a .htaccess file it should accept this fact and telling fake news. Chcking “nothing” cannot / should not create a checksum. But this is a phiosophical question.

Hi bb77,

From the wording “AllowOverride None” I conclude that NOBODY is allowed to change the contents of .htaccess. Nevertheless the official Apache2 documentation (v2.4) says somewhere (“hidden”) that Apache ignores the .htaccess file. However, the term should be renamed to “IgnoreHtaccess” (or something similar.

Nevertheless the problem still exists. Though my NC website is working (can be accessed), it can’t be upgraded because of this error (“false positive”) and as many other NC users I wasted a lot of time in the context of NC.

What is there to “accept”? You are free to rewrite nextcloud in any way that you see fit, including to leave out the check on that file if the error annoys you too much. Its not “fake news” for you to delete a file that is expected, that’s reality. You can see the expected hashes in core/signature.json if you like.

Now as for a blank string yielding a hash, that is NOT a philosophical question. In fact, it would be a pretty obvious failure if it didn’t yield a hash because it would make the contents of that empty string obvious. An empty string is as valid of a string as any other string.

I am not a 100% sure if this will work. But I would try to create an empty .htaccess and then execute sudo -u www-data php occ maintenance:update:htaccess. If that doesn’t work, you could try the original .htaccess file from GitHub.

Hi bb77,

I followed your suggestion. The result is a .htaccess file with two lines (except comments):
ErrorDocument 403 /nextcloud/
ErrorDocument 404 /nextcloud/

The integrity check still complains about .invalid hash of htaccess file. The solution would be that the integrity check accepts the fact that a NC administrator does not want a .htaccess file.

Sorry I don’t know how to solve this. Maybe you could upgrade from the CLI using the CLI updater or do a manual upgrade…

Yeah but that’s not gonna happen today or tomorrow :wink: You could open an issue at GitHub, if you want the developers to be aware of it. You could also use nginx instead of Apache, which ignores .htaccess files by default. But this would most likely not solve the current problem you are facing either.

Hi Larry,

is it really a future-proof solution that a user changes the NC code? How to manage all the forks? I’m a NC administrator / user and not a developer.
Is it really so difficult for a developer to insert a piece of code that accepts a missing .htaccess file and does not complain about such a fact? As already outlined in my first post I incorporated the contents of the original contents of .htaccess file into the main apache configuration file for performance reasons. Do you really want to tell me that this was a bad decision?

To be clear: I do appreciate all integrity checks which point me to real problems and thus help me to improve my configuration and to have a clean installation. I welcome even more integrity checks in NC but they should make sense.

Besides NC I always check my website with ssllabs.com and accept any recommendations from them to ensure to have always a “A+” grade.

I’m not Larry… But no it’s not imho. and you already answered your question yourself. If you don’t want to manage the code you change yourself, you have no choice but to use the product as it is intended. The solution in your case is quite simple. Use Apache with AllowOverride none or nginx and just leave the .htaccess files alone. The error that you have now can be seen as a learning experience. Discussions of principle won’t help you solve your problem with the non-functioning upgrade at the moment.

My suggestions are:

  • Try the CLI Updater
  • If that doesn’t work, try disabling the integrity check.
  • If that doesn’t work either, try a manual upgrade

…and do backups before you try any of that!

Or maybe someone else here has another " productive" idea how to solve this…

According to you, the answer is yes. After all, YOU chose to move the contents from the .htaccess into the apache config. So what happens when the next version of NC changes something in the .htaccess file? It means that you will have a broken install and have to figure that out and fix it yourself.

Maybe there is a better way to handle this issue for you; can you disable htaccess, leave the htaccess file in place, and include the actual .htaccess file into the apache config? I.e. Include /path/to/ncroot/.htaccess

The bottom line is that when YOU make a choice to change something from what is being provided to you, then the consequences of doing so are on you and nobody else.

Larry,

thank you very much for your post. I mentioned in my first post that there is a problem in the integrity check when either the .htaccess is missing or when it has been modified (e.g. by me). Leave it up to the NC administrators if they want a .htaccess file or not. They (not you) know what is best for their websites. And they are responsible for the integrity of their websites.

When a new NC version is available (with or without a modified content of .htaccess) it is MY job to integrate its contents into my main apache configuration file. Did I request that you or a NC developer should do it? Again: I will do it.

What is your problem? I don’t understand your argumentation at all. A small piece of code (provided by a skilled NC developer) which covers the fact „.htaccess is missing“ (without complaining?

As mentioned in my previous post: I do appreciate and welcome all NC integrity checks. But they should not impose problems (as it was the case with the last one).

You just proved my point.
Either do it your own way, in which case the burden is on YOU…
Or do it the standard way, in which case you do nothing special.

YOUR CHOICE.

While I partially agree with you, that it would be nice to be able to selectively skip individual integrity checks, I don’t really understand why you absolutely have to delete these files. Just make your web server ignore them and you’ll be fine. Or you could move them away and then move them back before you start an upgrade.

Anyway… GitHub would be the right place to submit your feature request. However, I doubt that this will have high priority, unless you come up with better reasons for it, than the missing .htaccess files. But I could be wrong…