Issue accessing Nextcloud via webdav (?)

Hi all,

I’m looking for some help with what appears to be a webdav related issue on my new Nextcloud server.

I have a VPS hosting:

  • a Wordpress website at mywebsite.com
  • a Nextcloud server at mynextcloud.com/nc (note that Nextcloud root is hosted at a subfolder /nc although I don’t think that’s important here.)

OS: Ubuntu 16.04.5 LTS
Nextcloud version: 13.0.5.2
Server version: Apache/2.4.18
PHP version: 7.0.30
MySQL version: 5.7.23

config.php output:

<?php
$CONFIG = array (
  'instanceid' => 'xxxxxxxxxxxxxxx',
  'passwordsalt' => 'xxxxxxxxxxxxxxx',
  'secret' => 'xxxxxxxxxxxxxxxx',
  'trusted_domains' =>
  array (
    0 => 'mynextcloud.com',
  ),
  'datadirectory' => '/var/www/mynexcloud.com/nc/data',
  'overwrite.cli.url' => 'https://mynextcloud.com/nc',
  'dbtype' => 'mysql',
  'version' => '13.0.5.2',
  'dbname' => 'mydb',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'mydbuser',
  'dbpassword' => 'xxxxxxxxxxxxxx',
  'installed' => true,
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => 'localhost',
    'port' => 6379,
  ),
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'htaccess.RewriteBase' => '/nc',
  'mail_from_address' => 'ncadmin',
  'mail_smtpmode' => 'sendmail',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_domain' => 'xxxxxx.com',
);

Pretty much everything seems to be working fine except for one thing. I want my Keepass password file synced on my NC instance and my various endpoints - PC, laptop, and Android devices. On Android I access it via the app Keepass2Android (the online version). This should be a simple process.

It should work like this:

  • Open Keepass2Android on Android device
  • select Open file
  • select OwnCloud (there is no Nextcloud option but it works for both)
  • enter https://mynextcloud.com/nc
  • enter user name
  • enter password

What should happen: It should then log in and show me the files on my NC instance for that account, and I should be able to navigate to the keepass.kdbx file and open it, allowing me to keep it synchronised between my device and NC server.

On the Keepass app, it should be possible to see that the app has connected to the file via the URL (this is what is seen after connecting via a snap instance rather than my manual install):

https://mynextcloud.com/nc/remote.php/webdav/keepassfile.kdbx

What currently happens: I get this error message in the Keepass app:

Error - cannot connect to file provider service. Received unexpected response: Response{protocol=http/1.1,code=401, message=Unauthorized, url=https://mynextcloud.com/nc/remote.php/webdav}

This does not seem to be inherently a problem in Nextcloud. I have tested and confirmed this works perfectly when tested on a separate VPS instance on which the Nextcloud snap is installed. So it seems that it’s a configuration issue on my manual installation.

I have checked the apache2 logs for these access attempts

  • nothing is recorded in error.log

  • records are recorded in access.log. Below are two attempts to connect via the above described process, a few minutes apart. Each attempt results in two lines (IP address and username replaced):

xx.xxx.xxx.xx - - [07/Aug/2018:09:56:01 +0000] "PROPFIND /nc/remote.php/webdav HTTP/1.1" 401 5069 "-" "okhttp/3.9.0"
xx.xxx.xxx.xx - username [07/Aug/2018:09:56:01 +0000] "PROPFIND /nc/remote.php/webdav HTTP/1.1" 401 1598 "-" "okhttp/3.9.0"
xx.xxx.xxx.xx - - [07/Aug/2018:10:05:43 +0000] "PROPFIND /nc/remote.php/webdav HTTP/1.1" 401 5073 "-" "okhttp/3.9.0"
xx.xxx.xxx.xx - username [07/Aug/2018:10:05:44 +0000] "PROPFIND /nc/remote.php/webdav HTTP/1.1" 401 1596 "-" "okhttp/3.9.0"

On the Logging page of my NC admin account, I also see this, twice:

Warning	core	Login failed: 'username' (Remote IP: 'xx.xxx.xxx.xx')	2018-08-07T11:05:44+0100
Warning	core	Login failed: 'username' (Remote IP: 'xx.xxx.xxx.xx')	2018-08-07T10:56:02+0100

As mentioned, this process works smoothly on a NC snap instance. My assumption then is that there is a configuration I need to adjust.

Can anyone advise what I might need to change to get this working?

Many thanks!

In case it’s of use, here is my apache2.conf file contents (I removed all the lines #commented out):

Mutex file:${APACHE_LOCK_DIR} default
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf

<Directory />
        Options FollowSymLinks
        AllowOverride None
        Require all denied
</Directory>

<Directory /usr/share>
        AllowOverride None
        Require all granted
</Directory>

<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
</Directory>

AccessFileName .htaccess

<FilesMatch "^\.ht">
        Require all denied
</FilesMatch>

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

IncludeOptional conf-enabled/*.conf

IncludeOptional sites-enabled/*.conf

and here is the virtual host .conf file for the Nextcloud domain:

<VirtualHost *:80>

    ServerAdmin xxxxx@xxxx.com
    ServerName mynextcloud.com
    ServerAlias www.mynextcloud.com
    DocumentRoot /var/www/mynextcloud.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

RewriteEngine on
RewriteCond %{SERVER_NAME} =mynextcloud.com [OR]
RewriteCond %{SERVER_NAME} =mynextcloud.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

<Directory /var/www/mynextcloud.com/nc/>
  Options +FollowSymlinks
  AllowOverride All

 <IfModule mod_dav.c>
  Dav off
 </IfModule>

 SetEnv HOME /var/www/mynextcloud.com/nc
 SetEnv HTTP_HOME /var/www/mynextcloud.com/nc

</Directory>

</VirtualHost>

More information: I seem to have found what was causing the problem…and it seems to be a bit more worrying than a config error. It’s related to passwords.

After looking at a few threads, I found one where someone said they could access files via webdav if logging in as the admin user, but not as a regular user.

So I tested that, and yes, I was able to log in with the admin user using the process I described above (logging in with Keepass2Android) and it worked as expected. The password for the admin user is very long and totally random with lots of special characters.

So I thought that maybe it’s a user permission thing.

I tried adding the regular user to the admin group - didn’t work.

Tried adding the regular user to a new group - didn’t work.

Finally, I tried something different - I changed the regular user’s password to contain only letters and numbers. Tried logging in from the Android device - it worked!

With a bunch more testing, I finally realised that the issue with the regular account was fixed if I removed a £ symbol from the password of the regular user. The £ symbol caused no problems when logging in via the web, but it definitely wouldn’t log in via webdav as long as there was a £ symbol in the password.

I have set a new password without a £ character, but I thought it would be important to let people know that just because a password works in one place (web interface), doesn’t mean it will work accessing the same account from another interface. This seems unintuitive and presumably cannot be intended behaviour.
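
An added example, not part of the original post: one plausible explanation for the behaviour described above (an assumption the post does not confirm) is that the WebDAV client encodes its HTTP Basic credentials as ISO-8859-1 while the server decodes them as UTF-8, so a `£` becomes different bytes on each side. The sketch below reproduces that mismatch with constructed credentials; `basic_header`, `server_check` and `charset_sensitive` are hypothetical helper names.

```python
import base64
import hmac

def basic_header(user: str, password: str, charset: str) -> str:
    """Build the Authorization value as a client using `charset` would."""
    raw = f"{user}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")

def server_check(header: str, user: str, password: str,
                 charset: str = "utf-8") -> bool:
    """Decode a Basic header with the server's charset and compare credentials."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode(charset)
    except (ValueError, UnicodeDecodeError):
        return False  # a lone 0xA3 byte (Latin-1 '£') is not valid UTF-8
    got_user, sep, got_pass = decoded.partition(":")
    if not sep:
        return False
    # Constant-time comparison of both fields.
    user_ok = hmac.compare_digest(got_user.encode("utf-8"), user.encode("utf-8"))
    pass_ok = hmac.compare_digest(got_pass.encode("utf-8"), password.encode("utf-8"))
    return user_ok and pass_ok

def charset_sensitive(password: str) -> bool:
    """True if the password's bytes differ between ISO-8859-1 and UTF-8."""
    try:
        return password.encode("iso-8859-1") != password.encode("utf-8")
    except UnicodeEncodeError:
        return True  # not representable in ISO-8859-1 at all

# Constructed sample credentials (not taken from the post).
USER = "username"
PW_POUND = "Tr1cky£pass"
PW_ASCII = "Tr1ckyPass"

if __name__ == "__main__":
    for pw in (PW_POUND, PW_ASCII):
        for cs in ("utf-8", "iso-8859-1"):
            hdr = basic_header(USER, pw, cs)
            ok = server_check(hdr, USER, pw)
            print(f"{pw!r:15} client={cs:11} accepted={ok}")
```

A web login form submits the password in the page's own encoding, which is why the same password can pass there and fail over Basic auth; `charset_sensitive` can be used to flag such passwords when users report client-specific 401s.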