The Basics
- Nextcloud Server version :
31.0.7
- Operating system and version :
Debian GNU/Linux 12 (bookworm) aarch64Kernel: 6.12.34+rpt-rpi-v8
- Web server and version :
Apache 2.4.62-1~deb12u2 arm64
- Reverse proxy and version
not quite sure
- PHP version :
8.2.29
- Is this the first time you’ve seen this error?
It is my first install of Nextcloud, dated from 3 days ago.
- When did this problem seem to first start?
Moved the server software from /var/www/html/nextcloud/ to /var/www/mydomain.com/to configure the vhost and SSL`
- Installation method
Archive
- Are you using CloudfIare, mod_security, or similar?
Not that I know
Summary of the issue:
I moved the server files because I didn’t like going to mydomain.com/nextcloud, and I wanted to go to nextcloud.mydomain.com, especially to configure a dumb iPhone Dav access…
After fixing the data folder path in config/config.php, and fixing the warnings from the Administration > Overview tab, I checked the log errors. And here is HMAC does not match which I can’t get rid of.
I also have severe slow downs and frequent crashes, especially when trying to use password apps, might be related.
Steps to replicate it (hint: details matter!):
- Install nextcloud to a folder.
- Move the whole install to another folder.
Log entries
{
"reqId":"6uhn13ark2Iu7L2ZxlQs",
"level":3,
"time":"2025-08-07T17:51:58+00:00",
"remoteAddr":"40.87.147.198",
"user":"--",
"app":"no app in context",
"method":"GET",
"url":"/.well-known/zaza.php",
"message":"Could not decrypt or decode encrypted session data",
"userAgent":"--",
"version":"31.0.7.1",
"exception": {
"Exception":"Exception",
"Message":"HMAC does not match.",
"Code":0,
"Trace": [{
"file":"/var/www/mydomain.com/lib/private/Security/Crypto.php",
"line":98,
"function":"decryptWithoutSecret",
"class":"OC\\Security\\Crypto",
"type":"->",
"args": ["*** sensitive parameters replaced ***"]
},{
"file":"/var/www/mydomain.com/lib/private/Session/CryptoSessionData.php",
"line":70,
"function":"decrypt",
"class":"OC\\Security\\Crypto",
"type":"->",
"args":["*** sensitive parameters replaced ***"]
},{
"file":"/var/www/mydomain.com/lib/private/Session/CryptoSessionData.php",
"line":47,
"function":"initializeSession",
"class":"OC\\Session\\CryptoSessionData",
"type":"->"
},{
"file":"/var/www/mydomain.com/lib/private/Session/CryptoWrapper.php",
"line":94,
"function":"__construct",
"class":"OC\\Session\\CryptoSessionData",
"type":"->"
},{
"file":"/var/www/mydomain.com/lib/base.php",
"line":415,
"function":"wrapSession",
"class":"OC\\Session\\CryptoWrapper",
"type":"->"
},{
"file":"/var/www/mydomain.com/lib/base.php",
"line":687,
"function":"initSession",
"class":"OC",
"type":"::"
},{
"file":"/var/www/mydomain.com/lib/base.php",
"line":1171,
"function":"init",
"class":"OC",
"type":"::"
},{
"file":"/var/www/mydomain.com/index.php",
"line":22,
"args":["/var/www/mydomain.com/lib/base.php"],
"function":"require_once"
}],
"File":"/var/www/mydomain.com/lib/private/Security/Crypto.php",
"Line":162,
"message":"Could not decrypt or decode encrypted session data",
"exception":{},
"CustomMessage":"Could not decrypt or decode encrypted session data"
}
}
Web server / Reverse Proxy
There is no PHP or Apache error, not even a log, at the time of the issue.
Configuration
Nextcloud
{
"system": {
"instanceid": "***REMOVED SENSITIVE VALUE***",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
##I guess one of the three above is the problem, being hashed from the path somewhere.
"trusted_domains": [
"***REMOVED IP***",
"***mydomain.com***"
],
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"dbtype": "mysql",
"version": "31.0.7.1",
"overwrite.cli.url": "https:\/\/mydomain.com\/nextcloud", ##Huh, didn't notice this mistake.
##I don't know yet how to cause the error to happen at a given time, so I don't know if this is the error.
##Fixed the mistake though.
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"mysql.utf8mb4": true,
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"forbidden_filename_basenames": [
"con",
"prn",
"aux",
"nul",
"com0",
"com1",
"com2",
"com3",
"com4",
"com5",
"com6",
"com7",
"com8",
"com9",
"com\u00b9",
"com\u00b2",
"com\u00b3",
"lpt0",
"lpt1",
"lpt2",
"lpt3",
"lpt4",
"lpt5",
"lpt6",
"lpt7",
"lpt8",
"lpt9",
"lpt\u00b9",
"lpt\u00b2",
"lpt\u00b3"
],
"forbidden_filename_characters": [
"<",
">",
":",
"\"",
"|",
"?",
"*",
"\\",
"\/"
],
"forbidden_filename_extensions": [
" ",
".",
".filepart",
".part"
],
"enable_previews": true,
"preview_max_x": "256",
"preview_max_y": "256",
"preview_max_scale_factor": 3,
"jpeg_quality": "60",
"maintenance_window_start": "0",
"maintenance": false,
"default_phone_region": "***REMOVED SENSITIVE VALUE***",
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_smtpmode": "smtp",
"mail_sendmailmode": "smtp",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"mail_smtpport": "465",
"mail_smtpsecure": "ssl",
"mail_smtpauth": true,
"mail_smtpname": "***REMOVED SENSITIVE VALUE***",
"mail_smtppassword": "***REMOVED SENSITIVE VALUE***"
}
}
Apps
Enabled:
- activity: 4.0.0
- app_api: 5.0.2
- bruteforcesettings: 4.0.0
- calendar: 5.3.8
- circles: 31.0.0
- cloud_federation_api: 1.14.0
- comments: 1.21.0
- contacts: 7.2.4
- contactsinteraction: 1.12.0
- dashboard: 7.11.0
- dav: 1.33.0
- federatedfilesharing: 1.21.0
- federation: 1.21.0
- files: 2.3.1
- files_antivirus: 6.0.3
- files_downloadlimit: 4.0.0
- files_pdfviewer: 4.0.0
- files_reminders: 1.4.0
- files_sharing: 1.23.1
- files_trashbin: 1.21.0
- files_versions: 1.24.0
- firstrunwizard: 4.0.0
- google_synchronization: 3.2.0
- integration_google: 4.1.0
- logreader: 4.0.0
- lookup_server_connector: 1.19.0
- mail: 5.1.10
- nextcloud_announcements: 3.0.0
- notifications: 4.0.0
- oauth2: 1.19.1
- password_policy: 3.0.0
- passwords: 2025.7.10
- photos: 4.0.0
- previewgenerator: 5.9.0
- privacy: 3.0.0
- profile: 1.0.0
- provisioning_api: 1.21.0
- recommendations: 4.0.0
- related_resources: 2.0.0
- richdocuments: 8.7.3
- richdocumentscode_arm64: 25.4.202
- serverinfo: 3.0.0
- settings: 1.14.0
- sharebymail: 1.21.0
- support: 3.0.0
- survey_client: 3.0.0
- systemtags: 1.21.1
- text: 5.0.0
- theming: 2.6.1
- twofactor_admin: 4.8.0
- twofactor_backupcodes: 1.20.0
- twofactor_totp: 13.0.0-dev.0
- updatenotification: 1.21.0
- user_status: 1.11.0
- viewer: 4.0.0
- weather_status: 1.11.0
- webhook_listeners: 1.2.0
- workflowengine: 2.13.0
Disabled:
- admin_audit: 1.21.0
- encryption: 2.19.0
- files_external: 1.23.0
- suspicious_login: 9.0.1
- twofactor_nextcloud_notification: 5.0.0
- user_ldap: 1.22.0
Nota:
I will follow this issue for a few days.
If I can fix it in that time I’ll add the whole fix here.
If not, I will reinstall the whole thing.
I am reinstalling the whole thing. Trying to ignore the problem just broke everything, I’m now getting internal server error even when restarting apache.