NC and Redis >6 - "Redis Exception. Wrongpass invalid Username-password"

I am trying to install a new Nextcloud Server (27.1.3) and have found several guides (in English and German), e.g. [1] and [2]. I am facing the problem of continuous error messages in the Nextcloud log:
“Redis Exception. Wrongpass invalid Username-password” from the apps “Core” and “WebDav”, resulting e.g. in an inability to delete files.

The reason seems to be the new security feature in Redis, starting with version 6, using ACLs for authentication. The “old way” using the “requirepass”-directive to set a password is mentioned as still valid for backwards-compatibility [3].

That is not the case in my setup, as I have the above-mentioned errors.

Scenarios I tried:

  1. Using the default settings in the nextcloud-config (‘host’ => ‘/var/run/redis/redis-server.sock’, ‘port’ => 6379, ‘password’ => ‘my_password’,) with the corresponding settings in the redis-config file

  2. using the default settings in the nextcloud-config, but adding the user/password definitions as listed in “/nextcloud/config/config.sample.php” line 1449 and 1450 (‘host’ => ‘/var/run/redis/redis-server.sock’, ‘port’ => 6379, ‘user’ => ‘default’, ‘password’ => ‘my_password’,)

  3. switched to unix domain sockets as mentioned in several guides and adapted the redis.config as well as the Nextcloud-config accordingly, e.g. (‘host’ => ‘/var/run/redis/redis-server.sock’, ‘port’ => 0, ‘user’ => ‘default’, ‘password’ => ‘my_password’,)

  4. additionally tried creating a user in redis via “redis-cli” with the name “default” and “my_password” and checked the credentials by logging into redis-cli with the username/password. It worked in redis-cli but still produces errors within Nextcloud.

Does anyone have a similar problem with a new installation and suggestions what to try next?

–

[1] “Example installation on Ubuntu 22.04.03 LTS with Apache2, APCu, redis and mariadb behind a NGINX proxy, no Docker, no Snap”

[2] “Nextcloud auf Ubuntu Server 22.04 LTS mit nginx, PostgreSQL/MariaDB, PHP, Let’s Encrypt, Redis und Fail2ban”

[3] “ACL Redis Access Control List”

I use Redis server v=7.2.3 and have no problems at all!

Why do you use password authentication? Is your redis-server not on the same box as your nextcloud, on a different server with its port 6379 exposed to the internet?

If your redis-server runs on the same box as your nextcloud, you should use unixsocket with port 0.
If port 0 is specified, redis will not listen on a TCP socket, so it will not be exposed to any network. In that case you only have to add your webserver user to the redis group and your nextcloud can connect without any password authentication at all.

This is a configuration that works for all of my servers:

/etc/redis/redis.conf

bind 127.0.0.1 ::1
protected-mode no
port 0
unixsocket /run/redis/redis-server.sock
unixsocketperm 770
timeout 0
daemonize yes
pidfile /run/redis/redis-server.pid

config/config.php

 'memcache.local' => '\\OC\\Memcache\\Redis',
 'memcache.distributed' => '\\OC\\Memcache\\Redis',
 'filelocking.enabled' => true,
 'memcache.locking' => '\\OC\\Memcache\\Redis',
 'redis' => 
 array (
   'host' => '/run/redis/redis-server.sock',
   'port' => 0,
   'timeout' => 0,
 ),

I hope this helps!

Much luck,
ernolf

Hello ernolf,

thank you for your suggestions, unfortunately they didn’t help.

Some things to note:

  1. the path to redis-server.sock and .pid is “/var/run/redis/”,
    which is a symlink to “/run/redis/”. Maybe because of my distribution (Ubuntu 22.04 LTS)

  2. The line " ‘memcache.distributed’ => ‘\OC\Memcache\Redis’," creates a Server error and produces the log-entry “ERR AUTH called without any password configured for the default user. Are you sure your configuration is correct?”
    So I had to omit that.

Other than these two issues I replicated your settings but still have the issue of not being able to delete files. Trying that produces the same error as in #2 “ERR AUTH called without any password configured for the default user. Are you sure your configuration is correct?”, but doesn’t create a Server error.

Edit: I failed to mention that I upgraded to Redis 7.2.3 beforehand


  • Did you add your webserver-user (probably www-data) to the group redis?

check if www-data is member of redis group:

grep "^redis" /etc/group

add www-data to group:

sudo usermod -aG redis www-data 

  • Did you remove all password related settings from your /etc/redis/redis.conf?

You can post your config here.

grep config from redis.conf:

sudo grep -Ev "(^\s*#|^\s*$)" /etc/redis/redis.conf

(Before you paste (Ctrl-v) that output here, press Ctrl-e please, to get it in a fenced code block for better readability)


Yes, /var/run is a symlink to /run for backwards compatibility. But I did not mention the /var part in my suggestion.


Much luck,
ernolf


Hello ernolf,

www-data was a member of the redis group and there was no password setting in the redis.conf.

Unfortunately that didn’t solve the problem.

I have reinstalled the system and installed NC according to the guides I posted - this time it went through without a problem. I must have made an error during my first install.

Thank you for your help, ernolf.

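Added example, not part of any post in this thread: a shell check that compares the password and socket settings in redis.conf with the 'redis' array in Nextcloud's config.php and names the mismatch behind each error message discussed above. The function names, finding labels and sample files are constructed for illustration; it reads only `requirepass` (not ACL `user` lines) and assumes the array layout shown in the thread.

```shell
#!/bin/sh
# Added example: compare redis.conf with the 'redis' array in Nextcloud's config.php.
# Assumptions: one directive per line, passwords without spaces or commas, array
# closed by ")," on its own line; only requirepass is read, not ACL "user" lines.

redis_directive() {  # $1=directive $2=redis.conf; last occurrence wins
    awk -v k="$1" '$1 == k { v = $2 } END { if (v != "") print v }' "$2" | tr -d "\"'"
}

nc_redis_key() {  # $1=key $2=config.php; value of that key inside 'redis' => array
    sed -n "/'redis' *=>/,/^ *),/p" "$2" |
        sed -n "s/^ *'$1' *=> *'\{0,1\}\([^',]*\)'\{0,1\},.*/\1/p" | head -n 1
}

# /var/run is a symlink to /run, so both spellings name the same socket.
norm_sock() { printf '%s\n' "$1" | sed 's|^/var/run/|/run/|'; }

check_redis_nc() {  # $1=redis.conf $2=config.php; prints one finding per line
    rpass=$(redis_directive requirepass "$1"); npass=$(nc_redis_key password "$2")
    rsock=$(redis_directive unixsocket "$1");  nhost=$(nc_redis_key host "$2")
    if [ -n "$npass" ] && [ -z "$rpass" ]; then
        echo AUTH_BUT_NO_REQUIREPASS      # "ERR AUTH called without any password configured"
    elif [ -z "$npass" ] && [ -n "$rpass" ]; then
        echo REQUIREPASS_BUT_NO_PASSWORD  # Redis answers NOAUTH
    elif [ "$npass" != "$rpass" ]; then
        echo PASSWORD_MISMATCH            # WRONGPASS
    fi
    case $nhost in  # a host starting with "/" is a unix socket path
        /*) [ "$(norm_sock "$nhost")" = "$(norm_sock "$rsock")" ] || echo SOCKET_MISMATCH ;;
    esac
    [ "$(redis_directive port "$1")" = 0 ] || echo TCP_LISTENER_ENABLED
    return 0
}

demo() {  # constructed sample: socket-only Redis, but Nextcloud still sends a password
    d=$(mktemp -d)
    printf '%s\n' 'port 0' 'unixsocket /run/redis/redis-server.sock' >"$d/redis.conf"
    cat >"$d/config.php" <<'EOF'
  'redis' =>
  array (
    'host' => '/var/run/redis/redis-server.sock',
    'port' => 0,
    'password' => 'my_password',
  ),
EOF
    check_redis_nc "$d/redis.conf" "$d/config.php"
    rm -rf "$d"
}
demo  # prints AUTH_BUT_NO_REQUIREPASS
```

On a real host, call `check_redis_nc /etc/redis/redis.conf /path/to/nextcloud/config/config.php` as a user who can read both files; no output means the two files agree on password and socket.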