Nextcloud HPB Unable to add conversation "403 Forbidden` response: Authentication check failed"

ℹ️ Support
1
Support intro

Sorry to hear you’re facing problems. :slightly_frowning_face:

The community help forum (help.nextcloud.com) is for home and non-enterprise users. Support is provided by other community members on a best effort / “as available” basis. All of those responding are volunteering their time to help you.

If you’re using Nextcloud in a business/critical setting, paid and SLA-based support services can be accessed via portal.nextcloud.com where Nextcloud engineers can help ensure your business keeps running smoothly.

Getting help

In order to help you as efficiently (and quickly!) as possible, please fill in as much of the below requested information as you can.

Before clicking submit: Please check if your query is already addressed via the following resources:

(Utilizing these existing resources is typically faster. It also helps reduce the load on our generous volunteers while elevating the signal to noise ratio of the forums otherwise arising from the same queries being posted repeatedly).

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can. :heart:

The Basics

  • Nextcloud Server version (e.g., 29.x.x):

    • 32.0.5

  • Operating system and version (e.g., Ubuntu 24.04):

    • 24.04.3

  • Web server and version (e.g, Apache 2.4.25):

    • Apache 2.4.58

  • Reverse proxy and version _(e.g. nginx 1.27.2)

    • N/A

    PHP version (e.g, 8.3):

    • 8.3.6 (fpm)

  • Is this the first time you’ve seen this error? (Yes / No):

    • It was always like this

  • When did this problem seem to first start?

    • from the start

  • Installation method (e.g. AlO, NCP, Bare Metal/Archive, etc.)

    • VM (no Docker)

  • Are you using CloudfIare, mod_security, or similar? (Yes / No)

    • no

Summary of the issue you are facing:

The nextcloud server runs just fine. However, I’ve set up a HPB in a second VM using the sunweaver script: GitHub - sunweaver/nextcloud-high-performance-backend-setup · GitHub
In the Talk admin settings on my Nextcloud server everything looks OK.
But when I try to create a conversation (or start a meeting) I get an error.

image
image1346×268 17.9 KB

image
image1303×433 18.9 KB

image
image596×237 4.83 KB

Both VM’s are behind a Firewall and are available from the outside via a public IP (and domain)
ports forwarded to the Nextcloud VM: 80, 443
ports forwarded to the HPB VM: 80, 443, 3478, 5349

Steps to replicate it (hint: details matter!):

  1. click the Talk icon

  2. click create conversation

  3. optionally add participants

  4. click Create conversation

Log entries

Nextcloud

Please provide the log entries from your Nextcloud log that are generated during the time of problem (via the Copy raw option from Administration settings->Logging screen or from your nextcloud.log located in your data directory). Feel free to use a pastebin/gist service if necessary.

{"reqId":"2PHD15i05lR5O9vFQ548","level":3,"time":"2026-03-04T14:24:05+00:00","remoteAddr":"192.168.10.7","user":"nextclouduser","app":"no app in context","method":"POST","url":"/ocs/v2.php/apps/spreed/api/v4/room","scriptName":"/ocs/v2.php","message":"Client error: `POST https://hpb.domain.nl/standalone-signaling/api/v1/room/hgpeuxqb` resulted in a `403 Forbidden` response:\nAuthentication check failed\n\n","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36","version":"32.0.5.0","exception":{"Exception":"GuzzleHttp\\Exception\\ClientException","Message":"Client error: `POST https://hpb.domain.nl/standalone-signaling/api/v1/room/hgpeuxqb` resulted in a `403 Forbidden` response:\nAuthentication check failed\n\n","Code":403,"Trace":[{"file":"/var/www/html/3rdparty/guzzlehttp/guzzle/src/Middleware.php","line":72,"function":"create","class":"GuzzleHttp\\Exception\\RequestException","type":"::","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php","line":209,"function":"GuzzleHttp\\{closure}","class":"GuzzleHttp\\Middleware","type":"::","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php","line":158,"function":"callHandler","class":"GuzzleHttp\\Promise\\Promise","type":"::"},{"file":"/var/www/html/3rdparty/guzzlehttp/promises/src/TaskQueue.php","line":52,"function":"GuzzleHttp\\Promise\\{closure}","class":"GuzzleHttp\\Promise\\Promise","type":"::","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php","line":251,"function":"run","class":"GuzzleHttp\\Promise\\TaskQueue","type":"->"},{"file":"/var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php","line":227,"function":"invokeWaitFn","class":"GuzzleHttp\\Promise\\Promise","type":"->"},{"file":"/var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php","line":272,"function":"waitIfPending","class":"GuzzleHttp\\Promise\\Promise","type":"->"},{"file":"/var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php","line":229,"function":"invokeWaitList","class":"GuzzleHttp\\Promise\\Promise","type":"->"},{"file":"/var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php","line":69,"function":"waitIfPending","class":"GuzzleHttp\\Promise\\Promise","type":"->"},{"file":"/var/www/html/3rdparty/guzzlehttp/guzzle/src/Client.php","line":189,"function":"wait","class":"GuzzleHttp\\Promise\\Promise","type":"->"},{"file":"/var/www/html/lib/private/Http/Client/Client.php","line":277,"function":"request","class":"GuzzleHttp\\Client","type":"->"},{"file":"/var/www/html/apps/spreed/lib/Signaling/BackendNotifier.php","line":59,"function":"post","class":"OC\\Http\\Client\\Client","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/apps/spreed/lib/Signaling/BackendNotifier.php","line":138,"function":"doRequest","class":"OCA\\Talk\\Signaling\\BackendNotifier","type":"->"},{"file":"/var/www/html/apps/spreed/lib/Signaling/BackendNotifier.php","line":528,"function":"backendRequest","class":"OCA\\Talk\\Signaling\\BackendNotifier","type":"->"},{"file":"/var/www/html/apps/spreed/lib/Signaling/Listener.php","line":487,"function":"sendRoomMessage","class":"OCA\\Talk\\Signaling\\BackendNotifier","type":"->"},{"file":"/var/www/html/apps/spreed/lib/Signaling/Listener.php","line":158,"function":"notifyMessageSent","class":"OCA\\Talk\\Signaling\\Listener","type":"->"},{"file":"/var/www/html/apps/spreed/lib/Signaling/Listener.php","line":98,"function":"handleExternalSignaling","class":"OCA\\Talk\\Signaling\\Listener","type":"->"},{"file":"/var/www/html/lib/private/EventDispatcher/ServiceEventListener.php","line":57,"function":"handle","class":"OCA\\Talk\\Signaling\\Listener","type":"->"},{"file":"/var/www/html/3rdparty/symfony/event-dispatcher/EventDispatcher.php","line":220,"function":"__invoke","class":"OC\\EventDispatcher\\ServiceEventListener","type":"->"},{"file":"/var/www/html/3rdparty/symfony/event-dispatcher/EventDispatcher.php","line":56,"function":"callListeners","class":"Symfony\\Component\\EventDispatcher\\EventDispatcher","type":"->"},{"file":"/var/www/html/lib/private/EventDispatcher/EventDispatcher.php","line":67,"function":"dispatch","class":"Symfony\\Component\\EventDispatcher\\EventDispatcher","type":"->"},{"file":"/var/www/html/lib/private/EventDispatcher/EventDispatcher.php","line":79,"function":"dispatch","class":"OC\\EventDispatcher\\EventDispatcher","type":"->"},{"file":"/var/www/html/apps/spreed/lib/Chat/ChatManager.php","line":271,"function":"dispatchTyped","class":"OC\\EventDispatcher\\EventDispatcher","type":"->"},{"file":"/var/www/html/apps/spreed/lib/Chat/SystemMessage/Listener.php","line":543,"function":"addSystemMessage","class":"OCA\\Talk\\Chat\\ChatManager","type":"->"},{"file":"/var/www/html/apps/spreed/lib/Chat/SystemMessage/Listener.php","line":166,"function":"sendSystemMessage","class":"OCA\\Talk\\Chat\\SystemMessage\\Listener","type":"->"},{"file":"/var/www/html/apps/spreed/lib/Chat/SystemMessage/Listener.php","line":90,"function":"sendSystemMessageAboutConversationCreated","class":"OCA\\Talk\\Chat\\SystemMessage\\Listener","type":"->"},{"file":"/var/www/html/lib/private/EventDispatcher/ServiceEventListener.php","line":57,"function":"handle","class":"OCA\\Talk\\Chat\\SystemMessage\\Listener","type":"->"},{"file":"/var/www/html/3rdparty/symfony/event-dispatcher/EventDispatcher.php","line":220,"function":"__invoke","class":"OC\\EventDispatcher\\ServiceEventListener","type":"->"},{"file":"/var/www/html/3rdparty/symfony/event-dispatcher/EventDispatcher.php","line":56,"function":"callListeners","class":"Symfony\\Component\\EventDispatcher\\EventDispatcher","type":"->"},{"file":"/var/www/html/lib/private/EventDispatcher/EventDispatcher.php","line":67,"function":"dispatch","class":"Symfony\\Component\\EventDispatcher\\EventDispatcher","type":"->"},{"file":"/var/www/html/lib/private/EventDispatcher/EventDispatcher.php","line":79,"function":"dispatch","class":"OC\\EventDispatcher\\EventDispatcher","type":"->"},{"file":"/var/www/html/apps/spreed/lib/Manager.php","line":1283,"function":"dispatchTyped","class":"OC\\EventDispatcher\\EventDispatcher","type":"->"},{"file":"/var/www/html/apps/spreed/lib/Service/RoomService.php","line":285,"function":"createRoom","class":"OCA\\Talk\\Manager","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/apps/spreed/lib/Controller/RoomController.php","line":730,"function":"createConversation","class":"OCA\\Talk\\Service\\RoomService","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/lib/private/AppFramework/Http/Dispatcher.php","line":204,"function":"createRoom","class":"OCA\\Talk\\Controller\\RoomController","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/lib/private/AppFramework/Http/Dispatcher.php","line":118,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/html/lib/private/AppFramework/App.php","line":153,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/html/lib/private/Route/Router.php","line":321,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/var/www/html/ocs/v1.php","line":61,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/html/ocs/v2.php","line":8,"args":["/var/www/html/ocs/v1.php"],"function":"require_once"}],"File":"/var/www/html/3rdparty/guzzlehttp/guzzle/src/Exception/RequestException.php","Line":111,"message":"Client error: `POST https://hpb.domain.nl/standalone-signaling/api/v1/room/hgpeuxqb` resulted in a `403 Forbidden` response:\nAuthentication check failed\n\n","exception":[],"CustomMessage":"Client error: `POST https://hpb.domain.nl/standalone-signaling/api/v1/room/hgpeuxqb` resulted in a `403 Forbidden` response:\nAuthentication check failed\n\n"},"id":"69a8410e6a7cd"}

Web Browser

If the problem is related to the Web interface, open your browser inspector Console and Network tabs while refreshing (reloading) and reproducing the problem. Provide any relevant output/errors here that appear.

PASTE

Web server / Reverse Proxy

The output of your Apache/nginx/system log in /var/log/____:

PASTE HERE

Configuration

Nextcloud

The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):

PASTE HERE<?php
$CONFIG = array (
  'instanceid' => 'someID',
  'passwordsalt' => 'somesalt',
  'secret' => 'somesecret',
  'trusted_domains' => 
  array (
    0 => 'kloud.domain1.com',
    1 => 'cloud.domain1.com',
    2 => 'cloud.domain2.com',
	3 => 'cloud.domain3.com',
  ),
  'datadirectory' => '/datadir',
  'skeletondirectory' => '/var/www/html/core/skeleton/company/',
  'dbtype' => 'mysql',
  'version' => '32.0.5.0',
  'overwrite.cli.url' => 'http://localhost',
  'dbname' => 'somedb',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'someuser',
  'dbpassword' => 'dbpassword',
  'installed' => true,
  'default_phone_region' => 'NL',
  'maintenance' => false,
  'maintenance_window_start' => 1,
  'filelocking.enabled' => true,
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => 'localhost',
    'port' => 6379,
  ),
  'memories.db.triggers.fcu' => true,
  'memories.exiftool' => '/var/www/html/apps/memories/bin-ext/exiftool-amd64-glibc',
  'memories.vod.path' => '/var/www/html/apps/memories/bin-ext/go-vod-amd64',
  'memories.vod.ffmpeg' => '/usr/bin/ffmpeg',
  'memories.vod.ffprobe' => '/usr/bin/ffprobe',
  'theme' => '',
  'loglevel' => 2,
  'mail_smtpmode' => 'smtp',
  'mail_smtphost' => 'domain1-com.mail.protection.outlook.com',
  'mail_sendmailmode' => 'smtp',
  'mail_smtpport' => '25',
  'mail_from_address' => 'somesender',
  'mail_domain' => 'domain1.com',
  'mail_smtpauth' => 1,
  'mail_smtpname' => 'someone@domain1.com',
  'mail_smtppassword' => 'somesmtppassword',
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
  'updater.release.channel' => 'stable',
  'enabledPreviewProviders' => 
  array (
    0 => 'OC\\Preview\\Image',
    1 => 'OC\\Preview\\HEIC',
    2 => 'OC\\Preview\\TIFF',
    3 => 'OC\\Preview\\Movie',
  ),
  'memories.gis_type' => 1,
  'theming_domain' => 
  array (
    'cloud.domain1.com' => 
    array (
      'variables' => 
      array (
        '--image-logo' => 'url(\'/apps/theming/logos/d1-logo.png\')',
        '--image-logoheader' => 'url(\'/apps/theming/logos/d1-header-logo.png\')',
        '--image-background' => 'url(\'/apps/theming/backgrounds/d1-background.jpg\')',
        '--image-favicon' => 'url(\'/apps/theming/logos/d1-favicon.ico\')',
      ),
    ),
    'cloud.domain2.com' => 
    array (
      'variables' => 
      array (
        '--image-logo' => 'url(\'/apps/theming/logos/d2-logo.png\')',
        '--image-logoheader' => 'url(\'/apps/theming/logos/d2-header-logo.png\')',
        '--image-background' => 'url(\'/apps/theming/backgrounds/d2-background.jpg\')',
        '--image-favicon' => 'url(\'/apps/theming/logos/d2-favicon.ico\')',
      ),
    ),
    'cloud.domain3.com' => 
    array (
      'variables' => 
      array (
        '--image-logo' => 'url(\'/apps/theming/logos/d3-logo.png\')',
        '--image-logoheader' => 'url(\'/apps/theming/logos/d3-header-logo.png\')',
        '--image-background' => 'url(\'/apps/theming/backgrounds/d3-background.jpg\')',
        '--image-favicon' => 'url(\'/apps/logos/d3-favicon.ico\')',
      ),
    ),
    'kloud.domain1.com' => 
    array (
      'variables' => 
      array (
        '--image-logo' => 'url(\'/apps/theming/logos/d1-logo.png\')',
        '--image-logoheader' => 'url(\'/apps/theming/logos/d1-header-logo.png\')',
        '--image-background' => 'url(\'/apps/theming/backgrounds/d1-background.jpg\')',
        '--image-favicon' => 'url(\'/apps/theming/logos/d1-favicon.ico\')',
      ),
    ),
  ),
  'app_install_overwrite' => 
  array (
    0 => 'webhooks',
  ),
  'twofactor_enforced' => 'true',
  'twofactor_enforced_groups' => 
  array (
    0 => 'MFA',
  ),
  'twofactor_enforced_excluded_groups' => 
  array (
  ),
  'defaultapp' => 'files,dashboard',
  'forbidden_filename_basenames' => 
  array (
    0 => 'con',
    1 => 'prn',
    2 => 'aux',
    3 => 'nul',
    4 => 'com0',
    5 => 'com1',
    6 => 'com2',
    7 => 'com3',
    8 => 'com4',
    9 => 'com5',
    10 => 'com6',
    11 => 'com7',
    12 => 'com8',
    13 => 'com9',
    14 => 'com¹',
    15 => 'com²',
    16 => 'com³',
    17 => 'lpt0',
    18 => 'lpt1',
    19 => 'lpt2',
    20 => 'lpt3',
    21 => 'lpt4',
    22 => 'lpt5',
    23 => 'lpt6',
    24 => 'lpt7',
    25 => 'lpt8',
    26 => 'lpt9',
    27 => 'lpt¹',
    28 => 'lpt²',
    29 => 'lpt³',
  ),
  'forbidden_filename_characters' => 
  array (
    0 => '<',
    1 => '>',
    2 => ':',
    3 => '"',
    4 => '|',
    5 => '?',
    6 => '*',
    7 => '\\',
    8 => '/',
  ),
  'forbidden_filename_extensions' => 
  array (
    0 => ' ',
    1 => '.',
    2 => '.filepart',
    3 => '.part',
  ),
);

Apps

The output of occ app:list (if possible).

Tips for increasing the likelihood of a response

  • Use the preformatted text formatting option in the editor for all log entries and configuration output.
  • If screenshots are useful, feel free to include them.
    • If possible, also include key error output in text form so it can be searched for.
  • Try to edit log output only minimally (if at all) so that it can be ran through analyzers / formatters by those trying to help you.
2

@flinc

Troubleshooting

connection errors

403 forbidden

TIP

make sure you have a long secretpasswordkey (min. 24 chars, better 32 chars) for each service!

TIP: create secretpasswordkey

Make sure you create a long secretpasswordkey (min. 24 chars, better 32 chars) for each service! Note down the secretpasswordkeys as you will need them for configuring HPB in Nextcloud talk.

  • issue command in host shell and repeat for each service:
openssl rand -hex 32

grafik

1. TURN_SECRET
  • create a long random secretpasswordkey, issue command in host shell:
openssl rand -hex 32
2. SIGNALING_SECRET
  • create a long random secretpasswordkey, issue command in host shell:
openssl rand -hex 32
3. INTERNAL_SECRET
  • create a long random secretpasswordkey, issue command in host shell:
openssl rand -hex 32
3

Hi scubamuc,

Thanks for responding so swiftly.
Some stuff came up so my response was a bit slow.
The sunweaver script created the keys.
The shared secret for the HPB is 32 characters in length and the Turnserver secret is 64 Charachters.
I’m not sure where to find the internal_secret you mention.

4

@flinc bar having experience with “sunweaver script” and personally using the official Docker implementation High Performance Backend for Talk on Nextcloud with Docker that’s beyond my scope.

Your mention of 403 Forbidden error seemed familiar due to troubleshooting with the Docker method. sorry for wasting your time.

suggest you create an issue with the developers or be patient, there are surely folks here who know the “sunweaver script” implementation.

5

Well, I decide to give it a go and create a new signaling secret and a new turn server secret.
The internal secret was only for the Docker container which I don’t have because I run the HPB in a separate VM.
But anyway….
…It worked!!

With the new secrets I can now create conversations as well as start meetings.
So thank you @scubamuc for pointing me in the right direction.

1 Like
6

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.