[passwords] Error: Exception: HMAC does not match

Through a series of unfortunate events, I had to rebuild my Nextcloud install from scratch. Unfortunately I lost my entire application directory in /var/www/localhost/htdocs, including my config.php. I have a good, full backup of the entire Nextcloud database using xtrabackup, so I reinstalled Nextcloud 17.0.0, did its setup to the point where I could log into the only admin user, then shut down apache/mysql and replaced the entire Nextcloud database with my backup. After starting mysql and apache back up I could access Nextcloud using my old user. Hooray!

All of my other apps appear to work fine except my passwords app. Clicking on the passwords app in my Nextcloud bar loads the left pane, but the main right pane is just a spinning loading icon forever. The Nextcloud logs show two entries for every time I try to load the page:

[passwords] Error: Error "HMAC does not match." in OCA\Passwords\Controller\Api\FolderApiController::show

POST /nextcloud/index.php/apps/passwords/api/1.0/folder/show
from <ip_addr> by <user> at 2020-02-02T17:21:13+00:00

and

[passwords] Error: Exception: HMAC does not match. at <<closure>>

 0. /var/www/localhost/htdocs/nextcloud/apps/passwords/lib/Encryption/Object/SseV1Encryption.php line 158
    OC\Security\Crypto->decrypt("*** sensitive parameters replaced ***")
 1. /var/www/localhost/htdocs/nextcloud/apps/passwords/lib/Services/EncryptionService.php line 113
    OCA\Passwords\Encryption\Object\SseV1Encryption->decryptObject("*** sensitive parameters replaced ***")
 2. /var/www/localhost/htdocs/nextcloud/apps/passwords/lib/Helper/ApiObjects/AbstractObjectHelper.php line 142
    OCA\Passwords\Services\EncryptionService->decrypt("*** sensitive parameters replaced ***")
 3. /var/www/localhost/htdocs/nextcloud/apps/passwords/lib/Helper/ApiObjects/PasswordObjectHelper.php line 111
    OCA\Passwords\Helper\ApiObjects\AbstractObjectHelper->getRevision(OCA\Passwords\Db\Password {id: 354}, {hidden: "*** se ... "}, true)
 4. /var/www/localhost/htdocs/nextcloud/apps/passwords/lib/Helper/ApiObjects/FolderObjectHelper.php line 265
    OCA\Passwords\Helper\ApiObjects\PasswordObjectHelper->getApiObject(OCA\Passwords\Db\Password {id: 354}, "model", {hidden: "*** se ... "})
 5. /var/www/localhost/htdocs/nextcloud/apps/passwords/lib/Helper/ApiObjects/FolderObjectHelper.php line 115
    OCA\Passwords\Helper\ApiObjects\FolderObjectHelper->getPasswords("*** sensitive parameters replaced ***")
 6. /var/www/localhost/htdocs/nextcloud/apps/passwords/lib/Controller/Api/AbstractObjectApiController.php line 142
    OCA\Passwords\Helper\ApiObjects\FolderObjectHelper->getApiObject(OCA\Passwords\Db\Folder {id: 11}, "model+folders+passwords+parent")
 7. /var/www/localhost/htdocs/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 170
    OCA\Passwords\Controller\Api\AbstractObjectApiController->show("057ea52d-d8d1-4012-9bb1-a79773605cd1", "model+folders+passwords+parent")
 8. /var/www/localhost/htdocs/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 99
    OC\AppFramework\Http\Dispatcher->executeController(OCA\Passwords\Co ... {}, "show")
 9. /var/www/localhost/htdocs/nextcloud/lib/private/AppFramework/App.php line 126
    OC\AppFramework\Http\Dispatcher->dispatch(OCA\Passwords\Co ... {}, "show")
10. /var/www/localhost/htdocs/nextcloud/lib/private/AppFramework/Routing/RouteActionHandler.php line 47
    OC\AppFramework\App::main("FolderApiController", "show", OC\AppFramework\ ... {}, {_route: "passwords.folder_api.show"})
11. <<closure>>
    OC\AppFramework\Routing\RouteActionHandler->__invoke({_route: "passwords.folder_api.show"})
12. /var/www/localhost/htdocs/nextcloud/lib/private/Route/Router.php line 297
    undefinedundefinedcall_user_func(OC\AppFramework\ ... {}, {_route: "passwords.folder_api.show"})
13. /var/www/localhost/htdocs/nextcloud/lib/base.php line 997
    OC\Route\Router->match("/apps/passwords/api/1.0/folder/show")
14. /var/www/localhost/htdocs/nextcloud/index.php line 42
    OC::handleRequest()

POST /nextcloud/index.php/apps/passwords/api/1.0/folder/show
from <ip_addr> by <user> at 2020-02-02T17:21:13+00:00

Is there a way to get my passwords back? I’m really not looking forward to the literally hundreds of password resets I’m going to have to do if I can’t.

If you have the data directory from the old Nextcloud, including the app data, then yes.
Passwords usually creates a backup every day and stores it in the app data directory. You can import this backup on your new Nextcloud and restore it there following the server migration guide.

Warning: The passwords app backup will overwrite your server secret.

Do you mean the nextcloud/data/appdata_<install_id>/passwords/ directory? If so, that is gone.

Well that’s bad. You will definitely lose some data.

You can try to check if there are still some password revisions with the old SSEv1r1. This method was used before 2019.7.0 and stores all encryption keys in the database. (Replace *PREFIX* with your database prefix)

  1. Make a backup of your database because this can go wrong and you might need several attempts.
  2. Try SELECT * FROM `*PREFIX*passwords_entity_password_revision` WHERE `sse_type` = 'SSEv1r1' AND `deleted` = 0 on your database. If that statement gives you some results, some passwords might be salvageable.
  3. You can then run UPDATE `*PREFIX*passwords_entity_password_revision` SET `deleted` = 1 WHERE `sse_type` != 'SSEv1r1' to mark everything else as deleted. Do the same for *PREFIX*passwords_entity_folder_revision and *PREFIX*passwords_entity_tag_revision
  4. Then run ./occ maintenance:repair from a command line or occ web and the app will try to create a consistent database state from the data that’s left. Run it twice in case folders were deleted and now have orphaned children.
  5. Now you can look at the app. It will probably run again but there will be losses. Passwords will be missing or out of date.
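The salvage procedure above, carried through all three revision tables in one transaction with before/after counts, as an added example (not code from the thread or the passwords app). It assumes the default `oc_` table prefix and that the folder and tag revision tables carry the same `sse_type` and `deleted` columns as the password revision table; verify that with `SHOW COLUMNS` first.

```sql
-- Added example, not from the thread. Assumes the "oc_" prefix and that
-- the folder and tag revision tables have sse_type / deleted columns
-- (an assumption: check with SHOW COLUMNS FROM oc_passwords_entity_folder_revision).

-- 1. Inventory: which encryption types exist and how many rows are still live.
--    Only SSEv1r1 rows keep their keys in the database; everything else
--    needs the server secret from the lost config.php.
SELECT 'password' AS kind, sse_type, deleted, COUNT(*) AS n
  FROM oc_passwords_entity_password_revision GROUP BY sse_type, deleted
UNION ALL
SELECT 'folder', sse_type, deleted, COUNT(*)
  FROM oc_passwords_entity_folder_revision GROUP BY sse_type, deleted
UNION ALL
SELECT 'tag', sse_type, deleted, COUNT(*)
  FROM oc_passwords_entity_tag_revision GROUP BY sse_type, deleted;

-- 2. Proceed only if SSEv1r1 password revisions survive.
SELECT COUNT(*) AS salvageable
  FROM oc_passwords_entity_password_revision
 WHERE sse_type = 'SSEv1r1' AND deleted = 0;

-- 3. Mark every revision that depends on the lost secret as deleted,
--    inside a transaction so a wrong result can still be rolled back.
START TRANSACTION;
UPDATE oc_passwords_entity_password_revision SET deleted = 1 WHERE sse_type <> 'SSEv1r1';
UPDATE oc_passwords_entity_folder_revision   SET deleted = 1 WHERE sse_type <> 'SSEv1r1';
UPDATE oc_passwords_entity_tag_revision      SET deleted = 1 WHERE sse_type <> 'SSEv1r1';

-- 4. Re-check before committing: this must return 0 for each table.
--    If it does not, run ROLLBACK instead of COMMIT.
SELECT COUNT(*) AS undeleted_non_v1_passwords
  FROM oc_passwords_entity_password_revision
 WHERE sse_type <> 'SSEv1r1' AND deleted = 0;
COMMIT;

-- 5. Afterwards run "./occ maintenance:repair" twice, as described above,
--    so the app rebuilds a consistent state from what is left.
```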

Initially this looked very promising:

mysql> SELECT COUNT(*) FROM `oc_passwords_entity_password_revision` WHERE `sse_type` = 'SSEv1r1' AND `deleted` = 0;
+----------+
| COUNT(*) |
+----------+
|      244 |
+----------+
1 row in set (0.00 sec)

After doing the updates to the database you suggested (and occ maintenance:repair a couple of times) I was able to actually get the password page to load and a number of my passwords have shown up.

Thank you so much. While I don’t have everything back, I have the majority of things back which will save me many hours of work. I’ve also added /var/www/localhost/htdocs to my backups instead of just doing the database backup so this can’t happen again.

For anyone coming across the same issue more than two years later, I would like to point out that the accepted answer will no longer work. (Even for passwords stored before July 2019).

Any recent version of passwords will actively migrate passwords using SSEv1r1 to a newer encryption method. Since the fix relies on this encryption, it won’t work anymore.

  • If you have lost your config.php and all backup files, there is no way to restore the passwords on the server anymore.
  • If you still have the backup files, you can check the links in this thread to find out how to restore them.
  • If you have your config.php and database (all of your database, not just the passwords app tables), you can set up a new Nextcloud with the database and at least the “secret” from the config.php and restore your passwords this way.
  • If you used a client (Android app, iOS app, Desktop Client, Browser Extension) with an offline cache feature enabled, you might be able to recover your passwords from there by disconnecting the device from the internet (Wifi, Mobile data, Ethernet Cable, Bluetooth) before starting the app and then copying all passwords out of the app.

Sorry to dig this out but I have to ask:
The third bullet point you mentioned applies to me. I do have full CLI access to the original database as well as the config file.

Do I really have to use the entire db from the original install? My dump is almost 60k kb and the import limit for the database is 2k kb… So I would need to dump and import the entire db table by table. So it would be great to know if there are tables that I could skip or rather just import certain tables that are needed.

Thanks in advance.

EDIT: The original instance is a version 23, and the new instance is a 24. In case that is important :slight_smile:

EDIT2: For anybody coming across this: You can import huge db dumps via command line. It takes forever and might have issues but I could restore a running instance and access my passwords. Thanks to mdw for the initial post on the restore process.