[SOLVED] WebDAV error 401

Nextcloud version : 20.0.4
Operating system and version: DietPi 6.34.3
Apache or nginx version : lighttpd instead of Apache
Webserver: lighttpd/1.4.53 (fpm-fcgi)
PHP version : 7.3.19-1~deb10u1

Content of System Report generated from Settings, Admin, Support:

Server configuration detail

Operating system: Linux 5.4.79-v8+ #1373 SMP PREEMPT Mon Nov 23 13:32:41 GMT 2020 aarch64

Webserver: lighttpd/1.4.53 (fpm-fcgi)

Database: mysql 10.3.27

PHP version: 7.3.19-1~deb10u1

Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, sodium, standard, cgi-fcgi, mysqlnd, PDO, xml, apcu, calendar, ctype, curl, dom, mbstring, fileinfo, ftp, gd, gettext, iconv, igbinary, intl, json, exif, mysqli, pdo_mysql, Phar, posix, readline, redis, shmop, SimpleXML, sockets, sysvmsg, sysvsem, sysvshm, tokenizer, wddx, xmlreader, xmlwriter, xsl, zip, Zend OPcache

Nextcloud version: 20.0.4 - 20.0.4.0

Updated from an older Nextcloud/ownCloud or fresh install:

Where did you install Nextcloud from: unknown

Signing status

Array
(
)

The issue you are facing:
Cannot connect to WebDAV (Error 401).

I have seen this post where the solution is to use Apache.

I’m hoping to get help with solving the issue with my setup which uses lighttpd. Please see this DietPi forum post where a Nextcloud user was able to connect to WebDAV. In DietPi, Nextcloud is pre-configured so users have a working Nextcloud by simply picking it from a list.

Is this the first time you’ve seen this error? : Yes

Steps to replicate it:

  1. Use the WebDAV URL from Nextcloud Files, Settings to connect an Android app (I tried Joplin and Keepass2Android)
  2. Joplin error message - OCA\DAV\Connector\Sabre\Exception\PasswordLoginForbidden…Code 401
  3. Keepass2Android error message - Response(protocol=http/1.1, code 401,message=Unauthorized
  4. I have checked that username and password are correct.

The output of your Nextcloud log in Admin > Logging:

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

$CONFIG = array (
  'passwordsalt' => 'removedforpost',
  'secret' => 'removedforpost',
  'trusted_domains' => 
  array (
    0 => 'localhost',
    1 => '*',
  ),
  'datadirectory' => '/mnt/dietpi_userdata/nextcloud_data',
  'dbtype' => 'mysql',
  'version' => '20.0.4.0',
  'hashingThreads' => 4,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'filelocking.enabled' => true,
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => '/run/redis/redis-server.sock',
    'port' => 0,
  ),
  'overwrite.cli.url' => 'http://localhost/nextcloud',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'removedforpost',
  'dbpassword' => 'removedforpost',
  'installed' => true,
  'instanceid' => 'ocr3jb2uwoy6',
  'maintenance' => false,
  'twofactor_enforced' => 'true',
  'twofactor_enforced_groups' => 
  array (
  ),
  'twofactor_enforced_excluded_groups' => 
  array (
  ),
);

The output of your lighttpd log in /var/log/____: /var/log/lighttpd/error.log

2021-01-10 21:12:25: (mod_openssl.c.1746) SSL: 1 error:1408F10B:SSL routines:ssl3_get_record:wrong version number

Thanks in advance for any help.

The other thread in this forum you linked seems to have been an issue with the Nginx proxy that was set up in front of Nextcloud; CORS checks may fail in cases like that, but I’m no expert with proxies (aside from enabling HTTPS on the same host for web applications with their own webserver+port).

In your case, I can only assume that the 2FA enforcement might be related? Did you try it with 2FA disabled (and the enforcement setting in config.php removed)? I’m not sure how well this works with 3rd party client apps.

About the SSL error: You did enable HTTPS? Else probably a client tried to connect via an SSL/TLS version that is not supported by the server. By default TLSv1/1.1/1.2 are supported on Debian Buster Lighttpd, AFAIK, SSLv3 disabled for security reasons and TLSv1.3 not yet possible.

Generally, the full URL for WebDAV access from the files app should work, as it does not depend on any rewrite or redirect that would come with e.g. the .htaccess. Compared to CalDAV and CardDAV, for WebDAV there is also no such rewrite/redirect foreseen in the official docs.

Thanks @MichaIng. I did come across those threads about 2FA and tried disabling it. That didn’t resolve the issue for me. I need to mention that I didn’t look at updating the config.php.

The SSL error didn’t worry me that much after seeing this post, which says it relates to forwarded ports 80 and 443, which my DietPi Nextcloud instance has for No-IP and Letsencrypt.

I’ve also seen the post related to special characters in the password or logging in as a regular user, which didn’t help in my case.

I can confirm that CardDAV and file (documents) syncing worked very well in DietPi.

I decided I would run a new instance of Nextcloud, this time with NextCloudPi. For this new instance, CardDAV and WebDAV are both working for syncing my documents, contacts and certain app files.

With NextCloudPi, 2FA and WebDAV also work, right? Then it is likely indeed a different behaviour of Apache2 vs Lighttpd, although I cannot imagine currently which part it is, where no rewrite is involved. Probably some Lighttpd-internal security feature.

Do you still have the DietPi instance to review the Lighttpd configuration and, if need be, test a change? I remember one part that did break Nextcloud features in the past already; at least it is worth giving it a try.

This is getting interesting. WebDAV also fails with 2FA in NextCloudPi. As soon as 2FA is disabled WebDAV works again.

My 2FA testing differed between NextCloudPi and DietPi instances in that with DietPi, I already had 2FA enabled before setting up WebDAV sync.

Sorry, I no longer have the DietPi instance.
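
Added example, not part of the thread: a Python triage helper that reads the body of a WebDAV 401 and separates the `PasswordLoginForbidden` case reported in step 2 (which the thread saw only with 2FA enabled) from a plain credential failure and from a 401 that never reached Nextcloud's DAV layer, which is the web-server question raised above. The sample bodies are constructed, and the `Sabre\DAV\Exception\NotAuthenticated` class name and the returned label strings are assumptions of this example.

```python
import xml.etree.ElementTree as ET

SABRE_NS = "{http://sabredav.org/ns}"

# Constructed sample 401 bodies (not captured from the poster's server).
BODY_2FA = rb"""<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>OCA\DAV\Connector\Sabre\Exception\PasswordLoginForbidden</s:exception>
  <s:message/>
</d:error>"""
BODY_BAD_CREDS = rb"""<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception>
  <s:message>Username or password was incorrect</s:message>
</d:error>"""
BODY_WEBSERVER = b"<html><body><h1>401 Unauthorized</h1></body></html>"


def sabre_exception(body: bytes):
    """Return the <s:exception> class name, or None if body is not a Sabre error."""
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return None  # do not expand entities from an untrusted response
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None  # empty or non-XML body
    if root.tag != "{DAV:}error":
        return None  # well-formed, but not a DAV error document
    node = root.find(SABRE_NS + "exception")
    return node.text.strip() if node is not None and node.text else None


def classify_401(status: int, body: bytes) -> str:
    """Map a response to a triage label (labels are this example's own)."""
    if status != 401:
        return "not-a-401"
    exc = sabre_exception(body)
    if exc is None:
        return "webserver-or-proxy"  # 401 issued before Nextcloud's DAV layer
    if exc.endswith("\\PasswordLoginForbidden"):
        return "password-login-forbidden"  # the error from step 2 of the report
    if exc.endswith("\\NotAuthenticated"):
        return "bad-credentials"
    return "other-dav-error:" + exc


if __name__ == "__main__":
    for name, body in [("2fa", BODY_2FA), ("bad", BODY_BAD_CREDS), ("web", BODY_WEBSERVER)]:
        print(name, "->", classify_401(401, body))
```
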