Nextcloud version: 15.0.11.1
Operating System: SUSE Enterprise 12.4
Apache version: Apache/2.4.23 (Linux/SUSE)
PHP version: 7.0.7
The issue you are facing:
User password reset does not work.
Users can receive the password reset email.
Clicking the password reset button on the password reset form after following the link in the email does nothing at all.
Is this the first time you’ve seen this error? Yes
Steps to replicate it:
- Try to login
- Click “forgot password” link
- Click link in the password reset email
- Enter new password
- Click reset password button
The output of your Nextcloud log in Admin > Logging:
No log entries when clicking password reset
The output of your config.php file in /path/to/nextcloud :
<?php
$CONFIG = array (
'instanceid' => '1',
'passwordsalt' => '2',
'datadirectory' => '/srv/data/',
'dbtype' => 'mysql',
'version' => '15.0.11.1',
'dbname' => 'transfer',
'dbhost' => '127.0.0.1',
'dbtableprefix' => 'oc_',
'dbuser' => 'someuser',
'dbpassword' => 'somepasswd',
'installed' => true,
'default_language' => 'en',
'forcessl' => false,
'theme' => 'theme',
'skeletondirectory' => '',
'maintenance' => false,
'mail_domain' => 'domain',
'mail_smtpmode' => 'smtp',
'mail_smtphost' => 'mail.domain.com',
'mail_smtpport' => '25',
'logtimezone' => 'Europe/Berlin',
'trusted_domains' =>
array (
0 => 'externalhostname.somedomain.com',
1 => 'hostname',
2 => 'hostname.domain.com',
),
'mail_from_address' => 'some',
'secret' => '1',
'loglevel' => 2,
'filesystem_check_changes' => 1,
'updater.release.channel' => 'stable',
'overwritecondaddr' => '^ip\\.\\ip\\ip\\.ip$',
'overwritehost' => 'externalhostname.somedomain.com',
'overwriteprotocol' => 'https',
'overwrite.cli.url' => 'https://externalhostname.somedomain.com',
'simpleSignUpLink.shown' => false,
'has_internet_connection' => false,
);
The output of your Apache/nginx/system log in /var/log/____:
No log entries when clicking password reset
So I took a look at the links in the E-Mail and Form and noticed that both of them use HTTP and they both look like this:
http://externalhostname.somedomain.com/index.php/lostpassword/reset/form/token/username
We don’t use HTTP anywhere on the server so it is a little weird, that it does that in this instance.
When I open the form and use the Chrome Dev Tools to edit the link to https and then click the reset password button, it works right away.
I found these threads on github, that seem to have the same or similar issues, but the solutions didn’t work for me:
As you can see, our config.php already has overwriteprotocol and overwrite.cli.url set, though the overwrite.cli.url was set to http:// before, but I don’t know why (wasn’t set by me) and changing it to https doesn’t help.
The server sending those links as HTTP in the E-Mail has been like this for a long time it seems. I have an E-Mail from 2017 (Nextcloud 10.0.3) for password resetting my test user. I don’t know exactly when the password reset stopped working tho.