Updater.secret always wrong on hoster all-inkl.com

ff-webdesigner · October 27, 2023, 1:34pm

hi guys,

i’ve tried many times to update my nextcloud hosted at german provider all-inkl.com. problem: no matter how i hash my password (external oder internal with ssh) the update always fails with “invalid password”. sure, i just used

php -r '$password = trim(shell_exec("openssl rand -base64 48"));if(strlen($password) === 64) {$hash = password_hash($password, PASSWORD_DEFAULT) . "\n"; echo "Insert as \"updater.secret\": ".$hash; echo "The plaintext value is: ".$password."\n";}else{echo "Could not execute OpenSSL.\n";};'

saved the updater.secret in config.php
uploaded. tried the plaintext many times.

any idea how to solve this?

jtr · November 6, 2023, 6:14pm

Not sure offhand. You’re using your non-hashed password on the web form, correct?

If you’re using the CLI to generate a new secret, can’t you just run the updater from the CLI and not bother with the secret?

github.com

nextcloud/updater/blob/d2a116741b0d094789d9f934cceac6dd3b4c47ee/index.web.php#L589


      
          						<a id="back-to-nextcloud" class="button">Go back to your Nextcloud instance to finish the update</a>
          					</div>
          				</li>
          			</ul>
          		<?php else: ?>
          			<div id="login" class="section">
          				<h2>Authentication</h2>
          				<p>To login you need to provide the unhashed value of "updater.secret" in your config file.</p>
          				<p>If you don't know that value, you can access this updater directly via the Nextcloud admin screen or generate
          				your own secret:</p>
          				<code>php -r '$password = trim(shell_exec("openssl rand -base64 48"));if(strlen($password) === 64) {$hash = password_hash($password, PASSWORD_DEFAULT) . "\n"; echo "Insert as \"updater.secret\": ".$hash; echo "The plaintext value is: ".$password."\n";}else{echo "Could not execute OpenSSL.\n";};'</code>
          				<form method="post" name="login">
          					<fieldset>
          						<input type="password" name="updater-secret-input" value=""
          							   placeholder="Secret"
          							   autocomplete="on" required>
          						<button id="updater-secret-submit">Login</button>
          					</fieldset>
          				</form>
          				<?php if (isset($_POST['updater-secret-input']) && !$auth->isAuthenticated()): ?>
          				<p>Invalid password</p>