Updater.secret hash issue when using the web updater

This thread is meant to be my short guide on how to get over the following issue screen, as there are multiple threads on this issue. Hopefully someone can transfer this to the correct section as I do not have write-access to “How To”-section at the moment.
Please also check the comments for any updates

This guide is applicable to web updater.

The issue?
Web updater brings up a screen like showed in the github user jlntrt on his github thread about this issue:

To solve this issue, you need to replace the existing updater.secret-hash with a new one that you can create with the command that is on the auhthentication screen. The command looks like this

php -r '$password = trim(shell_exec("openssl rand -base64 48"));if(strlen($password) === 64) {$hash = password_hash($password, PASSWORD_DEFAULT) . "\n"; echo "Insert as \"updater.secret\": ".$hash; echo "The plaintext value is: ".$password."\n";}else{echo "Could not execute OpenSSL.\n";};'

To run this command, you need to have admin/root-level access to the Nextcloud servers OS. Most commonly this is done over SSH, and this is what I will be using. The following commands are applicable if you have on-site physical acess to the physical server as well.

If you are using a VPS, please try to check with the service provider how to access your VPS on the CLI/terminal with ssh.

Here is the step by step solution to the issue:

  1. Access the servers by SSH/some other method.
  2. Locate your config.php-file. If you are using linux, it is probably in the directory /var/www/nextcloud/config.
  3. Open the config.php-file with your cli-text-editor, I used nano.
  4. Once you can see the contects of the config.php file, check if there is already a updater.secret field. It will looks something like this
  'updater.secret' => 'Here is your current hash',
  1. Now that you have found the file, please close your text editor. For nano, the command is ctrl+x. If you are promted to save the changes to the file, please do not save the changes. For nano, it is called “save to buffer(y/n)”. If you are using nano, press n & then enter.
  2. The next step is creating the new hash on the command I showed on the top of this thread. Please copy the command from your servers Nextcloud updater authentication page. Here is what the command looked for me:
 php -r '$password = trim(shell_exec("openssl rand -base64 48"));if(strlen($password
) === 64) {$hash = password_hash($password, PASSWORD_DEFAULT) . "\n"; echo "Insert as \"updater.secret\": ".$hash; echo "The plaintext value is: ".$password."\n";}else{echo "Could not execute OpenSSL.\n";};'
  1. Once you have the following command run, you will receive a screen with a text like this
Insert as "updater.secret": $2y$10$nIRlfSdLLUpDzkMkoZi0t.P9CaIvU9cljK8ISXh.6dyakAqS7vlX2
The plaintext value is: y/+lkX4m1jOhtJ7c4WgsiTasTXfV+/wfLvJ/Su7IAho+0o0iA6bLVPDKEbxg8ZQl

You need to copy the string that is preceeded by the string "Insert as "updater.secret ":
The hash-string in this example is $2y$10$nIRlfSdLLUpDzkMkoZi0t.P9CaIvU9cljK8ISXh.6dyakAqS7vlX2
8. Copy the hashed string to your clipboard and open the config.php-file like we did in steps 2-4. Find the updater.secret-field, and replace the existing hash. Please make sure that the specific line still looks like this

  'updater.secret' => 'Here should be the hash created in step 7',
  1. Save the changed config.php-file.
  2. Copy the plaintext value from step 7 to your clipboard/transfer the string in some other way to your client computer for step 11.
  3. Open the Nextcloud servers web updater page, which has the authentication page open. Paste the plaintext value copied from the server to the password-field and press login.
  4. The authentication should work and you should be able to finish the authentication step.

This guide should now be complete, but if I have missed something, please feel free to add a comment here.

P.S.
This is my first post here, please press the like button if you have found this post useful :smile:. This was a issue I found to be quite problematic, since there are multiple dead threads on this issue that do not have the solution shown above.

If you found that I was unclear or something was wrong, please comment!

1 Like

Thanks. If you have only a webserver e.g. with shell_exec()-restriction you can use this code. But i think you get a less random value.

<?php

$password = trim(substr(base64_encode(mt_rand()), 0, 47));
$hash = password_hash($password, PASSWORD_DEFAULT);
echo "hash: " . $hash . "<br>";
echo "password: " . $password . "<br>";

?>
1 Like