We lost the access to the administration -> security

Nextcloud version (eg, 29.0.5): 29.0.4
Operating system and version (eg, Ubuntu 24.04): unknown it’s a shared hosting on a provider’s server
Apache or nginx version (eg, Apache 2.4.25): unknown
PHP version (eg, 8.3): 8.2

The issue you are facing: The security page in the administration section can’t be opened and results in an error:

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

  1. Open Admincenter
  2. Click on security Tab

The output of your Nextcloud log in Admin > Logging:

Exception hash_hkdf(): Argument #2 ($key) cannot be empty in file '/www/htdocs/w01edd42/holagil.de/cloud/lib/private/Security/Crypto.php' line 149

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => 'SECRET',
  'passwordsalt' => 'SECRET',
  'secret' => 'SECRET',
  'trusted_domains' => 
  array (
    0 => 'SECRET',
  ),
  'datadirectory' => '/www/htdocs/SECRET/cloud/data',
  'dbtype' => 'mysql',
  'version' => '29.0.4.1',
  'overwrite.cli.url' => 'https://SECRET.SEC',
  'dbname' => 'SECRET',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'SECRET',
  'dbpassword' => 'SECRET',
  'installed' => true,
  'tempdirectory' => '/www/htdocs/SECRET/cloud/data/tmp',
  'profile.enabled' => true,
  'default_language' => 'de',
  'default_locale' => 'de_DE',
  'default_phone_region' => 'DE',
  'versions_retention_obligation' => '90, auto',
  'account_manager.default_property_scope' => 
  array (
    'email' => 'v2-private',
    'displayname' => 'v2-local',
  ),
  'maintenance' => false,
  'maintenance_window_start' => 1,
  'theme' => '',
  'loglevel' => 2,
  'mail_smtpmode' => 'smtp',
  'mail_smtphost' => 'SECRET',
  'mail_sendmailmode' => 'smtp',
  'mail_smtpport' => '465',
  'mail_smtpsecure' => 'ssl',
  'mail_from_address' => 'system',
  'mail_domain' => 'SECRET.SEC',
  'mail_smtpauth' => 1,
  'mail_smtpname' => 'SECRETMail',
  'mail_smtppassword' => 'SECRET',
  'updater.secret' => 'SECRET',
  'skeletondirectory' => '/www/htdocs/SECRET/cloud/data/skeleton-neu',
);

The output of your Apache/nginx/system log in /var/log/____:

- can't access that because i got no root

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.

{"reqId":"ZrDiL4YMy-IBZoZj8iJVkwAAmSc","level":3,"time":"2024-08-05T14:31:11+00:00","remoteAddr":"95.223.39.107","user":"SECRET","app":"index","method":"GET","url":"/index.php/settings/admin/security","message":"hash_hkdf(): Argument #2 ($key) cannot be empty in file '/www/htdocs/SECRET/cloud/lib/private/Security/Crypto.php' line 149","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0","version":"29.0.4.1","exception":{"Exception":"Exception","Message":"hash_hkdf(): Argument #2 ($key) cannot be empty in file '/www/htdocs/SECRET/cloud/lib/private/Security/Crypto.php' line 149","Code":0,"Trace":[{"file":"/www/htdocs/SECRET/cloud/lib/private/AppFramework/App.php","line":184,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[["OCA\\Settings\\Controller\\AdminSettingsController"],"index"]},{"file":"/www/htdocs/SECRET/cloud/lib/private/Route/Router.php","line":338,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["OCA\\Settings\\Controller\\AdminSettingsController","index",["OC\\AppFramework\\DependencyInjection\\DIContainer"],["security","settings.adminsettings.index"]]},{"file":"/www/htdocs/SECRET/cloud/lib/base.php","line":1050,"function":"match","class":"OC\\Route\\Router","type":"->","args":["/settings/admin/security"]},{"file":"/www/htdocs/SECRET/cloud/index.php","line":49,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/www/htdocs/SECRET/cloud/lib/private/AppFramework/Http/Dispatcher.php","Line":170,"Previous":{"Exception":"ValueError","Message":"hash_hkdf(): Argument #2 ($key) cannot be empty","Code":0,"Trace":[{"file":"/www/htdocs/SECRET/cloud/lib/private/Security/Crypto.php","line":149,"function":"hash_hkdf","args":["sha512",["SensitiveParameterValue"]]},{"file":"/www/htdocs/SECRET/cloud/lib/private/Security/Crypto.php","line":123,"function":"decryptWithoutSecret","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters 
replaced ***"]},{"file":"/www/htdocs/SECRET/cloud/apps/oauth2/lib/Settings/Admin.php","line":54,"function":"decrypt","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/www/htdocs/SECRET/cloud/apps/settings/lib/Controller/CommonSettingsTrait.php","line":140,"function":"getForm","class":"OCA\\OAuth2\\Settings\\Admin","type":"->","args":[]},{"file":"/www/htdocs/SECRET/cloud/apps/settings/lib/Controller/AdminSettingsController.php","line":93,"function":"formatSettings","class":"OCA\\Settings\\Controller\\AdminSettingsController","type":"->","args":[[[["OCA\\BruteForceSettings\\Settings\\IPWhitelist"]],[["OCA\\Settings\\Settings\\Admin\\Security"]],[["OCA\\Password_Policy\\Settings"]],[["OCA\\OAuth2\\Settings\\Admin"]]]]},{"file":"/www/htdocs/SECRET/cloud/apps/settings/lib/Controller/CommonSettingsTrait.php","line":165,"function":"getSettings","class":"OCA\\Settings\\Controller\\AdminSettingsController","type":"->","args":["security"]},{"file":"/www/htdocs/SECRET/cloud/apps/settings/lib/Controller/AdminSettingsController.php","line":77,"function":"getIndexResponse","class":"OCA\\Settings\\Controller\\AdminSettingsController","type":"->","args":["admin","security"]},{"file":"/www/htdocs/SECRET/cloud/lib/private/AppFramework/Http/Dispatcher.php","line":232,"function":"index","class":"OCA\\Settings\\Controller\\AdminSettingsController","type":"->","args":["security"]},{"file":"/www/htdocs/SECRET/cloud/lib/private/AppFramework/Http/Dispatcher.php","line":138,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[["OCA\\Settings\\Controller\\AdminSettingsController"],"index"]},{"file":"/www/htdocs/SECRET/cloud/lib/private/AppFramework/App.php","line":184,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[["OCA\\Settings\\Controller\\AdminSettingsController"],"index"]},{"file":"/www/htdocs/SECRET/cloud/lib/private/Route/Router.php","line":338,"functi
on":"main","class":"OC\\AppFramework\\App","type":"::","args":["OCA\\Settings\\Controller\\AdminSettingsController","index",["OC\\AppFramework\\DependencyInjection\\DIContainer"],["security","settings.adminsettings.index"]]},{"file":"/www/htdocs/SECRET/cloud/lib/base.php","line":1050,"function":"match","class":"OC\\Route\\Router","type":"->","args":["/settings/admin/security"]},{"file":"/www/htdocs/SECRET/cloud/index.php","line":49,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/www/htdocs/SECRET/cloud/lib/private/Security/Crypto.php","Line":149},"message":"hash_hkdf(): Argument #2 ($key) cannot be empty in file '/www/htdocs/SECRET/cloud/lib/private/Security/Crypto.php' line 149","exception":{},"CustomMessage":"hash_hkdf(): Argument #2 ($key) cannot be empty in file '/www/htdocs/SECRET/cloud/lib/private/Security/Crypto.php' line 149"}}

hi @Holagil welcome to the forum :handshake:

please explain a little more - if I understand it right you can log in successfully in general? other apps like files work and you only hit the issue when you access the security page? what happened before the issue started? any updates (maybe OS or PHP upgrades performed by the hosting provider)? as it is hosted I would recommend asking your hosting provider for support.

Hi @wwe!
There is no problem with anything else. We can add and manage users, apps, files etc. The login works fine and access through desktop and mobile apps is possible.
We made updates from 26.0.x. The issue first appeared in 27.0.x

We installed it in the webspace ourselves. Only the webspace and the system are managed, not Nextcloud itself. So if I want to get the hoster's help, I would need something to look at.

without logs there is no way to analyze the issue, just wild guesses… if you check the upgrade notes https://docs.nextcloud.com/server/stable/admin_manual/release_notes/upgrade_to_27.html you will see .mjs support is required from nc27 which was not the case before… maybe your webserver lacks config to ship these files.

…and I would recommend you upgrade earlier to benefit from the mainstream… nc27 is really kind of forgotten already…

I understand that. But we run a testserver on the same nc version and that runs fine. I can open the admin security page there with no problem.

And what does that tell us? Correct, it’s likely not a general Nextcloud issue, but a specific issue on this particular server. :wink:

Now you need to proceed methodically and narrow down the problem, and the first place to look for clues to identify a problem is usually the log files.

If you can’t find anything specific in the logs, you could start checking for any differences to the working server, like webserver/reverse proxy configuration, PHP configuration, installed apps etc…

Correct, it’s likely not a general Nextcloud issue, but a specific issue on this particular server.

Why? One instance on that server works fine, the other doesn’t. My limited knowledge led me to believe that it was due to the Nextcloud instance. Both have gone through all the updates - one is running, the other is not.
Apps are the same, there might be some smaller differences between their config, I will take a look at that.
That’s a good idea.

Do you have any sense of whether the secret value has been changed or overlooked during a server migration along the way in your environment? Or maybe that the database has been used against a different Nextcloud instance (which would have a different secret)?

See [Bug]: hash_hkdf(): Argument #2 ($key) cannot be empty · Issue #34012 · nextcloud/server · GitHub

If there’s access to the server backend, checking logs might reveal the issue. Also, consider restoring from a recent backup if available and use pi alt code to insert it.

No, we didn’t change the secret. And we didn’t use the database against a different Nextcloud instance.
But we got an issue with WordPress "Tim’s Nextcloud SSO OAuth2" since this issue occurs. Maybe it’s about the key we had to produce for that connection? And that’s the difference to the test instance, too.

When you backtrack through your log file, when did the error first start?

We were able to solve the problem. We created a new test instance, added all apps we used in the productive instance, copied all database table content from the productive one to the test, and opened security.
It failed again.
Then we opened the database tables “oc_oauth2_access_tokens” and “oc_oauth2_clients” and deleted all data from them. After that, the security page in the administration configuration can be opened again without an error.
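
The stack trace in the first post already points at the component that the fix above cleared: the innermost exception is thrown in Crypto.php, and the first app frame above it is apps/oauth2. The following is an added example, not part of any post in this thread or of Nextcloud's own code, that pulls this information out of one nextcloud.log line; the sample line and its /srv/nc paths are constructed, modelled on the entry posted above.

```python
import json
import re

# Constructed sample: one nextcloud.log line trimmed to the fields and frames
# that matter, modelled on the entry posted in this thread (paths are made up).
SAMPLE_LINE = json.dumps({
    "reqId": "CONSTRUCTED", "level": 3,
    "url": "/index.php/settings/admin/security",
    "exception": {
        "Exception": "Exception",
        "Message": "hash_hkdf(): Argument #2 ($key) cannot be empty in file ...",
        "Trace": [{"file": "/srv/nc/lib/private/AppFramework/App.php",
                   "line": 184, "function": "dispatch"}],
        "Previous": {
            "Exception": "ValueError",
            "Message": "hash_hkdf(): Argument #2 ($key) cannot be empty",
            "Trace": [
                {"file": "/srv/nc/lib/private/Security/Crypto.php", "line": 149, "function": "hash_hkdf"},
                {"file": "/srv/nc/lib/private/Security/Crypto.php", "line": 123, "function": "decryptWithoutSecret"},
                {"file": "/srv/nc/apps/oauth2/lib/Settings/Admin.php", "line": 54, "function": "decrypt"},
                {"file": "/srv/nc/apps/settings/lib/Controller/CommonSettingsTrait.php", "line": 140, "function": "getForm"},
            ],
        },
    },
})

APP_FRAME = re.compile(r"/apps/([^/]+)/")

def root_cause(log_line):
    """Return (exception class, message, calling app, file:line) for one log line."""
    entry = json.loads(log_line)
    exc = entry.get("exception") or {}
    # The outer exception is only the dispatcher's wrapper; follow "Previous"
    # down to the exception that was thrown first.
    while isinstance(exc.get("Previous"), dict):
        exc = exc["Previous"]
    # The first frame under apps/<name>/ is the app code that made the failing call.
    for frame in exc.get("Trace", []):
        m = APP_FRAME.search(frame.get("file", ""))
        if m:
            return exc.get("Exception"), exc.get("Message"), m.group(1), f'{frame["file"]}:{frame["line"]}'
    return exc.get("Exception"), exc.get("Message"), None, None

if __name__ == "__main__":
    print(root_cause(SAMPLE_LINE))
```

Run against the real log, the app name it returns (here `oauth2`) tells you which app's stored data to compare between the working and the failing instance.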