Windows app failing to login, complains of server running in maintenance mode which it isnt

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can.

The Basics

• Nextcloud Server version (e.g., 29.x.x):
  • Latest
• Operating system and version (e.g., Ubuntu 24.04):
  • Debian 13
• Web server and version (e.g, Apache 2.4.25):
  • Using snap so Apache
• Reverse proxy and version _(e.g. nginx 1.27.2)
  • HAProxy
• PHP version (e.g, 8.3):
  • Whatever the snap is using
• Is this the first time you’ve seen this error? (Yes / No):
  • Yes
• When did this problem seem to first start?
  • Upon trying to use the windows app today.
• Installation method (e.g. AlO, NCP, Bare Metal/Archive, etc.)
  • Snap
• Are you using CloudfIare, mod_security, or similar? (Yes / No)
  • No

Summary of the issue you are facing:

No matter what I try, I can not log in to the Windows app. I proceed with the oauth flow, but get stuck in an infinite loop of “Waiting for authorization” and “The server is unavailable because it is in maintenance mode. Please try again once maintenance has finished.” on the Windows side after what the webui reports as a “success”. Nextcloud is functioning as expected on Android, Antennapod, Davx5, and… strangely, Mountain Duck. So i’m trying to get out of shelling $50 bucks for a mountain duck license to use nextcloud properly on windows lol!

Steps to replicate it (hint: details matter!):

1. Open Nextcloud on Windows

2. Enter my server address (https://nextcloud.myrealdomain.org)

3. Click next and log in at the browser

4. App is stuck on errors described above

Log entries

Nextcloud

Please provide the log entries from your Nextcloud log that are generated during the time of problem (via the Copy raw option from Administration settings->Logging screen or from your nextcloud.log located in your data directory). Feel free to use a pastebin/gist service if necessary.

https://paste.opensuse.org/pastes/80712bf8c4b1

please ignore any errors about a 192.168.1.235 address. It’s leftover from when I used to have a local rss feed that I no longer run.

Web server / Reverse Proxy

The output of your Apache/nginx/system log in /var/log/____:

no idea how to get my haproxy logs

Configuration

Nextcloud

The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):

{
    "system": {
        "apps_paths": [
            {
                "path": "\/snap\/nextcloud\/current\/htdocs\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/snap\/nextcloud\/current\/nextcloud\/extra-apps",
                "url": "\/extra-apps",
                "writable": true
            }
        ],
        "supportedDatabases": [
            "mysql"
        ],
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.local": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0
        },
        "log_type": "file",
        "logfile": "\/var\/snap\/nextcloud\/current\/logs\/nextcloud.log",
        "logfilemode": 416,
        "maintenance_window_start": 1,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "nextcloud.ciderbh.org",
            "localhost"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "32.0.6.1",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "maintenance": false,
        "overwriteprotocol": "https",
        "overwritehost": "***REMOVED SENSITIVE VALUE***",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***"
    }
}

Apps

The output of occ app:list (if possible).

Enabled:
  - activity: 5.0.0
  - app_api: 32.0.0
  - bruteforcesettings: 5.0.0
  - calendar: 6.2.2
  - circles: 32.0.0
  - cloud_federation_api: 1.16.0
  - comments: 1.22.0
  - contacts: 8.3.7
  - contactsinteraction: 1.13.1
  - dashboard: 7.12.0
  - dav: 1.34.2
  - federatedfilesharing: 1.22.0
  - federation: 1.22.0
  - files: 2.4.0
  - files_downloadlimit: 5.0.0-dev.0
  - files_pdfviewer: 5.0.0
  - files_reminders: 1.5.0
  - files_sharing: 1.24.1
  - files_trashbin: 1.22.0
  - files_versions: 1.25.0
  - firstrunwizard: 5.0.0
  - gpoddersync: 3.16.0
  - logreader: 5.0.0
  - lookup_server_connector: 1.20.0
  - nextcloud_announcements: 4.0.0
  - notifications: 5.0.0
  - oauth2: 1.20.0
  - password_policy: 4.0.0
  - photos: 5.0.0
  - privacy: 4.0.0
  - profile: 1.1.0
  - provisioning_api: 1.22.0
  - recommendations: 5.0.0
  - related_resources: 3.0.0
  - repod: 4.0.0
  - richdocumentscode: 25.4.904
  - serverinfo: 4.0.0
  - settings: 1.15.1
  - sharebymail: 1.22.0
  - support: 4.0.0
  - survey_client: 4.0.0
  - systemtags: 1.22.0
  - text: 6.0.1
  - theming: 2.7.0
  - twofactor_backupcodes: 1.21.0
  - user_status: 1.12.0
  - viewer: 5.0.0
  - weather_status: 1.12.0
  - webhook_listeners: 1.3.0
  - workflowengine: 2.14.0
Disabled:
  - admin_audit: 1.22.0
  - dicomviewer: 2.3.2 (installed 2.3.2)
  - encryption: 2.20.0
  - epubviewer: 1.9.2 (installed 1.9.2)
  - files_external: 1.24.1
  - suspicious_login: 10.0.0
  - twofactor_nextcloud_notification: 6.0.0
  - twofactor_totp: 14.0.0
  - user_ldap: 1.23.0

Tips for increasing the likelihood of a response

• Use the preformatted text formatting option in the editor for all log entries and configuration output.
• If screenshots are useful, feel free to include them.
  • If possible, also include key error output in text form so it can be searched for.
• Try to edit log output only minimally (if at all) so that it can be ran through analyzers / formatters by those trying to help you.

nextcloud_W0phivx38s1048×1208 21.8 KB

Z4xfLw2IZZ2560×1368 159 KB

Hi @highergoblinfiend,

Even though this doesn’t help solve your login problem in the Nextcloud Desktop Client,

You ain’t need any cyber- or mountain duck!

You could give this a try:

I hope you like it.

ernolf

I appreciate the suggestion. I don’t think that supports offline files though, which is a key requirement I’m looking at for nextcloud and/or mountain duck

The “maintenance mode” message from the Windows app is actually misleading, it’s what the client shows when the OAuth token exchange fails, not a real maintenance state. The root cause with HAProxy is almost always missing proxy headers in Nextcloud’s config.

Since you’re using HAProxy for SSL termination, Nextcloud is likely generating OAuth redirect URLs with http:// internally because it doesn’t know it’s behind HTTPS, and the callback fails. Fix via occ (snap):

sudo nextcloud.occ config:system:set trusted_proxies 0 --value="YOUR_HAPROXY_IP"
sudo nextcloud.occ config:system:set overwriteprotocol --value="https"
sudo nextcloud.occ config:system:set overwritehost --value="your.domain.tld"

And in your HAProxy backend stanza, make sure these are set:

http-request set-header X-Forwarded-Proto https
http-request set-header X-Forwarded-For %[src]
option forwardfor

Without trusted_proxies, Nextcloud ignores X-Forwarded-* headers entirely for security reasons, so OAuth generates http:// callback URLs the Windows app can’t complete. The overwriteprotocol forces it to use https regardless of what headers arrive.

After applying, log out of the desktop app completely and re-add the account from scratch. If it still fails, check your Nextcloud log right after the attempt, you’ll likely see a redirect_uri mismatch or token endpoint error.

Thanks for the tips and explanation of the error message! I tried the haproxy changes and those didn’t seem to change anything. I already had the trusted proxy and overwrite protocols down as well. But the thing that did it was changing my overwritehost value. Earlier I had it set to my.domain.tld:443 INCLUDING the port. I think I got this from the port configuration page of the nextcloud snap wiki, which has a line about including the port if necessary, with their example as :81, which I thought to adapt to 443 (Port configuration · nextcloud-snap/nextcloud-snap Wiki · GitHub). Culling it to just my.domain.tld with no port got the windows client responding. The other 4 clients I’d been using evidently don’t care about having the port listed for the overwritehost but for some reason the windows app does not appear to handle it.

Summarizing the sources of confusion that got me here for posterity:

1. Nextcloud windows says there’s a maintenance related error despite the root cause being oauth related
2. Oauth webui reports a success in this case, but the failure occurs afterwards on the client
3. Including the port in my overwritehost, as suggested by the nextcloud snap wiki broke the windows client login.

Including the port is valid, but I think the mixup problem came up because 443 isn’t guaranteed to be normalized to nil. So if you had your URL configured on the desktop client itself without the explicit :443 appended, it could be treated as a different URL (particularly in the authentication code paths which tend to be more paranoid about URLs appearing different between transactions).

Typically the port is only explicitly included when using a non-standard port. In that case the client config would almost certainly have the exact port also embedded in its configuration.

That said, does sound like there is perhaps a difference in behavior in the desktop client versus the others maybe in this area that deserves a look.

For what it’s worth, after getting the new overwritehost (no port) to work, I decided to try explicitly typing the url with :443 in the windows app, however this resulted in some other error. In fact, iirc having :443 even on the working overwritehost had issues. Definitely an area that deserves a look as you said. Also curious whether this happens on other distributions of the server besides the setup I did (snap on Debian, which admittedly is an unsupported combination)