YunoHost-Apps / nextcloud_ynh

Nextcloud package for YunoHost
https://nextcloud.com/
GNU Affero General Public License v3.0

Unable to connect using desktop client (SSO redirect to login page) #600

Open abon999 opened 1 year ago

abon999 commented 1 year ago

The bug

Using a fresh and clean install of both updated Yunohost and Nextcloud, I'm able to connect to NC using web interface, mobile app with QR code, but not using my handwritten subdomain.

Context

Steps to reproduce

Expected behavior


Logs

Desktop Client log

2023-08-23 23:32:31:367 [ info nextcloud.gui.wizard /usr/src/debug/nextcloud-client/nextcloud-client/src/gui/owncloudsetupwizard.cpp:203 ]: No system proxy set by OS
2023-08-23 23:32:31:368 [ info nextcloud.sync.accessmanager /usr/src/debug/nextcloud-client/nextcloud-client/src/libsync/accessmanager.cpp:78 ]:    2 "" "https://MY_NEXTCLOUD_SUBDOMAIN/status.php" has X-Request-ID "da62c6eb-1b0a-41bf-baf5-c4c9e2e144e2"
2023-08-23 23:32:31:368 [ info nextcloud.sync.networkjob /usr/src/debug/nextcloud-client/nextcloud-client/src/libsync/abstractnetworkjob.cpp:363 ]: OCC::CheckServerJob created for "https://MY_NEXTCLOUD_SUBDOMAIN" + "status.php" "OCC::OwncloudSetupWizard"
2023-08-23 23:32:31:510 [ info nextcloud.sync.networkjob /usr/src/debug/nextcloud-client/nextcloud-client/src/libsync/abstractnetworkjob.cpp:269 ]: Redirecting "GET" QUrl("https://MY_NEXTCLOUD_SUBDOMAIN/status.php") QUrl("https://MY_DOMAIN/yunohost/sso/?r=aHR0cHM6Ly9uYy5tc3NlcnZlci5mci9zdGF0dXMucGhw")
2023-08-23 23:32:31:510 [ info nextcloud.sync.accessmanager /usr/src/debug/nextcloud-client/nextcloud-client/src/libsync/accessmanager.cpp:78 ]:    2 "" "https://MY_DOMAIN/yunohost/sso/?r=aHR0cHM6Ly9uYy5tc3NlcnZlci5mci9zdGF0dXMucGhw" has X-Request-ID "baff2ec1-23b4-421a-a2c1-5343b8385c54"
2023-08-23 23:32:31:654 [ warning nextcloud.sync.networkjob.checkserver /usr/src/debug/nextcloud-client/nextcloud-client/src/libsync/networkjobs.cpp:542 ]: status.php from server is not valid JSON! "<!DOCTYPE html>\n<html>\n<head>\n  <meta charset=\"utf-8\">\n  <title>Portail YunoHost</title>\n\n  <!-- Responsive -->\n  <meta name=\"format-detection\" content=\"telephone=no\" />\n  <meta name=\"viewport\" content=\"width=device-width, height=device-height, initial-scale=1\" />\n\n  <!-- Do not index SSOWat pages -->\n  <meta name=\"robots\" content=\"noindex, nofollow\">\n\n  <!-- Stylesheets -->\n  <link rel=\"stylesheet\" href=\"assets/css/ynh_portal.css\">\n  <link rel=\"stylesheet\" href=\"assets/themes/default/custom_portal.css\">\n\n  <!-- Icons -->\n  <link rel=\"shortcut icon\" href=\"assets/icons/favicon.ico\">\n  <link rel=\"apple-touch-icon\" sizes=\"57x57\" href=\"assets/icons/apple-touch-icon-57x57.png\">\n  <link rel=\"apple-touch-icon\" sizes=\"114x114\" href=\"assets/icons/apple-touch-icon-114x114.png\">\n  <link rel=\"apple-touch-icon\" sizes=\"72x72\" href=\"assets/icons/apple-touch-icon-72x72.png\">\n  <link rel=\"apple-touch-icon\" sizes=\"144x144\" href=\"assets/icons/apple-touch-icon-144x144.png\">\n  <link rel=\"apple-touch-icon\" sizes=\"60x60\" href=\"assets/icons/apple-touch-icon-60x60.png\">\n  <link rel=\"apple-touch-icon\" sizes=\"120x120\" href=\"assets/icons/apple-touch-icon-120x120.png\">\n  <link rel=\"apple-touch-icon\" sizes=\"76x76\" href=\"assets/icons/apple-touch-icon-76x76.png\">\n  <link rel=\"apple-touch-icon\" sizes=\"152x152\" href=\"assets/icons/apple-touch-icon-152x152.png\">\n  <link rel=\"icon\" type=\"image/png\" href=\"assets/icons/favicon-196x196.png\" sizes=\"196x196\">\n  <link rel=\"icon\" type=\"image/png\" href=\"assets/icons/favicon-160x160.png\" sizes=\"160x160\">\n  <link rel=\"icon\" type=\"image/png\" href=\"assets/icons/favicon-96x96.png\" sizes=\"96x96\">\n  <link rel=\"icon\" type=\"image/png\" 
href=\"assets/icons/favicon-16x16.png\" sizes=\"16x16\">\n  <link rel=\"icon\" type=\"image/png\" href=\"assets/icons/favicon-32x32.png\" sizes=\"32x32\">\n  <meta name=\"msapplication-TileColor\" content=\"#41444f\">\n  <meta name=\"msapplication-TileImage\" content=\"/mstile-144x144.png\">\n</head>\n<body class=\"ynh-user-portal \">\n\n  <div id=\"ynh-logo\" class=\"ynh-logo\">\n    <span class=\"element-invisible\">Yunohost</span>\n  </div>\n\n  <div class=\"content\">\n\n\n    <div class=\"wrapper messages info\">Veuillez vous identifier pour acc\xC3\xA9""der \xC3\xA0 cette page</div>\n<div class=\"ynh-wrapper login\">\n<form class=\"login-form\" name=\"input\" action=\"\" method=\"post\">\n  <div class=\"form-group\">\n    <label class=\"icon icon-user\" for=\"user\"><span class=\"element-invisible\">Nom d\xE2\x80\x99utilisateur</span></label>\n    <input id=\"user\" type=\"text\" name=\"user\" placeholder=\"Nom d\xE2\x80\x99utilisateur\" class=\"form-text\" autocomplete=\"username\" autofocus required>\n  </div>\n  <div class=\"form-group\">\n    <label class=\"icon icon-lock\" for=\"password\"><span class=\"element-invisible\">Mot de passe</span></label>\n    <input id=\"password\" type=\"password\" name=\"password\" placeholder=\"Mot de passe\" class=\"form-text\" autocomplete=\"current-password\" required>\n  </div>\n  <input type=\"submit\" value=\"Connexion\" class=\"btn classic-btn large-btn\">\n</form>\n</div>\n\n  </div>\n\n  <!-- Scripts -->\n  <script src=\"assets/js/ynh_portal.js\"></script>\n  <script src=\"assets/themes/default/custom_portal.js\"></script>\n</body>\n</html>\n\n" QUrl("https://MY_DOMAIN/yunohost/sso/?r=aHR0cHM6Ly9uYy5tc3NlcnZlci5mci9zdGF0dXMucGhw") "la valeur n'est pas autorisée"
2023-08-23 23:32:31:654 [ info nextcloud.sync.networkjob.checkserver /usr/src/debug/nextcloud-client/nextcloud-client/src/libsync/networkjobs.cpp:545 ]:    status.php returns:  QJsonDocument()   QNetworkReply::NoError  Reply:  QNetworkReplyHttpImpl(0x55be263ebfd0)
2023-08-23 23:32:31:654 [ warning nextcloud.sync.networkjob.checkserver /usr/src/debug/nextcloud-client/nextcloud-client/src/libsync/networkjobs.cpp:549 ]: No proper answer on  QUrl("https://MY_DOMAIN/yunohost/sso/?r=aHR0cHM6Ly9uYy5tc3NlcnZlci5mci9zdGF0dXMucGhw")
2023-08-23 23:32:31:654 [ info nextcloud.sync.accessmanager /usr/src/debug/nextcloud-client/nextcloud-client/src/libsync/accessmanager.cpp:78 ]:    2 "" "https://MY_NEXTCLOUD_SUBDOMAIN" has X-Request-ID "5ed8c510-eb47-4fe0-9c4a-750b2a812fe8"
2023-08-23 23:32:31:654 [ info nextcloud.sync.networkjob /usr/src/debug/nextcloud-client/nextcloud-client/src/libsync/abstractnetworkjob.cpp:363 ]: OCC::SimpleNetworkJob created for "https://MY_NEXTCLOUD_SUBDOMAIN" + "" ""
2023-08-23 23:32:31:695 [ info nextcloud.sync.networkjob /usr/src/debug/nextcloud-client/nextcloud-client/src/libsync/abstractnetworkjob.cpp:269 ]: Redirecting "GET" QUrl("https://MY_NEXTCLOUD_SUBDOMAIN") QUrl("https://MY_DOMAIN/yunohost/sso/?r=aHR0cHM6Ly9uYy5tc3NlcnZlci5mci8=")
2023-08-23 23:32:31:695 [ info nextcloud.sync.accessmanager /usr/src/debug/nextcloud-client/nextcloud-client/src/libsync/accessmanager.cpp:78 ]:    2 "" "https://MY_DOMAIN/yunohost/sso/?r=aHR0cHM6Ly9uYy5tc3NlcnZlci5mci8=" has X-Request-ID "251e4136-203f-46b3-86d7-b9641730012b"
2023-08-23 23:32:31:736 [ info nextcloud.sync.accessmanager /usr/src/debug/nextcloud-client/nextcloud-client/src/libsync/accessmanager.cpp:78 ]:    2 "" "https://MY_NEXTCLOUD_SUBDOMAIN/status.php" has X-Request-ID "2b58a994-5231-4967-b265-9975a8f0a936"

Nginx access logs

192.168.1.97 - - [25/Aug/2023:11:53:44 +0200] "GET /yunohost/sso/?r=aHR0cHM6Ly9uYy5tc3NlcnZlci5mci9zdGF0dXMucGhw HTTP/1.1" 200 3134 "-" "Mozilla/5.0 (Linux) mirall/3.7.3git (Nextcloud, ubuntu-6.4.2-060402-generic ClientArchitecture: x86_64 OsArchitecture: x86_64)"
192.168.1.97 - - [25/Aug/2023:11:53:44 +0200] "GET /yunohost/sso/?r=aHR0cHM6Ly9uYy5tc3NlcnZlci5mci8= HTTP/1.1" 200 3134 "-" "Mozilla/5.0 (Linux) mirall/3.7.3git (Nextcloud, ubuntu-6.4.2-060402-generic ClientArchitecture: x86_64 OsArchitecture: x86_64)"
192.168.1.97 - - [25/Aug/2023:11:53:44 +0200] "GET /yunohost/sso/?r=aHR0cHM6Ly9uYy5tc3NlcnZlci5mci9zdGF0dXMucGhw HTTP/1.1" 200 3134 "-" "Mozilla/5.0 (Linux) mirall/3.7.3git (Nextcloud, ubuntu-6.4.2-060402-generic ClientArchitecture: x86_64 OsArchitecture: x86_64)"

Trying to make it work

Web interface config

The users permission manager contains good rights for visitors: nextcloud and nextcloud_api.

SSO config file

After looking for some identical bugs, I can confirm that the /etc/ssowat/conf.json file contains the good options in the good sections (both nextcloud and nextcloud_api):

"use_remote_user_var_in_nginx_conf": false
abon999 commented 1 year ago

I also have to say that the DNS records (domain and NC subdomain) are managed with some CNAMEs and do not possess any A record.

orhtej2 commented 1 year ago

I was able to install NextCloud on root of subdomain and it worked no problem. My VPS has direct Internet connection, do you route through Cloudflare tunnels to some machine otherwise unreachable from the outside?

This nc.domain.tld (BTW consider editing the image attached, domain shows in the error message as well), how was it configured? Is this where NextCloud resides? On the web, do you connect to the same URL?
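
Added example, not part of the issue thread or the package's code: the `r=` value in the SSO redirects logged above is the base64 of the originally requested URL, so replacing hostnames by hand still leaves a decodable copy in the log. This sketch lists the hostnames such values carry and redacts them before a log is shared; the sample line and `nc.example.org` are constructed.

```python
import base64
import re
from urllib.parse import urlsplit

# Redirect shape seen in the logs above: /yunohost/sso/?r=<base64 of original URL>
SSO_REDIRECT = re.compile(r"(/yunohost/sso/\?r=)([A-Za-z0-9+/_-]+={0,2})")

def decode_r(value):
    """Return the URL carried in an r= value, or None if it is not base64 of a URL."""
    padded = value.replace("-", "+").replace("_", "/")  # accept URL-safe alphabet too
    padded += "=" * (-len(padded) % 4)                  # restore stripped padding
    try:
        # binascii.Error and UnicodeDecodeError are both ValueError subclasses
        url = base64.b64decode(padded, validate=True).decode("utf-8")
        ok = urlsplit(url).scheme in ("http", "https")
    except ValueError:
        return None
    return url if ok else None

def hidden_hosts(line):
    """Hostnames still recoverable from r= parameters in a log line."""
    urls = (decode_r(m.group(2)) for m in SSO_REDIRECT.finditer(line))
    return {urlsplit(u).hostname for u in urls if u}

def redact(line, placeholder="REDACTED_URL"):
    """Replace every decodable r= value; leave anything else untouched."""
    def swap(m):
        return m.group(1) + placeholder if decode_r(m.group(2)) else m.group(0)
    return SSO_REDIRECT.sub(swap, line)

# Constructed sample: hostnames replaced by hand, encoded copy left behind.
ORIGINAL = "https://nc.example.org/status.php"
R = base64.b64encode(ORIGINAL.encode()).decode()
SAMPLE = (
    'Redirecting "GET" QUrl("https://MY_NEXTCLOUD_SUBDOMAIN/status.php") '
    f'QUrl("https://MY_DOMAIN/yunohost/sso/?r={R}")'
)

if __name__ == "__main__":
    print("still disclosed:", hidden_hosts(SAMPLE))
    print(redact(SAMPLE))
```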

orhtej2 commented 1 year ago

Interestingly, when I installed NextCloud on domain.tld/nextcloud then set it as default app on subdomain.domain.tld all hell broke loose.
