danb35 / freenas-iocage-nextcloud

Script to create an iocage jail on FreeNAS for the latest Nextcloud 28 release, including Caddy, MariaDB or PostgreSQL, and Let's Encrypt
GNU General Public License v3.0

Invalid private key for encryption app #122

Closed tounessa closed 4 years ago

tounessa commented 4 years ago

After a new installation of Nextcloud 19 with your script (which creates the iocage jail on FreeNAS-11.3-U3.2), I got the following error message for user admin:

"Invalid private key for encryption app. Please update your private key password in your personal settings to recover access to your encrypted files."

My nextcloud config installation file:

JAIL_IP="192.168.10.11"
DEFAULT_GW_IP="192.168.10.254"
POOL_PATH="/mnt/infpool"
TIME_ZONE="Europe/Lisbon"
HOST_NAME="XXXXXXXX"
SELFSIGNED_CERT=1
CERT_EMAIL="XXXXXXXX"

How can I fix this? Thank you for your help.


DD8372812 commented 4 years ago

Same here. Installed it on 5 July.

argonimos commented 4 years ago

Same with me, installed on 10th of July.

danb35 commented 4 years ago

Exactly what steps are you taking to result in this error? Because with a fresh installation using the most current version of the script, I log in as admin and don't see any errors at all.

Dellyjoe commented 4 years ago

Yes, this is still true. I just did a clean install on 07/11.

I was doing some reading and they say to disable the “Default encryption module” & “End-to-End Encryption” apps to get rid of the error. Link below: https://github.com/nextcloud/server/issues/8546#issuecomment-371725802

Has anyone tried this?

Ornias1993 commented 4 years ago

@danb35 This is not related to the script, as the script doesn't touch anything related and is, for all intents and purposes, a default install.

That being said: Enabling server-side file encryption on freenas is kinda stupid imho... ZFS includes much more solid ways of doing this.

Hence I think this can be closed as: Not related

danb35 commented 4 years ago

This is not related to the script

I agree this is likely the case, but I'd still like to hear what steps are necessary to duplicate the issue, in order to confirm that it isn't anything the script is doing. It does enable encryption, in order to initialize the keys, but it then immediately disables it.

tounessa commented 4 years ago

I agree this is likely the case, but I'd still like to hear what steps are necessary to duplicate the issue, in order to confirm that it isn't anything the script is doing. It does enable encryption, in order to initialize the keys, but it then immediately disables it.

1- a fresh install of FreeNAS 11.3-U3.2
2- execute the script with this config file:

JAIL_IP="192.168.10.11/24"
JAIL_NAME="Nextcloud"
DEFAULT_GW_IP="192.168.10.254"
POOL_PATH="/mnt/infpool"
TIME_ZONE="Europe/Lisbon"
HOST_NAME="aaaaa.bbbbbb.com"
SELFSIGNED_CERT=1
STANDALONE_CERT=1
CERT_EMAIL="ccccccc@bbbbbb.com"

Ornias1993 commented 4 years ago

SELFSIGNED_CERT=1 STANDALONE_CERT=1

Setting both selfsigned AND standalone seems wrong to me anyway:

DNS_CERT, STANDALONE_CERT, SELFSIGNED_CERT, and NO_CERT determine which method will be used to generate a TLS certificate (or, in the case of NO_CERT, indicate that you don't want to use SSL at all). DNS_CERT and STANDALONE_CERT indicate use of DNS or HTTP validation for Let's Encrypt, respectively. One and only one of these must be set to 1.

danb35 commented 4 years ago

Setting both selfsigned AND standalone seems wrong to me anyway:

It is definitely wrong, though apparently the script's error checking doesn't catch it. But I wouldn't expect it would have anything to do with this error.

2- execute script with this config file:

And then what? You see the error as soon as you log in as admin? Or do you do anything else after logging in?
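Added example, not part of danb35's script or of this thread: a small POSIX sh pre-flight check for the nextcloud-config file that enforces the rule quoted above (exactly one of DNS_CERT, STANDALONE_CERT, SELFSIGNED_CERT, NO_CERT set to 1), which danb35 notes the script's own error checking did not catch, and that the variables used by the configs in this thread are present. The sample config files are constructed here, mirroring the one posted in this issue with placeholder host name and e-mail; the function names are the example's own.

```shell
#!/bin/sh
# Added pre-flight check for a freenas-iocage-nextcloud config file.
# This is example code, not part of danb35's script.

# count_cert_methods FILE: print how many of the four certificate
# selector variables are set to 1. The file is read as data with grep
# rather than sourced, so a stray command in a config file cannot run.
count_cert_methods() {
    grep -E '^[[:space:]]*(DNS_CERT|STANDALONE_CERT|SELFSIGNED_CERT|NO_CERT)[[:space:]]*=[[:space:]]*"?1"?[[:space:]]*$' "$1" \
        | wc -l | tr -d ' '
}

# check_config FILE: exit status 0 if the config is acceptable, 1 otherwise.
check_config() {
    file="$1"
    n=$(count_cert_methods "$file")
    if [ "$n" -ne 1 ]; then
        echo "ERROR: exactly one of DNS_CERT, STANDALONE_CERT, SELFSIGNED_CERT, NO_CERT must be set to 1 (found $n)" >&2
        return 1
    fi
    # Variables every config in this thread sets; treat a missing one as fatal.
    for var in JAIL_IP DEFAULT_GW_IP POOL_PATH TIME_ZONE HOST_NAME; do
        if ! grep -Eq "^[[:space:]]*${var}=" "$file"; then
            echo "ERROR: $var is not set in $file" >&2
            return 1
        fi
    done
    return 0
}

# Constructed sample configs (placeholder host name and e-mail).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

# Same combination as the config posted above: two methods selected.
cat > "$tmpdir/both.cfg" <<'EOF'
JAIL_IP="192.168.10.11/24"
JAIL_NAME="Nextcloud"
DEFAULT_GW_IP="192.168.10.254"
POOL_PATH="/mnt/infpool"
TIME_ZONE="Europe/Lisbon"
HOST_NAME="nextcloud.example.com"
SELFSIGNED_CERT=1
STANDALONE_CERT=1
CERT_EMAIL="admin@example.com"
EOF

# Corrected: only SELFSIGNED_CERT is selected.
cat > "$tmpdir/fixed.cfg" <<'EOF'
JAIL_IP="192.168.10.11/24"
JAIL_NAME="Nextcloud"
DEFAULT_GW_IP="192.168.10.254"
POOL_PATH="/mnt/infpool"
TIME_ZONE="Europe/Lisbon"
HOST_NAME="nextcloud.example.com"
SELFSIGNED_CERT=1
EOF

# No method selected at all.
cat > "$tmpdir/none.cfg" <<'EOF'
JAIL_IP="192.168.10.11/24"
DEFAULT_GW_IP="192.168.10.254"
POOL_PATH="/mnt/infpool"
TIME_ZONE="Europe/Lisbon"
HOST_NAME="nextcloud.example.com"
EOF

for cfg in both fixed none; do
    if check_config "$tmpdir/$cfg.cfg"; then
        echo "$cfg.cfg: OK"
    else
        echo "$cfg.cfg: rejected"
    fi
done
```

Run it before the installer on the real nextcloud-config file (`check_config nextcloud-config`) and only proceed on a zero exit status; reading the file with grep instead of sourcing it keeps a malformed or tampered config from executing anything on the host.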

tounessa commented 4 years ago

And then what? You see the error as soon as you log in as admin? Or do you do anything else after logging in?

You will see the error at the top of the admin page, and for other users after the login page.

Ornias1993 commented 4 years ago

What's the content of your config.php file after install? And what database are you using?

@danb35 It can't be the part where the nextcloud configs are set (after database is setup), because I use the same config-setting code for Jailman and couldn't reproduce...

tounessa commented 4 years ago

What's the content of your config.php file after install?

The only change to the default configuration was to edit config.php to add the service port (4432) to:

'trusted_domains' array
'overwrite.cli.url'
'overwritehost'

MY config.php:

<?php
$CONFIG = array (
  'passwordsalt' => 'XXXXXXXXXXXXXXXXXXXXX',
  'secret' => 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
  'trusted_domains' => array (
    0 => 'localhost',
    1 => 'XXXXXXXXXXXXX:4432',
    2 => '192.168.10.11',
  ),
  'datadirectory' => '/mnt/files',
  'dbtype' => 'mysql',
  'version' => '19.0.0.12',
  'overwrite.cli.url' => 'https://XXXXXXXXXXXXXXX:4432/',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:/tmp/mysql.sock',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'XXXXXXXXXXXXXXXXXXXXXXXX',
  'installed' => true,
  'instanceid' => 'oc90ocqetgu4',
  'logtimezone' => 'Europe/Lisbon',
  'log_type' => 'file',
  'logfile' => '/var/log/nextcloud.log',
  'loglevel' => '2',
  'logrotate_size' => '104847600',
  'memcache.local' => '\OC\Memcache\APCu',
  'redis' => array (
    'host' => '/var/run/redis/redis.sock',
    'port' => 0,
  ),
  'memcache.locking' => '\OC\Memcache\Redis',
  'overwritehost' => 'xxxxxxxxxxxxxxxxxxx:4432',
  'overwriteprotocol' => 'https',
  'htaccess.RewriteBase' => '/',
  'app_install_overwrite' => array (
    0 => 'files_clipboard',
  ),
  'mail_from_address' => 'cloud',
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => 'XXXXXXXXXX.XXX',
  'mail_smtphost' => '192.168.10.1',
  'mail_smtpport' => '25',
);

And what database are you using?

Mysql v. 10.3.23

Ornias1993 commented 4 years ago

@tounessa Thanks, I see nothing wrong there... Would you mind sharing a redacted copy of your install console output?

tounessa commented 4 years ago

My nextcloud.log:

nextcloud.log

Ornias1993 commented 4 years ago

Uhmm, I meant the console output when installing using this script... but the nextcloud.log is also useful, thanks! :)

danb35 commented 4 years ago

You will see the error at the top of the admin page, and for other users after the login page

In several installations, I hadn't seen that. Now, in a test installation under 11.3-U3.2, I do. Commenting out the lines that enable the encryption app, and then enable and immediately disable encryption (lines 436-438 of the script) does seem to resolve the issue on that release.

Strangely, even without those lines commented out, an installation on TrueNAS 12.0-BETA works just fine.

1 => 'XXXXXXXXXXXXX:4432',

This is wrong; a port number isn't part of a domain.

Ornias1993 commented 4 years ago

I see a LOT of the following, are you sure redis is working correctly? Exception":"RedisException","Message":"Permission denied"

@danb35 That might explain some of the permission denied errors. I tested that part of the code on FreeNAS-11.3-U2.1 without issue....

tounessa commented 4 years ago

Well, it was from a fresh installation, with default settings, Freenas and your Nextcloud script

tounessa commented 4 years ago

1 => 'XXXXXXXXXXXXX:4432',

This is wrong; a port number isn't part of a domain.

Of course ..... find and replace :-(

Ornias1993 commented 4 years ago

Well, it was from a fresh installation, with default settings, Freenas and your Nextcloud script

Are you sure, because I can't figure out where in the script this should be coming from....

danb35 commented 4 years ago

I can't figure out where in the script this should be coming from.

What's curious to me is that it behaves differently under 11.3 than it does under 12.0-BETA. Under the latter, the script works fine as is. Under the former, this error appears. And under 11.3, it's directly tied to enabling the encryption app.

tounessa commented 4 years ago

I can't figure out where in the script this should be coming from.

What's curious to me is that it behaves differently under 11.3 than it does under 12.0-BETA. Under the latter, the script works fine as is. Under the former, this error appears. And under 11.3, it's directly tied to enabling the encryption app.

It will probably be related to the latest update nextcloud 19 (07-14-2020). Remember that with this update, your script generates the error: "502 incorrect gateway" in php73 (issue # 123). Fixed with update to php74.

Ornias1993 commented 4 years ago

@tounessa No, that 502 had another reason... Nextcloud just wasn't installed correctly at all, that's what the 502 was showing you... The actual warning in the console was showing a bug in a PHP73 module.

kruppjunker commented 4 years ago

Got the same problem. :/

Ornias1993 commented 4 years ago

Still waiting for ANYONE to submit their console output...

danb35 commented 4 years ago

Got the same problem. :/

Try doing what I suggested above:

Commenting out the lines that enable the encryption app, and then enable and immediately disable encryption (lines 436-438 of the script)

danb35 commented 4 years ago

Still waiting for ANYONE to submit their console output...

The console output is unremarkable, specifically surrounding the three lines of the script that seem (for reasons yet unknown) to be causing this on 11.3 (but not on 12.0-BETA).

Ornias1993 commented 4 years ago

The console output is unremarkable, specifically surrounding the three lines of the script that seem (for reasons yet unknown) to be causing this on 11.3 (but not on 12.0-BETA).

Okay, thanks for looking into it. I'll leave you all to your own devices (pun not intended)...

kruppjunker commented 4 years ago

Here is a workaround:
1) Disable the app "Default encryption module"
2) Install the OCC Web app (you will get a new symbol in the top bar)
3) Type: encryption:disable (you will get the message that it is already disabled)
4) Go to Apps and enable the "Default encryption module"
5) Re-enter the OCC Web app and type "encryption:enable"

That's it. You can test it with encryption:status. After this workaround, the message disappears and the user encryption module is activated.

I got this workaround from a German user (https://help.nextcloud.com/t/falscher-privater-schluessel-fuer-die-verschluesselungs-app-bitte-aktualisieren-sie-ihren-privaten-schluessel-in-ihren-persoenlichen-einstellungen-um-wieder-zugriff-auf-die-verschluesselten-dateien-zu-erhalten/22659/10)
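The same five steps, as an added example (not kruppjunker's post and not part of danb35's script), run from the FreeNAS host shell with occ instead of the OCC Web app. It assumes a jail named nextcloud, Nextcloud installed at /usr/local/www/nextcloud inside the jail and the web server running as user www; all three are assumptions and can be overridden in the environment. With DRY_RUN=1 the commands are printed instead of executed so the sequence can be reviewed first; encryption_enabled checks captured "occ encryption:status" output, and the status text used in the comments is a constructed sample.

```shell
#!/bin/sh
# Added example: kruppjunker's workaround as occ commands from the FreeNAS
# host. Not part of danb35's script. JAIL, NC_DIR and NC_USER are
# assumptions about a typical install; override them in the environment.
JAIL="${JAIL:-nextcloud}"
NC_DIR="${NC_DIR:-/usr/local/www/nextcloud}"
NC_USER="${NC_USER:-www}"

# occ ARGS...: run an occ command inside the jail as the web server user.
# With DRY_RUN=1 the command is printed instead of executed, so the plan
# can be reviewed without touching a live instance.
occ() {
    cmd="iocage exec $JAIL su -m $NC_USER -c 'php $NC_DIR/occ $*'"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$cmd"
    else
        iocage exec "$JAIL" su -m "$NC_USER" -c "php $NC_DIR/occ $*"
    fi
}

# encryption_workaround: the five steps from the post, in order.
encryption_workaround() {
    occ app:disable encryption   # 1) disable the "Default encryption module" app
    occ encryption:disable       # 2)+3) reports "already disabled", which is expected
    occ app:enable encryption    # 4) enable the app again
    occ encryption:enable        # 5) turn server-side encryption back on
    occ encryption:status        # verify: expect a line "enabled: true"
}

# encryption_enabled STATUS_TEXT: exit status 0 if the captured output of
# "occ encryption:status" reports encryption as enabled, 1 otherwise.
# Constructed sample of that output:
#   - enabled: true
#   - defaultModule: OC_DEFAULT_MODULE
encryption_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]-]*enabled:[[:space:]]*true'
}

# Review the plan first; unset DRY_RUN (or set it to 0) to execute it.
DRY_RUN=1
encryption_workaround
```

Running the steps through occ rather than the OCC Web app means no extra app has to be installed on the instance for the fix, and the printed plan can be checked against the paths and jail name of the actual installation before anything is changed.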