nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

[Bug]: Opening external storage produces an error: 'HMAC does not match' #32258

Open leuedaniel opened 2 years ago

leuedaniel commented 2 years ago

Bug description

After updating to Nextcloud 24.0.0, an error message appears when opening External Storage Support.

Steps to reproduce

  1. Install External Storage Support
  2. Configure external storage
  3. Update to Nextcloud 24.0.0
  4. Switch to settings
  5. Switch to external storage support

Expected behavior

External storage parameters should appear

Installation method

Manual installation

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.0

Web server

Nginx

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Updated to a major version (ex. 22.2.3 to 23.0.1)

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

Configuration report

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "24.0.0.12",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "pipe",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "default_language": "de",
        "force_language": "de",
        "default_locale": "de-ch",
        "force_locale": "de-ch",
        "knowledgebaseenabled": false,
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "updater.release.channel": "beta",
        "filesystem_check_changes": 1,
        "skeletondirectory": "",
        "ldapUserCleanupInterval": 51,
        "mysql.utf8mb4": true,
        "memcache.local": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpsecure": "ssl",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "app_install_overwrite": [
            "user_sql",
            "external",
            "files_trackdownloads",
            "announcementcenter",
            "bruteforcesettings",
            "theming_customcss",
            "groupfolders",
            "onlyoffice",
            "passwords",
            "previewgenerator",
            "quota_warning",
            "spreed",
            "tasks",
            "impersonate",
            "drawio",
            "login_notes",
            "suspicious_login",
            "twofactor_admin",
            "twofactor_totp",
            "files_antivirus"
        ],
        "sharing.enable_share_accept": true,
        "sharing.force_share_accept": true,
        "trashbin_retention_obligation": "auto, 90",
        "activity_use_cached_mountpoints": true,
        "default_phone_region": "CH",
        "updater.secret": "***REMOVED SENSITIVE VALUE***"
    }
}

List of activated Apps

Enabled:
  - accessibility: 1.10.0
  - activity: 2.16.0
  - admin_audit: 1.14.0
  - analytics: 4.2.1
  - announcementcenter: 6.2.0
  - bruteforcesettings: 2.4.0
  - calendar: 3.2.2
  - circles: 24.0.0
  - cloud_federation_api: 1.7.0
  - comments: 1.14.0
  - contacts: 4.1.0
  - contactsinteraction: 1.5.0
  - dashboard: 7.4.0
  - dav: 1.22.0
  - event_update_notification: 1.5.0
  - external: 4.0.0
  - federatedfilesharing: 1.14.0
  - files: 1.19.0
  - files_antivirus: 3.2.2
  - files_external: 1.16.1
  - files_pdfviewer: 2.5.0
  - files_rightclick: 1.3.0
  - files_sharing: 1.16.2
  - files_trackdownloads: 1.11.0
  - files_trashbin: 1.14.0
  - files_versions: 1.17.0
  - files_videoplayer: 1.13.0
  - groupfolders: 12.0.0-beta1
  - impersonate: 1.11.0
  - login_notes: 1.0.4
  - logreader: 2.9.0
  - lookup_server_connector: 1.12.0
  - nextcloud_announcements: 1.13.0
  - notifications: 2.12.0
  - oauth2: 1.12.0
  - password_policy: 1.14.0
  - passwords: 2022.5.20-build4475
  - previewgenerator: 4.0.0
  - privacy: 1.8.0
  - provisioning_api: 1.14.0
  - quota_warning: 1.14.0
  - richdocuments: 6.0.0
  - serverinfo: 1.14.0
  - settings: 1.6.0
  - spreed: 14.0.0
  - suspicious_login: 4.2.0-alpha.1
  - tasks: 0.14.4
  - theming: 1.15.0
  - theming_customcss: 1.11.0
  - twofactor_admin: 3.2.0
  - twofactor_backupcodes: 1.13.0
  - twofactor_email: 2.3.0
  - twofactor_nextcloud_notification: 3.4.0
  - twofactor_totp: 6.3.0
  - updatenotification: 1.14.0
  - user_sql: 4.7.1
  - user_status: 1.4.0
  - viewer: 1.8.0
  - weather_status: 1.4.0
  - welcome: 1.0.1
  - workflowengine: 2.6.0
Disabled:
  - encryption
  - federation: 1.5.0
  - firstrunwizard: 2.9.0
  - guests: 2.2.0
  - photos: 1.0.0
  - recommendations: 0.4.0
  - sharebymail: 1.9.0
  - support: 1.3.0
  - survey_client: 1.3.0
  - systemtags: 1.5.0
  - text: 3.3.0
  - user_ldap: 1.10.2

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

{"reqId":"8wTOUkY9qwBpNY5CkOJ9","level":3,"time":"2022-05-03T18:38:21+00:00","remoteAddr":"178.38.106.123","user":"admin","app":"index","method":"GET","url":"/settings/admin/externalstorages","message":"HMAC does not match.","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36","version":"24.0.0.12","exception":{"Exception":"Exception","Message":"HMAC does not match.","Code":0,"Trace":[{"file":"/var/www/ehv_cloud_test/lib/private/Security/CredentialsManager.php","line":104,"function":"decrypt","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/ehv_cloud_test/apps/files_external/lib/Lib/Auth/Password/GlobalAuth.php","line":55,"function":"retrieve","class":"OC\\Security\\CredentialsManager","type":"->"},{"file":"/var/www/ehv_cloud_test/apps/files_external/lib/Settings/Admin.php","line":71,"function":"getAuth","class":"OCA\\Files_External\\Lib\\Auth\\Password\\GlobalAuth","type":"->"},{"file":"/var/www/ehv_cloud_test/apps/settings/lib/Controller/CommonSettingsTrait.php","line":129,"function":"getForm","class":"OCA\\Files_External\\Settings\\Admin","type":"->"},{"file":"/var/www/ehv_cloud_test/apps/settings/lib/Controller/AdminSettingsController.php","line":83,"function":"formatSettings","class":"OCA\\Settings\\Controller\\AdminSettingsController","type":"->"},{"file":"/var/www/ehv_cloud_test/apps/settings/lib/Controller/CommonSettingsTrait.php","line":140,"function":"getSettings","class":"OCA\\Settings\\Controller\\AdminSettingsController","type":"->"},{"file":"/var/www/ehv_cloud_test/apps/settings/lib/Controller/AdminSettingsController.php","line":68,"function":"getIndexResponse","class":"OCA\\Settings\\Controller\\AdminSettingsController","type":"->"},{"file":"/var/www/ehv_cloud_test/lib/private/AppFramework/Http/Dispatcher.php","line":225,"function":"index","class":"OCA\\Settings\\Controller\\AdminSettingsController","type":"->"},{
"file":"/var/www/ehv_cloud_test/lib/private/AppFramework/Http/Dispatcher.php","line":133,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/ehv_cloud_test/lib/private/AppFramework/App.php","line":172,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/ehv_cloud_test/lib/private/Route/Router.php","line":298,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/var/www/ehv_cloud_test/lib/base.php","line":1023,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/ehv_cloud_test/index.php","line":36,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/ehv_cloud_test/lib/private/Security/Crypto.php","Line":156,"CustomMessage":"--"}}
{"reqId":"lyNWfS0sF8vaUJenJ0V0","level":3,"time":"2022-05-03T18:39:27+00:00","remoteAddr":"178.38.106.123","user":"admin","app":"index","method":"GET","url":"/settings/admin/externalstorages","message":"HMAC does not match.","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36","version":"24.0.0.12","exception":{"Exception":"Exception","Message":"HMAC does not match.","Code":0,"Trace":[{"file":"/var/www/ehv_cloud_test/lib/private/Security/CredentialsManager.php","line":104,"function":"decrypt","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/ehv_cloud_test/apps/files_external/lib/Lib/Auth/Password/GlobalAuth.php","line":55,"function":"retrieve","class":"OC\\Security\\CredentialsManager","type":"->"},{"file":"/var/www/ehv_cloud_test/apps/files_external/lib/Settings/Admin.php","line":71,"function":"getAuth","class":"OCA\\Files_External\\Lib\\Auth\\Password\\GlobalAuth","type":"->"},{"file":"/var/www/ehv_cloud_test/apps/settings/lib/Controller/CommonSettingsTrait.php","line":129,"function":"getForm","class":"OCA\\Files_External\\Settings\\Admin","type":"->"},{"file":"/var/www/ehv_cloud_test/apps/settings/lib/Controller/AdminSettingsController.php","line":83,"function":"formatSettings","class":"OCA\\Settings\\Controller\\AdminSettingsController","type":"->"},{"file":"/var/www/ehv_cloud_test/apps/settings/lib/Controller/CommonSettingsTrait.php","line":140,"function":"getSettings","class":"OCA\\Settings\\Controller\\AdminSettingsController","type":"->"},{"file":"/var/www/ehv_cloud_test/apps/settings/lib/Controller/AdminSettingsController.php","line":68,"function":"getIndexResponse","class":"OCA\\Settings\\Controller\\AdminSettingsController","type":"->"},{"file":"/var/www/ehv_cloud_test/lib/private/AppFramework/Http/Dispatcher.php","line":225,"function":"index","class":"OCA\\Settings\\Controller\\AdminSettingsController","type":"->"},{
"file":"/var/www/ehv_cloud_test/lib/private/AppFramework/Http/Dispatcher.php","line":133,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/ehv_cloud_test/lib/private/AppFramework/App.php","line":172,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/ehv_cloud_test/lib/private/Route/Router.php","line":298,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/var/www/ehv_cloud_test/lib/base.php","line":1023,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/ehv_cloud_test/index.php","line":36,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/ehv_cloud_test/lib/private/Security/Crypto.php","Line":156,"CustomMessage":"--"}}
{"reqId":"QLi31nfuQKexQg5K3wbc","level":3,"time":"2022-05-03T18:44:18+00:00","remoteAddr":"178.38.106.123","user":"admin","app":"index","method":"GET","url":"/settings/admin/externalstorages","message":"HMAC does not match.","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36","version":"24.0.0.12","exception":{"Exception":"Exception","Message":"HMAC does not match.","Code":0,"Trace":[{"file":"/var/www/ehv_cloud_test/lib/private/Security/CredentialsManager.php","line":104,"function":"decrypt","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/ehv_cloud_test/apps/files_external/lib/Lib/Auth/Password/GlobalAuth.php","line":55,"function":"retrieve","class":"OC\\Security\\CredentialsManager","type":"->"},{"file":"/var/www/ehv_cloud_test/apps/files_external/lib/Settings/Admin.php","line":71,"function":"getAuth","class":"OCA\\Files_External\\Lib\\Auth\\Password\\GlobalAuth","type":"->"},{"file":"/var/www/ehv_cloud_test/apps/settings/lib/Controller/CommonSettingsTrait.php","line":129,"function":"getForm","class":"OCA\\Files_External\\Settings\\Admin","type":"->"},{"file":"/var/www/ehv_cloud_test/apps/settings/lib/Controller/AdminSettingsController.php","line":83,"function":"formatSettings","class":"OCA\\Settings\\Controller\\AdminSettingsController","type":"->"},{"file":"/var/www/ehv_cloud_test/apps/settings/lib/Controller/CommonSettingsTrait.php","line":140,"function":"getSettings","class":"OCA\\Settings\\Controller\\AdminSettingsController","type":"->"},{"file":"/var/www/ehv_cloud_test/apps/settings/lib/Controller/AdminSettingsController.php","line":68,"function":"getIndexResponse","class":"OCA\\Settings\\Controller\\AdminSettingsController","type":"->"},{"file":"/var/www/ehv_cloud_test/lib/private/AppFramework/Http/Dispatcher.php","line":225,"function":"index","class":"OCA\\Settings\\Controller\\AdminSettingsController","type":"->"},{
"file":"/var/www/ehv_cloud_test/lib/private/AppFramework/Http/Dispatcher.php","line":133,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/ehv_cloud_test/lib/private/AppFramework/App.php","line":172,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/ehv_cloud_test/lib/private/Route/Router.php","line":298,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/var/www/ehv_cloud_test/lib/base.php","line":1023,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/ehv_cloud_test/index.php","line":36,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/ehv_cloud_test/lib/private/Security/Crypto.php","Line":156,"CustomMessage":"--"}}

Additional info

No response

pto199 commented 2 years ago

I'm having the same problem. My external storage is broken. Can't access the shares or the configuration page.

mcwimh commented 2 years ago

Same problem here. I have 2 servers, only on one it's a problem. I can access the users-external settings page, but not the admin-external storage-settings

patrick82439 commented 2 years ago

Same problem here. After digging around in every single directory. Uninstalling, re-installing. Nothing has worked. I can also access external settings through users but the admin external shares settings creates internal server error.

j-ed commented 2 years ago

I'm running into the same problem after updating to NC 24.0.5. From my understanding the root cause of the problem seems to be an unset or changed 'secret' value in the configuration which has an impact on how passwords are stored. If the parameter value is changed somehow new passwords need to be created or at least stored again. This works fine e.g. for application passwords, but the external storage dialogs (personal and system) run into an exception independently if all mounts have previously been deleted or not. I haven't found a solution how to clean-up the external storage settings in the database yet, so that the Gordian gets cut. Any hints are appreciated.

lkjshfdsdf commented 1 year ago

Same problem here with Nextcloud 25.0.2. User external shares settings are accessible, but admin external shares settings creates internal server error:

[index] Fehler: Exception: HMAC does not match. at <<closure>>

 0. /var/www/nextcloud/lib/private/Security/Crypto.php line 134
    OC\Security\Crypto->decryptWithoutSecret("*** sensitive parameters replaced ***")
 1. /var/www/nextcloud/lib/private/Security/CredentialsManager.php line 104
    OC\Security\Crypto->decrypt("*** sensitive parameters replaced ***")
 2. /var/www/nextcloud/apps/files_external/lib/Lib/Auth/Password/GlobalAuth.php line 55
    OC\Security\CredentialsManager->retrieve()
 3. /var/www/nextcloud/apps/files_external/lib/Settings/Personal.php line 79
    OCA\Files_External\Lib\Auth\Password\GlobalAuth->getAuth()
 4. /var/www/nextcloud/apps/settings/lib/Controller/CommonSettingsTrait.php line 129
    OCA\Files_External\Settings\Personal->getForm()
 5. /var/www/nextcloud/apps/settings/lib/Controller/PersonalSettingsController.php line 73
    OCA\Settings\Controller\PersonalSettingsController->formatSettings()
 6. /var/www/nextcloud/apps/settings/lib/Controller/CommonSettingsTrait.php line 149
    OCA\Settings\Controller\PersonalSettingsController->getSettings()
 7. /var/www/nextcloud/apps/settings/lib/Controller/PersonalSettingsController.php line 64
    OCA\Settings\Controller\PersonalSettingsController->getIndexResponse()
 8. /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 225
    OCA\Settings\Controller\PersonalSettingsController->index()
 9. /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 133
    OC\AppFramework\Http\Dispatcher->executeController()
10. /var/www/nextcloud/lib/private/AppFramework/App.php line 172
    OC\AppFramework\Http\Dispatcher->dispatch()
11. /var/www/nextcloud/lib/private/Route/Router.php line 298
    OC\AppFramework\App::main()
12. /var/www/nextcloud/lib/base.php line 1047
    OC\Route\Router->match()
13. /var/www/nextcloud/index.php line 36
    OC::handleRequest()

GET /nextcloud/settings/user/externalstorages
from xxx.xxx.xxx.xxx by admin at 2022-12-11T09:40:34+00:00

jimmiwang commented 1 year ago

Please could you schedule work on this bug. I have spent a ton of time trying to solve it.

Exception: HMAC does not match. --

[index] Error: Exception: hash_hkdf(): Argument #2 ($key) cannot be empty in file '/var/www/nextcloud/lib/private/Security/Crypto.php' line 160 at <>

  1. /var/www/nextcloud/lib/private/AppFramework/App.php line 183 OC\AppFramework\Http\Dispatcher->dispatch()
  2. /var/www/nextcloud/lib/private/Route/Router.php line 315 OC\AppFramework\App::main()
  3. /var/www/nextcloud/lib/base.php line 1071 OC\Route\Router->match()
  4. /var/www/nextcloud/index.php line 36 OC::handleRequest()

Caused by:

ValueError: hash_hkdf(): Argument #2 ($key) cannot be empty at <>

  1. /var/www/nextcloud/lib/private/Security/Crypto.php line 160 hash_hkdf()
  2. /var/www/nextcloud/lib/private/Security/Crypto.php line 134 OC\Security\Crypto->decryptWithoutSecret(" sensitive parameters replaced ")
  3. /var/www/nextcloud/lib/private/Security/CredentialsManager.php line 104 OC\Security\Crypto->decrypt(" sensitive parameters replaced ")
  4. /var/www/nextcloud/apps/files_external/lib/Lib/Auth/Password/GlobalAuth.php line 55 OC\Security\CredentialsManager->retrieve()
  5. /var/www/nextcloud/apps/files_external/lib/Settings/Personal.php line 79 OCA\Files_External\Lib\Auth\Password\GlobalAuth->getAuth()
  6. /var/www/nextcloud/apps/settings/lib/Controller/CommonSettingsTrait.php line 129 OCA\Files_External\Settings\Personal->getForm()
  7. /var/www/nextcloud/apps/settings/lib/Controller/PersonalSettingsController.php line 73 OCA\Settings\Controller\PersonalSettingsController->formatSettings()
  8. /var/www/nextcloud/apps/settings/lib/Controller/CommonSettingsTrait.php line 149 OCA\Settings\Controller\PersonalSettingsController->getSettings()
  9. /var/www/nextcloud/apps/settings/lib/Controller/PersonalSettingsController.php line 64 OCA\Settings\Controller\PersonalSettingsController->getIndexResponse()
  10. /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 230 OCA\Settings\Controller\PersonalSettingsController->index()
  11. /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 137 OC\AppFramework\Http\Dispatcher->executeController()
  12. /var/www/nextcloud/lib/private/AppFramework/App.php line 183 OC\AppFramework\Http\Dispatcher->dispatch()
  13. /var/www/nextcloud/lib/private/Route/Router.php line 315 OC\AppFramework\App::main()
  14. /var/www/nextcloud/lib/base.php line 1071 OC\Route\Router->match()
  15. /var/www/nextcloud/index.php line 36 OC::handleRequest()

GET /settings/user/externalstorages from xxxxxxxxxxxxxx by james at 2023-08-07T17:52:09+08:00

paramazo commented 10 months ago

Same problem here after migrating database and data to a new machine, I get Internal server error if I try to configure my external storages.

This is the result of https://docs.nextcloud.com/server/latest/admin_manual/maintenance/restore.html#restore-folders

toglader commented 9 months ago

I have exactly the same issue. After upgrade accessing with admin user external storage causes internal server error. With a fresh user this doesn't happen.

toglader commented 3 months ago

Issue still exists with 28.0.2. External storage is completely unusable.

patchint commented 3 months ago

Hi! I confirm the issue still exists (29.0.1).

joshtrichards commented 3 months ago

Have any of you done anything that would have caused your secret value in your config.php to be changed (e.g. lost/replaced after a reinstall) at some point in the history of your instance?

This error indicates the secret in your config.php has been changed at some point.

e.g.

If not, I'm not sure what's going on.

If so, this is expected behavior.
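
Added example, not part of the thread and not Nextcloud's code: a simplified Python model of the failure that j-ed's and joshtrichards's comments describe, where a stored credential carries a MAC keyed from the `secret` in config.php, so a changed secret fails the check and an empty one is rejected by key derivation (the `hash_hkdf()` error in jimmiwang's trace). The blob layout `ciphertext|iv|mac`, the HKDF-SHA512 key split, the function names and all sample values are assumptions constructed for illustration; the AES step is left out because the exception is raised before decryption.

```python
import hashlib
import hmac


def hkdf_sha512(key: bytes, length: int = 64) -> bytes:
    """RFC 5869 HKDF with empty salt and info; rejects an empty key."""
    if not key:
        raise ValueError("hkdf: key cannot be empty")
    prk = hmac.new(b"\x00" * 64, key, hashlib.sha512).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + bytes([counter]), hashlib.sha512).digest()
        okm += block
        counter += 1
    return okm[:length]


def mac_key(secret: str) -> bytes:
    # Assumed split: first 32 bytes encrypt, last 32 bytes authenticate.
    return hkdf_sha512(secret.encode())[32:]


def seal(ciphertext: bytes, iv: bytes, secret: str) -> str:
    """Build the stored blob: hex ciphertext, hex IV, MAC over iv+ciphertext."""
    tag = hmac.new(mac_key(secret), iv + ciphertext, hashlib.sha512).hexdigest()
    return "|".join([ciphertext.hex(), iv.hex(), tag])


def verdict(blob: str, secret: str) -> str:
    """Classify what a decrypt attempt with this secret would hit."""
    ct_hex, iv_hex, tag = blob.split("|")
    try:
        key = mac_key(secret)
    except ValueError:
        return "empty-secret"      # key derivation refuses an empty key
    data = bytes.fromhex(iv_hex) + bytes.fromhex(ct_hex)
    expected = hmac.new(key, data, hashlib.sha512).hexdigest()
    # Constant-time comparison, as a MAC check should be.
    return "ok" if hmac.compare_digest(expected, tag) else "mac-mismatch"


def matching_secret(blob: str, candidates: dict):
    """Return the label of the candidate secret the blob was sealed under."""
    for label, secret in candidates.items():
        if verdict(blob, secret) == "ok":
            return label
    return None


# Constructed sample data: a credential sealed under the old secret.
BLOB = seal(bytes(range(32)), bytes(16), "old-secret-constructed")
CANDIDATES = {
    "current config.php": "new-secret-constructed",
    "config.php with secret unset": "",
    "config.php from backup": "old-secret-constructed",
}

if __name__ == "__main__":
    for label, secret in CANDIDATES.items():
        print(f"{label}: {verdict(BLOB, secret)}")
    print("sealed under:", matching_secret(BLOB, CANDIDATES))
```

In this model only the backup candidate verifies, which is why a credential stored before the secret changed cannot be read back until it is stored again under the current secret.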

Schneckenhut commented 2 months ago

@joshtrichards you are right. I have the same issue and unfortunately I have no backup of the old config and the 'secret'. I deleted all mount-points via occ, but the error with "internal Server error" in Nextcloud still exists. Is it possible to "reset" the files_external app and mount the external drives from scratch? Many thx.