
Error with openssl_private_decrypt() after upgrade from 13.0.6 to 14.0.4 #12641

Closed
mesomerie opened this issue Nov 23, 2018 · 6 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap bug feature: install and update needs info stale Ticket or PR with no recent activity

Comments

@mesomerie

Steps to reproduce

  1. Start out with an instance of nextcloud 13.0.6, running in a chroot
  2. Upgrade to 14.0.4

Expected behaviour

Update results in an instance of nextcloud 14.0.4 running without internal errors.

Actual behaviour

Right after upgrade, I receive the following error message:

openssl_pkey_export(): cannot get key from parameter 1 at /var/www/lib/private/Authentication/Token/PublicKeyTokenProvider.php#298

So I followed the instructions here #11227 and ensured that

  • the file /etc/ssl/openssl.cnf is available in the chroot-jail and globally readable
  • that the environment variable OPENSSL_CONF points to /etc/ssl/openssl.cnf
  • the config array in lib/private/Authentication/Token/PublicKeyTokenProvider.php on line 291 looks as follows:

    ```php
    $config = [
        'digest_alg' => 'sha512',
        'private_key_bits' => 2048,
        'config' => getenv('OPENSSL_CONF'),
    ];
    ```

This leads to a subsequent error:

Argument 1 passed to OC\Authentication\Token\PublicKeyTokenProvider::encrypt() must be of the type string, null given, called in /var/www/lib/private/Authentication/Token/PublicKeyTokenProvider.php on line 306

To get past this error, I included the above config in encrypt() on line 299 as well:

```php
openssl_pkey_export($res, $privateKey, '', $config);
```

With this adaptation in place, I end up with the following error, which I don't know how to deal with:

openssl_private_decrypt(): key parameter is not a valid private key at /var/www/lib/private/Authentication/Token/PublicKeyTokenProvider.php#249

Looking at var_dump($privateKey), it seems reasonable to me:

-----BEGIN ENCRYPTED PRIVATE KEY-----
'ABCD'... (length=1854)

Please help me deal with this.

Server configuration

Operating system: Raspbian GNU/Linux 9 (stretch)

Web server: nginx version: nginx/1.10.3
built with OpenSSL 1.1.0f 25 May 2017
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-xpG2T2/nginx-1.10.3=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-xpG2T2/nginx-1.10.3/debian/modules/nginx-auth-pam --add-dynamic-module=/build/nginx-xpG2T2/nginx-1.10.3/debian/modules/nginx-dav-ext-module --add-dynamic-module=/build/nginx-xpG2T2/nginx-1.10.3/debian/modules/nginx-echo --add-dynamic-module=/build/nginx-xpG2T2/nginx-1.10.3/debian/modules/nginx-upstream-fair --add-dynamic-module=/build/nginx-xpG2T2/nginx-1.10.3/debian/modules/ngx_http_substitutions_filter_module

Database: mariadb Ver 15.1 Distrib 10.1.23-MariaDB, for debian-linux-gnueabihf (armv7l) using readline 5.2

PHP version: PHP 7.0.30-0+deb9u1 (cli) (built: Jun 14 2018 13:50:25) ( NTS )

Nextcloud version: 14.0.4.2 (according to config.php)

Updated from an older Nextcloud/ownCloud or fresh install: updated from 13.0.6.1

Where did you install Nextcloud from: www.nextcloud.com

Signing status: no output due to the error described above

List of activated apps:

```
Enabled:
  - accessibility: 1.0.1
  - activity: 2.7.0
  - calendar: 1.6.3
  - cloud_federation_api: 0.0.1
  - comments: 1.4.0
  - contacts: 2.1.7
  - dav: 1.6.0
  - federatedfilesharing: 1.4.0
  - federation: 1.4.0
  - files: 1.9.0
  - files_external: 1.5.0
  - files_pdfviewer: 1.3.2
  - files_sharing: 1.6.2
  - files_texteditor: 2.6.0
  - files_trashbin: 1.4.1
  - files_versions: 1.7.1
  - files_videoplayer: 1.3.0
  - firstrunwizard: 2.3.0
  - gallery: 18.1.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.2.0
  - nextcloud_announcements: 1.3.0
  - notes: 2.5.0
  - notifications: 2.2.1
  - oauth2: 1.2.1
  - ocsms: 2.0.2
  - password_policy: 1.4.0
  - provisioning_api: 1.4.0
  - serverinfo: 1.4.0
  - sharebymail: 1.4.0
  - support: 1.0.0
  - survey_client: 1.2.0
  - systemtags: 1.4.0
  - theming: 1.5.0
  - twofactor_backupcodes: 1.3.1
  - updatenotification: 1.4.1
  - workflowengine: 1.4.0
Disabled:
  - admin_audit
  - encryption
  - spreed
  - user_external
  - user_ldap
```

Nextcloud configuration:

```
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "brockman:447",
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/brockman:447",
        "dbtype": "mysql",
        "version": "14.0.4.2",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "logfile": "\/var\/log\/nextcloud.log",
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "updater.secret": "***REMOVED SENSITIVE VALUE***"
    }
}
```

Are you using external storage, if yes which one: none

Are you using encryption: no

Are you using an external user-backend, if yes which one: no

Client configuration

Browser: Firefox 63.0.3

Operating system: Ubuntu 18.04.1 LTS

Logs

Web server error log: nothing to report here

Nextcloud log (data/nextcloud.log):

```
{"reqId":"osMQhAUX0JQC2JQ5Z1kT","level":3,"time":"2018-11-23T22:09:59+00:00","remoteAddr":"::ffff:192.168.0.32","user":"rainer","app":"PHP","method":"GET","url":"\/","message":"openssl_private_decrypt(): key parameter is not a valid private key at \/var\/www\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php#250","userAgent":"Mozilla\/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko\/20100101 Firefox\/63.0","version":"14.0.4.2"}
{"reqId":"osMQhAUX0JQC2JQ5Z1kT","level":3,"time":"2018-11-23T22:09:59+00:00","remoteAddr":"::ffff:192.168.0.32","user":"rainer","app":"index","method":"GET","url":"\/","message":{"Exception":"TypeError","Message":"Return value of OC\\Authentication\\Token\\PublicKeyTokenProvider::decryptPassword() must be of the type string, null returned","Code":0,"Trace":[{"file":"\/var\/www\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php","line":185,"function":"decryptPassword","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/var\/www\/lib\/private\/Authentication\/Token\/Manager.php","line":175,"function":"getPassword","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/var\/www\/lib\/private\/User\/Session.php","line":691,"function":"getPassword","class":"OC\\Authentication\\Token\\Manager","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/var\/www\/lib\/private\/User\/Session.php","line":741,"function":"checkTokenCredentials","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***"]},{"file":"\/var\/www\/lib\/private\/User\/Session.php","line":260,"function":"validateToken","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/var\/www\/lib\/private\/User\/Session.php","line":235,"function":"validateSession","class":"OC\\User\\Session","type":"->","args":[]},{"file":"\/var\/www\/lib\/private\/legacy\/app.php","line":346,"function":"getUser","class":"OC\\User\\Session","type":"->","args":[]},{"file":"\/var\/www\/lib\/private\/legacy\/app.php","line":113,"function":"getEnabledApps","class":"OC_App","type":"::","args":[]},{"file":"\/var\/www\/lib\/private\/legacy\/user.php","line":126,"function":"loadApps","class":"OC_App","type":"::","args":[["prelogin"]]},{"file":"\/var\/www\/lib\/base.php","line":721,"function":"setupBackends","class":"OC_User","type":"::","args":[]},{"file":"\/var\/www\/lib\/base.php","line":1068,"function":"init","class":"OC","type":"::","args":[]},{"file":"\/var\/www\/index.php","line":40,"args":["\/var\/www\/lib\/base.php"],"function":"require_once"}],"File":"\/var\/www\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php","Line":252,"CustomMessage":"--"},"userAgent":"Mozilla\/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko\/20100101 Firefox\/63.0","version":"14.0.4.2"}
```

Browser log: nothing to report here
@nextcloud-bot
Member

GitMate.io thinks possibly related issues are #8754 (White page / Error 500 after Upgrade from Nextcloud 12.0.4 to 13 ), #7552 (Upgrade to 12.0.4 failed ), #7439 (Failed upgrade from 12.0.4 → 13.0.0.6), #10932 (13.0.6), and #9840 (Update failure from 13.0 to 13.0.4).

@kesselb
Contributor

kesselb commented Nov 23, 2018

#11227 (comment) would be a start.

```php
var_dump(openssl_error_string()); exit();
```

@baoang

baoang commented Nov 24, 2018

Same problem when upgrading from 13.07 to 14.04. Guess OpenSSL is a big problem :(
Hope there could be a solution soon.
Have a good day for the weekend.

@mesomerie
Author

Many thanks for your quick reply!

I noted an interesting effect on this error. After a long downtime of the nextcloud instance (several hours), it ran flawlessly for approx. 15 minutes before the error occurred.

The openssl error from openssl_private_decrypt is

error:0907B068:PEM routines:PEM_read_bio_PrivateKey:bad password read

Is there a password associated to the private key?

What I also tried, instead of using openssl_private_decrypt directly, is extracting the private key using `$pkey = openssl_pkey_get_private($privateKey, 'my-nextcloud-pwd');` and feeding that key into openssl_private_decrypt. Alas, openssl_pkey_get_private failed too, with error:

error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt

Subsequently, openssl_private_decrypt fails with error

error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error

Any suggestion is highly appreciated.
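The openssl_* sequence discussed in the report and in this comment, as an added example that is not Nextcloud's code: it generates a key pair with an explicit openssl.cnf path, exports the private key as a passphrase-protected PEM, and then unlocks it with openssl_pkey_get_private before calling openssl_private_decrypt, checking every return value and draining openssl_error_string() so the first failing step is reported instead of a null propagating into a TypeError further down the stack. The helper names, the demo passphrase and the plaintext are assumptions; the config path is read from OPENSSL_CONF as in the report, falling back to the library default when the variable is unset.

```php
<?php
declare(strict_types=1);

// Added example, not Nextcloud code. Same openssl_* steps as the report's
// PublicKeyTokenProvider, with every return value checked and the OpenSSL
// error queue drained on failure.

/** Drain the whole OpenSSL error queue into one string (all entries, not just the first). */
function opensslErrors(): string
{
    $msgs = [];
    while (($e = openssl_error_string()) !== false) {
        $msgs[] = $e;
    }
    return $msgs === [] ? '(no OpenSSL error queued)' : implode('; ', $msgs);
}

/**
 * Generate an RSA key pair and export the private key as a passphrase-protected
 * PEM ("ENCRYPTED PRIVATE KEY"). $configPath is the openssl.cnf to use; null means
 * the library default, which is what is missing inside a chroot without the file.
 */
function generateKeyPair(?string $configPath, string $passphrase): array
{
    if ($passphrase === '') {
        throw new InvalidArgumentException('passphrase must not be empty');
    }
    $config = [
        'digest_alg'       => 'sha512',
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ];
    if ($configPath !== null) {
        if (!is_readable($configPath)) {
            throw new RuntimeException("$configPath is not readable from this process (missing in the chroot?)");
        }
        $config['config'] = $configPath;
    }
    $res = openssl_pkey_new($config);
    if ($res === false) {
        throw new RuntimeException('openssl_pkey_new failed: ' . opensslErrors());
    }
    if (!openssl_pkey_export($res, $privatePem, $passphrase, $config)) {
        throw new RuntimeException('openssl_pkey_export failed: ' . opensslErrors());
    }
    $details = openssl_pkey_get_details($res);
    if ($details === false || !isset($details['key'])) {
        throw new RuntimeException('openssl_pkey_get_details failed: ' . opensslErrors());
    }
    return ['private' => $privatePem, 'public' => $details['key']];
}

/** RSA-OAEP encrypt with the public PEM and base64-encode, as a token store would. */
function encryptForToken(string $plaintext, string $publicPem): string
{
    if (!openssl_public_encrypt($plaintext, $cipher, $publicPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('openssl_public_encrypt failed: ' . opensslErrors());
    }
    return base64_encode($cipher);
}

/** Unlock the encrypted PEM with its passphrase, then RSA-OAEP decrypt. */
function decryptForToken(string $cipherB64, string $privatePem, string $passphrase): string
{
    // An encrypted PEM has to be unlocked with its passphrase first. Handing the
    // raw "ENCRYPTED PRIVATE KEY" text straight to openssl_private_decrypt is what
    // produces "key parameter is not a valid private key".
    $key = openssl_pkey_get_private($privatePem, $passphrase);
    if ($key === false) {
        throw new RuntimeException('openssl_pkey_get_private failed (wrong passphrase?): ' . opensslErrors());
    }
    $raw = base64_decode($cipherB64, true);
    if ($raw === false) {
        throw new RuntimeException('ciphertext is not valid base64');
    }
    if (!openssl_private_decrypt($raw, $plain, $key, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('openssl_private_decrypt failed: ' . opensslErrors());
    }
    return $plain;
}

// Demo with constructed values; OPENSSL_CONF is honoured as in the report.
$passphrase = 'demo-passphrase';               // constructed
$configPath = getenv('OPENSSL_CONF') ?: null;  // null = library default
$pair = generateKeyPair($configPath, $passphrase);
echo strtok($pair['private'], "\n"), "\n";     // first PEM line shows whether the key is encrypted
$token = encryptForToken('token-password', $pair['public']);
echo decryptForToken($token, $pair['private'], $passphrase), "\n";
try {
    decryptForToken($token, $pair['private'], 'wrong-passphrase');
} catch (RuntimeException $e) {
    echo 'expected failure: ', $e->getMessage(), "\n";   // wrong passphrase surfaces via the error queue
}
```

Run it inside the same chroot as the web server (`php example.php`), with OPENSSL_CONF exported as it is for PHP-FPM, so that the is_readable check and openssl_pkey_new exercise the same file-system view; a failure in generateKeyPair points at the configuration, while a failure only in decryptForToken points at the passphrase or the stored PEM.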

@skjnldsv skjnldsv added the 0. Needs triage Pending check for reproducibility or if it fits our roadmap label Jun 12, 2019
@kesselb
Contributor

kesselb commented Jan 16, 2020

Do you still see this issue? We made most of the openssl_ calls more stable by adding additional checks. Thanks 👍

@ghost

ghost commented Feb 15, 2020

This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.

@ghost ghost added the stale Ticket or PR with no recent activity label Feb 15, 2020
@ghost ghost closed this as completed Feb 29, 2020