openssl_pkey_export(): cannot get key from parameter #11227

Closed
Marcwa19197 opened this issue Sep 14, 2018 · 45 comments

@Marcwa19197

Marcwa19197 commented Sep 14, 2018

Steps to reproduce

  1. I downloaded the new 14.0.0 Zip File and unpacked it
  2. copied the old config.php and started the DB upgrade in the browser
  3. I'm now unable to log in, getting an "Internal Server Error"

Expected behaviour

Login should be possible without errors in log or on webgui.

Actual behaviour

Getting an
"Internal Server Error
The server was unable to complete your request.

If this happens again, please send the technical details below to the server administrator.

More details can be found in the server log."

On the WebGui; the Desktop Clients also don't work anymore.

Server configuration

Operating system:
Ubuntu 16.04.5

Web server:
Apache/2.4.18 (Ubuntu)

Database:
mysqld Ver 5.7.23-0ubuntu0.16.04.1 for Linux on x86_64 ((Ubuntu))

PHP version:
PHP 7.0.30-0ubuntu0.16.04.1 (cli) ( NTS )

Nextcloud version: (see Nextcloud admin page)
14.0.0.19

Updated from an older Nextcloud/ownCloud or fresh install:
yes, updated from 13.0.6.1

Where did you install Nextcloud from:
Zip Package, downloaded from the official site.

Signing status:
Can't login to server.

List of activated apps:
Enabled:
  - accessibility: 1.0.1
  - activity: 2.7.0
  - admin_audit: 1.4.0
  - cloud_federation_api: 0.0.1
  - comments: 1.4.0
  - dav: 1.6.0
  - federatedfilesharing: 1.4.0
  - federation: 1.4.0
  - files: 1.9.0
  - files_external: 1.5.0
  - files_pdfviewer: 1.3.2
  - files_sharing: 1.6.2
  - files_texteditor: 2.6.0
  - files_trashbin: 1.4.1
  - files_versions: 1.7.1
  - files_videoplayer: 1.3.0
  - firstrunwizard: 2.3.0
  - gallery: 18.1.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.2.0
  - nextcloud_announcements: 1.3.0
  - notifications: 2.2.1
  - oauth2: 1.2.1
  - password_policy: 1.4.0
  - provisioning_api: 1.4.0
  - serverinfo: 1.4.0
  - sharebymail: 1.4.0
  - support: 1.0.0
  - survey_client: 1.2.0
  - systemtags: 1.4.0
  - theming: 1.5.0
  - twofactor_backupcodes: 1.3.1
  - updatenotification: 1.4.1
  - workflowengine: 1.4.0
Disabled:
  - encryption
  - user_external
  - user_ldap

Nextcloud configuration:
{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "forcessl": true,
        "asset-pipeline.enabled": true,
        "maxZipInputSize": 0,
        "allowZipDownload": true,
        "trusted_domains": [
            "xxx",
            "xxx",
            "xxx",
            "xxx"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/xxx.de",
        "dbtype": "mysql",
        "version": "14.0.0.19",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "Europe\/Berlin",
        "installed": true,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "php",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "logdateformat": "F d, Y H:i:s",
        "log_rotate_size": 104857600,
        "logfile": "\/var\/log\/nextcloud\/nextcloud.log",
        "loglevel": 1,
        "theme": "",
        "maintenance": false,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "appstore.experimental.enabled": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpsecure": "tls",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "data-fingerprint": "xxx",
        "openssl": {
            "config": "\/etc\/ssl\/openssl.cnf"
        }
    }
}

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: no, normal database-users

Client configuration

Browser:
doesn't matter

Operating system:
doesn't matter

Logs

Web server error log
nothing relevant in apache2 error log.

Nextcloud log (data/nextcloud.log)
{"reqId":"W5wPsAUJdq4AAGE@@nkAAAAG","level":3,"time":"September 14, 2018 21:44:48","remoteAddr":"xxx","user":"Marcwa19197","app":"PHP","method":"POST","url":"\/index.php\/login","message":"openssl_pkey_export(): cannot get key from parameter 1 at \/data\/www\/xxx.de\/public_data\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php#297","userAgent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.92 Safari\/537.36","version":"14.0.0.19"}
{"reqId":"W5wPsAUJdq4AAGE@@nkAAAAG","level":3,"time":"September 14, 2018 21:44:48","remoteAddr":"87.149.175.121","user":"Marcwa19197","app":"index","method":"POST","url":"\/index.php\/login","message":{"Exception":"TypeError","Message":"openssl_pkey_get_details() expects parameter 1 to be resource, boolean given","Code":0,"Trace":[{"file":"\/data\/www\/xxx.de\/public_data\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php","line":300,"function":"openssl_pkey_get_details","args":[false]},{"file":"\/data\/www\/xxx.de\/public_data\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php","line":69,"function":"newToken","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensitive parameter replaced ***"]},{"file":"\/data\/www\/xxx.de\/public_data\/lib\/private\/Authentication\/Token\/Manager.php","line":68,"function":"generateToken","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/data\/www\/xxx.de\/public_data\/lib\/private\/User\/Session.php","line":631,"function":"generateToken","class":"OC\\Authentication\\Token\\Manager","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/data\/www\/xxx.de\/public_data\/core\/Controller\/LoginController.php","line":322,"function":"createSessionToken","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/data\/www\/xxx.de\/public_data\/lib\/private\/AppFramework\/Http\/Dispatcher.php","line":166,"function":"tryLogin","class":"OC\\Core\\Controller\\LoginController","type":"->","args":["*** sensitive parameters replaced 
***"]},{"file":"\/data\/www\/xxx.de\/public_data\/lib\/private\/AppFramework\/Http\/Dispatcher.php","line":99,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[{"__class__":"OC\\Core\\Controller\\LoginController"},"tryLogin"]},{"file":"\/data\/www\/xxx.de\/public_data\/lib\/private\/AppFramework\/App.php","line":118,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[{"__class__":"OC\\Core\\Controller\\LoginController"},"tryLogin"]},{"file":"\/data\/www\/xxx.de\/public_data\/lib\/private\/AppFramework\/Routing\/RouteActionHandler.php","line":47,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["OC\\Core\\Controller\\LoginController","tryLogin",{"__class__":"OC\\AppFramework\\DependencyInjection\\DIContainer"},{"_route":"core.login.tryLogin"}]},{"function":"__invoke","class":"OC\\AppFramework\\Routing\\RouteActionHandler","type":"->","args":[{"_route":"core.login.tryLogin"}]},{"file":"\/data\/www\/xxx.de\/public_data\/lib\/private\/Route\/Router.php","line":297,"function":"call_user_func","args":[{"__class__":"OC\\AppFramework\\Routing\\RouteActionHandler"},{"_route":"core.login.tryLogin"}]},{"file":"\/data\/www\/xxx.de\/public_data\/lib\/base.php","line":989,"function":"match","class":"OC\\Route\\Router","type":"->","args":["\/login"]},{"file":"\/data\/www\/xxx.de\/public_data\/index.php","line":42,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"\/data\/www\/xxx.de\/public_data\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php","Line":300,"CustomMessage":"--"},"userAgent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.92 Safari\/537.36","version":"14.0.0.19"}

Browser log
not relevant.

Same issue is reported here: https://help.nextcloud.com/t/nextcloud-runs-into-internal-errors-after-upgrade-from-v13-to-v14/36569
I can't find a similar issue here as a bug, so I added it.

@nextcloud-bot
Member

GitMate.io thinks possibly related issues are #7288 (parameter changes should be confirmed by an U2F key instead of a password by default), #6834 (Cannot update private key ), #2964 (Master key replacement), #10614 (Do not use file as template parameter), and #9880 (Missing private key).

@kesselb
Contributor

kesselb commented Sep 14, 2018

$res = openssl_pkey_new($config);

A new key is generated in line 296. You could add var_dump(openssl_error_string()); below and try to login again. Maybe there is a more detailed output what went wrong.

When you switch to the user running nextcloud (I guess something like www-data or a dedicated user), can you open /etc/ssl/openssl.cnf then?

@Marcwa19197
Author

Marcwa19197 commented Sep 14, 2018

Hi,

Thanks for the fast reply.
Tried the following: sudo -u www-data cat /etc/ssl/openssl.cnf
"cat: /etc/ssl/openssl.cnf: Permission denied"

Permissions are: "-rw-r--r-- 1 root root 10835 Feb 2 2016 /etc/ssl/openssl.cnf"

Added the line; here is the output of the log again.

New Log

{"reqId":"W5wUZQUJdq4AAAI8Ma8AAAAJ","level":3,"time":"September 14, 2018 22:04:53","remoteAddr":"87.149.175.121","user":"Marcwa19197","app":"PHP","method":"PROPFIND","url":"\/remote.php\/dav\/files\/Marcwa19197\/","message":"openssl_pkey_export(): cannot get key from parameter 1 at \/data\/www\/xxx.de\/public_data\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php#298","userAgent":"Mozilla\/5.0 (Windows) mirall\/2.3.3 (build 1) (Nextcloud)","version":"14.0.0.19"}
{"reqId":"W5wUZQUJdq4AAAI8Ma8AAAAJ","level":4,"time":"September 14, 2018 22:04:53","remoteAddr":"87.149.175.121","user":"Marcwa19197","app":"webdav","method":"PROPFIND","url":"\/remote.php\/dav\/files\/Marcwa19197\/","message":{"Exception":"Sabre\\DAV\\Exception\\ServiceUnavailable","Message":"TypeError: openssl_pkey_get_details() expects parameter 1 to be resource, boolean given","Code":0,"Trace":[{"function":"{closure}","args":["*** sensitive parameters replaced ***"]},{"file":"\/data\/www\/xxx.de\/public_data\/3rdparty\/sabre\/event\/lib\/EventEmitterTrait.php","line":105,"function":"call_user_func_array","args":[{"__class__":"Closure"},["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***"]]},{"file":"\/data\/www\/xxx.de\/public_data\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php","line":466,"function":"emit","class":"Sabre\\Event\\EventEmitter","type":"->","args":["beforeMethod",["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***"]]},{"file":"\/data\/www\/xxx.de\/public_data\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php","line":254,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->","args":["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***"]},{"file":"\/data\/www\/xxx.de\/public_data\/remote.php","line":72,"function":"exec","class":"Sabre\\DAV\\Server","type":"->","args":[]},{"file":"\/data\/www\/xxx.de\/public_data\/remote.php","line":168,"function":"handleException","args":[{"__class__":"TypeError"}]}],"File":"\/data\/www\/xxx.de\/public_data\/remote.php","Line":70,"CustomMessage":"--"},"userAgent":"Mozilla\/5.0 (Windows) mirall\/2.3.3 (build 1) (Nextcloud)","version":"14.0.0.19"}
{"reqId":"W5wUZQUJdq4AAAI8Ma8AAAAJ","level":3,"time":"September 14, 2018 22:04:53","remoteAddr":"87.149.175.121","user":"Marcwa19197","app":"PHP","method":"PROPFIND","url":"\/remote.php\/dav\/files\/Marcwa19197\/","message":"Cannot modify header information - headers already sent by (output started at \/data\/www\/xxx.de\/public_data\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php:297) at \/data\/www\/xxx.de\/public_data\/3rdparty\/sabre\/http\/lib\/Sapi.php#58","userAgent":"Mozilla\/5.0 (Windows) mirall\/2.3.3 (build 1) (Nextcloud)","version":"14.0.0.19"}
{"reqId":"W5wUZQUJdq4AAAI8Ma8AAAAJ","level":3,"time":"September 14, 2018 22:04:53","remoteAddr":"87.149.175.121","user":"Marcwa19197","app":"PHP","method":"PROPFIND","url":"\/remote.php\/dav\/files\/Marcwa19197\/","message":"Cannot modify header information - headers already sent by (output started at \/data\/www\/xxx.de\/public_data\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php:297) at \/data\/www\/xxx.de\/public_data\/3rdparty\/sabre\/http\/lib\/Sapi.php#63","userAgent":"Mozilla\/5.0 (Windows) mirall\/2.3.3 (build 1) (Nextcloud)","version":"14.0.0.19"}

@kesselb
Contributor

kesselb commented Sep 14, 2018

Well. I guess you could copy openssl.cnf to /data/www/xxx.de/ and change path in config.php? The permission for openssl.cnf looks okay.

daniel@daniel-pc:~$ ls -al /etc/ssl/
total 48
drwxr-xr-x   4 root root      4096 Jun 21 15:24 .
drwxr-xr-x 139 root root     12288 Sep 14 11:42 ..
drwxr-xr-x   3 root root     16384 Aug  2 15:38 certs
-rw-r--r--   1 root root     10771 Apr 25 19:03 openssl.cnf
drwx--x---   2 root ssl-cert  4096 Mai 22 19:29 private

I can open openssl.cnf from another user. For openssl_pkey_new a valid openssl.cnf is required (that includes that the file is readable).

@Marcwa19197
Author

Marcwa19197 commented Sep 14, 2018

I tried this, same errors again in the log.

The openssl.cnf is now in the xxx.de/ folder and is owned by www-data. I also adjusted the path in config.php. It is readable by the www-data user.
"-rw-r--r-- 1 www-data www-data 10835 Sep 14 23:06 openssl.cnf"

I checked some info with phpinfo() regarding my php openssl installation, here the default location seems to be "/usr/lib/ssl/openssl.cnf" which is also not readable by www-data.

@kesselb
Contributor

kesselb commented Sep 14, 2018

Ok. I guess the 'openssl' configuration from config.php is missing in this place. Could you try editing this place

$config = [
'digest_alg' => 'sha512',
'private_key_bits' => 2048,
];

and add another element 'config' => 'path/to/your/readable/openssl.cnf', after 'private_key_bits' => 2048,

like the image above

@kesselb
Contributor

kesselb commented Sep 14, 2018

	$config = array_merge([
		'digest_alg' => 'sha512',
		'private_key_bits' => 2048,
	], $this->config->getSystemValue('openssl', []));

Or you could try this (merge local settings with settings from config.php).

@Marcwa19197
Author

Marcwa19197 commented Sep 15, 2018

	$config = array_merge([
		'digest_alg' => 'sha512',
		'private_key_bits' => 2048,
	], $this->config->getSystemValue('openssl', []));

Or you could try this (merge local settings with settings from config.php).

Tried this. Log is now:
Edit: Also tried Method 1 you mentioned, same error.

New Log

{"reqId":"W5zRIwUJdq4AAG9KYMYAAAAN","level":4,"time":"September 15, 2018 11:30:12","remoteAddr":"87.149.175.121","user":"Marcwa19197","app":"webdav","method":"PROPFIND","url":"\/remote.php\/dav\/files\/Marcwa19197\/","message":{"Exception":"Sabre\\DAV\\Exception\\ServiceUnavailable","Message":"TypeError: Argument 1 passed to OC\\Authentication\\Token\\PublicKeyTokenProvider::encrypt() must be of the type string, null given, called in \/data\/www\/xxx.de\/public_data\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php on line 304","Code":0,"Trace":[{"function":"{closure}","args":["*** sensitive parameters replaced ***"]},{"file":"\/data\/www\/xxx.de\/public_data\/3rdparty\/sabre\/event\/lib\/EventEmitterTrait.php","line":105,"function":"call_user_func_array","args":[{"__class__":"Closure"},["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***"]]},{"file":"\/data\/www\/xxx.de\/public_data\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php","line":466,"function":"emit","class":"Sabre\\Event\\EventEmitter","type":"->","args":["beforeMethod",["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***"]]},{"file":"\/data\/www\/xxx.de\/public_data\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php","line":254,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->","args":["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***"]},{"file":"\/data\/www\/xxx.de\/public_data\/remote.php","line":72,"function":"exec","class":"Sabre\\DAV\\Server","type":"->","args":[]},{"file":"\/data\/www\/xxx.de\/public_data\/remote.php","line":168,"function":"handleException","args":[{"__class__":"TypeError"}]}],"File":"\/data\/www\/xxx.de\/public_data\/remote.php","Line":70,"CustomMessage":"--"},"userAgent":"Mozilla\/5.0 (Windows) mirall\/2.3.3 (build 1) (Nextcloud)","version":"14.0.0.19"}

@kesselb
Contributor

kesselb commented Sep 15, 2018

Could you add var_dump(openssl_error_string()); exit(); and post the result?

@Marcwa19197
Author

Marcwa19197 commented Sep 15, 2018

Now string(53) "error:0200100D:system library:fopen:Permission denied" is shown on the webinterface. So maybe the www-data user has no rights to read the openssl file? But I can open it with sudo -u www-data less /var/www/xxx.de/openssl.cnf

Code is:

$config = array_merge([
	'digest_alg' => 'sha512',
	'private_key_bits' => 2048,
], $this->config->getSystemValue('openssl', []));

// Generate new key
$res = openssl_pkey_new($config);
openssl_pkey_export($res, $privateKey);

var_dump(openssl_error_string()); exit();

@kesselb
Contributor

kesselb commented Sep 15, 2018

var_dump($config);
var_dump(openssl_error_string());
exit();

I can reproduce your error when I remove the permission to read openssl.cnf.

  • Are you sure that you set a readable openssl.cnf?
  • Is php running as www-data?
  • Could you place (only for testing) openssl.cnf in the same directory as index.php and set the path in config.php?
  • Is openssl.cnf file owned by www-data?
  • Do you use mod_php or php-fpm?

<?php

$config = [
	'digest_alg' => 'sha512',
	'private_key_bits' => 2048,
];

$res = openssl_pkey_new($config);

var_dump($res);
var_dump(openssl_error_string());

Could you place the code above in a file (e.g. openssl_test.php) on your server and execute it from web and cli?

php openssl_test.php 
/home/vagrant/openssl_test.php:10:
resource(4) of type (OpenSSL key)
/home/vagrant/openssl_test.php:11:
string(68) "error:0E06D06C:configuration file routines:NCONF_get_string:no value"

As long as openssl.cnf is readable it works for me.

@Marcwa19197
Author

Marcwa19197 commented Sep 15, 2018

The Permissions of /var/www/xxx.de/openssl.cnf are:
-rw-r--r-- 1 www-data www-data 10835 Sep 14 23:06 openssl.cnf

and of /etc/ssl/openssl.cnf
-rw-r--r-- 1 root root 10835 Feb 2 2016 /etc/ssl/openssl.cnf

Error shown in GUI after adding your code:
array(3) { ["digest_alg"]=> string(6) "sha512" ["private_key_bits"]=> int(2048) ["config"]=> string(46) "/var/www/xxx.de/public_data/openssl.cnf" } string(53) "error:0200100D:system library:fopen:Permission denied"

I tried to chmod 777 on openssl.cnf in /var/www/xxx.de/public_data/ without success. Same error shown.

Edit: PHP is running under www-data. www-data also is owner of all Subdirectories within "/var/www/".
Which permission do you have on your openssl.cnf file and where is it located at your machine?

Edit2:

  • I'm using mod_php (PHP7, installed via apt on Ubuntu 16.04)
  • Output of the testfile "openssl_test.php" (File itself is owned by www-data)

CLI run via root user:
resource(4) of type (OpenSSL key) string(68) "error:0E06D06C:configuration file routines:NCONF_get_string:no value"

CLI run via sudo -u www-data:
bool(false) string(53) "error:0200100D:system library:fopen:Permission denied"

Web:
bool(false) string(53) "error:0200100D:system library:fopen:Permission denied"

I also added the path to openssl.cnf to the testfile, still permission denied even if the openssl.cnf file is in the same directory as the testfile and has a chmod 777 on it.

@kesselb
Contributor

kesselb commented Sep 15, 2018

Edit: PHP is running under www-data. www-data also is owner of all Subdirectories within "/var/www/".
Which permission do you have on your openssl.cnf file and where is it located at your machine?

#11227 (comment)

CLI run via root user:
resource(4) of type (OpenSSL key) string(68) "error:0E06D06C:configuration file routines:NCONF_get_string:no value"

This is ok (no value is a warning).

@Marcwa19197
Author

Marcwa19197 commented Sep 15, 2018

Oh, I see, sorry.
Any other ideas? Really strange, I think.

Running sudo -u www-data cat /var/www/xxx.de/public_data/openssl.cnf runs fine.

@Marcwa19197
Author

Marcwa19197 commented Sep 15, 2018

Doing a sudo -u www-data strace php openssl_test.php gives the following lines:

open("/usr/lib/ssl/openssl.cnf", O_RDONLY) = -1 EACCES (Permission denied)
open("/data/www/xxx.de/public_data/openssl.cnf", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0777, st_size=10835, ...}) = 0
read(4, "#\n# OpenSSL example configuratio"..., 4096) = 4096
read(4, "Netscape crash on BMPStrings or "..., 4096) = 4096
read(4, " this to avoid interpreting an e"..., 4096) = 2643
read(4, "", 4096)                       = 0
close(4) 

The openssl_test.php contains:

<?php

$config = [
        'digest_alg' => 'sha512',
        'private_key_bits' => 2048,
        'config' => '/data/www/xxx.de/public_data/openssl.cnf',
];

$res = openssl_pkey_new($config);

var_dump($res);
var_dump(openssl_error_string());

So, maybe the problem is that php is first looking on the default location and then on the one specified?

Edit:
If I look at my /etc/ssl folder permissions..

total 56
drw-------   5 root root      4096 Sep 15 21:46 ./
drwxr-xr-x 146 root root     12288 Sep 15 21:32 ../
drwxr-xr-x   2 root root     20480 Jun  9 12:52 certs/
-rw-r--r--   1 root root     10835 Sep 15 21:44 openssl.cnf
drwx--x---   2 root ssl-cert  4096 Mar  2  2016 private/
drw-------   5 root root      4096 May  4 19:14 xxx-certs/

So, I don't know if it is right to have only rw on root under this folder; comparing to yours, you have rx on group and others.

Edit2: Got it working now. Changed the /etc/ssl/ Permissions. chmod go+rx /etc/ssl/ does the trick.
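
The permission check behind the `fopen:Permission denied` above, as an added example (not code from this thread or from Nextcloud): a Python model of the kernel's path walk over a constructed stat table that mirrors the reporter's `ls -al /etc/ssl`. It shows why a 0644 openssl.cnf is unreadable for www-data while /etc/ssl is 0600, why the same test script succeeds as root, and why `chmod go+rx /etc/ssl` is enough; uid/gid 33 for www-data and the tree entries are assumptions.

```python
"""
Model of the discretionary access check behind EACCES: opening a file for
reading needs the search (x) bit on every directory in the path for the
caller's permission class, plus the read (r) bit on the file itself.
A readable file under an unsearchable directory is still unreachable.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# path -> (mode bits, owner uid, owner gid)
StatTable = Dict[str, Tuple[int, int, int]]

ROOT = 0
WWW_DATA = 33  # assumed uid/gid of www-data (Debian/Ubuntu default)

# Constructed table mirroring the thread's `ls -al /etc/ssl` output.
BROKEN_TREE: StatTable = {
    "/": (0o755, 0, 0),
    "/etc": (0o755, 0, 0),
    "/etc/ssl": (0o600, 0, 0),              # drw------- : no x bit for group/other
    "/etc/ssl/openssl.cnf": (0o644, 0, 0),  # -rw-r--r-- : readable by everyone
}

NO_SEARCH = "no search (x) permission on directory for this user"
NO_READ = "no read (r) permission on file for this user"
MISSING = "path component does not exist"


def class_bits(mode: int, owner_uid: int, owner_gid: int,
               uid: int, gids: Iterable[int]) -> int:
    """Pick the single rwx triple the kernel applies to this caller.

    Exactly one class is consulted: owner if the uid matches, otherwise group
    if any of the caller's groups matches, otherwise other. There is no
    fallback to a more permissive class.
    """
    if uid == owner_uid:
        return (mode >> 6) & 0o7
    if owner_gid in set(gids):
        return (mode >> 3) & 0o7
    return mode & 0o7


def components(path: str) -> List[str]:
    """'/etc/ssl/openssl.cnf' -> ['/', '/etc', '/etc/ssl', '/etc/ssl/openssl.cnf']."""
    out = ["/"]
    cur = ""
    for part in path.strip("/").split("/"):
        if part:
            cur += "/" + part
            out.append(cur)
    return out


def explain_open_read(path: str, uid: int, gids: Iterable[int],
                      tree: StatTable) -> Optional[Tuple[str, str]]:
    """Return None if `uid` may open `path` read-only, else (component, reason).

    The walk stops at the first failing component, as the kernel's lookup
    does, so the file's own 0644 mode is never reached when a directory
    above it lacks the search bit.
    """
    gids = set(gids)
    bypass = uid == ROOT  # root skips DAC bits but the path must still exist
    comps = components(path)
    for directory in comps[:-1]:
        if directory not in tree:
            return (directory, MISSING)
        mode, o_uid, o_gid = tree[directory]
        if not bypass and not class_bits(mode, o_uid, o_gid, uid, gids) & 0o1:
            return (directory, NO_SEARCH)
    leaf = comps[-1]
    if leaf not in tree:
        return (leaf, MISSING)
    mode, o_uid, o_gid = tree[leaf]
    if not bypass and not class_bits(mode, o_uid, o_gid, uid, gids) & 0o4:
        return (leaf, NO_READ)
    return None


def chmod_add(tree: StatTable, path: str, bits: int) -> StatTable:
    """Return a copy of `tree` with `bits` OR-ed into `path`'s mode (chmod +...)."""
    mode, o_uid, o_gid = tree[path]
    fixed = dict(tree)
    fixed[path] = (mode | bits, o_uid, o_gid)
    return fixed


# `chmod go+rx /etc/ssl`, the fix reported in the thread, expressed as mode bits.
FIXED_TREE: StatTable = chmod_add(BROKEN_TREE, "/etc/ssl", 0o055)


if __name__ == "__main__":
    cnf = "/etc/ssl/openssl.cnf"
    for label, tree in (("before chmod", BROKEN_TREE), ("after chmod go+rx", FIXED_TREE)):
        for who, uid in (("root", ROOT), ("www-data", WWW_DATA)):
            verdict = explain_open_read(cnf, uid, {uid}, tree)
            msg = "OK" if verdict is None else "EACCES at %s: %s" % verdict
            print(f"{label:18} {who:9} -> {msg}")
```

The same walk applies to the configured `'config'` path: the file can be owned by www-data and mode 777, yet any parent directory without the x bit for www-data still yields EACCES.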

@kesselb
Contributor

kesselb commented Sep 16, 2018

Problem solved so we can close the ticket 👍

@kesselb kesselb closed this as completed Sep 16, 2018
@darkrain88

darkrain88 commented Sep 30, 2018

<?php

$config = [
'digest_alg' => 'sha512',
'private_key_bits' => 2048,
'config' => '/etc/ssl/openssl.cnf',
];

$res = openssl_pkey_new($config);

var_dump($res);
var_dump(openssl_error_string());

I met the same problem upgrading from 13.06 to 14.
Run the script above:

root@Openwrt:/opt/wwwroot# sudo -u nobody php-cli phpopenssl.php
output:
resource(4) of type (OpenSSL key)
string(39) "error:02001002:lib(2):func(1):reason(2)"

openssl version


I have already added it into config.


error log listed:

{"reqId":"E4mpumpeRrchnxzNv8rE","level":3,"time":"2018-09-30T05:25:31+00:00","remoteAddr":"2409:891e:6c40:3079:c38:519:95fd:48f0","user":"--","app":"index","method":"GET","url":"/","message":{"Exception":"TypeError","Message":"openssl_pkey_get_details() expects parameter 1 to be resource, boolean given","Code":0,"Trace":[{"file":"/opt/wwwroot/Nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php","line":300,"function":"openssl_pkey_get_details","args":[false]},{"file":"/opt/wwwroot/Nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php","line":270,"function":"newToken","class":"OC\Authentication\Token\PublicKeyTokenProvider","type":"->",

@darkrain88

13.0.6
14.0.01


many files added.

@kesselb
Contributor

kesselb commented Sep 30, 2018

Edit2: Got it working now. Changed the /etc/ssl/ Permissions. chmod go+rx /etc/ssl/ does the trick.

Does it work for you as well?

@darkrain88

Edit2: Got it working now. Changed the /etc/ssl/ Permissions. chmod go+rx /etc/ssl/ does the trick.

Does it work for you as well?

no

I have no problem with permission

run script

show error

Means php-mod-openssl has some problem?

@darkrain88

new log
{"reqId":"fR4sjBxGdtgFPtzLlR5l","level":3,"time":"2018-09-30T10:15:27+00:00","remoteAddr":"2409:8a1e:8fce:d5e0:bcc7:2d95:e0bf:313a","user":"wei","app":"index","method":"POST","url":"\/login?redirect_url=\/apps\/files\/","message":{"Exception":"TypeError","Message":"Argument 1 passed to OC\\Authentication\\Token\\PublicKeyTokenProvider::encrypt() must be of the type string, null given, called in \/opt\/wwwroot\/Nextcloud\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php on line 305","Code":0,"Trace":[{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php","line":305,"function":"encrypt","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php","line":69,"function":"newToken","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensitive parameter replaced ***"]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/Authentication\/Token\/Manager.php","line":68,"function":"generateToken","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/User\/Session.php","line":631,"function":"generateToken","class":"OC\\Authentication\\Token\\Manager","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/opt\/wwwroot\/Nextcloud\/core\/Controller\/LoginController.php","line":322,"function":"createSessionToken","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced 
***"]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/AppFramework\/Http\/Dispatcher.php","line":166,"function":"tryLogin","class":"OC\\Core\\Controller\\LoginController","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/AppFramework\/Http\/Dispatcher.php","line":99,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[{"__class__":"OC\\Core\\Controller\\LoginController"},"tryLogin"]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/AppFramework\/App.php","line":118,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[{"__class__":"OC\\Core\\Controller\\LoginController"},"tryLogin"]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/AppFramework\/Routing\/RouteActionHandler.php","line":47,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["OC\\Core\\Controller\\LoginController","tryLogin",{"__class__":"OC\\AppFramework\\DependencyInjection\\DIContainer"},{"_route":"core.login.tryLogin"}]},{"function":"__invoke","class":"OC\\AppFramework\\Routing\\RouteActionHandler","type":"->","args":[{"_route":"core.login.tryLogin"}]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/Route\/Router.php","line":297,"function":"call_user_func","args":[{"__class__":"OC\\AppFramework\\Routing\\RouteActionHandler"},{"_route":"core.login.tryLogin"}]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/base.php","line":987,"function":"match","class":"OC\\Route\\Router","type":"->","args":["\/login"]},{"file":"\/opt\/wwwroot\/Nextcloud\/index.php","line":42,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php","Line":220,"CustomMessage":"--"},"userAgent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36","version":"14.0.1.1"}

@kesselb
Contributor

kesselb commented Sep 30, 2018

root@Openwrt:/opt/wwwroot# sudo -u nobody php-cli phpopenssl.php
output:
resource(4) of type (OpenSSL key)
string(39) "error:02001002:lib(2):func(1):reason(2)"

This looks ok. resource(4) of type (OpenSSL key) is passed to PublicKeyTokenProvider::encrypt().

@darkrain88

@danielkesselberg

how about the error it prompted

and, referring to my log above, how to resolve the internal server error?

thanks

@kesselb
Contributor

kesselb commented Sep 30, 2018

Could you look for this line

openssl_pkey_export($res, $privateKey);

and add var_dump(openssl_error_string()); exit(); below, try again, copy output and remove the line again?

@darkrain88

add

Could you look for this line

server/lib/private/Authentication/Token/PublicKeyTokenProvider.php

Line 297 in 1b35dc1

  openssl_pkey_export($res, $privateKey); 

and add var_dump(openssl_error_string()); exit() below, try again, copy output and remove the line again?


no output since exit();

@darkrain88


any problem here?

@darkrain88

{"reqId":"QbXJadtjq4fr1ILIUdbn","level":3,"time":"2018-09-30T14:52:47+00:00","remoteAddr":"192.168.100.240","user":"caihong","app":"index","method":"POST","url":"\/login","message":{"Exception":"TypeError","Message":"Argument 1 passed to OC\\Authentication\\Token\\PublicKeyTokenProvider::encrypt() must be of the type string, null given, called in \/opt\/wwwroot\/Nextcloud\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php on line 307","Code":0,"Trace":[{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php","line":307,"function":"encrypt","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php","line":69,"function":"newToken","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensitive parameter replaced ***"]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/Authentication\/Token\/Manager.php","line":68,"function":"generateToken","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/User\/Session.php","line":631,"function":"generateToken","class":"OC\\Authentication\\Token\\Manager","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/opt\/wwwroot\/Nextcloud\/core\/Controller\/LoginController.php","line":322,"function":"createSessionToken","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/AppFramework\/Http\/Dispatcher.php","line":166,"function":"tryLogin","class":"OC\\Core\\Controller\\LoginController","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/AppFramework\/Http\/Dispatcher.php","line":99,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[{"__class__":"OC\\Core\\Controller\\LoginController"},"tryLogin"]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/AppFramework\/App.php","line":118,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[{"__class__":"OC\\Core\\Controller\\LoginController"},"tryLogin"]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/AppFramework\/Routing\/RouteActionHandler.php","line":47,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["OC\\Core\\Controller\\LoginController","tryLogin",{"__class__":"OC\\AppFramework\\DependencyInjection\\DIContainer"},{"_route":"core.login.tryLogin"}]},{"function":"__invoke","class":"OC\\AppFramework\\Routing\\RouteActionHandler","type":"->","args":[{"_route":"core.login.tryLogin"}]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/Route\/Router.php","line":297,"function":"call_user_func","args":[{"__class__":"OC\\AppFramework\\Routing\\RouteActionHandler"},{"_route":"core.login.tryLogin"}]},{"file":"\/opt\/wwwroot\/Nextcloud\/lib\/base.php","line":987,"function":"match","class":"OC\\Route\\Router","type":"->","args":["\/login"]},{"file":"\/opt\/wwwroot\/Nextcloud\/index.php","line":42,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"\/opt\/wwwroot\/Nextcloud\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php","Line":220,"CustomMessage":"--"},"userAgent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36","version":"14.0.1.1"}

error log still

@kesselb
Contributor

kesselb commented Sep 30, 2018

add

Could you look for this line
server/lib/private/Authentication/Token/PublicKeyTokenProvider.php
Line 297 in 1b35dc1

  openssl_pkey_export($res, $privateKey); 

and add var_dump(openssl_error_string()); exit() below, try again, copy output and remove the line again?


no output since exit();

Hmm. Could you add the line, open nextcloud, try to login and see if there is any output?

@DerVerruckteFuchs

I've been having a similar issue as @darkrain88. I'm using Debian Stretch. I followed the above steps and checked permissions. I added the three lines mentioned above and my browser gets this error message:

bool(false) string(68) "error:0E06D06C:configuration file routines:NCONF_get_string:no value"

In my log file for a desktop user :

{"reqId":"SomeReqId","level":3,"time":"2018-09-30T18:20:34+00:00","remoteAddr":"192.168.1.1","user":"SomeDesktopUser","app":"PHP","method":"GET","url":"\/status.php","message":"openssl_pkey_export(): cannot get key from parameter 1 at \/var\/www\/html\/nextcloud\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php#297","userAgent":"Mozilla\/5.0 (Linux) mirall\/2.3.3 (Nextcloud)","version":"14.0.1.1"}

for a mobile/app user:

{"reqId":"SomeReqId","level":3,"time":"2018-09-30T18:38:15+00:00","remoteAddr":"192.168.1.1","user":"SomeMobileUser","app":"PHP","method":"GET","url":"\/status.php","message":"openssl_pkey_new(): Error loading request_extensions_section section v3_req of \/usr\/lib\/ssl\/openssl.cnf at \/var\/www\/html\/nextcloud\/lib\/private\/Authentication\/Token\/PublicKeyTokenProvider.php#296","userAgent":"Mozilla\/5.0 (Linux) mirall\/2.3.3 (Nextcloud)","version":"14.0.1.1"}

I also ran @darkrain88's script and got the following output:

PHP Warning:  openssl_pkey_new(): Error loading request_extensions_section section v3_req of /etc/ssl/openssl.cnf in /var/www/html/nextcloud/test.php on line 9
bool(false)
string(68) "error:0E06D06C:configuration file routines:NCONF_get_string:no value"

From my /etc/ssl/openssl.cnf here is the v3_req section:

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
tlsfeature = status_request

I commented out a line:

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
#subjectAltName = @alt_names
tlsfeature = status_request

This changed the output of @darkrain88's test script:

resource(4) of type (OpenSSL key)
string(68) "error:0E06D06C:configuration file routines:NCONF_get_string:no value"

I'm still getting the string(68) error, but it doesn't seem fatal.

The change in v3_req prevented the internal error screen from showing up in Nextcloud, and I can log in without issue. I'm not noticing any new errors show up in the log.

@darkrain88

but I can't log in

some internal error

Hmm. Could you add the line, open nextcloud, try to login and see if there is any output?

add line, how to do that?

@darkrain88

can replace sha512 to v3_ca

<?php

// Same settings Nextcloud passes to openssl_pkey_new()
$config = [
'digest_alg' => 'sha512',
'private_key_bits' => 2048,
'config' => '/etc/ssl/openssl.cnf',
];

// Generate a key pair; returns false when OpenSSL cannot build the key
$res = openssl_pkey_new($config);

var_dump($res);
var_dump(openssl_error_string());

@kesselb
Contributor

kesselb commented Oct 1, 2018

add line, how to do that?

openssl_pkey_export($res, $privateKey);

Could you look for this file on your nextcloud instance and insert this code below var_dump(openssl_error_string()); exit();

Then open nextcloud with your browser and try to login. I guess you should see a white page with some output. Because openssl_pkey_export sets $privateKey to null I would like to know if there is anything helpful reported by openssl_error_string about why generation failed.

@darkrain88

@danielkesselberg

that is, nothing is output

only a 500 error

@kesselb
Contributor

kesselb commented Oct 1, 2018

Sorry @darkrain88 i have no idea what is going wrong in your case 😞

@darkrain88

add line, how to do that?

server/lib/private/Authentication/Token/PublicKeyTokenProvider.php

Line 297 in 1b35dc1

  openssl_pkey_export($res, $privateKey); 

Could you look for this file on your nextcloud instance and insert this code below var_dump(openssl_error_string()); exit();

Then open nextcloud with your browser and try to login. I guess you should see a white page with some output. Because openssl_pkey_export sets $privateKey to null I would like to know if there is anything helpful reported by openssl_error_string about why generation failed.


information 'string(39) "error:02001002:lib(2):func(1):reason(2)"'

the output is the same as running the script above.

@kesselb
Contributor

kesselb commented Oct 2, 2018

@darkrain88 could you open a new issue for this? The original issue @Marcwa19197 started this ticket for has been solved. There is only a little chance that someone else is looking in a closed issue. Thank you 👍 and don't forget to provide as much information as possible.

@darkrain88

@darkrain88 could you open a new issue for this? The original issue @Marcwa19197 started this ticket for has been solved. There is only a little chance that someone else is looking in a closed issue. Thank you 👍 and don't forget to provide as much information as possible.

thanks you

@0xb0ba

0xb0ba commented Feb 7, 2019

use openssl_pkey_export($res, $privateKey, NULL, $config)

@Trexology

Trexology commented Mar 18, 2019

use openssl_pkey_export($res, $privateKey, NULL, $config)

This solution works for me!!

Change the code of PublicKeyTokenProvider.php

// Generate new key
$res = openssl_pkey_new($config);
// openssl_pkey_export($res, $privateKey);
openssl_pkey_export($res, $privateKey, NULL, $config);

@0xb0ba

0xb0ba commented Mar 18, 2019

@kesselb, found a solution here...

@ghost

ghost commented Apr 18, 2019

@0xb0ba I tried this but I get the same errors.

@tengzhaoyong

tengzhaoyong commented May 22, 2019

I met the same problem installing version 16.0, and I added the lines below $res = openssl_pkey_new($config);:

openssl_pkey_export($res, $privateKey);
var_dump($res);
var_dump($config);
var_dump(openssl_error_string());

and get the error:

error:0E06D06C:configuration file routines:NCONF_get_string:no value

next, i added the value in config/config.php:

array (
'digest_alg' => 'sha512',
'private_key_bits' => 4096,
'config' => '/usr/local/openssl/openssl.cnf',
),

For private_key_bits I first used 2048, but got the same errors;
when I changed the value to 4096 it worked.

@kesselb
Contributor

kesselb commented Jul 18, 2019

@kesselb, found a solution here...

@0xb0ba Passing $config to openssl_pkey_export looks good. Mind to open a pull request?

if (openssl_pkey_export($res, $privateKey, null, $config) === false) {
    $this->logOpensslError();
}

We should check the response and log errors again just in case. Sorry for the late reply 🙈
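The fix discussed above (passing the same `$config` to both `openssl_pkey_new()` and `openssl_pkey_export()`, and checking the return value) and the config-file diagnosis from @DerVerruckteFuchs's comment can be combined into one self-contained script. This is an added example for this thread, not code from Nextcloud's `PublicKeyTokenProvider` and not posted by any participant; the function names `drainOpensslErrors`, `resolveOpensslConfigPath` and `generateTokenKeyPair` are my own, and the config-file lookup order is a best-effort reproduction of the PHP openssl extension's behaviour (`OPENSSL_CONF`, then `SSLEAY_CONF`, then `<OPENSSLDIR>/openssl.cnf`) that you should treat as an assumption and verify against your PHP build.

```php
<?php
declare(strict_types=1);

/**
 * Drain the OpenSSL error queue. openssl_error_string() pops one queued
 * message per call (oldest first) and returns false when the queue is empty,
 * so a single var_dump(openssl_error_string()) can show a stale or harmless
 * entry instead of the message that explains the failure.
 */
function drainOpensslErrors(): array
{
    $errors = [];
    while (($msg = openssl_error_string()) !== false) {
        $errors[] = $msg;
    }
    return $errors;
}

/**
 * Best-effort reproduction (assumption, not an official API) of how the PHP
 * openssl extension picks its default config file when no 'config' option is
 * given: $OPENSSL_CONF, else $SSLEAY_CONF, else <OPENSSLDIR>/openssl.cnf.
 * Useful for explaining "cannot get key from parameter 1": that error is a
 * consequence of openssl_pkey_new() having returned false earlier, typically
 * because this file is missing, unreadable or has a broken section.
 */
function resolveOpensslConfigPath(): string
{
    $env = getenv('OPENSSL_CONF') ?: getenv('SSLEAY_CONF');
    if ($env !== false && $env !== '') {
        return $env;
    }
    $locations = openssl_get_cert_locations();
    return rtrim($locations['default_default_cert_area'], '/') . '/openssl.cnf';
}

/**
 * Generate an RSA key pair for token encryption. The same $config is passed
 * to both OpenSSL calls, every return value is checked, and the full error
 * queue is attached to the exception so the operator sees the real cause.
 * Returns ['private' => PEM, 'public' => PEM, 'warnings' => string[]].
 */
function generateTokenKeyPair(array $config): array
{
    drainOpensslErrors(); // start from an empty queue so later messages are attributable

    $res = openssl_pkey_new($config);
    if ($res === false) {
        throw new RuntimeException('openssl_pkey_new failed: ' . implode('; ', drainOpensslErrors())
            . ' (config file: ' . ($config['config'] ?? resolveOpensslConfigPath()) . ')');
    }

    $privateKey = null;
    if (openssl_pkey_export($res, $privateKey, null, $config) === false || $privateKey === null) {
        throw new RuntimeException('openssl_pkey_export failed: ' . implode('; ', drainOpensslErrors()));
    }

    // Verify we got the key size we asked for rather than trusting the call blindly.
    $details = openssl_pkey_get_details($res);
    if ($details === false || $details['bits'] !== $config['private_key_bits']) {
        throw new RuntimeException('generated key does not match the requested size');
    }

    // "NCONF_get_string:no value" can remain queued even on success when a
    // config section references an undefined name (as seen in this thread);
    // report it, but do not treat it as a failure.
    return ['private' => $privateKey, 'public' => $details['key'], 'warnings' => drainOpensslErrors()];
}

// Constructed sample configuration mirroring the 'openssl' settings quoted in this thread.
$config = [
    'digest_alg'       => 'sha512',
    'private_key_bits' => 2048,
    'config'           => '/etc/ssl/openssl.cnf', // adjust to your system
];

try {
    $pair = generateTokenKeyPair($config);
    echo "OK, public key:\n", $pair['public'];
    foreach ($pair['warnings'] as $w) {
        echo "openssl warning: $w\n";
    }
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

Run it from the CLI as the web-server user (for example with `sudo -u www-data php script.php`), since the config file and the directory it lives in must be readable by that user, not only by root. On PHP 8 `openssl_pkey_new()` returns an `OpenSSLAsymmetricKey` object instead of a resource, which the `=== false` checks handle unchanged.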

@MorrisJobke
Member

Fix is in #16495

@awaisjavaid930

awaisjavaid930 commented Dec 20, 2022

For Windows systems
Click on the Windows button and search:

  1. ENVIRONMENT VARIABLES
  2. Under "System Variables" click on "NEW"
  3. Enter the "Variable name" OPENSSL_CONF
  4. Enter the "Variable value" as - C:\wamp\bin\apache\Apache2.2.17\conf\openssl.cnf for Wampp in C drive
  5. Enter the "Variable value" as - D:\xampp\apache\conf\openssl.cnf for Xampp in D drive
  6. Click "OK", close all the windows and RESTART your Xampp.
