[Bug]: 3.15.x asks to log in on every start (PKCS#12 client certificate) #7762

Open
4 of 8 tasks
brdns opened this issue Jan 16, 2025 · 9 comments
@brdns

brdns commented Jan 16, 2025

Bug description

Hello, I am also experiencing this issue with desktop client 3.15.3 on Windows 11. There’s probably a link with the recent migration to Qt6 and the previous QtKeychain implementation in the client. That feature has not been updated since the first release so I’m tagging the most recent contributor to the file httpcredentials.cpp @mgallien and the original contributor @ckamm.

The initial connection works well while providing the PKCS#12 client certificate and the password. It seems there’s a mismatch where the certificate bundle is either not properly saved in the keychain or is not fetched correctly on the next login :

https://github.com/nextcloud/desktop/blob/master/src/libsync/creds/httpcredentials.cpp#L440

It seems the client certificate is found, but its password was not correctly saved and can’t be found on following attempts to log in.

[ warning qt.core.qobject.connect unknown:0 ]:	QObject::connect(QNetworkInformation, OCC::Application): invalid nullptr parameter
[ warning qt.qml.context unknown:0 ]:	qrc:/qml/src/gui/tray/CurrentAccountHeaderButton.qml:84:13 Parameter "index" is not declared. Injection of parameters into signal handlers is deprecated. Use JavaScript functions with formal parameters instead.
[ warning qt.qml.context unknown:0 ]:	qrc:/qml/src/gui/tray/CurrentAccountHeaderButton.qml:85:13 Parameter "object" is not declared. Injection of parameters into signal handlers is deprecated. Use JavaScript functions with formal parameters instead.
[ info nextcloud.gui.account.state C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\accountstate.cpp:285 ]:	check connectivity
[ info nextcloud.sync.credentials.webflow C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\creds\webflowcredentials.cpp:139 ]:	Fetch from keychain!
[ info nextcloud.gui.folder.navigationpane C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\navigationpanehelper.cpp:110 ]:	Explorer Cloud storage provider: saving path "C:\\Users\\User\\Nextcloud" to CLSID "{myid}"
[ warning nextcloud.sync.credentials.keychainchunk C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\libsync\creds\keychainchunk.cpp:360 ]:	Unable to read "Nextcloud__clientCertificatePEM:https://myserver.com/:0" chunk "0" "Password entry not found"
[ info nextcloud.gui.folderwatcher C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\folderwatcher.cpp:252 ]:	Detected changes in paths: QSet("C:/Users/User/Nextcloud/.nextcloudsync.log")
[ warning nextcloud.sync.credentials.keychainchunk C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\libsync\creds\keychainchunk.cpp:360 ]:	Unable to read "Nextcloud__clientKeyPEM:https://myserver.com/:0" chunk "0" "Password entry not found"
[ warning nextcloud.sync.credentials.webflow C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\creds\webflowcredentials.cpp:463 ]:	Unable to read client key "Password entry not found"
[ warning nextcloud.sync.credentials.keychainchunk C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\libsync\creds\keychainchunk.cpp:360 ]:	Unable to read "Nextcloud__clientCaCertificatePEM0:https://myserver.com/:0" chunk "0" "Password entry not found"
[ warning nextcloud.sync.credentials.webflow C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\creds\webflowcredentials.cpp:504 ]:	Unable to read client CA cert slot "0" "Password entry not found"
[ warning nextcloud.sync.credentials C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\libsync\creds\abstractcredentials.cpp:42 ]:	Error: User is empty!
[ warning nextcloud.sync.credentials.webflow C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\creds\webflowcredentials.cpp:537 ]:	Strange: User is empty!
[ warning nextcloud.sync.networkjob C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\libsync\abstractnetworkjob.cpp:223 ]:	QNetworkReply::UnknownNetworkError "Erreur lors de la lecture : error:0A00045C:SSL routines::tlsv13 alert certificate required" QVariant(Invalid)
[ warning nextcloud.sync.credentials.webflow C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\creds\webflowcredentials.cpp:207 ]:	QNetworkReply::UnknownNetworkError
[ warning nextcloud.sync.credentials.webflow C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\creds\webflowcredentials.cpp:208 ]:	"Erreur lors de la lecture : error:0A00045C:SSL routines::tlsv13 alert certificate required"
[ info nextcloud.sync.accessmanager C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\libsync\accessmanager.cpp:67 ]:	2 "" "https://myserver.com/status.php" has X-Request-ID "mysecretid"
[ info nextcloud.sync.networkjob C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\libsync\abstractnetworkjob.cpp:365 ]:	OCC::CheckServerJob created for "https://myserver.com" + "status.php" "OCC::ConnectionValidator"
[ info nextcloud.sync.credentials.webflow C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\creds\webflowcredentials.cpp:405 ]:	request finished
[ warning nextcloud.sync.networkjob C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\libsync\abstractnetworkjob.cpp:223 ]:	QNetworkReply::UnknownNetworkError "Erreur lors de la lecture : error:0A00045C:SSL routines::tlsv13 alert certificate required" QVariant(Invalid)
[ warning nextcloud.sync.credentials.webflow C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\creds\webflowcredentials.cpp:207 ]:	QNetworkReply::UnknownNetworkError
[ warning nextcloud.sync.credentials.webflow C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\creds\webflowcredentials.cpp:208 ]:	"Erreur lors de la lecture : error:0A00045C:SSL routines::tlsv13 alert certificate required"
[ warning nextcloud.sync.networkjob.checkserver C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\libsync\networkjobs.cpp:546 ]:	error: status.php replied  0 ""
[ warning nextcloud.sync.connectionvalidator C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\connectionvalidator.cpp:163 ]:	QNetworkReply::UnknownNetworkError "Erreur lors de la lecture : error:0A00045C:SSL routines::tlsv13 alert certificate required" "Erreur lors de la lecture : error:0A00045C:SSL routines::tlsv13 alert certificate required" ""
[ warning nextcloud.sync.credentials.webflow C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\creds\webflowcredentials.cpp:207 ]:	QNetworkReply::UnknownNetworkError
[ warning nextcloud.sync.credentials.webflow C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\creds\webflowcredentials.cpp:208 ]:	"Erreur lors de la lecture : error:0A00045C:SSL routines::tlsv13 alert certificate required"
[ info nextcloud.gui.folder.manager C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\folderman.cpp:813 ]:	Account "Me@myserver" disconnected or paused, terminating or descheduling sync folders

Steps to reproduce

  1. Successful login with a client certificate
  2. Restart the client or reboot the device
  3. App has forgotten the client certificate password and does not prompt for it, account is disconnected
  4. Removing the account and connecting again results in the app asking for the client certificate password and a successful login

Expected behavior

Client certificate file and password should be stored across client restarts and device reboots.

Which files are affected by this bug

httpcredentials.cpp

Operating system

Windows

Which version of the operating system you are running.

Windows 11 24h2

Package

Official Windows MSI

Nextcloud Server version

30.0.5

Nextcloud Desktop Client version

3.15.3

Is this bug present after an update or on a fresh install?

Fresh desktop client install

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

Are you using an external user-backend?

  • Default internal user-backend
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Nextcloud Server logs

No server logs since the reverse proxy forbids connection to Nextcloud server because it is not presented with a client certificate.

Additional info

Thank you so much for this great piece of software !!!
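
Log triage for the excerpt in the report above, as an added example that is not part of the original issue or of the Nextcloud code base: it parses the client's log line format, lists the keychain items that failed to load, and correlates them with the TLS "certificate required" alert. The sample log is constructed from the reported lines with shortened paths; triage and its result keys are hypothetical names.

```python
import re

# Constructed sample in the client's log format: lines from the report, with paths shortened.
SAMPLE_LOG = '''\
[ info nextcloud.sync.credentials.webflow src/gui/creds/webflowcredentials.cpp:139 ]:\tFetch from keychain!
[ warning nextcloud.sync.credentials.keychainchunk src/libsync/creds/keychainchunk.cpp:360 ]:\tUnable to read "Nextcloud__clientCertificatePEM:https://myserver.com/:0" chunk "0" "Password entry not found"
[ warning nextcloud.sync.credentials.keychainchunk src/libsync/creds/keychainchunk.cpp:360 ]:\tUnable to read "Nextcloud__clientKeyPEM:https://myserver.com/:0" chunk "0" "Password entry not found"
2025-02-06 22:22:45:325 [ warning nextcloud.sync.networkjob src/libsync/abstractnetworkjob.cpp:223 ]:\tQNetworkReply::UnknownNetworkError "Beim Lesen ist ein Fehler aufgetreten: error:0A00045C:SSL routines::tlsv13 alert certificate required" QVariant(Invalid)
'''

# "[ level category file:line ]:<tab>message", with an optional timestamp in front.
LINE = re.compile(r'\[ (?P<level>\w+) (?P<cat>\S+) (?P<src>.+?):(?P<line>\d+) \]:\s*(?P<msg>.*)')
KEYCHAIN_MISS = re.compile(r'Unable to read "(?P<key>[^"]+)" chunk "(?P<chunk>\d+)" "(?P<err>[^"]+)"')
# The OpenSSL part of the message stays English; only the Qt prefix is localized
# (French and German in this thread), so match on the OpenSSL text.
TLS_CERT_REQUIRED = "alert certificate required"


def triage(log_text):
    """Correlate keychain read failures with the server's client-certificate alert."""
    missing, tls_lines = set(), 0
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m or m["level"] != "warning":
            continue
        miss = KEYCHAIN_MISS.search(m["msg"])
        if miss and m["cat"].endswith("keychainchunk"):
            # Key layout as it appears in the log: <app>__<item>:<server url>:<index>
            missing.add(miss["key"].split(":", 1)[0].split("__", 1)[-1])
        elif TLS_CERT_REQUIRED in m["msg"]:
            tls_lines += 1
    if tls_lines and missing & {"clientCertificatePEM", "clientKeyPEM"}:
        verdict = "keychain read of client cert/key failed, then server demanded a client certificate"
    elif tls_lines:
        verdict = "server demanded a client certificate; no keychain read failure logged"
    else:
        verdict = "no mTLS failure found"
    return {"missing_items": sorted(missing),
            "tls_cert_required_lines": tls_lines,
            "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```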

@mgallien
Collaborator

@brdns sorry for the trouble.
Can you check if the entry for the password exists in the Windows credentials manager?
That would be nice to check and would help me narrow down the problem and find the best way to solve the issue.

@brdns
Author

brdns commented Jan 24, 2025

@mgallien thanks for having a look at this !

Fortunately I’ve got a 3.14.x client on another desktop which I have not yet updated. Here’s what the Windows credentials manager looks like on a working client that keeps the credentials even after reboot:

Image

And here’s a 3.15.x client. The windows credentials manager only has one entry regarding Nextcloud, even before reboot while the client certificate is still somehow working :

Image

Let me know if you need any further logs or feedback.

@naifqarni

same issue here

@mxsrm

mxsrm commented Feb 3, 2025

Arch Linux and MacOS newest clients on both machines and latest stable v30 Nextcloud same problem. Every restart both Arch Linux and MacOS need re-authorization of the sync client. Re-installed both MacOS and Arch Linux and fresh install have this problem.

@PhysicsIsAwesome

PhysicsIsAwesome commented Feb 6, 2025

> Arch Linux and MacOS newest clients on both machines and latest stable v30 Nextcloud same problem. Every restart both Arch Linux and MacOS need re-authorization of the sync client.

Same here on EndeavourOS. Clicking on log-in to re-authenticate does nothing. I need to remove and re-add the account in the nextcloud desktop client including setting up every sync folder pairs on every reboot/user logout. Makes it basically unusable.

@mxsrm

mxsrm commented Feb 6, 2025

> > Arch Linux and MacOS newest clients on both machines and latest stable v30 Nextcloud same problem. Every restart both Arch Linux and MacOS need re-authorization of the sync client.
>
> Same here on EndeavourOS. Clicking on log-in to re-authenticate does nothing. I need to remove and re-add the account in the nextcloud desktop client including setting up every sync folder pairs on every reboot/user logout. Makes it basically unusable.

I just gave up on Nextcloud. Tried it multiple times over the past 3 years, but you just can't use it.

I switched to owncloud OCIS for files, radicale for DAV, Immich for photos and hope this system works better in the long run. So far everything is great.

@brdns
Author

brdns commented Feb 6, 2025

@naifqarni @PhysicsIsAwesome Hello, can you also provide logs (preferably anonymized) ? So the Nextcloud devs can narrow down the issue, it might be different for you guys since you’re using different platforms. I’m also running a nextcloud client on a linux distro (Fedora) and so far that one is going smooth, I’m only having an issue with my Windows nextcloud client. Also is your bug related to the PKCS#12 client certificate login method specifically like in this issue ?

> I just gave up on Nextcloud. Tried it multiple times over the past 3 years, but you just can't use it. I switched to owncloud OCIS for files, radicale for DAV, Immich for photos and hope this system works better in the long run. So far everything is great.

@mxsrm Hello, please keep comments on this issue strictly related to providing information that can help the devs fix it. I’ve used OCIS myself and it’s great software too but lacks the PKCS#12 client certificate login in their apps which I need. I’m glad the Nextcloud devs are working on it even though it still needs improvements.

brdns changed the title from "[Bug]: 3.15.x asks to log in on every start (client certificate)" to "[Bug]: 3.15.x asks to log in on every start (PKCS#12 client certificate)" on Feb 6, 2025

@PhysicsIsAwesome

PhysicsIsAwesome commented Feb 7, 2025

> Also is your bug related to the PKCS#12 client certificate login method specifically like in this issue ?

Yes

> can you also provide logs (preferably anonymized) ?

Version 3.15.3daily, Erstellt aus der Git-Revision a595d5 auf Jan 7 2025, 13:56:30 unter Verwendung von Qt 6.8.1, OpenSSL 3.4.0 22 Oct 2024.

Found the following warning level log entries multiple times:

2025-02-06 22:22:45:325 [ warning nextcloud.sync.networkjob /usr/src/debug/nextcloud-client/nextcloud-client/src/libsync/abstractnetworkjob.cpp:223 ]:	QNetworkReply::UnknownNetworkError "Beim Lesen ist ein Fehler aufgetreten: error:0A00045C:SSL routines::tlsv13 alert certificate required" QVariant(Invalid)
2025-02-06 22:22:45:325 [ warning nextcloud.sync.credentials.webflow /usr/src/debug/nextcloud-client/nextcloud-client/src/gui/creds/webflowcredentials.cpp:207 ]:	QNetworkReply::UnknownNetworkError
2025-02-06 22:22:45:325 [ warning nextcloud.sync.credentials.webflow /usr/src/debug/nextcloud-client/nextcloud-client/src/gui/creds/webflowcredentials.cpp:208 ]:	"Beim Lesen ist ein Fehler aufgetreten: error:0A00045C:SSL routines::tlsv13 alert certificate required"
2025-02-06 22:22:45:325 [ warning nextcloud.sync.networkjob.checkserver /usr/src/debug/nextcloud-client/nextcloud-client/src/libsync/networkjobs.cpp:546 ]:	error: status.php replied  0 ""
2025-02-06 22:22:45:325 [ warning nextcloud.sync.connectionvalidator /usr/src/debug/nextcloud-client/nextcloud-client/src/gui/connectionvalidator.cpp:163 ]:	QNetworkReply::UnknownNetworkError "Beim Lesen ist ein Fehler aufgetreten: error:0A00045C:SSL routines::tlsv13 alert certificate required" "Beim Lesen ist ein Fehler aufgetreten: error:0A00045C:SSL routines::tlsv13 alert certificate required" ""
2025-02-06 22:22:45:325 [ warning nextcloud.sync.credentials.webflow /usr/src/debug/nextcloud-client/nextcloud-client/src/gui/creds/webflowcredentials.cpp:207 ]:	QNetworkReply::UnknownNetworkError
2025-02-06 22:22:45:325 [ warning nextcloud.sync.credentials.webflow /usr/src/debug/nextcloud-client/nextcloud-client/src/gui/creds/webflowcredentials.cpp:208 ]:	"Beim Lesen ist ein Fehler aufgetreten: error:0A00045C:SSL routines::tlsv13 alert certificate required"

@PhysicsIsAwesome

It has been quite some time since the desktop client has gone unusable for mTLS users. Anyone working on this?
