
[Bug]: SSL client certificate broken with 3.12.2 connection wizard

Open k-neon opened this issue 1 year ago • 6 comments


Bug description

The Nextcloud Connection Wizard can't proceed with the account creation because it shows a 400 Bad Request error where the web server does not receive the SSL client certificate. It is not possible to add the account. This worked perfectly with the previous 3.9.3 client, but now with 3.12.2 it no longer works.

Steps to reproduce

  1. Add a new account (Account -> Add new)
  2. Click "Log In" button
  3. Add Server Address
  4. Click on "Configure client-side TLS certificate"
  5. Load pkcs12 client-side cert and enter cert password
  6. Now appears the error
    • Failed to connect to Nextcloud at https://????.com. Server replied “400 Bad Request” to “GET https://????.com/status.php”
    • Could not load certificate. Maybe wrong password?

Expected behavior

It should be possible to add a new account to the client through the Nextcloud Connection Wizard, using an SSL client certificate, in order to connect to a Nextcloud server that requires client certificate authentication.

Which files are affected by this bug

No files

Operating system

Windows

Which version of the operating system you are running.

Win 11

Package

Other

Nextcloud Server version

27.1.7

Nextcloud Desktop Client version

3.12.2

Is this bug present after an update or on a fresh install?

Fresh desktop client install

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

Are you using an external user-backend?

  • [ ] Default internal user-backend
  • [ ] LDAP/ Active Directory
  • [ ] SSO - SAML
  • [ ] Other

Nextcloud Server logs

No response

Additional info

No response

k-neon avatar Mar 26 '24 19:03 k-neon

Could this be related to https://github.com/nextcloud/desktop/issues/863 ?

e-cite avatar Apr 09 '24 08:04 e-cite

Same issue here, except that I don't see the 400 Bad Request error. I tried this on 3.12.3stable-Win64 and also on 3.12.3 on Ubuntu.

freebeat avatar Apr 16 '24 14:04 freebeat

I assigned myself to investigate this, didn't reproduce this yet.

camilasan avatar Apr 16 '24 20:04 camilasan

Should be pretty easy to reproduce. All that's needed is nginx with TLS client authentication. Then try to add an account: [image]

functionpointer avatar May 26 '24 12:05 functionpointer

I found another bug: When HSTS is configured, the dialog for entering client certificate doesn't appear at all.

functionpointer avatar May 27 '24 16:05 functionpointer

#6493 Yesterday, I had no problems logging into the desktop app with mTLS settings enabled. However, I can confirm that I'm also experiencing issues with HSTS enabled.

WinkelB avatar Jun 25 '24 11:06 WinkelB

Same here with Arch Linux client (version 3.15.2) working with gnome.

I can connect if I disable HSTS from the server. The client asks for the client key, connects, syncs, etc...

BUT when I restart the computer or the Nextcloud client sync app, it cannot connect and the error I have configured for failed auth appears. It's like it does not store the client key and certificate.

Any idea?

Is it necessary that I open a new issue? (different version, different OS, etc...)

pepramon avatar Dec 26 '24 10:12 pepramon

Same behavior on Windows 3.15.3. With HSTS disabled I can connect, but after a restart it's not connecting again. I didn't find any logs about that; is there something we can provide to support?

WinkelB avatar Feb 09 '25 21:02 WinkelB

Ok so interestingly, on my laptop it's working. On the laptop I connected the client without active mTLS and activated mTLS afterwards; this is working like a charm now. On the PC I connected the client with active mTLS and inserted the certificate in the pop-up, and there it's not working after a reboot. Both are version 3.15.3.

WinkelB avatar Feb 10 '25 09:02 WinkelB

+1, while the mobile apps work great the desktop apps only connect successfully right after setting up an account. After restarting the app or even just suspending the computer the connection fails with the 400 Bad Request error, just like when you try to access the server without a client certificate.

r0000t avatar Mar 12 '25 17:03 r0000t

I found a workaround for this issue.

Install the older version of the client application, sync using the client certificate, and then upgrade. The sync will continue even after the upgrade.

I used ver.3.3.6 to sync. Then it worked fine with ver.3.16.2. However, I don't know which version will work fine.

banban525 avatar Apr 09 '25 14:04 banban525

Workaround confirmed, I installed 3.3.6, finished syncing, then upgraded. Works so far.

Please fix the bug though, mTLS makes attacking/exploiting the login of Nextcloud practically impossible despite being exposed to the internet, making VPN unnecessary to reach a private Nextcloud.

Gunni avatar May 16 '25 13:05 Gunni

Out of curiosity I just tried out a local setup with mTLS enabled (using nginx with certs generated via mkcert). Interestingly enough that seems to work fine on my (Linux) system using a recent commit... (added a new account connecting to that nginx setup, got asked for the p12 cert+pass, synced once, restarted, still online)

Would be good to get some more insights about your setups (mainly OS and client versions, if any of you uses nginx I'd be interested in which ssl_* directives are in use), and whether the client logs mention anything related to (Open)SSL/TLS/keychain/...

It's very likely that I missed something during my attempt at reproducing this 😄

nilsding avatar May 16 '25 14:05 nilsding

We used the described mTLS setup with nginx and public S/MIME certs for years in a productive environment < 50 users. SSL settings for nginx are nothing special, except we used HTTP return code 400 instead of 401 if mTLS auth is not successful.

Unfortunately we have had to disable mTLS client auth recently because it's not working with the newer versions of the windows desktop agent, but these versions are required on windows clients for nextcloud server >= v30.

So all in all we are also very interested in proper mTLS support in the nextcloud desktop agent. Thanks 👍

e-cite avatar May 16 '25 16:05 e-cite

@nilsding

I'll provide more details about my environment where I'm experiencing the mTLS (client certificate) issue. I'm hoping for a swift resolution to this issue, as I'm concerned that my current workaround might become unusable in the future. Although my client certificate is somewhat old, Google Chrome on Windows correctly uses this same certificate (when it's installed in the Windows certificate store) without any issues for mTLS authentication.

Here is the information about my environment:

Client Environment:

  • OS: Windows 11 Pro ver.22H2
  • NextCloud Client: ver.3.16.4

Server Environment:

  • Nginx: ver.1.27.0
  • Client Certificate: Generated with OpenSSL (details are unclear as it was created a long time ago)

Nginx Configuration: (Hostname has been changed to a dummy one: example.com)

server {
    listen 80;
    server_name *.example.com;
    access_log  /var/log/nginx/access.log  custom1;
    return 301 https://$host$request_uri;
}

server {
    listen       443 ssl;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    server_name nextcloud.example.com;

    access_log  /var/log/nginx/access.log  custom1;

    proxy_ssl_verify off;

    add_header Strict-Transport-Security 'max-age=15552000; includeSubDomains';
    location /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location /.well-known/caldav { 
        return 301 $scheme://$host/remote.php/dav; 
    }
    location /.well-known/webdav {
        return 301 $scheme://$host/remote.php/dav; 
    }

    location / {
        proxy_pass http://192.168.0.254:20080/;  # This is my NextCloud application upstream
    }
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade; 
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    ssl_client_certificate "/etc/nginx/client_certificates/ca.crt";
    ssl_crl "/etc/nginx/client_certificates/crl.pem";
    ssl_verify_client on;

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

Client Logs: I found the client log at C:\Users\[MyUserName]\AppData\Roaming\Nextcloud\logs\20250517_1131_nextcloud.log.0. Here are the relevant excerpts from around the time the issue occurred. The operations and behavior at this time are the same as those reported by k-neon at the beginning of this issue.

2025-05-17 11:44:33:961 [ info nextcloud.gui.folder.manager C:\Users\User\AppData\Local\Temp\windows-30350\client-building\desktop\src\gui\folderman.cpp:1023 ]:	Number of folders that don't use push notifications: 0
2025-05-17 11:45:03:955 [ info nextcloud.gui.folder.manager C:\Users\User\AppData\Local\Temp\windows-30350\client-building\desktop\src\gui\folderman.cpp:1009 ]:	Etag poll timer timeout
2025-05-17 11:45:03:955 [ info nextcloud.gui.folder.manager C:\Users\User\AppData\Local\Temp\windows-30350\client-building\desktop\src\gui\folderman.cpp:1013 ]:	Folders to sync: 0
2025-05-17 11:45:03:955 [ info nextcloud.gui.folder.manager C:\Users\User\AppData\Local\Temp\windows-30350\client-building\desktop\src\gui\folderman.cpp:1023 ]:	Number of folders that don't use push notifications: 0
2025-05-17 11:45:33:966 [ info nextcloud.gui.folder.manager C:\Users\User\AppData\Local\Temp\windows-30350\client-building\desktop\src\gui\folderman.cpp:1009 ]:	Etag poll timer timeout
2025-05-17 11:45:33:966 [ info nextcloud.gui.folder.manager C:\Users\User\AppData\Local\Temp\windows-30350\client-building\desktop\src\gui\folderman.cpp:1013 ]:	Folders to sync: 0
2025-05-17 11:45:33:966 [ info nextcloud.gui.folder.manager C:\Users\User\AppData\Local\Temp\windows-30350\client-building\desktop\src\gui\folderman.cpp:1023 ]:	Number of folders that don't use push notifications: 0
2025-05-17 11:46:01:049 [ info nextcloud.gui.application C:\Users\User\AppData\Local\Temp\windows-30350\client-building\desktop\src\gui\application.cpp:746 ]:	Running for 897.44 sec
2025-05-17 11:46:01:053 [ warning default unknown:0 ]:	QLayout::addChildLayout: layout QHBoxLayout "lVirtualFileSync" already has a parent
2025-05-17 11:46:01:053 [ info nextcloud.gui.wizard.webviewpage C:\Users\User\AppData\Local\Temp\windows-30350\client-building\desktop\src\gui\wizard\webviewpage.cpp:25 ]:	Time for a webview!
2025-05-17 11:46:01:053 [ warning default unknown:0 ]:	QWebEngineUrlScheme::registerScheme: Scheme "nc" already registered
2025-05-17 11:46:03:964 [ info nextcloud.gui.folder.manager C:\Users\User\AppData\Local\Temp\windows-30350\client-building\desktop\src\gui\folderman.cpp:1009 ]:	Etag poll timer timeout
2025-05-17 11:46:03:964 [ info nextcloud.gui.folder.manager C:\Users\User\AppData\Local\Temp\windows-30350\client-building\desktop\src\gui\folderman.cpp:1013 ]:	Folders to sync: 0
2025-05-17 11:46:03:964 [ info nextcloud.gui.folder.manager C:\Users\User\AppData\Local\Temp\windows-30350\client-building\desktop\src\gui\folderman.cpp:1023 ]:	Number of folders that don't use push notifications: 0
2025-05-17 11:46:10:976 [ info nextcloud.gui.wizard C:\Users\User\AppData\Local\Temp\windows-30350\client-building\desktop\src\gui\owncloudsetupwizard.cpp:207 ]:	No system proxy set by OS
2025-05-17 11:46:10:976 [ info nextcloud.sync.accessmanager C:\Users\User\AppData\Local\Temp\windows-30350\client-building\desktop\src\libsync\accessmanager.cpp:75 ]:	2 "" "https://nextcloud.example.com/status.php" has X-Request-ID "9808d53f-2e92-4872-b455-2a105d8df2b7"
2025-05-17 11:46:10:976 [ info nextcloud.sync.networkjob C:\Users\User\AppData\Local\Temp\windows-30350\client-building\desktop\src\libsync\abstractnetworkjob.cpp:364 ]:	OCC::CheckServerJob created for "https://nextcloud.example.com" + "status.php" "OCC::OwncloudSetupWizard"
2025-05-17 11:46:10:993 [ warning nextcloud.sync.networkjob C:\Users\User\AppData\Local\Temp\windows-30350\client-building\desktop\src\libsync\abstractnetworkjob.cpp:223 ]:	QNetworkReply::ProtocolInvalidOperationError "サーバーは \"400 Bad Request\"を \"GET https://nextcloud.example.com/status.php\"に応答しました" QVariant(int, 400)
2025-05-17 11:46:10:993 [ warning nextcloud.sync.networkjob.checkserver C:\Users\User\AppData\Local\Temp\windows-30350\client-building\desktop\src\libsync\networkjobs.cpp:546 ]:	error: status.php replied  400 "<html>\r\n<head><title>400 No required SSL certificate was sent</title></head>\r\n<body>\r\n<center><h1>400 Bad Request</h1></center>\r\n<center>No required SSL certificate was sent</center>\r\n<hr><center>nginx/1.27.0</center>\r\n</body>\r\n</html>\r\n"
2025-05-17 11:46:10:994 [ info nextcloud.sync.accessmanager C:\Users\User\AppData\Local\Temp\windows-30350\client-building\desktop\src\libsync\accessmanager.cpp:75 ]:	2 "" "https://nextcloud.example.com" has X-Request-ID "7d59e2d1-014f-4076-8491-2b980f270b47"
2025-05-17 11:46:10:994 [ info nextcloud.sync.networkjob C:\Users\User\AppData\Local\Temp\windows-30350\client-building\desktop\src\libsync\abstractnetworkjob.cpp:364 ]:	OCC::SimpleNetworkJob created for "https://nextcloud.example.com" + "" ""
2025-05-17 11:46:10:999 [ warning nextcloud.sync.networkjob C:\Users\User\AppData\Local\Temp\windows-30350\client-building\desktop\src\libsync\abstractnetworkjob.cpp:223 ]:	QNetworkReply::ProtocolInvalidOperationError "サーバーは \"400 Bad Request\"を \"GET https://nextcloud.example.com\"に応答しました" QVariant(int, 400)
2025-05-17 11:46:10:999 [ info nextcloud.sync.accessmanager C:\Users\User\AppData\Local\Temp\windows-30350\client-building\desktop\src\libsync\accessmanager.cpp:75 ]:	2 "" "https://nextcloud.example.com/status.php" has X-Request-ID "54c5332f-00dd-48a0-9845-7b4ebf6332af"
2025-05-17 11:46:11:000 [ info nextcloud.sync.networkjob C:\Users\User\AppData\Local\Temp\windows-30350\client-building\desktop\src\libsync\abstractnetworkjob.cpp:364 ]:	OCC::CheckServerJob created for "https://nextcloud.example.com" + "status.php" "OCC::OwncloudSetupWizard"
2025-05-17 11:46:11:005 [ warning nextcloud.sync.networkjob C:\Users\User\AppData\Local\Temp\windows-30350\client-building\desktop\src\libsync\abstractnetworkjob.cpp:223 ]:	QNetworkReply::ProtocolInvalidOperationError "サーバーは \"400 Bad Request\"を \"GET https://nextcloud.example.com/status.php\"に応答しました" QVariant(int, 400)
2025-05-17 11:46:11:005 [ warning nextcloud.sync.networkjob.checkserver C:\Users\User\AppData\Local\Temp\windows-30350\client-building\desktop\src\libsync\networkjobs.cpp:546 ]:	error: status.php replied  400 "<html>\r\n<head><title>400 No required SSL certificate was sent</title></head>\r\n<body>\r\n<center><h1>400 Bad Request</h1></center>\r\n<center>No required SSL certificate was sent</center>\r\n<hr><center>nginx/1.27.0</center>\r\n</body>\r\n</html>\r\n"

banban525 avatar May 17 '25 03:05 banban525
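The log excerpt above shows the pattern behind this issue: the client announces each request with an X-Request-ID, and nginx answers "400 No required SSL certificate was sent", which means the TLS handshake completed without the client presenting a certificate (distinct from a wrong PKCS#12 password, where no request would be sent at all). The following script is an added example, not part of the issue or the Nextcloud code base; it parses that log format, pairs each request with its reply, and labels the no-certificate case, using constructed sample lines abridged from the excerpt.

```python
import re

# Log line shape: "<date> <time> [ <level> <category> <source-location> ]: <message>"
LINE_RE = re.compile(r"^\S+ \S+ \[ \w+ \S+ [^\]]*\]:\s*(?P<msg>.*)$")
# A request is announced with its X-Request-ID ...
REQ_RE = re.compile(r'"(?P<url>https?://[^"]+)" has X-Request-ID "(?P<rid>[^"]+)"')
# ... and answered by a QNetworkReply error carrying the HTTP status, plus (for
# status.php) a checkserver line that repeats the status and quotes the body.
ERR_RE = re.compile(r"QNetworkReply::\w+ .*QVariant\(int, (?P<code>\d+)\)")
BODY_RE = re.compile(r'replied\s+(?P<code>\d{3}) "(?P<body>.*)"$')
# nginx body when ssl_verify_client is on and no client certificate arrived.
NO_CERT_MARK = "No required SSL certificate was sent"

def verdict(entry):
    if entry["code"] is None:
        return "no_reply_logged"
    if entry["code"] == 400 and NO_CERT_MARK in entry["body"]:
        return "client_cert_not_sent"  # handshake finished, but without a client cert
    return f"http_{entry['code']}"

def triage(lines):
    """Pair each logged request with its reply; returns [(url, request_id, verdict)]."""
    entries, cur = [], None
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        r = REQ_RE.search(msg)
        if r:  # a new request; the reply lines that follow belong to it
            cur = {"url": r.group("url"), "rid": r.group("rid"), "code": None, "body": ""}
            entries.append(cur)
            continue
        if cur is None:
            continue
        if (e := ERR_RE.search(msg)):
            cur["code"] = int(e.group("code"))
        if (b := BODY_RE.search(msg)):
            cur["code"], cur["body"] = int(b.group("code")), b.group("body")
    return [(x["url"], x["rid"], verdict(x)) for x in entries]

# Constructed sample, abridged from the excerpt above (build paths shortened).
SAMPLE_LOG = r'''
2025-05-17 11:46:10:976 [ info nextcloud.sync.accessmanager C:\b\accessmanager.cpp:75 ]: 2 "" "https://nextcloud.example.com/status.php" has X-Request-ID "9808d53f-2e92-4872-b455-2a105d8df2b7"
2025-05-17 11:46:10:976 [ info nextcloud.sync.networkjob C:\b\abstractnetworkjob.cpp:364 ]: OCC::CheckServerJob created for "https://nextcloud.example.com" + "status.php" "OCC::OwncloudSetupWizard"
2025-05-17 11:46:10:993 [ warning nextcloud.sync.networkjob C:\b\abstractnetworkjob.cpp:223 ]: QNetworkReply::ProtocolInvalidOperationError "..." QVariant(int, 400)
2025-05-17 11:46:10:993 [ warning nextcloud.sync.networkjob.checkserver C:\b\networkjobs.cpp:546 ]: error: status.php replied  400 "<html>\r\n<head><title>400 No required SSL certificate was sent</title></head>\r\n</html>\r\n"
2025-05-17 11:46:10:994 [ info nextcloud.sync.accessmanager C:\b\accessmanager.cpp:75 ]: 2 "" "https://nextcloud.example.com" has X-Request-ID "7d59e2d1-014f-4076-8491-2b980f270b47"
2025-05-17 11:46:10:999 [ warning nextcloud.sync.networkjob C:\b\abstractnetworkjob.cpp:223 ]: QNetworkReply::ProtocolInvalidOperationError "..." QVariant(int, 400)
'''.strip().splitlines()

if __name__ == "__main__":
    for url, rid, v in triage(SAMPLE_LOG):
        print(f"{v:22} {url}  (X-Request-ID {rid})")
```

Run it against a real log with `triage(open(path, encoding="utf-8"))`; a run of `client_cert_not_sent` verdicts right after a restart matches the symptom several commenters describe, while `no_reply_logged` points at a failure before any request left the client.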

@banban525 many thanks for providing the nginx config and the logs :)

I don't see anything odd in the logs (other than the connection attempt failing -- seems like it really doesn't use the certificate)

I'll try to reproduce this on a Windows system then

nilsding avatar May 17 '25 09:05 nilsding