[Bug]: 3.15.x asks to log in on every start (client certificate)

[brdns]

⚠️ Before submitting, please verify the following: ⚠️

• This is a bug, not a question or a configuration issue.
• This issue is not already reported on Github (I've searched it).
• Nextcloud Server and Desktop Client are up to date. See Server Maintenance and Release Schedule and Desktop Releases for supported versions.
• I agree to follow Nextcloud's Code of Conduct

Bug description

Hello, I am also experiencing this issue with desktop client 3.15.3 on Windows 11. There’s probably a link with the recent migration to Qt6 and the previous QtKeychain implementation in the client. That feature has not been updated since the first release so I’m tagging the most recent contributor to the file httpcredentials.cpp @mgallien and the original contributor @ckamm.

The initial connection works well while providing the PKCS#12 client certificate and the password. It seems there’s a mismatch where the certificate bundle is either not properly saved in the keychain or is not fetched correctly on the next login :

https://github.com/nextcloud/desktop/blob/master/src/libsync/creds/httpcredentials.cpp#L440

It seems the client certificate is found, but its password was not correctly saved and can’t be found on following attempts to login.

[ warning qt.core.qobject.connect unknown:0 ]:	QObject::connect(QNetworkInformation, OCC::Application): invalid nullptr parameter
[ warning qt.qml.context unknown:0 ]:	qrc:/qml/src/gui/tray/CurrentAccountHeaderButton.qml:84:13 Parameter "index" is not declared. Injection of parameters into signal handlers is deprecated. Use JavaScript functions with formal parameters instead.
[ warning qt.qml.context unknown:0 ]:	qrc:/qml/src/gui/tray/CurrentAccountHeaderButton.qml:85:13 Parameter "object" is not declared. Injection of parameters into signal handlers is deprecated. Use JavaScript functions with formal parameters instead.
[ info nextcloud.gui.account.state C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\accountstate.cpp:285 ]:	check connectivity
[ info nextcloud.sync.credentials.webflow C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\creds\webflowcredentials.cpp:139 ]:	Fetch from keychain!
[ info nextcloud.gui.folder.navigationpane C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\navigationpanehelper.cpp:110 ]:	Explorer Cloud storage provider: saving path "C:\\Users\\User\\Nextcloud" to CLSID "{myid}"
[ warning nextcloud.sync.credentials.keychainchunk C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\libsync\creds\keychainchunk.cpp:360 ]:	Unable to read "Nextcloud__clientCertificatePEM:https://myserver.com/:0" chunk "0" "Password entry not found"
[ info nextcloud.gui.folderwatcher C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\folderwatcher.cpp:252 ]:	Detected changes in paths: QSet("C:/Users/User/Nextcloud/.nextcloudsync.log")
[ warning nextcloud.sync.credentials.keychainchunk C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\libsync\creds\keychainchunk.cpp:360 ]:	Unable to read "Nextcloud__clientKeyPEM:https://myserver.com/:0" chunk "0" "Password entry not found"
[ warning nextcloud.sync.credentials.webflow C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\creds\webflowcredentials.cpp:463 ]:	Unable to read client key "Password entry not found"
[ warning nextcloud.sync.credentials.keychainchunk C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\libsync\creds\keychainchunk.cpp:360 ]:	Unable to read "Nextcloud__clientCaCertificatePEM0:https://myserver.com/:0" chunk "0" "Password entry not found"
[ warning nextcloud.sync.credentials.webflow C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\creds\webflowcredentials.cpp:504 ]:	Unable to read client CA cert slot "0" "Password entry not found"
[ warning nextcloud.sync.credentials C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\libsync\creds\abstractcredentials.cpp:42 ]:	Error: User is empty!
[ warning nextcloud.sync.credentials.webflow C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\creds\webflowcredentials.cpp:537 ]:	Strange: User is empty!

[ warning nextcloud.sync.networkjob C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\libsync\abstractnetworkjob.cpp:223 ]:	QNetworkReply::UnknownNetworkError "Erreur lors de la lecture : error:0A00045C:SSL routines::tlsv13 alert certificate required" QVariant(Invalid)
[ warning nextcloud.sync.credentials.webflow C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\creds\webflowcredentials.cpp:207 ]:	QNetworkReply::UnknownNetworkError
[ warning nextcloud.sync.credentials.webflow C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\creds\webflowcredentials.cpp:208 ]:	"Erreur lors de la lecture : error:0A00045C:SSL routines::tlsv13 alert certificate required"
[ info nextcloud.sync.accessmanager C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\libsync\accessmanager.cpp:67 ]:	2 "" "https://myserver.com/status.php" has X-Request-ID "mysecretid"
[ info nextcloud.sync.networkjob C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\libsync\abstractnetworkjob.cpp:365 ]:	OCC::CheckServerJob created for "https://myserver.com" + "status.php" "OCC::ConnectionValidator"
[ info nextcloud.sync.credentials.webflow C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\creds\webflowcredentials.cpp:405 ]:	request finished
[ warning nextcloud.sync.networkjob C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\libsync\abstractnetworkjob.cpp:223 ]:	QNetworkReply::UnknownNetworkError "Erreur lors de la lecture : error:0A00045C:SSL routines::tlsv13 alert certificate required" QVariant(Invalid)
[ warning nextcloud.sync.credentials.webflow C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\creds\webflowcredentials.cpp:207 ]:	QNetworkReply::UnknownNetworkError
[ warning nextcloud.sync.credentials.webflow C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\creds\webflowcredentials.cpp:208 ]:	"Erreur lors de la lecture : error:0A00045C:SSL routines::tlsv13 alert certificate required"
[ warning nextcloud.sync.networkjob.checkserver C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\libsync\networkjobs.cpp:546 ]:	error: status.php replied  0 ""
[ warning nextcloud.sync.connectionvalidator C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\connectionvalidator.cpp:163 ]:	QNetworkReply::UnknownNetworkError "Erreur lors de la lecture : error:0A00045C:SSL routines::tlsv13 alert certificate required" "Erreur lors de la lecture : error:0A00045C:SSL routines::tlsv13 alert certificate required" ""
[ warning nextcloud.sync.credentials.webflow C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\creds\webflowcredentials.cpp:207 ]:	QNetworkReply::UnknownNetworkError
[ warning nextcloud.sync.credentials.webflow C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\creds\webflowcredentials.cpp:208 ]:	"Erreur lors de la lecture : error:0A00045C:SSL routines::tlsv13 alert certificate required"
[ info nextcloud.gui.folder.manager C:\Users\User\AppData\Local\Temp\windows-27802\client-building\desktop\src\gui\folderman.cpp:813 ]:	Account "Me@myserver" disconnected or paused, terminating or descheduling sync folders

Steps to reproduce

1. Successful login with a client certificate
2. Restart the client or reboot the device
3. App has forgotten the client certificate password and does not prompt for it, account is disconnected
4. Removing the account and connecting again results in the app asking for the client certificate password as successful login

Expected behavior

Client certificate file and password should be stored across client restarts and device reboots.

Which files are affected by this bug

httpcredentials.cpp

Operating system

Windows

Which version of the operating system you are running.

Windows 11 24h2

Package

Official Windows MSI

Nextcloud Server version

30.0.5

Nextcloud Desktop Client version

3.15.3

Is this bug present after an update or on a fresh install?

Fresh desktop client install

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

Are you using an external user-backend?

• Default internal user-backend
• LDAP/ Active Directory
• SSO - SAML
• Other

Nextcloud Server logs

No server logs since the reverse proxy forbids connection to Nextcloud server because it is not presented with a client certificate.

Additional info

Thank you so much for this great piece of software !!!

[mgallien]

@brdns sorry for the trouble
can you check if the entry for password exists in the windows credentials manager ?
that would be nice to check and would help me narrow down the problem and find the best way to solve the issue

[brdns]

@mgallien thanks for having a look at this !

Fortunately I’ve got a 3.14.x client on another desktop which I have not yet updated. Here’s how the windows credentials manager look like on a working client that keeps the credentials even after reboot :

And here’s a 3.15.x client. The windows credentials manager only has one entry regarding Nextcloud, even before reboot while the client certificate is still somehow working :

Let me know if you need any further logs or feedback.

[naifqarni]

same issue here