Steps to reproduce
- Provision virtual server.
- I’m using Vultr, so it will let me provision an Owncloud app server.
- Log in to new server via the IP address only
- Verify access. Just looked at the admin page and version.
- Log in to the new server via the domain name, which is already provisioned as the system hostname by Vultr. It exists before Owncloud is installed. It will ask me of course to add the domain name to the approved list, and once doing so proceeds with the login.
- CSRF Check Failed - I get an error page informing me of this and no account can log in anymore.
Expected behaviour
CSRF Check should not be happening at all.
Actual behaviour
I get the CSRF check notice and I can never log in to the Owncloud instance ever again, from anywhere, ever.
Server configuration
Operating system: Centos 6
Web server: Nginx
Database: Probably MySQL, whatever was provisioned by Vultr.
PHP version: 2.6.0
ownCloud version (see ownCloud admin page): Owncloud Version 9.1.1 ($OC_VersionString = ‘9.1.1’
Updated from an older ownCloud or fresh install: Fresh Install
Special configuration (external storage, external authentication, reverse proxy, server-side-encryption): None
ownCloud log (data/owncloud.log)
Nothing there except some squawking about MySQL, but the very first login shows a working Owncloud so it can probably be disregarded as installation errors that were corrected.
Integrity status for oC9+
I can’t log in at all. Period.
It’s worth noting that I’m running an older app server with Owncloud and it is running just fine. I’ve set it up with Letsencrypt and hardened the SSL. I have no problems with any of that. It’s just this CSRF check that instantly fails and kills the Owncloud platform before I can begin to install certificates or do anything.
Last I checked this was a bug being seen in upgrades and I’ve waited patiently for a fix, but nothing is fixing this error I have. I would appreciate any help as I promised somebody I would deliver them an Owncloud about 2 weeks ago, and all Owncloud instances are dead on arrival at Vultr.
Update
I destroyed the server and had a complete reinstallation from Vultr. After logging into console the very first time:
-
yum update && yum upgrade
-
Letsencrypt provisioning steps (This included modifications to the nginx configuration)
-
Tested with Mozilla Observatory-- A-
-
In /var/www/owncloud/config/config.php, I removed the IP address from trusted domains and added the domain I have for this server.
-
Attempted to access Owncloud via the website and login
-
CSRF failure occurred instantly
<?php $CONFIG = array ( 'memcache.local' => '\\OC\\memcache\\Redis', 'redis' => array ( 'host' => 'localhost', 'port' => 6379, 'timeout' => 0, 'dbindex' => 0, ), 'instanceid' => 'ocy29uw8x0wn', 'passwordsalt' => 'C/opXt19IQVQl9ZVCzKOJxSdNVaTSG', 'secret' => 'zLMK3XIELVdn7ul4Y55f0IBVTTNM7drmOnN1RHDQGHAeTnIq', 'trusted_domains' => array ( 0 => '' ), 'datadirectory' => '/var/www/owncloud_data/', 'overwrite.cli.url' => 'https://127.0.0.1', 'dbtype' => 'mysql', 'version' => '9.1.1.3', 'dbname' => 'owncloud', 'dbhost' => 'localhost', 'dbtableprefix' => '', 'dbuser' => 'owncloud79831', 'dbpassword' => 'xxxxxxxxxxxxxxxxxxxxxxxxxxx', 'logtimezone' => 'UTC', 'installed' => true, );listen 443 ssl;
server_name xxxxxxxxxxxxxxx;ssl on;
ssl_certificate /etc/letsencrypt/live/xxxxxxxxxxx/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/xxxxxxxxxxxxxxx/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/xxxxxxxxxxxxxx/chain.pem;ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1.1 TLSv1.2;ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+$
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=86400;
resolver_timeout 10;ssl_dhparam /root/dhparams.pem;
Is there a way to get an older version of Owncloud? I can install it myself instead of allowing Vultr to install the latest. Anything to get this working.
