TOTP always shows 'not verified'

Steps to reproduce

  1. Install app (2-Factor Authentication app | ownCloud Marketplace)
  2. Scan QR Code
  3. Insert verification code (tried using Google Authenticator and FreeOTP)
  4. ‘Not verified’

Expected behaviour

Tell us what should happen
TOTP should be verified

Actual behaviour

Tell us what happens instead
Not verified (even if I try multiple times using Authenticator & FreeOTP on all different users)

Server configuration

Operating system: Oracle Linux 8.4

Web server:

Database: 10.3.27-MariaDB

PHP version: PHP 7.4.6

ownCloud version: (see ownCloud admin page) ownCloud 10.9.1 (stable)

Updated from an older ownCloud or fresh install: fresh install

Where did you install ownCloud from: Download Server Packages - ownCloud

Signing status (ownCloud 9.0 and above):

The content of config/config.php:

List of activated apps:

Are you using external storage, if yes which one: nfs

Are you using encryption: no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/…

Client configuration

Browser: Edge 101.0.1210.39 (Official build)

Operating system: Windows Version 10.0.19042 Build 19042

Logs

Web server error log

[Thu May 12 14:28:43.878629 2022] [mpm_event:notice] [pid 1583990:tid 139666520512832] AH00489: Apache/2.4.37 (Oracle Linux) configured -- resuming normal operations
[Thu May 12 14:28:43.878678 2022] [core:notice] [pid 1583990:tid 139666520512832] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Thu May 12 14:31:17.986764 2022] [mpm_event:notice] [pid 1583990:tid 139666520512832] AH00492: caught SIGWINCH, shutting down gracefully
[Thu May 12 14:32:00.440065 2022] [core:notice] [pid 1584457:tid 140527843670336] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Thu May 12 14:32:00.441966 2022] [suexec:notice] [pid 1584457:tid 140527843670336] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::a00:27ff:fe94:4821. Set the 'ServerName' directive globally to suppress this message
[Thu May 12 14:32:00.481378 2022] [lbmethod_heartbeat:notice] [pid 1584457:tid 140527843670336] AH02282: No slotmem from mod_heartmonitor
[Thu May 12 14:32:00.483028 2022] [http2:warn] [pid 1584457:tid 140527843670336] AH02951: mod_ssl does not seem to be enabled
[Thu May 12 14:32:00.489037 2022] [mpm_event:notice] [pid 1584457:tid 140527843670336] AH00489: Apache/2.4.37 (Oracle Linux) configured -- resuming normal operations
[Thu May 12 14:32:00.489104 2022] [core:notice] [pid 1584457:tid 140527843670336] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

ownCloud log (data/owncloud.log)

Browser log

jquery-migrate.min.js?v=843b0499ae125a84ca945b3adef4d2d9:2 JQMIGRATE: Migrate is installed, version 1.4.0

We don’t recommend running fpm with ownCloud.

What web server are you running?

I’m using Apache 2.4.37

Maybe this might help:
I’ve never scanned the dot matrix code, always transferred the secret manually. To verify your issue, I tried scanning with my app (bitwarden). At the first try, it didn’t work, same as you wrote. But after I saved the inserted URL in the app, the authentication code is verified as expected.
