Re: deskutils/nextcloudclient Cannot connect securely to
- In reply to: Per olof Ljungmark : "Re: deskutils/nextcloudclient Cannot connect securely to"
Date: Mon, 25 Oct 2021 09:10:41 UTC
On 25/10/21 10:02, Per olof Ljungmark wrote:
>
> On 10/25/21 09:51, Guido Falsi wrote:
>> On 25/10/21 08:14, Per olof Ljungmark wrote:
>>> FreeBSD 12-STABLE from Oct 15
>>> nextcloudclient 3.3.5
>>>
>>> I get popup messages from the client stating "Untrusted Certificate
>>> Cannot connect securely to [server-name]".
>>>
>>> Browser access to the server is fine, no errors.
>>>
>>> Using truss, it seems it looks for and finds
>>> fstatat(AT_FDCWD,"/etc/ssl/certs//2e5ac55d.0",{ mode=-r--r--r--
>>> ,inode=192371,size=4665,blksize=5120 },0x0) = 0 (0x0)
>>> open("/etc/ssl/certs//2e5ac55d.0",O_RDONLY,0666) = 106535 (0x1a027)
>>>
>>> But 2e5ac55d.0 (DST_Root_CA_X3.pem) has expired.
>>>
>>> It also looks for 8d33f237.0, but it does not exist:
>>> fstatat(AT_FDCWD,"/etc/ssl/certs//8d33f237.0",0x7fffdf5f70a0,0x0)
>>> ERR#2 'No such file or directory'
>>>
>>> How do I convince it to instead look for 4042bcee.0 which is the
>>> ISRG_Root_X1.pem used by Letsencrypt?
>>
>> Ref:
>> https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
>>
>> What version of openssl are you using? versions before 1.1.0 show this
>> behavior.
>>
>> Maybe a possible workaround is to manually remove the expired
>> certificate from the list of trusted ones.
>>
>> I guess you are using the ones installed by security/ca_root_nss, in
>> which case you'll need to modify their list.
>
> OpenSSL 1.1.1l-freebsd  24 Aug 2021
>
> I will try to remove the expired cert and see what happens.
>
> The server (v.20.0.13) uses security/ca_root_nss, the client apparently
> does not, it does not look in /usr/local/share/certs or /usr/local/etc/ssl

Yes, rereading your post, it looks like the client is using the FreeBSD base cert store.

>
> And, Windows and Mac clients do not exhibit this behaviour.

Windows and Mac have a different cert store mechanism AFAIK.

My nextcloud server also has a letsencrypt cert and is working fine, so I'm not sure why yours is causing problems.

-- Guido Falsi <madpilot@FreeBSD.org>
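
An added example, not part of the original thread: a POSIX sh function that walks a hashed certificate directory such as the /etc/ssl/certs seen in the truss output, reports entries that have expired (or will expire within a given window), and flags files whose name does not match the certificate's subject hash. The function name `audit_cert_dir` and its output format are assumptions of this example; it relies only on the `openssl x509` options `-subject_hash`, `-subject`, `-enddate` and `-checkend`.

```shell
#!/bin/sh
# Added example: audit an OpenSSL hashed certificate directory, where
# each trust anchor is stored as <subject-hash>.<n> (e.g. 2e5ac55d.0).
#
# Usage: audit_cert_dir DIR [WINDOW_SECONDS]
#   WINDOW_SECONDS defaults to 0, i.e. report certificates already expired.
# Output (one line per finding; format is this example's own):
#   EXPIRING <file> <notAfter=...> <subject=...>
#   MISNAMED <file> (subject hash <hash>)
audit_cert_dir() {
    dir=$1
    window=${2:-0}
    for f in "$dir"/*.[0-9]*; do
        [ -e "$f" ] || continue      # glob matched nothing
        name=$(basename "$f")
        # Skip files that are not parseable X.509 certificates
        hash=$(openssl x509 -noout -subject_hash -in "$f" 2>/dev/null) || continue
        subject=$(openssl x509 -noout -subject -in "$f")
        enddate=$(openssl x509 -noout -enddate -in "$f")
        # The lookup name is the subject hash; a mismatch means the
        # directory was not rehashed after the file was added or replaced
        if [ "${name%%.*}" != "$hash" ]; then
            printf 'MISNAMED %s (subject hash %s)\n' "$name" "$hash"
        fi
        # -checkend exits non-zero if the cert expires within the window
        if ! openssl x509 -noout -checkend "$window" -in "$f" >/dev/null; then
            printf 'EXPIRING %s %s %s\n' "$name" "$enddate" "$subject"
        fi
    done
}

# Run directly with a directory argument, e.g.: sh audit.sh /etc/ssl/certs
if [ "$#" -gt 0 ]; then
    audit_cert_dir "$@"
fi
```

On the system described in the thread, an `EXPIRING 2e5ac55d.0` line would correspond to the expired DST Root CA X3 entry the client was opening.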