NEXTCLOUD_TRUSTED_CACERTS_DIR - Not mounted in notify_push container #8322

weimdall · 2026-06-13T04:10:39Z

weimdall
Jun 13, 2026

Steps to reproduce

Configure nextcloud all in one with a private certificate authority though the NEXTCLOUD_TRUSTED_CACERTS_DIR environment variable

Actual behavior

I configured nextcloud all in one with the following environment variable, pointing to a folder containing my CA: NEXTCLOUD_TRUSTED_CACERTS_DIR=/mnt/certs

As a result, the CA was successfully mounted and accepted by nextcloud container:

docker exec -it nextcloud-aio-nextcloud ls -l /usr/local/share/ca-certificates/
total 4
-rw-r--r-- 1 1000 1000 1025 May 15 13:18 root-ca.crt

But not mounted in the notify-push container:

> docker exec -it nextcloud-aio-notify-push ls -l /usr/local/share/ca-certificates/
total 0

Making it fail to connect back to nextcloud with the following error (loop):

[2026-06-12 23:59:46.884063 -04:00] ERROR [rustls_platform_verifier::verification::others] /nix/store/0z2r3kypvq12cl33jkaabbifpi8jhd9z-crates-io-dependencies/rustls-platform-verifier-0.6.2-1d99feebc72bae7ab76ba994bb5e121b8d83d910ca40b36e0921f53becc41784/src/verification/others.rs:150: failed to verify TLS certificate: invalid peer certificate: UnknownIssuer
[2026-06-12 23:59:46.884156 -04:00] WARN [notify_push::connection] /build/source/src/connection.rs:99: Error while sending authentication request to nextcloud: Error while connecting to nextcloud: error sending request for url (https://*********/index.php/apps/notify_push/uid)

Expected behavior

I was expecting notify-push container to also trust my CA, and successfully connect to nextcloud.

Answered by szaimen

Jun 15, 2026

Hi, generally AIO does not support self-signed certs: https://github.com/nextcloud/all-in-one#are-self-signed-certificates-supported-for-nextcloud. https://github.com/nextcloud/all-in-one#how-to-trust-user-defined-certification-authorities-ca is mainy intended for connections from Nextcloud to the outside.

However I'll accept a PR that also allows to mount the certs into the notify-push containers so that it can use that in there. I've also added this to #5251 in the meantime.

View full answer

szaimen · 2026-06-15T09:24:05Z

szaimen
Jun 15, 2026
Maintainer

Hi, generally AIO does not support self-signed certs: https://github.com/nextcloud/all-in-one#are-self-signed-certificates-supported-for-nextcloud. https://github.com/nextcloud/all-in-one#how-to-trust-user-defined-certification-authorities-ca is mainy intended for connections from Nextcloud to the outside.

However I'll accept a PR that also allows to mount the certs into the notify-push containers so that it can use that in there. I've also added this to #5251 in the meantime.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

NEXTCLOUD_TRUSTED_CACERTS_DIR - Not mounted in notify_push container #8322

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

NEXTCLOUD_TRUSTED_CACERTS_DIR - Not mounted in notify_push container #8322

Uh oh!

weimdall Jun 13, 2026

Steps to reproduce

Actual behavior

Expected behavior

Replies: 1 comment

Uh oh!

Uh oh!

szaimen Jun 15, 2026 Maintainer

weimdall
Jun 13, 2026

szaimen
Jun 15, 2026
Maintainer