ISRG Root X1 Certificate not trusted #3858
Comments
Happening here as well (also German Windows 10 systems). Version 2.6.2stable-Win64 (build 20191224) and 3.2.3 seem unaffected.
I have the same issue. Only with the Nextcloud client. I use the certificate in browsers, mail clients, FTP servers with no issues. But the Nextcloud client prints this warning. My workaround is to remove the old DST Root CA X3 certificate from the chain (WARNING: This breaks the compatibility with older clients, see here for more details: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ ). If you use acme.sh you can reissue the certificate with the --preferred-chain "ISRG Root X1" argument. See here: https://github.com/acmesh-official/acme.sh/wiki/Preferred-Chain Example
On my Windows machines, I see the same problem. Interestingly, on my Ubuntu desktop with Nextcloud Client 3.3.4 it still works.
Same here. My workaround - after verifying the fingerprint - was to trust the certificate anyway (needs to be done for every client installation and for every linked account therein separately). SHA256-Fingerprint of the cross signed certificate can be done as follows:
I have the same problem on my Windows machine with client version 3.3.4 and we don't even use Let's Encrypt on our server installation. We have a valid DigiCert wildcard certificate for our domain. Access via browser works fine with that certificate. I also found a workaround for an older version (2.x.y-ish) of the desktop client in the German help forum (see https://help.nextcloud.com/t/ungultiges-zertifikat-nextcloud-client/45327) describing the exact same problem with another certificate that broke. The workaround did the trick for me this morning, so maybe the bug is also related to a similar problem like the one in 2019?
Same here. Since yesterday, my Nextcloud client (3.3.4) on Windows 10 displays an error regarding my (Let's Encrypt) certificate. I tried to force renew the certificate, reboot the server (Debian 9), install the last updates... but nothing works. In the meantime, the web UI of Nextcloud works without warning and so does the Android app.
On the website, there is now a new version 3.3.5 which seems to fix the issue.
This only fixed the issue on one PC for me, on the other I still get the error...
Updating to 3.3.5 didn't fix the issue for me.
Issue seems only to appear on Windows clients.
Just to let you know. We are working on a fix for that.
This also breaks the auto updater. The domain "updates.nextcloud.org" is also signed using an LE certificate rooted in ISRG Root X1. You won't be able to push the update to affected Windows users, unless you temporarily switch to another trusted certificate on at least the domain "updates.nextcloud.org".
The people having problems, do you have the ISRG Root X1 certificate installed in your certificate store on Windows? You can find out if you type certmgr into the Windows search and then open the folder "Trusted Root Certification Authorities" -> Certificates and then look for the ISRG Root X1 certificate.
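The store check described in the comment above can also be scripted. This is an added PowerShell example, not part of the original thread; the list of store paths and the subject-name match are assumptions chosen for illustration, and the two common names are taken from the issue text.

```powershell
# Added example: report whether the roots discussed in this thread are present in
# the Windows certificate stores and whether each copy is still within validity.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\Root'
$names  = 'ISRG Root X1', 'DST Root CA X3'   # common names taken from the issue text

function Get-Sha256Fingerprint {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        # Fingerprint = SHA-256 over the DER encoding, printed as colon-separated hex
        ($sha.ComputeHash($Certificate.RawData) | ForEach-Object { $_.ToString('X2') }) -join ':'
    } finally {
        $sha.Dispose()
    }
}

$report = foreach ($name in $names) {
    $hits = foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            # Match on the subject CN only, so the cross-signed copy (issuer differs) is listed too
            Where-Object { $_.Subject -match "CN=$([regex]::Escape($name))(,|$)" } |
            ForEach-Object {
                [pscustomobject]@{
                    Name       = $name
                    Store      = $store
                    NotAfter   = $_.NotAfter
                    Expired    = $_.NotAfter -lt (Get-Date)
                    SelfSigned = $_.Subject -eq $_.Issuer
                    Sha256     = Get-Sha256Fingerprint $_
                }
            }
    }
    if ($hits) { $hits }
    else {
        # No copy in any of the listed stores
        [pscustomobject]@{ Name = $name; Store = '(not found)'; NotAfter = $null
                           Expired = $null; SelfSigned = $null; Sha256 = $null }
    }
}
$report | Format-List
```

Compare the printed `Sha256` value with the fingerprint published at https://letsencrypt.org/certificates/ before relying on a store entry. A `(not found)` result for ISRG Root X1 matches the lazy-loading behaviour discussed later in this thread.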
Yes.
I don't have a trusted root CA named "ISRG Root X1" (or anything with ISRG for that matter) in my trusted root CAs, but I have the same problem with the nextcloud client. This certificate, however, is there in Firefox. Might this have any influence?
Firefox ships with its own certificate storage. The Windows system store isn't used by Firefox.
I had the problem but it is gone now after installing Windows updates. However I think I can tell what changed so maybe this is helpful:
That seems to solve the issue here, too.
Yes, you're right. It's suddenly fixed now without even restarting Windows. If it was a Windows update, then it was applied automatically in the background for me. Edit: I did need to restart the Nextcloud Client though.
I may have looked into the system store during/shortly after the application of the update. I did not need to restart the Nextcloud Client.
The Windows updates may be a red herring though: ISRG Root lazy loading problem + missing from (random) updated Windows 10 versions. Basically what is said in the Let's Encrypt forum is that the ISRG root certificate can be lazy-loaded into the "Trusted Root Certification Authorities" and that can be triggered with various applications. From what I read just using Microsoft Edge to access any modern Let's Encrypt site could trigger the inclusion of the X1 root?
@FelixSchwarz I think I can approve what you just said: I did not have ISRG Root X1 in
@FelixSchwarz I checked my Windows update history and you are correct. There were no recent updates applied.
Just took a look at my affected laptop (was shut down overnight, not rebooted):
I suppose that's what this page is supposed to do.
I agree that the fix is to use Edge to browse to https://valid-isrgrootx1.letsencrypt.org/ which causes the new root certificate to be trusted. I believe it's the "Cryptographic Services" service which updates the trusted root store dynamically.
@FelixSchwarz @UeliDeSchwert and others thanks a lot for your help in better understanding the issue
@mgallien Well, if Edge can trigger the migration maybe the desktop client could do that as well?
We at https://portknox.net (Nextcloud hosting provider) decided to remove the "DST Root CA X3" certificate from our chain. Looks like this solves the issues with clients (and the Joplin app - all Electron apps?), but could make problems on older devices/software. On Debian:
Our customers reported no further problems.
My 2 cents: I had the same issue and after visiting the https://valid-isrgrootx1.letsencrypt.org/, the certificate was installed but I had to restart the Nextcloud desktop client to get it working again.
Same for me. I think it would be worth trying to find out how the Nextcloud client could trigger the same effect by itself.
Thank you for the explanation.
@EVOTk, great but you didn't say the link has to be fetched with Edge to be sure to download the certificate (e.g. it won't work with Firefox)
Hello,
I was referring to some comments above saying that Firefox is not using the Windows certificate store but its own one
Interesting. Even after updating Windows, restarting etc. the problem was not resolved. This was a PITA! Now it's working again and no Untrusted Certificate message in the Nextcloud Desktop Client anymore! Thank you for discussing and finding the culprit!
Thanks for letting us know about your procedure
hard to say
What about pinning this issue for a month or so? So users of the client will find this issue quicker. And also adding the solution as a note to the original question?
Thanks @splitt3r: I update the original question as suggested
I'm desperately waiting for a fix.
The provided solutions didn't work for me (the website https://valid-isrgrootx1.letsencrypt.org/ was displaying correctly though). For a Windows 10 client, I ended up manually installing the cert by going directly to https://letsencrypt.org/certs/lets-encrypt-r3.der (see https://letsencrypt.org/certificates/ for more info)
Background for lazy loading + some technical background how to trigger loading the certificate (without user interaction) in the Let's Encrypt community: https://community.letsencrypt.org/t/microsoft-windows-root-certificate-lazy-loading/160389/4
Hello, on Windows 10 I followed the solution at the top but the problem persisted. I resolved it after I installed the following R3 CA as a trusted CA on my Windows system: https://letsencrypt.org/certs/lets-encrypt-r3.der Thank you.
|
Let's close this as I do not think we can do anything meaningful here.
For those that run Debian and have the same problem, note that Debian bug 1016085 has as consequence the same symptoms if you have libssl-dev installed in any other version than 3.something AND you have libqt5network5 version 5.15.4. If you do, either uninstall libssl-dev or upgrade it to version 3. I think you'll also get the version if you have libqt5network5 version 5.15.2 and libssl-dev any other version than 1.1.something. Fix accordingly.
Looks like this started happening again today for me.
Hi,
for some reason, Nextcloud Desktop started throwing errors today about being unable to securely connect to my server that uses a valid Let's Encrypt certificate signed by R3 (intermediate) and ISRG Root X1 (root certificate).
Visiting Nextcloud via browsers (Firefox, Edge, Internet Explorer) all works on the same PC.
On a different PC, the issue resolved itself after updating to Nextcloud Desktop 3.3.5, but on this PC that did not help.
I am aware of Let's Encrypt switching to a new root CA: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
The errors started showing up today, after the previously used cross-signed intermediate/root expired: https://letsencrypt.org/certificates/
The problem seems to be that the certificate of the issuer DST Root CA X3 expired and therefore the certificate ISRG Root X1 can't be validated, even though it should be trusted on its own.
ISRG Root X1: https://crt.sh/?id=3958242236
DST Root CA X3: https://crt.sh/?id=8395 (expired September 30)
Solution:
See: #3858 (comment)
Client configuration
Client version: 3.3.3, 3.3.4, 3.3.5
All three versions show this error
Operating system: Windows 10
OS language: German
Full error message (sorry, German only):