Nextcloud and Onlyoffice: Error when trying to connect (cURL error 60: SSL certificate problem: unable to get local issuer certificate (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)) #18899

Closed
H4M1O opened this issue Jan 14, 2020 · 7 comments
Labels: 0. Needs triage, bug, needs info


H4M1O commented Jan 14, 2020

Steps to reproduce

  1. Upgrade Nextcloud to the latest 16.0.7 (Production)
  2. Go to Settings --> Onlyoffice
  3. Press the button Save and the error will appear on the top of the page

Expected behaviour

It should connect to Onlyoffice; instead it is giving me a certificate error, and before upgrading Nextcloud, Onlyoffice was working without issues.

Actual behaviour

After the upgrade Onlyoffice is not working anymore. I can open the documents but I can't save them, and when I checked the configuration I found out that if I try to save it I receive a certificate error.

Server configuration

Operating system:
Ubuntu 16.04.6 LTS
Web server:
Apache 2.4 --> 2.4.41-1+ubuntu16.04.1+deb.sury.org+5
Database:
MySQL 5.7 --> 5.7.28-0ubuntu0.16.04.2
PHP version:
PHP 7.0 --> 7.0.33-11+ubuntu16.04.1+deb.sury.org+1
Nextcloud version: (see Nextcloud admin page)
16.0.7 (Production)
Updated from an older Nextcloud/ownCloud or fresh install:
Upgraded regularly since version 13
Where did you install Nextcloud from:
Nextcloud website
Signing status:


No errors have been found.

List of activated apps:


Enabled:
  - accessibility: 1.2.0
  - activity: 2.9.1
  - admin_audit: 1.6.0
  - announcementcenter: 3.5.1
  - apporder: 0.9.0
  - audioplayer: 2.8.4
  - bruteforcesettings: 1.4.0
  - checksum: 0.4.3
  - cloud_federation_api: 0.2.0
  - comments: 1.6.0
  - data_request: 1.3.0
  - dav: 1.9.2
  - deck: 0.6.6
  - drawio: 0.9.4
  - extract: 1.2.2
  - federatedfilesharing: 1.6.0
  - federation: 1.6.0
  - files: 1.11.0
  - files_3d: 0.1.0
  - files_accesscontrol: 1.6.0
  - files_automatedtagging: 1.6.0
  - files_downloadactivity: 1.5.0
  - files_external: 1.7.0
  - files_fulltextsearch: 1.3.6
  - files_pdfviewer: 1.5.0
  - files_retention: 1.5.1
  - files_rightclick: 0.15.1
  - files_sharing: 1.8.0
  - files_texteditor: 2.8.0
  - files_trashbin: 1.6.0
  - files_versions: 1.9.0
  - files_videoplayer: 1.5.0
  - firstrunwizard: 2.5.0
  - flowupload: 0.1.7
  - gallery: 18.3.0
  - groupfolders: 4.1.5
  - logreader: 2.1.0
  - lookup_server_connector: 1.4.0
  - metadata: 0.10.0
  - nextcloud_announcements: 1.5.0
  - notifications: 2.4.1
  - oauth2: 1.4.2
  - onlyoffice: 4.0.0
  - password_policy: 1.6.0
  - polls: 0.10.4
  - privacy: 1.0.0
  - provisioning_api: 1.6.0
  - rainloop: 6.0.4
  - recommendations: 0.4.0
  - serverinfo: 1.6.0
  - sharebymail: 1.6.0
  - spreed: 6.0.4
  - support: 1.0.0
  - survey_client: 1.4.0
  - systemtags: 1.6.0
  - terms_of_service: 1.2.3
  - theming: 1.7.0
  - twofactor_backupcodes: 1.5.0
  - twofactor_totp: 3.0.1
  - updatenotification: 1.6.0
  - uploaddetails: 0.1.2
  - viewer: 1.2.0
  - w2g2: 2.2.8
  - workflowengine: 1.6.0
Disabled:
  - calendar
  - contacts
  - encryption
  - files_snapshots
  - fulltextsearch
  - notes
  - quicknotes
  - user_ldap

Nextcloud configuration:


```json
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trashbin_retention_obligation": "7, auto",
        "versions_retention_obligation": "7, auto",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***",
            "***REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "tempdirectory": "\/nc-drive\/temp",
        "logfile": "\/nc-data\/nextcloud.log",
        "loglevel": 2,
        "overwrite.cli.url": "http:\/\/cloud.tecnostudiambiente.it",
        "dbtype": "mysql",
        "version": "16.0.7.1",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "mail_smtpmode": "smtp",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpsecure": "ssl",
        "mail_smtpport": "465",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "theme": "",
        "updater.release.channel": "production",
        "mysql.utf8mb4": true,
        "app_install_overwrite": [
            "files_reader"
        ]
    }
}
```

Are you using external storage, if yes which one: local/smb/sftp/...
No
Are you using encryption: yes/no
No
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
No

Client configuration

Browser:
Chrome, Brave, Firefox, Edge.
Operating system:
Windows 10, Linux (different flavours), OSX Catalina.

Logs

Web server error log

No errors

H4M1O added the 0. Needs triage and bug labels on Jan 14, 2020

Contributor

kesselb commented Jan 14, 2020

Are you suggesting to ignore certificate errors? Is it self-signed?

Author

H4M1O commented Jan 14, 2020

Hi @kesselb,
I am using a paid wildcard certificate with 1 year expiration from Trustico, the same I was using before the update. The certificate is valid and not expired.

Since I updated Nextcloud, Onlyoffice (that is using the same certificate as Nextcloud) is not allowing me to save my files (stored in Nextcloud) so I tried to check the configuration of Nextcloud and under the Onlyoffice integration when I click on Save I am receiving the weird error that I left as a subject of this issue.

I have no idea why it's doing this; before the update it was working fine, and NO, I am not suggesting to ignore certificate errors. I am asking for help to understand why, since the upgrade, I am receiving that error, considering that the certificate is the same as before and it's a valid certificate.
Thanks

Contributor

kesselb commented Jan 14, 2020

OK. Please don't use the bug tracker for questions ;)

Nextcloud uses a copy of https://curl.haxx.se/docs/caextract.html for certificate validation. The copy is updated from time to time. The list contains the certificates we trust.

  1. You (Client) -> Server: Client (e.g. Chrome / Firefox / whatever) will validate the certificate. That's you using Nextcloud or OnlyOffice.

  2. Server (Client) -> Server: Server will validate the certificate. That's OnlyOffice trying to save file to Nextcloud or Nextcloud fetching data from OnlyOffice.

If 1 works but 2 fails, usually the server fails to validate the certificate. Why does it fail? The list of certificates contains only the big certificate companies. A reseller like Trustico pays another certificate company for an intermediate certificate. With this intermediate certificate Trustico is able to sign certificates (like the one you bought) without being on the list (but the big companies are also using intermediates).

Solution A) Configure the webserver to deliver the certificate chain. Right now your webserver only sends the certificate for the domain, not the intermediate. A tool like https://www.ssllabs.com/ssltest/analyze.html is handy to check for such issues. But curl also works:

```
$ curl -I https://cloud.tecnoxxxxxxx.it
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
$ curl --cacert SectigoRSADVBundle.pem -I https://cloud.tecnoxxxxxxx.it
HTTP/2 302 
date: Tue, 14 Jan 2020 21:08:58 GMT
server: tecnoxxxxxxx
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
```

--cacert will use the provided file to validate the certificate.
SectigoRSADVBundle.pem: https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rfBO

Solution B) Otherwise you can fix this problem by adding the certificate to your system's certificate storage. For Nextcloud (because we use our own files) via occ security:certificates:import. You need to trust either your certificate or the intermediate certificate.
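
The missing-intermediate failure and both fixes from the comment above can be reproduced offline with a throwaway PKI. This is an added example, not part of the original comment or of Nextcloud's code; the CA names, `cloud.example.test`, and the helpers `issue` and `check_chain` are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: throwaway three-level PKI; all names and files are constructed.
set -u
PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT

# issue NAME CN EXTENSION [ISSUER]: new key and certificate under $PKI.
# Without ISSUER the certificate is self-signed (the root).
issue() {
  local name="$1" cn="$2" ext="$3" issuer="${4:-}"
  printf '%s\n' "$ext" > "$PKI/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$PKI/$name.key" -out "$PKI/$name.csr" 2>/dev/null || return 1
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$PKI/$name.csr" -signkey "$PKI/$name.key" -days 2 \
      -extfile "$PKI/$name.ext" -out "$PKI/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$PKI/$name.csr" -CA "$PKI/$issuer.pem" \
      -CAkey "$PKI/$issuer.key" -CAcreateserial -days 2 \
      -extfile "$PKI/$name.ext" -out "$PKI/$name.pem" 2>/dev/null
  fi
}

# check_chain TRUST_LIST LEAF [SENT_BY_SERVER]
# TRUST_LIST plays the CA bundle of the validating server; SENT_BY_SERVER holds
# the extra certificates the web server delivers next to its own certificate.
check_chain() {
  local out
  if out=$(openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>&1); then
    echo "OK"
  else
    printf '%s\n' "$out" | grep -o 'unable to get local issuer certificate' | head -n 1
  fi
}

issue root 'Example Root CA' 'basicConstraints=critical,CA:TRUE'
issue int 'Example Intermediate CA' 'basicConstraints=critical,CA:TRUE' root
issue leaf 'cloud.example.test' 'subjectAltName=DNS:cloud.example.test' int
cat "$PKI/root.pem" "$PKI/int.pem" > "$PKI/root+int.pem"

echo "leaf only, roots trusted:           $(check_chain "$PKI/root.pem" "$PKI/leaf.pem")"
echo "A) server also sends intermediate:  $(check_chain "$PKI/root.pem" "$PKI/leaf.pem" "$PKI/int.pem")"
echo "B) client also trusts intermediate: $(check_chain "$PKI/root+int.pem" "$PKI/leaf.pem")"
```

The first check fails with the same OpenSSL message that curl wraps as error 60, because the trust list holds only the root and nothing supplies the intermediate.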

Contributor

kesselb commented Jan 28, 2020

@H4M1O you were able to fix the issue?

Author

H4M1O commented Feb 23, 2020

Hi @kesselb, yes sorry but I was extremely busy and was abroad so I couldn't answer earlier.
The issue was related to the SSL certs apparently.
We re-issued new ones and they worked.
Thanks


takenp commented Sep 27, 2021

I resolved this by putting our internal self-issued ca.crt into /usr/share/ca-certificates/
and then dpkg-reconfigure ca-certificates


wolf4914 commented Oct 3, 2021

I have the same issue but I run Nextcloud on TrueNAS-12.0-U5.1 in a jail. I tried solution B to no avail. Would love to get rid of this error and get onlyoffice to work.
Steps to reproduce:

1. Install Nextcloud 22.2.0
2. Go to Settings --> Onlyoffice
3. Press the button Save and the error will appear on the top of the page

Expected behaviour:

It should connect to Onlyoffice; instead it is giving me a certificate error

Actual behaviour: Just does not work at all

Server configuration:

Operating system:
TrueNAS-12.0-U5.1

Web server:
nginx v 1.20.1

Database:
mysql 8.0.26

PHP version:
7.4.23
Nextcloud version: (see Nextcloud admin page)
22.2.0
Updated from an older Nextcloud/ownCloud or fresh install:
upgrade ===>from 22.1.0
Where did you install Nextcloud from:
TrueNas IX Systems plugin
Signing status: ?

```php
<?php
$CONFIG = array (
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/usr/local/www/nextcloud/apps',
      'url' => '/apps',
      'writable' => true,
    ),
    1 =>
    array (
      'path' => '/usr/local/www/nextcloud/apps-pkg',
      'url' => '/apps-pkg',
      'writable' => false,
    ),
  ),
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'memcache.local' => '\OC\Memcache\APCu',
  'one-click-instance' => true,
  'one-click-instance.user-limit' => 100,
  'memcache.distributed' => '\OC\Memcache\Redis',
  'memcache.locking' => '\OC\Memcache\Redis',
  'allow_local_remote_servers' => true,
  'redis' =>
  array (
    'host' => 'localhost',
  ),
  'passwordsalt' => 'XXXXXXXXXXXXXX',
  'secret' => '{{{{{{{',
  'trusted_domains' =>
  array (
    0 => 'localhost',
    2 => '192.168.50.XXX',
    4 => 'vadim.com.ru',
  ),
  'datadirectory' => '/usr/local/www/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '22.2.0.2',
  'overwrite.cli.url' => 'http://localhost',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'oc_ncadmin',
  'dbpassword' => 'TgM4bd1aStRE94kjKapV9DOzAIHCSE',
  'installed' => true,
  'instanceid' => 'oca4kj3cing2',
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'ssl',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => 'XXX',
  'mail_domain' => 'vadim.world',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'smtp.XXX',
  'mail_smtpport' => '465',
  'mail_smtpname' => 'vadim@vadim.world',
  'mail_smtppassword' => 'password',
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
);
```

Are you using external storage, if yes which one: smb

Are you using encryption: yes/no
No
Are you using an external user-backend, if yes which one: Webdav
yes

Client configuration

Browser:
Chrome, Firefox
Operating system:
Linux ubuntu 21.10 Arcolinux, Manjaro
Logs
Web server error log
error.log
