User external storage & dropbox wont work #819

Closed
MTRichards opened this issue Dec 11, 2012 · 18 comments
@MTRichards
Contributor

Transferred from Bug Genie
http://bugs.owncloud.org/thebuggenie/owncloud/issues/oc-2054

Confirmed with the following on today's build:
Error configuring Dropbox storage
Fetching request tokens failed. Verify that your Dropbox app key and secret are correct.

Description:
After enabling user external storage and entering all the information for Dropbox app access, nothing happens, and the external storage entry is not shown after granting access and returning from the OAuth page. This happens both with a precreated folder as a mountpoint and with a new one, on OC 4.5.

I am using 2-factor authentication with Dropbox (which should not interfere with dev app access, though).

Reproduction steps:
Enable user external storage and try to connect to Dropbox.

@MTGap
Contributor

MTGap commented Dec 17, 2012

I realized that I made the mistake of changing the dropbox library to not add the ssl certificate to the curl opts, because it was failing to find the file and I didn't realize its importance. This is what is causing the problem in this issue.

@schiesbn I believe you have some experience with this, you did the ssl certificates upload for webdav. Curl is having trouble finding the certificate if I uncomment the line and add the rootca file to the same directory. Could you help me out?

https://github.com/owncloud/3rdparty/blob/master/Dropbox/OAuth/Curl.php#L87
https://github.com/Dropbox-PHP/dropbox-php/blob/d1763b80a096b0b011a658bbd7777338f1ccd884/tests/rootca

@VicDeo
Member

VicDeo commented Dec 17, 2012

@MTGap Have you tried it this way?

    curl_setopt($ch, CURLOPT_CAINFO,  dirname(__FILE__) . "/rootca");

@MTGap
Contributor

MTGap commented Dec 21, 2012

@VicDeo I think it finds the certificate now with that change, but I get this new error:

Curl error: (60) SSL certificate problem, verify that the CA cert is OK. Details:\nerror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

@karlitschek
Contributor

@schiesbn Could you have a look and help @MTGap here?

@VicDeo
Member

VicDeo commented Dec 28, 2012

@MTGap error 60 means that the peer certificate is not trusted.

Check the host you are trying to connect to with any SSL diagnosis service like http://www.sslshopper.com/ssl-checker.html
It might be missing an intermediate certificate in its chain.

@MTGap
Contributor

MTGap commented Dec 28, 2012

It's dropbox, of course their ssl is good.

@VicDeo
Member

VicDeo commented Dec 28, 2012

@MTGap try with cacert.pem at this page http://curl.haxx.se/docs/caextract.html

@VicDeo
Member

VicDeo commented Dec 28, 2012

@MTGap Dropbox has an SSL certificate issued by Go Daddy. This thread seems to be outdated but it might be the clue: http://curl.haxx.se/mail/archive-2008-02/0000.html

@MTGap
Contributor

MTGap commented Dec 28, 2012

The cacert.pem seems to work.

I'm a little confused about what's going on now. I think I need to also do something similar with the Google Drive storage backend, I'm not sure if I'm using ssl with it right now. Could you take a look at that one as well @VicDeo ?

@VicDeo
Member

VicDeo commented Dec 28, 2012

@MTGap Curl just trusts no one except the list of the cert issuers in the specified cert file.
I see that the Dropbox PHP library has a cert file from Mozilla, so a recent Mozilla cert should work OK. https://github.com/BenTheDesigner/Dropbox/blob/7cd31fb15ed8b1743091ac85d49725c26103c60a/Dropbox/OAuth/Consumer/ca-bundle.pem

According to https://github.com/owncloud/3rdparty/blob/master/Google/common.inc.php#L46
and
https://github.com/owncloud/core/blob/stable45/3rdparty/Google/common.inc.php#L49

no peer validation is used with Google drive currently.

@MTGap
Contributor

MTGap commented Dec 28, 2012

We're actually using a different dropbox library than the one you linked.

So, should I use that cacert.pem for both Dropbox and Google Drive backends?

@VicDeo
Member

VicDeo commented Dec 28, 2012

@MTGap I know, but this one is listed at the dev section on the Dropbox site. It doesn't matter anyway since the cert file they use is provided by Mozilla; as stated in line #9, its origin is
http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1

It should work with Google drive as soon as Google Drive SDK uses cert bundle from Mozilla too https://code.google.com/p/google-drive-sdk-samples/source/browse/php/libs/gd-v2-php/io/cacerts.pem

@MTGap
Contributor

MTGap commented Jan 29, 2013

@VicDeo Could you explain to me what I should do? Where should I put the cacert.pem?

@Rid

Rid commented Jan 29, 2013

Isn't this a local problem? I thought error 60 meant curl cannot find the ca bundle on the local system

@MTGap
Contributor

MTGap commented Jan 29, 2013

I need to figure out how to include the ssl cert in 3rdparty properly.

@Rid

Rid commented Jan 29, 2013

If I save https://code.google.com/p/google-drive-sdk-samples/source/browse/php/libs/gd-v2-php/io/cacerts.pem as 3rdparty/Dropbox/OAuth/rootca and set curl_setopt($ch, CURLOPT_CAINFO, "3rdparty/Dropbox/OAuth/rootca"); it fixes the issue.

@VicDeo
Member

VicDeo commented Feb 4, 2013

@MTGap I think the best option is to put the cert file under 3rdparty/ssl, 3rdparty/Mozilla/ssl or something similar. In that case it would be possible to reuse it wherever it is needed and update it without much pain.

@karlitschek
Contributor

I don't think we should ship cert files. This opens a can of worms. I think the correct solution is to update the server os to a newer version that contains the proper certs.
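
The options weighed in this thread, as an added PHP example that is not part of the thread or of ownCloud's code: verification stays enabled, the bundle path is made absolute, libcurl falls back to the system trust store when no bundle is shipped, and libcurl error 77 (CA file could not be read) is reported separately from error 60 (certificate chain not trusted). The function names and the `ssl/cacert.pem` location are hypothetical.

```php
<?php
// Added example; not ownCloud or Dropbox-PHP code. Function names and the
// bundle path are hypothetical.

/** Return the first readable bundle as an absolute path, or null. */
function resolveCaBundle(array $candidates): ?string
{
    foreach ($candidates as $path) {
        // realpath() removes any dependence on the current working directory.
        $real = realpath($path);
        if ($real !== false && is_file($real) && is_readable($real)) {
            return $real;
        }
    }
    return null; // caller then leaves libcurl on the system trust store
}

/** GET $url with peer and host verification always enabled. */
function fetchVerified(string $url, ?string $caBundle): string
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); // validate the chain
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);    // and the host name
    if ($caBundle !== null) {
        curl_setopt($ch, CURLOPT_CAINFO, $caBundle);
    }
    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);

    if ($errno === 77) { // libcurl: CA file could not be read
        throw new RuntimeException("CA bundle unreadable: $error");
    }
    if ($errno === 60) { // libcurl: chain not anchored in the trusted set
        throw new RuntimeException("Server certificate not trusted: $error");
    }
    if ($body === false) {
        throw new RuntimeException("Request failed ($errno): $error");
    }
    return $body;
}

// Usage: php example.php https://example.org/
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $bundle = resolveCaBundle([__DIR__ . '/ssl/cacert.pem']); // hypothetical
    echo strlen(fetchVerified($argv[1], $bundle)), " bytes\n";
}
```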

@lock lock bot locked as resolved and limited conversation to collaborators Aug 24, 2019