[Bug]: Nextcloud calls S3 (Primary Storage) API disregarding custom certificates installed to /etc/ssl/certs #50098

Open
4 of 8 tasks
rriemann opened this issue Jan 8, 2025 · 2 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap 30-feedback bug

rriemann commented Jan 8, 2025


Bug description

My Nextcloud is using an S3 instance with an SSL certificate from an organisation-internal CA imported to the container image.

While certain API calls to S3 work, others don't. The bug here is that Nextcloud seems to use different CA stores depending on how API calls are made: fopen(), HTTP Guzzle, curl?

Steps to reproduce

  1. configure Nextcloud to use S3 object storage as primary storage with a host using a custom CA
  2. launch nextcloud and notice that login does not work: error 50x
  3. add a custom CA to the docker image (or host OS): /usr/local/share/ca-certificates/my-ca.crt
  4. run update-ca-certificates
  5. configure nextcloud to use S3 primary storage with a host using the custom CA
  6. launch nextcloud and notice that login now works (also some avatar pictures are uploaded to the S3 object storage)
  7. upload a file and notice that it does not end up in S3

Errors in the log:

Image

Expected behavior

I expect that all nextcloud components consistently apply the same SSL settings unless explicitly stated otherwise (e.g. using the smtp stream options).

Nextcloud Server version

30

Operating system

Other

PHP engine version

None

Web server

None

Database engine version

None

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Additional info

No response

@rriemann rriemann added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Jan 8, 2025

rriemann commented Jan 8, 2025

This seems to be related to issue #32726.
It seems the advice in #32726 would not be enough.


rriemann commented Jan 8, 2025

@icewind1991 @come-nc @kesselb I see you touched code related to the certification bundle before. Can you please tell me which cert bundle fopen() in the S3 classes is eventually using?
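
Added example, not part of the issue thread and not Nextcloud code: a stand-alone PHP diagnostic that prints the CA locations PHP's stream layer (the one behind `fopen()`) and the curl extension are configured with, then attempts a verified TLS handshake over each path. The file name `ca-probe.php` and the host argument are placeholders.

```php
<?php
// Added diagnostic, not Nextcloud code. Usage (host is a placeholder):
//   php ca-probe.php s3.internal.example 443
// With no arguments it only prints the configured CA locations.

function configuredCaSources(): array {
    $loc = openssl_get_cert_locations(); // OpenSSL defaults that PHP streams fall back to
    return [
        'openssl.cafile (php.ini)'  => ini_get('openssl.cafile') ?: '(unset)',
        'openssl.capath (php.ini)'  => ini_get('openssl.capath') ?: '(unset)',
        'OpenSSL default cert file' => $loc['default_cert_file'],
        'OpenSSL default cert dir'  => $loc['default_cert_dir'],
        'SSL_CERT_FILE (env)'       => getenv('SSL_CERT_FILE') ?: '(unset)',
        'SSL_CERT_DIR (env)'        => getenv('SSL_CERT_DIR') ?: '(unset)',
        'curl.cainfo (php.ini)'     => ini_get('curl.cainfo') ?: '(unset)',
    ];
}

// Handshake through the stream layer with peer verification on.
function probeStream(string $host, int $port): string {
    $ctx = stream_context_create(['ssl' => ['verify_peer' => true, 'verify_peer_name' => true]]);
    $errno = 0; $errstr = '';
    $fp = @stream_socket_client("ssl://$host:$port", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        $last = error_get_last(); // TLS failures are often reported only as a warning
        return 'FAIL (' . ($errstr !== '' ? $errstr : ($last['message'] ?? 'unknown error')) . ')';
    }
    fclose($fp);
    return 'OK';
}

// Same handshake through the curl extension; any HTTP status counts as TLS success.
function probeCurl(string $host, int $port): string {
    if (!function_exists('curl_init')) { return 'curl extension not loaded'; }
    $ch = curl_init("https://$host:$port/");
    curl_setopt_array($ch, [CURLOPT_NOBODY => true, CURLOPT_RETURNTRANSFER => true,
                            CURLOPT_CONNECTTIMEOUT => 10, CURLOPT_TIMEOUT => 10]);
    curl_exec($ch);
    $result = curl_errno($ch) === 0 ? 'OK' : 'FAIL (' . curl_error($ch) . ')';
    curl_close($ch);
    return $result;
}

foreach (configuredCaSources() as $name => $value) { printf("%-27s %s\n", $name, $value); }
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $host = $argv[1]; $port = (int) ($argv[2] ?? 443);
    echo 'stream (ssl://) handshake:  ', probeStream($host, $port), "\n";
    echo 'curl handshake:             ', probeCurl($host, $port), "\n";
}
```

The CLI and the web server SAPI can load different php.ini files, so run it with the same configuration and user as the PHP process that serves Nextcloud. An application that passes its own CA bundle path to a client overrides these defaults, which this script does not see.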
