nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0
27.31k stars 4.06k forks

Sabre\HTTP\ClientException: SSL certificate problem: unable to get local issuer certificate #6640

Closed ThaDaVos closed 5 years ago

ThaDaVos commented 7 years ago
### Steps to reproduce

1. Enable External Storage Support
2. Add certificates for same Nextcloud server (through GUI and OCC command)
3. Try to add Nextcloud as external storage for another user, for example you are userA and you're trying to add userB's nextcloud as external storage to your own.
4. Admin checks logs and sees above error

PS: the certificates are from GeoTrust/RapidSSL and I've tried above with TransIP's stack and it just works...

### Expected behaviour

The Nextcloud of userB will be added as External Storage to userA's Nextcloud

### Actual behaviour

Above error is thrown and a red square is shown

### Server configuration

**Operating system**: Result of following command: `cat /etc/*-release`

```
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.3 LTS"
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
```

**Web server:** Apache2

**Database:** MariaDB/MySQL

**PHP version:** PHP 7.0.22-0ubuntu0.16.04.1

**Nextcloud version:** (see Nextcloud admin page) 12.0.2 (about to upgrade to 12.0.3)

**Updated from an older Nextcloud/ownCloud or fresh install:** Upgraded from Nextcloud 11

**Where did you install Nextcloud from:** Installed using the Admin Manual, don't remember exactly how but it wasn't manual

**Signing status:**

Login as admin user into your Nextcloud and access http://example.com/index.php/settings/integrity/failed and paste the results here.

```
No errors have been found.
```

**List of activated apps:**

If you have access to your command line run e.g. `sudo -u www-data php occ app:list` from within your Nextcloud installation folder.

```
PHP 7.0.22-0ubuntu0.16.04.1 (cli) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.0.22-0ubuntu0.16.04.1, Copyright (c) 1999-2017, by Zend Technologies
root@VS-Cloud:/var/www# sudo -u www-data php occ app:list
Enabled:
  - activity: 2.5.2
  - admin_audit: 1.2.0
  - admin_notifications: 1.0.0
  - audioplayer: 2.1.0
  - bruteforcesettings: 1.0.2
  - calendar: 1.5.5
  - circles: 0.12.4
  - comments: 1.2.0
  - contacts: 1.5.3
  - dav: 1.3.0
  - encryption: 1.6.0
  - federatedfilesharing: 1.2.0
  - federation: 1.2.0
  - files: 1.7.2
  - files_accesscontrol: 1.2.5
  - files_automatedtagging: 1.2.2
  - files_downloadactivity: 1.1.1
  - files_external: 1.3.0
  - files_pdfviewer: 1.1.1
  - files_sharing: 1.4.0
  - files_texteditor: 2.4.1
  - files_trashbin: 1.2.0
  - files_versions: 1.5.0
  - files_videoplayer: 1.1.0
  - firstrunwizard: 2.1
  - gallery: 17.0.0
  - groupfolders: 1.1.0
  - impersonate: 1.0.1
  - logreader: 2.0.0
  - lookup_server_connector: 1.0.0
  - mail: 0.7.3
  - nextcloud_announcements: 1.1
  - notifications: 2.0.0
  - oauth2: 1.0.5
  - password_policy: 1.2.2
  - provisioning_api: 1.2.0
  - serverinfo: 1.2.0
  - sharebymail: 1.2.0
  - socialsharing_email: 1.0.1
  - spreed: 2.0.1
  - survey_client: 1.0.0
  - systemtags: 1.2.0
  - twofactor_backupcodes: 1.1.1
  - updatenotification: 1.2.0
  - weather: 1.5.0
  - workflowengine: 1.2.0
Disabled:
  - theming
  - user_external
  - user_ldap
```

**Nextcloud configuration:**

If you have access to your command line run e.g. `sudo -u www-data php occ config:list system` from within your Nextcloud installation folder.

```json
{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "cloud.vossystems.nl"
        ],
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "datadirectory": "\/mnt\/data",
        "overwrite.cli.url": "http:\/\/cloud.vossystems.nl",
        "dbtype": "mysql",
        "version": "12.0.2.0",
        "dbname": "NEXTCLOUD",
        "dbhost": "localhost",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "instanceid": "ocqpnvzhbv3q",
        "mail_from_address": "cloud",
        "mail_smtpmode": "sendmail",
        "mail_domain": "vossystems.nl",
        "default_language": "nl",
        "session_keepalive": "true",
        "enable_previews": "true",
        "share_folder": "\/Gedeeld\/",
        "updater.release.channel": "stable",
        "maintenance": false,
        "theme": "VosCloud",
        "loglevel": 0,
        "mail_smtphost": "smtp.office365.com",
        "mail_smtpport": "587",
        "mail_smtpauth": 1,
        "mail_smtpsecure": "tls",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "app.mail.smtp.timeout": 20
    }
}
```

**Are you using external storage, if yes which one:** local/smb/sftp/... Yes, trying to use Nextcloud one

**Are you using encryption:** yes/no yes

**Are you using an external user-backend, if yes which one:** LDAP/ActiveDirectory/Webdav/... no

### Client configuration

**Browser:** Firefox

**Operating system:** Windows 10

### Logs

#### Web server error log

```
Insert your webserver log here
Not found....
```

#### Nextcloud log (data/nextcloud.log)

```
Insert your Nextcloud log here
No log found in data or /var/log/nextcloud.log
```
MorrisJobke commented 7 years ago

> PS: the certificates are from GeoTrust/RapidSSL and I've tried above with TransIP's stack and it just works...

We use those CAs: https://github.com/nextcloud/server/blob/master/resources/config/ca-bundle.crt

@LukasReschke Maybe it's time to update the bundle again?

j-ed commented 7 years ago

Maybe it would be worth to implement an update function for the root certificate bundle. Here you will find an example script which is used to download the bundle for a curl installation. Maybe the script logic can be adapted for Nextcloud too:

https://github.com/curl/curl/blob/master/lib/mk-ca-bundle.pl

ThaDaVos commented 7 years ago

So the problem isn't with my domain specific certificates or what?

j-ed commented 7 years ago

@dvdbot The message "unable to get local issuer certificate" usually means that the system was not able to verify the validity of a certificate because the certificate chain check has failed. For a successful certificate chain check the server certificate, possible intermediate certificate(s) and the root certificate need to be available. The last one is usually delivered with the mentioned certificate bundle.

ThaDaVos commented 7 years ago

How do I import this bundle? The same way as I did with my own certificates? Using occ (something):certificates:import {path to certificate} ?

ThaDaVos commented 7 years ago

Even after importing the ca-bundle.crt using sudo -u www-data php occ security:certificates:import {NEXTCLOUD_ROOT}/resources/config/ca-bundle.crt still getting the same error, how can I fix this?

EDIT: I also added it using the gui

j-ed commented 7 years ago

Have you checked the whole certificate chain of the server you want to access? It might be possible that an intermediate certificate is missing. If you don't know how this can be done you need to tell us the server address you want to access.

ThaDaVos commented 7 years ago

the server address is: https://cloud.vossystems.nl OR http://voscloud.nl (redirects to cloud.vossystems.nl)

I don't know why it's not working, try adding all certificates I've got

j-ed commented 7 years ago

As far as I can see the web server https://cloud.vossystems.nl only provides the server certificate (1) and the GeoTrust Global CA certificate (3) if you connect to it, but not the RapidSSL SHA256 CA certificate. It might be possible that this is the reason for your problem. Please make sure that both intermediate (2+3) and the root certificate (1) are in your certificate cache/bundle.

This is the full certificate chain which needs to be available for verification:

```
(1) certificate : cloud.vossystems.nl.pem (aaeb2111)
 |  subject     : /CN=cloud.vossystems.nl
 |  issuer      : /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
 |  MD5 f-print : A6:CB:C2:CF:FD:BC:AB:9A:2F:CB:0D:C8:C7:65:4A:36
 |  SHA1 f-print: 3F:84:06:1B:D1:78:B5:53:0A:4C:DB:FB:91:40:4D:DA:B4:02:B2:24
 |
 +-> (2) certificate : rapidssl_sha256_ca.pem (80ecc636)
      |  subject     : /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
      |  issuer      : /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
      |  MD5 f-print : 90:11:03:DB:64:90:BC:BA:38:2E:65:F9:65:38:65:19
      |  SHA1 f-print: C8:6E:DB:C7:1A:B0:50:78:F6:1A:CD:F3:D8:DC:5D:B6:1E:B7:5F:B6
      |
      +-> (3) certificate : geotrust_global_ca.pem (2c543cd1)
           |  subject     : /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
           |  issuer      : /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
           |  MD5 f-print : 2E:7D:B2:A3:1D:0E:3D:A4:B2:5F:49:B9:54:2A:2E:1A
           |  SHA1 f-print: 73:59:75:5C:6D:F9:A0:AB:C3:06:0B:CE:36:95:64:C8:EC:45:42:A3
           |
           +-> (4) certificate : equifax_secure_certificate_authority.pem (578d5c04)
                |  subject     : /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
                |  issuer      : /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
                |  MD5 f-print : 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
                |  SHA1 f-print: D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
                |
                +-> end of chain!
```
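The two comments above from j-ed describe the failure mode (a client that trusts only the root cannot close the chain when the server omits an intermediate) and the check (look at what the server actually sends). The POSIX shell script below is an added example, not code from this thread or from the Nextcloud project, that reproduces both with only the `openssl` command line tool (1.1.1 or later). It builds a throwaway PKI of its own (the CA names and the hostname `cloud.example.test` are made up), so it runs offline; `verify_leaf`, `missing_issuers` and `show_served_chain` are helpers written for this example, not `occ` commands.

```shell
#!/bin/sh
# Added example, not part of the Nextcloud issue or code base: build a
# constructed PKI (root -> intermediate -> leaf), reproduce the
# "unable to get local issuer certificate" failure a client gets when the
# server sends only its leaf certificate, and show how to spot the gap.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req/x509 config so the example does not depend on the system
# openssl.cnf. All names below are invented for the example.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
O = Example
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:cloud.example.test
subjectKeyIdentifier = hash
EOF

# Root CA (self-signed) -> intermediate CA (signed by root) -> leaf (signed by intermediate).
openssl req -x509 -config pki.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -days 30 -subj "/O=Example/CN=Example Root CA" 2>/dev/null
openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -keyout int.key -out int.csr -subj "/O=Example/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out int.pem -days 30 -extfile pki.cnf -extensions ca_ext 2>/dev/null
openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -keyout leaf.key -out leaf.csr -subj "/CN=cloud.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -out leaf.pem -days 30 -extfile pki.cnf -extensions leaf_ext 2>/dev/null

# What a misconfigured server sends, and what a correctly configured one sends.
cat leaf.pem > served_leaf_only.pem
cat leaf.pem int.pem > served_full.pem

# verify_leaf <trusted CA file> <untrusted intermediates file or ""> <leaf>
# Prints "OK", or the OpenSSL lookup error text. The trusted file plays the
# role of Nextcloud's ca-bundle.crt; the untrusted file is what the server sent.
verify_leaf() {
    if [ -n "$2" ]; then
        msg="$(openssl verify -no-CApath -CAfile "$1" -untrusted "$2" "$3" 2>&1)" && { echo OK; return 0; }
    else
        msg="$(openssl verify -no-CApath -CAfile "$1" "$3" 2>&1)" && { echo OK; return 0; }
    fi
    echo "$msg" | sed -n 's/.*error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
}

# missing_issuers <PEM bundle>: print every issuer that is not itself present
# as a subject in the bundle. A healthy served chain leaves exactly one gap,
# the root, which the client must already trust; any other gap is a missing
# intermediate that the web server should be sending.
missing_issuers() {
    dir="$(mktemp -d)"
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} {if (n > 0) print > (d "/" n ".pem")}' "$1"
    [ -e "$dir/1.pem" ] || { echo "no certificates found in $1" >&2; rm -rf "$dir"; return 1; }
    subjects=""
    for c in "$dir"/*.pem; do
        subjects="$subjects $(openssl x509 -noout -subject_hash -in "$c")"
    done
    for c in "$dir"/*.pem; do
        ih="$(openssl x509 -noout -issuer_hash -in "$c")"
        case " $subjects " in
            *" $ih "*) ;;
            *) openssl x509 -noout -issuer -nameopt RFC2253 -in "$c" | sed 's/^issuer=//' ;;
        esac
    done
    rm -rf "$dir"
}

# show_served_chain <host> [port]: dump the certificates a live server sends,
# ready to feed into missing_issuers. Needs network access, so it is not run here.
show_served_chain() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

echo "root trusted, server sends leaf only     : $(verify_leaf root.pem "" leaf.pem)"
echo "root trusted, intermediate supplied      : $(verify_leaf root.pem served_full.pem leaf.pem)"
echo "issuers missing from leaf-only bundle    : $(missing_issuers served_leaf_only.pem)"
echo "issuers missing from leaf+intermediate   : $(missing_issuers served_full.pem)"
```

The first `verify_leaf` call fails with exactly the error in the issue title, even though the root is trusted, because nothing links the leaf to it; importing more roots into Nextcloud (`occ security:certificates:import`) cannot fix that. The second call succeeds once the intermediate is available, which is what serving it from the web server achieves for every client at once. To check a real host, run `show_served_chain cloud.vossystems.nl > served.pem` and then `missing_issuers served.pem`: if anything other than the root CA is listed, the web server is not sending that intermediate. On Apache 2.4.8 and later the leaf and intermediate certificates can be concatenated into the single file named by `SSLCertificateFile`; older releases take the intermediate via `SSLCertificateChainFile`.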
ThaDaVos commented 7 years ago

I know there are three lines about certificates in my Apache Virtualhost, have to check what's wrong, can you give me an example of what you would expect to have in a virtual host in which this should work?

j-ed commented 7 years ago

I think this is the wrong location to discuss general web server configuration issues. You should follow e.g. this information: https://www.digicert.com/ssl-certificate-installation-ubuntu-server-with-apache2.htm

ThaDaVos commented 7 years ago

Thanks, I'll report back if my problem can be solved by above link

ThaDaVos commented 7 years ago

Reporting back as promised, the missing RapidSSL SHA256 CA intermediate certificate was the problem, it works, thanks for all the help :) Stupid that GeoGlobalTrust doesn't supply this certificate when downloading the bundle...

skjnldsv commented 5 years ago

> Reporting back as promised, the missing RapidSSL SHA256 CA intermediate certificate was the problem, it works, thanks for all the help :)

Closing as resolved

fvillena commented 1 year ago

I have this same problem with https://sasiba.uchile.cl