Date:      Fri, 29 Oct 2021 14:16:32 +0200
From:      Michael Gmelin <freebsd@grem.de>
To:        Per olof Ljungmark <peo@nethead.se>
Cc:        Guido Falsi <madpilot@freebsd.org>, ports@freebsd.org
Subject:   Re: deskutils/nextcloudclient Cannot connect securely to
Message-ID:  <7B941E4A-A66E-4B8A-B599-4F01492C8259@grem.de>
In-Reply-To: <b63d42a0-dd46-9b82-ef23-20d012ca2bc1@nethead.se>
References:  <b63d42a0-dd46-9b82-ef23-20d012ca2bc1@nethead.se>



> On 29. Oct 2021, at 14:12, Per olof Ljungmark <peo@nethead.se> wrote:
>
> On 10/25/21 16:22, Per olof Ljungmark wrote:
>>> On 10/25/21 09:51, Guido Falsi wrote:
>>> On 25/10/21 08:14, Per olof Ljungmark wrote:
>>>> FreeBSD 12-STABLE from Oct 15
>>>> nextcloudclient 3.3.5
>>>>
>>>> I get popup messages from the client stating "Untrusted Certificate Cannot connect securely to [server-name]".
>>>>
>>>> Browser access to the server is fine, no errors.
>>>>
>>>> Using truss, it seems it looks for and finds
>>>> fstatat(AT_FDCWD,"/etc/ssl/certs//2e5ac55d.0",{ mode=-r--r--r-- ,inode=192371,size=4665,blksize=5120 },0x0) = 0 (0x0)
>>>> open("/etc/ssl/certs//2e5ac55d.0",O_RDONLY,0666) = 106535 (0x1a027)
>>>>
>>>> But 2e5ac55d.0 (DST_Root_CA_X3.pem) has expired.
>>>>
>>>> It also looks for 8d33f237.0, but it does not exist:
>>>> fstatat(AT_FDCWD,"/etc/ssl/certs//8d33f237.0",0x7fffdf5f70a0,0x0) ERR#2 'No such file or directory'
>>>>
>>>> How do I convince it to instead look for 4042bcee.0 which is the ISRG_Root_X1.pem used by Letsencrypt?
>>>
>>> Ref: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
>>>
>>> What version of openssl are you using? Versions before 1.1.0 show this behavior.
>>>
>>> Maybe a possible workaround is to manually remove the expired certificate from the list of trusted ones.
>>>
>>> I guess you are using the ones installed by security/ca_root_nss, in which case you'll need to modify their list.
>>>
>> Deleting the link /etc/ssl/certs did the trick it seems, no more popups since an hour.
>> Still wondering why this happens though...
>
> As a final note, I just updated my laptop to latest 12-STABLE and nextcloudclient 3.3.5 and no problem with certificates. So the reason remains unknown but at least everything works as expected.
>

This was certainly related to the letsencrypt issuing CA expiry (seen the same on a nextcloud windows client).

-m

> Per
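
The check the thread performs by hand (finding an expired root such as 2e5ac55d.0 in the hashed trust directory), written as an added example that is not part of the original messages. It assumes the OpenSSL command-line tool and the <hash>.<n> file layout seen in the truss output; `expired_anchors` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: list trust anchors in an OpenSSL hashed CA directory
# (files named <subject-hash>.<n>, e.g. 2e5ac55d.0) that are expired or
# will expire within WINDOW seconds.
# expired_anchors is a hypothetical helper name, not an OpenSSL command.
# Only the first certificate in each file is examined.
# Usage: expired_anchors DIR [WINDOW]
expired_anchors() {
    dir=$1
    window=${2:-0}
    for f in "$dir"/*.[0-9]*; do
        [ -e "$f" ] || continue
        # Skip anything that does not parse as a certificate.
        openssl x509 -in "$f" -noout >/dev/null 2>&1 || continue
        # -checkend exits non-zero when notAfter falls inside the window;
        # a window of 0 means "already expired".
        if ! openssl x509 -in "$f" -noout -checkend "$window" >/dev/null 2>&1; then
            end=$(openssl x509 -in "$f" -noout -enddate)
            subj=$(openssl x509 -in "$f" -noout -subject)
            # Resolve the symlink so the source PEM can be identified.
            target=$(readlink "$f" 2>/dev/null || printf '%s' "$f")
            printf '%s\t%s\t%s\t%s\n' "${f##*/}" "$end" "$subj" "$target"
        fi
    done
    return 0
}

# Run directly as: sh script.sh /etc/ssl/certs [WINDOW]
if [ "$#" -gt 0 ]; then
    expired_anchors "$@"
fi
```

Each output line gives the hashed file name, its notAfter date, the subject, and the file the link points to, which identifies the entry to remove from the trust list.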
