Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 25 Oct 2021 10:02:50 +0200
From:      Per olof Ljungmark <peo@nethead.se>
To:        Guido Falsi <madpilot@FreeBSD.org>, ports@FreeBSD.org
Subject:   Re: deskutils/nextcloudclient Cannot connect securely to
Message-ID:  <c3dcfcf1-47f1-0cad-db9f-cb4721695e3f@nethead.se>
In-Reply-To: <b6e0a667-7e55-0a07-294c-355ca7a4b522@FreeBSD.org>
References:  <a96b4bd4-14c5-e60d-87c1-77aa474cc0eb@nethead.se> <b6e0a667-7e55-0a07-294c-355ca7a4b522@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help 

On 10/25/21 09:51, Guido Falsi wrote:
> On 25/10/21 08:14, Per olof Ljungmark wrote:
>> FreeBSD 12-STABLE from Oct 15
>> nextcloudclient 3.3.5
>>
>> I get popup messages from the client stating "Untrusted Certificate 
>> Cannot connect securely to [server-name]".
>>
>> Browser access to the server is fine, no errors.
>>
>> Using truss, it seems it looks for and finds
>> fstatat(AT_FDCWD,"/etc/ssl/certs//2e5ac55d.0",{ mode=-r--r--r-- 
>> ,inode=192371,size=4665,blksize=5120 },0x0) = 0 (0x0)
>> open("/etc/ssl/certs//2e5ac55d.0",O_RDONLY,0666) = 106535 (0x1a027)
>>
>> But 2e5ac55d.0 (DST_Root_CA_X3.pem) has expired.
>>
>> It also looks for 8d33f237.0, but it does not exist:
>> fstatat(AT_FDCWD,"/etc/ssl/certs//8d33f237.0",0x7fffdf5f70a0,0x0) 
>> ERR#2 'No such file or directory'
>>
>> How do I convince it to instead look for 4042bcee.0 which is the 
>> ISRG_Root_X1.pem used by Letsencrypt?
> 
> Ref: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
> 
> What version of openssl are you using? versions before 1.1.0 show this 
> behavior.
> 
> Maybe a possible workaround is to manually remove the expired 
> certificate from the list of trusted ones.
> 
> I guess you are using the ones installed by security/ca_root_nss, in 
> which case you'll need to modify their list.

OpenSSL 1.1.1l-freebsd  24 Aug 2021

I will try to remove the expired cert and see what happens.

The server (v.20.0.13) uses security/ca_root_nss, the client apparently 
does not, it does not look in /usr/local/share/certs or /usr/local/etc/ssl

And, Windows and Mac clients does not exhibit this behaviour.

Thanks,
Per

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?c3dcfcf1-47f1-0cad-db9f-cb4721695e3f>