Date:      Fri, 29 Oct 2021 14:11:01 +0200
From:      Per olof Ljungmark <peo@nethead.se>
To:        Guido Falsi <madpilot@FreeBSD.org>, ports@FreeBSD.org
Subject:   Re: deskutils/nextcloudclient Cannot connect securely to
Message-ID:  <b63d42a0-dd46-9b82-ef23-20d012ca2bc1@nethead.se>
In-Reply-To: <8c393a71-78fc-c057-2be7-37fc551e630d@nethead.se>
References:  <a96b4bd4-14c5-e60d-87c1-77aa474cc0eb@nethead.se> <b6e0a667-7e55-0a07-294c-355ca7a4b522@FreeBSD.org> <8c393a71-78fc-c057-2be7-37fc551e630d@nethead.se>

On 10/25/21 16:22, Per olof Ljungmark wrote:
> On 10/25/21 09:51, Guido Falsi wrote:
>> On 25/10/21 08:14, Per olof Ljungmark wrote:
>>> FreeBSD 12-STABLE from Oct 15
>>> nextcloudclient 3.3.5
>>>
>>> I get popup messages from the client stating "Untrusted Certificate 
>>> Cannot connect securely to [server-name]".
>>>
>>> Browser access to the server is fine, no errors.
>>>
>>> Using truss, it seems it looks for and finds
>>> fstatat(AT_FDCWD,"/etc/ssl/certs//2e5ac55d.0",{ mode=-r--r--r-- 
>>> ,inode=192371,size=4665,blksize=5120 },0x0) = 0 (0x0)
>>> open("/etc/ssl/certs//2e5ac55d.0",O_RDONLY,0666) = 106535 (0x1a027)
>>>
>>> But 2e5ac55d.0 (DST_Root_CA_X3.pem) has expired.
>>>
>>> It also looks for 8d33f237.0, but it does not exist:
>>> fstatat(AT_FDCWD,"/etc/ssl/certs//8d33f237.0",0x7fffdf5f70a0,0x0) 
>>> ERR#2 'No such file or directory'
>>>
>>> How do I convince it to instead look for 4042bcee.0 which is the 
>>> ISRG_Root_X1.pem used by Letsencrypt?
>>
>> Ref: 
>> https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
>>
>> What version of openssl are you using? versions before 1.1.0 show this 
>> behavior.
>>
>> Maybe a possible workaround is to manually remove the expired 
>> certificate from the list of trusted ones.
>>
>> I guess you are using the ones installed by security/ca_root_nss, in 
>> which case you'll need to modify their list.
>>
> 
> Deleting the link /etc/ssl/certs did the trick it seems, no more popups 
> since an hour.
> 
> Still wondering why this happens though...
> 

As a final note, I just updated my laptop to latest 12-STABLE and 
nextcloudclient 3.3.5 and no problem with certificates. So the reason 
remains unknown but at least everything works as expected.

Per
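
Added example, not part of the original thread: a shell function that lists the certificates in a trust directory that have expired (or will expire within a given number of seconds), printing each subject hash so it can be matched against the `<hash>.0` file names seen in the truss output above. The function name `expiring_certs` and its arguments are assumptions made for this example.

```sh
#!/bin/sh
# Added example (hypothetical helper, not from the thread).
# Usage: expiring_certs DIR [SECONDS]
#   DIR      trust directory to audit (the thread's was /etc/ssl/certs)
#   SECONDS  look-ahead window; default 0 reports only already-expired certs
# Output: one line per match: subject-hash <TAB> notAfter <TAB> file

expiring_certs() {
    dir=$1
    window=${2:-0}
    for f in "$dir"/*; do
        # -f follows symlinks, so hashed links such as 2e5ac55d.0 are checked too.
        [ -f "$f" ] || continue
        # Skip anything that does not parse as a PEM certificate.
        openssl x509 -in "$f" -noout >/dev/null 2>&1 || continue
        # -checkend exits non-zero when notAfter falls within the window.
        if ! openssl x509 -in "$f" -noout -checkend "$window" >/dev/null 2>&1; then
            hash=$(openssl x509 -in "$f" -noout -subject_hash)
            end=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
            printf '%s\t%s\t%s\n' "$hash" "$end" "$f"
        fi
    done
}
```

Because OpenSSL looks trust anchors up by `<subject-hash>.N`, the first column shows which lookup name an expired certificate will answer to.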


