Solved Nextcloud backup failure, self-signed certs

Started by qinohe, July 03, 2019, 05:50:57 PM

July 03, 2019, 05:50:57 PM Last Edit: August 01, 2019, 03:41:34 PM by qinohe
Hi guys,

A while ago, a feature was added to (19.1.7), namely
Quote: adding local CAs to the trusted SSL certificates for most of the system download capabilities, plugin-based PAM authentication rework for IPsec and the web proxy as well as third party fixes for hostapd / wpa_supplicant 2.8 and Suricata 4.1.4
If you are a Nextcloud user using self-signed certs, like me, your backup may be failing, check this! If this is the case, the solution is to still add your self-signed CA to 'ca-root-nss.crt', after this the backup to your cloud will continue to work.

@franco, in forum post https://forum.opnsense.org/index.php?topic=12615.msg58252#msg58252 you said in #4 this feature was added, though, I'm experiencing the opposite and using the above solution. ;)

Thanks, mark

Hi mark,

Self-signed CA or certificate? There's a difference, because only the former works for this feature.


Cheers,
Franco

Hi franco,

Thanks for the super-fast response  8), so if I understand correctly, one still needs to add the CRT to 'ca-root-nss' even though I am using a chain?

Greetings, mark

Hmm, well, so is it a self-signed cert, or a self-signed CA with a cert? Is it a sub-ca?

July 03, 2019, 06:45:01 PM #4 Last Edit: July 03, 2019, 06:57:56 PM by qinohe
It's the CA I have added to the store, the chain is CA -> LEAF -> CRT.

edit: sorry, I meant INTERMEDIATE, not LEAF

Does the NextCloud server send the intermediate? If not you need to add this one as well to the authority section.


Cheers,
Franco


If CA and intermediate are under System: Trust: Authorities this should start working automatically.

It may miss a sync trigger when editing trust entries... I'm not sure.

# configctl firmware configure

There's no reason the CA and intermediate won't turn up in the crt file then.


Cheers,
Franco

Yes, you see, there lies the problem, both ca & intermediate are added to 'etc/ssl/cert.pem', but it seems they are not used since I still need to add the ca to 'ca-root-nss', or I'm missing something terribly ;D

I did run 'configctl firmware configure' OK

Thanks, mark

The funny thing is ca-root-nss.crt is not for editing because it is the upstream root bundle, not the system root bundle. Case in point is the health audit:

# pkg check -s ca_root_nss
Checking ca_root_nss:   0%
ca_root_nss-3.44.1: checksum mismatch for /usr/local/share/certs/ca-root-nss.crt
Checking ca_root_nss: 100%

Whatever tries to verify your SSL bounces it against the wrong file, but the feature is supposedly working as intended.


Cheers,
Franco

(I'll try to look at this when 19.7-RC1 is out.)

@franco: does curl default in the port still point to the wrong location?

Yes, it seems that way. Need to find out if this is libcurl or PHP's doing...


Quote from: franco on July 03, 2019, 07:38:46 PM
The funny thing is ca-root-nss.crt is not for editing because it is the upstream root bundle, not the system root bundle. Case in point is the health audit:

# pkg check -s ca_root_nss
Checking ca_root_nss:   0%
ca_root_nss-3.44.1: checksum mismatch for /usr/local/share/certs/ca-root-nss.crt
Checking ca_root_nss: 100%

Whatever tries to verify your SSL bounces it against the wrong file, but the feature is supposedly working as intended.


Cheers,
Franco

Well, no need to worry about the health check, I run my own, notified by tmux on its bar, see link in #1, #3 on that link. It's a remnant from when we did need to add it, but still works.
No worries, I will see when all the pieces make a puzzle again, until then, I have a working situation ;)

Greetings, mark