Nextcloud with Collabora CODE: cURL-Error 60

Hello,
yesterday I upgraded my UCS 5.0-2 to 5.0-8 errata 1109 and also upgraded Collabora CODE to 24.04.6.2 and Nextcloud to 28.0.7-0, the latest versions.

But now I get an error “Failed to connect to the remote server: cURL error 60: SSL certificate problem: unable to get local issuer certificate (see libcurl - Error Codes) for https://ucs.mydomain.de/hosting/discovery”, if I try to open an office document.

The linked page curl.haxx.se tells nothing; it only lists the possible error codes and a short explanation without hints to a solution.
The page https://ucs.mydomain.de/hosting/discovery shows the mime-types listed in an xml-file.

All my certificates (Letsencrypt and CA) are up-to-date.

At the moment I must activate not to check the certificate:

otherwise I get an error message:

I did no changes in the Apache proxy settings (default-ssl.conf):


ProxyPass /nextcloud http://127.0.0.1:40000/nextcloud retry=0
ProxyPassReverse /nextcloud http://127.0.0.1:40000/nextcloud

Apache log:

POST /nextcloud/index.php/apps/richdocuments/ajax/admin.php HTTP/1.1" 500 1192 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0”

I could not find any solution in this forum as well as in Nextcloud-forum how to fix it.

Nextcloud.log:

{“reqId”:“fmnXnGdwKlyJSOwyEhG6”,“level”:3,“time”:“2024-08-29T15:33:05+00:00”,“remoteAddr”:“84.xxx.yyy.61”,“user”:“< username >”,“app”:“richdocuments”,“method”:“GET”,“url”:“/nextcloud/apps/richdocuments/settings/check”,“message”:“cURL error 60: SSL certificate problem: unable to get local issuer certificate (see libcurl - Error Codes) for https://ucs.mydomain.de/hosting/discovery",“userAgent”:"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0”,“version”:“28.0.7.4”,“exception”:{“Exception”:“GuzzleHttp\Exception\RequestException”,“Message”:“cURL error 60: SSL certificate problem: unable to get local issuer certificate (see libcurl - Error Codes) for https://ucs.mydomain.de/hosting/discovery",“Code”:0,“Trace”:[{“file”:“/var/www/html/3rdparty/guzzlehttp/guzzle/src/Handler/CurlFactory.php”,“line”:158,“function”:“createRejection”,“class”:“GuzzleHttp\\Handler\\CurlFactory”,“type”:“::”,“args”:["*** sensitive parameters replaced “]},{“file”:”/var/www/html/3rdparty/guzzlehttp/guzzle/src/Handler/CurlFactory.php",“line”:110,“function”:“finishError”,“class”:“GuzzleHttp\Handler\CurlFactory”,“type”:“::”},{“file”:“/var/www/html/3rdparty/guzzlehttp/guzzle/src/Handler/CurlHandler.php”,“line”:47,“function”:“finish”,“class”:“GuzzleHttp\Handler\CurlFactory”,“type”:“::”},{“file”:“/var/www/html/3rdparty/guzzlehttp/guzzle/src/Middleware.php”,“line”:137,“function”:“__invoke”,“class”:“GuzzleHttp\Handler\CurlHandler”,“type”:“->”},{“file”:“/var/www/html/lib/private/Http/Client/DnsPinMiddleware.php”,“line”:121,“function”:“GuzzleHttp\{closure}”,“class”:“GuzzleHttp\Middleware”,“type”:“::”,“args”:[" sensitive parameters replaced “]},{“file”:”/var/www/html/3rdparty/guzzlehttp/guzzle/src/PrepareBodyMiddleware.php",“line”:35,“function”:“OC\Http\Client\{closure}”,“class”:“OC\Http\Client\DnsPinMiddleware”,“type”:“->”,“args”:[" sensitive parameters replaced 
“]},{“file”:”/var/www/html/3rdparty/guzzlehttp/guzzle/src/Middleware.php",“line”:31,“function”:“__invoke”,“class”:“GuzzleHttp\PrepareBodyMiddleware”,“type”:“->”},{“file”:“/var/www/html/3rdparty/guzzlehttp/guzzle/src/RedirectMiddleware.php”,“line”:71,“function”:“GuzzleHttp\{closure}”,“class”:“GuzzleHttp\Middleware”,“type”:“::”,“args”:[" sensitive parameters replaced “]},{“file”:”/var/www/html/3rdparty/guzzlehttp/guzzle/src/Middleware.php",“line”:63,“function”:“__invoke”,“class”:“GuzzleHttp\RedirectMiddleware”,“type”:“->”},{“file”:“/var/www/html/3rdparty/guzzlehttp/guzzle/src/HandlerStack.php”,“line”:75,“function”:“GuzzleHttp\{closure}”,“class”:“GuzzleHttp\Middleware”,“type”:“::”,“args”:[" sensitive parameters replaced “]},{“file”:”/var/www/html/3rdparty/guzzlehttp/guzzle/src/Client.php",“line”:331,“function”:“__invoke”,“class”:“GuzzleHttp\HandlerStack”,“type”:“->”},{“file”:“/var/www/html/3rdparty/guzzlehttp/guzzle/src/Client.php”,“line”:168,“function”:“transfer”,“class”:“GuzzleHttp\Client”,“type”:“->”},{“file”:“/var/www/html/3rdparty/guzzlehttp/guzzle/src/Client.php”,“line”:187,“function”:“requestAsync”,“class”:“GuzzleHttp\Client”,“type”:“->”,“args”:[" sensitive parameters replaced 
***”]},{“file”:“/var/www/html/lib/private/Http/Client/Client.php”,“line”:230,“function”:“request”,“class”:“GuzzleHttp\Client”,“type”:“->”},{“file”:“/var/www/html/apps/richdocuments/lib/Service/DiscoveryService.php”,“line”:109,“function”:“get”,“class”:“OC\Http\Client\Client”,“type”:“->”},{“file”:“/var/www/html/apps/richdocuments/lib/Service/ConnectivityService.php”,“line”:44,“function”:“fetchFromRemote”,“class”:“OCA\Richdocuments\Service\DiscoveryService”,“type”:“->”},{“file”:“/var/www/html/apps/richdocuments/lib/Controller/SettingsController.php”,“line”:70,“function”:“testDiscovery”,“class”:“OCA\Richdocuments\Service\ConnectivityService”,“type”:“->”},{“file”:“/var/www/html/lib/private/AppFramework/Http/Dispatcher.php”,“line”:230,“function”:“checkSettings”,“class”:“OCA\Richdocuments\Controller\SettingsController”,“type”:“->”},{“file”:“/var/www/html/lib/private/AppFramework/Http/Dispatcher.php”,“line”:137,“function”:“executeController”,“class”:“OC\AppFramework\Http\Dispatcher”,“type”:“->”},{“file”:“/var/www/html/lib/private/AppFramework/App.php”,“line”:184,“function”:“dispatch”,“class”:“OC\AppFramework\Http\Dispatcher”,“type”:“->”},{“file”:“/var/www/html/lib/private/Route/Router.php”,“line”:315,“function”:“main”,“class”:“OC\AppFramework\App”,“type”:“::”},{“file”:“/var/www/html/lib/base.php”,“line”:1069,“function”:“match”,“class”:“OC\Route\Router”,“type”:“->”},{“file”:“/var/www/html/index.php”,“line”:39,“function”:“handleRequest”,“class”:“OC”,“type”:“::”}],“File”:“/var/www/html/3rdparty/guzzlehttp/guzzle/src/Handler/CurlFactory.php”,“Line”:211,“message”:“cURL error 60: SSL certificate problem: unable to get local issuer certificate (see libcurl - Error Codes) for https://ucs.mydomain.de/hosting/discovery",“exception”:[],“CustomMessage”:"cURL error 60: SSL certificate problem: unable to get local issuer certificate (see libcurl - Error Codes) for https://ucs.mydomain.de/hosting/discovery"},“id”:"66d1beeeb3715”}

Hi @Mornsgrans

I don’t think it will fix the error but nextcloud on UCS is “Nextcloud Hub 7” (28.0.7) now.
You have to update nextcloud twice.

Best,
Bernd

Sorry, it was a mistype. 28.0.7 already is installed. I did correct it in my posting above.

After several updates to

  • UCS 5.0-9 errata1204
  • Nextcloud 28.0.14
  • Collabora CODE 24.04.11.2

the issue still persists.

openssl -showcerts gives back this result:

root@ucs:/# openssl s_client -connect ucs.myucs.de:443 -showcerts
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R10
verify return:1
depth=0 CN = ucs.myucs.de
verify return:1
---
Certificate chain
 0 s:CN = ucs.myucs.de
   i:C = US, O = Let's Encrypt, CN = R10
-----BEGIN CERTIFICATE-----
MIIGXTCCBUWgAwIBAgISA9qHAeL3e5GIaRQnfb9DZdiKMA0GCSqGSIb3DQEBCwUA
...
H6HGCDY8Kc2FyGmvohO2s268iEcmVD8oJYZ/RhHDCeRqGJ0Qb/wum8/fnXeMmzQ7
/g==
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
...
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ucs.myucs.de

issuer=C = US, O = Let's Encrypt, CN = R10

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3760 bytes and written 386 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: B74Axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1A7
    Session-ID-ctx:
    Resumption PSK: CACAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx7B34
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 55 17 9f 70 bd d1 cb 61-7e 48 67 ba 83 88 9b 8e   U..p...a~Hg.....
    ...
    00e0 - ae cb 03 48 15 12 07 58-7c 62 49 81 ad 9f fe f5   ...H...X|bI.....

    Start Time: 1738229678
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 14Exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx597D
    Session-ID-ctx:
    Resumption PSK: 47ED2xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx316D9C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 55 17 9f 70 bd d1 cb 61-7e 48 67 ba 83 88 9b 8e   U..p...a~Hg.....
    ...
    00e0 - c5 ab 85 e0 51 1c eb e0-3d 9d 79 b4 ba d9 74 4f   ....Q...=.y...tO

    Start Time: 1738229678
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed
root@ucs:/#

At stackoverflow I found this suggestion:

I actually had this kind of problem and I solved it by these steps:

    Get the bundle of root CA certificates from here: https://curl.haxx.se/ca/cacert.pem and save it locally

    Find the php.ini file

    Set the curl.cainfo to be the path of the certificates. So it will be something like:

curl.cainfo = /path/of/the/keys/cacert.pem

but I don’t want to manipulate the config files on my UCS system, to prevent unexpected behavior.
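
Added example, not part of any post in this thread: in the pasted chain, certificate 0 names `CN = R10` as its issuer while certificate 1, the only intermediate listed, has subject `CN = R3`. A client that has no copy of R10 of its own cannot link the leaf to a root from such a chain, which curl reports as error 60; the script below checks that linkage from `openssl s_client -showcerts` output. The function names and the sample (constructed from the subject/issuer lines above, PEM bodies omitted) are assumptions.

```shell
#!/bin/sh
# Added example: report breaks in the chain a server sends, using the
# "N s:<subject>" / "i:<issuer>" lines of `openssl s_client -showcerts`.
# chain_gaps and sample_chain are hypothetical names.

# Reads s_client output on stdin; prints one line per break, returns 1 if any.
chain_gaps() {
    awk '
        # " 0 s:CN = host"  -> subject of served certificate N
        /^ *[0-9]+ s:/ { n = $1 + 0; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; count = n + 1; next }
        # "   i:C = US, ..." -> issuer of the certificate just read
        /^ *i:/ && count > 0 && !(n in iss) { sub(/^ *i:/, ""); iss[n] = $0; next }
        END {
            bad = 0
            if (count == 0) { print "gap: no certificate chain found in input"; exit 1 }
            # Each certificate must be issued by the next one in the served list.
            for (k = 0; k < count - 1; k++)
                if (iss[k] != subj[k + 1]) {
                    printf "gap: cert %d issuer [%s] != cert %d subject [%s]\n", k, iss[k], k + 1, subj[k + 1]
                    bad = 1
                }
            # A lone, non-self-signed leaf means no intermediate was served at all.
            if (count == 1 && iss[0] != subj[0]) {
                printf "gap: only the leaf was served; issuer [%s] missing\n", iss[0]
                bad = 1
            }
            exit bad
        }
    '
}

# Constructed sample: the subject/issuer lines from the output above, PEM omitted.
sample_chain() {
    cat <<'EOF'
Certificate chain
 0 s:CN = ucs.myucs.de
   i:C = US, O = Let's Encrypt, CN = R10
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
EOF
}

sample_chain | chain_gaps || true
# Live use (HOST is a placeholder):
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null 2>/dev/null | chain_gaps
```

Running the same check from inside the environment that makes the failing request shows what that client is actually served, independent of the trust store on the host.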