ownCloud update to 10.0.9: Integrity check for ca-bundle failed


#1

Hi all,
after upgrading ownCloud to version 10.0.9 this morning, I’m facing this warning message now:

Technical information
=====================
The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.

Results
=======
- core
	- INVALID_HASH
		- resources/config/ca-bundle.crt

Raw output
==========
Array
(
    [core] => Array
        (
            [INVALID_HASH] => Array
                (
                    [resources/config/ca-bundle.crt] => Array
                        (
                            [expected] => e33e630c79005c3151522f1c3b840d07e7ee36b6a13f66d616b5046b1bb1e02208a375b046dd05b82121ff444c2af3f71ad6c97e52f32b42a022916adbeda92c
                            [current] => ecd588c735c24e3f933b9edb594d2d558de9b25641d6c7ce650b938d69cf14d1814036c56ce5693afcf6dcf00e6f158ffa144a33bb2cc28fab5d57313903c1f1

Besides this warning everything else seems to be working as expected. Not sure what is the correct way to fix this - any hint would be much appreciated.

thx
Thomas


#2

Sorry for bringing this up again.
I’m aware that this is not a big thing (as stated before, everything works as expected), but is there really no way to get this fixed?

thx
Thomas


#3

Where do you see this warning?
I tried to reproduce it and installed 10.8 followed by upgrading the app.

I have not seen the usual yellow warning or anything in the admin section. The only way I have seen the warning was using occ (install sudo into the container first):

root@owncl-49034667: /var/www/owncloud # sudo -u www-data ./occ integrity:check-core
  - core:
    - INVALID_HASH:
      - resources/config/ca-bundle.crt:
        - expected: e33e630c79005c3151522f1c3b840d07e7ee36b6a13f66d616b5046b1bb1e02208a375b046dd05b82121ff444c2af3f71ad6c97e52f32b42a022916adbeda92c
        - current: 767150d79d5d02daac483969c6947496dfd04aad9c7a26866b9f70c3dc1b067bb0f0ba317d785a9e0e19c3b4c4ef9789f551e65da4c82d32adbfff91371a4427

IMO it is caused by the “collabora-cert”, which is actually /etc/univention/ssl/ucsCA/CAcert.pem that is appended to /var/www/owncloud/resources/config/ca-bundle.crt (inside the container, I haven’t checked if it is also accessible outside). As soon as the last certificate in the chain is removed, the warning disappears.

According to https://doc.owncloud.org/server/9.0/admin_manual/issues/code_signing.html#fixing-invalid-code-integrity-messages the INVALID_HASH can only be avoided if

  • ca-bundle.crt is untouched or
  • signature.json is adjusted

The last one can only be fixed by the vendor. @ngulden: can you please point them to this thread?

I am not sure which technical implications will follow a removal of the UCS-CA certificate. I only remember that we added it to the bundle back in time with earlier versions when the trust-check was not yet implemented.

hth, Dirk
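
The diagnosis in this post can be checked instead of assumed. The following is an added example, not part of the original post and not ownCloud or Univention code: it tests whether a flagged ca-bundle.crt is the shipped file plus appended material only, and fingerprints what was appended. It assumes the expected/current values are SHA-512 digests of the file's raw bytes (they are 128 hex digits long); all function names and the sample data are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pristine_prefix_len(data: bytes, expected_sha512: str):
    """Length of the leading part of data whose SHA-512 equals expected, else None."""
    expected, h, offset = expected_sha512.lower(), hashlib.sha512(), 0
    for line in data.splitlines(keepends=True):
        body = line.rstrip(b"\r\n")
        # Test the boundary before and after the line ending, because the
        # appending script may have inserted its own newline first.
        for chunk in (body, line[len(body):]):
            h.update(chunk)
            offset += len(chunk)
            if h.hexdigest() == expected:
                return offset
    return None


def explain_mismatch(data: bytes, expected_sha512: str):
    """Describe what follows the pristine prefix; None means not a pure append."""
    cut = pristine_prefix_len(data, expected_sha512)
    if cut is None:
        return None  # shipped content itself was changed: unexplained
    tail = data[cut:]
    prints = [hashlib.sha256(base64.b64decode(b"".join(b.split()))).hexdigest()
              for b in PEM_BLOCK.findall(tail)]
    stray = len(PEM_BLOCK.sub(b"", tail).strip())
    return {"appended_certs": prints, "non_cert_bytes": stray}


def pem(der: bytes) -> bytes:
    """Wrap bytes in a PEM certificate envelope (for the constructed sample)."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")


# Constructed sample: placeholder "certificates", not real CA data.
SHIPPED = pem(b"constructed root A") + pem(b"constructed root B")
EXPECTED = hashlib.sha512(SHIPPED).hexdigest()
LOCAL_CA = pem(b"constructed local CA")

if __name__ == "__main__":
    print(explain_mismatch(SHIPPED + LOCAL_CA, EXPECTED))
    print(explain_mismatch(b"# edited\n" + SHIPPED + LOCAL_CA, EXPECTED))
```

On a real system, pass the bytes of resources/config/ca-bundle.crt and the "expected" value from the integrity report, then compare the returned SHA-256 fingerprint with that of the local CA file. A result of None, or a non-zero non_cert_bytes, means the mismatch is not explained by an appended certificate alone.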


#4

Dirk, thank you for feedback!

Sorry for not being clear in my previous posting, I see this warning on the ownCloud-webpage when I’m logged in as admin (ownCloud user - see also attached screenshot).

Integrity-check from command-line gives me the same result.

Your explanation sounds absolutely plausible to me. But as I’m using Collabora as well on my system, the ca-bundle.crt is accordingly not untouched, therefore a quick and simple solution seems not to be feasible.

Just wondering what has been changed with version 10.0.9, as I have never seen this warning on previous ownCloud versions.

thx, Thomas


#5

According to the sources of the setup routine this change was introduced with 10.0.8-20180604


#6

Hello @ahrnke,

thanks for reaching out.

@dmitry: Can you please have a look at this discussion? Thank you very much.

Best regards,
Nico


#7

Hi,

you can add this to your config.php to remove this warning message:

'integrity.check.disabled' => true

or you can try to exclude specific directories

'excluded_directories' =>
        array (
                '.snapshot',
                '~snapshot',
        ),

For more information please visit doc.owncloud.com


#8

This explains it … thanks

Disabling the integrity-check in general seems not to be the right approach for me. I will wait for a solution that really fixes the root cause - but thank you anyway dmitry, for having a look!

thx, Thomas


#9

Well, that’s complicated.

Root cause is - to simplify the process of connecting collabora / onlyoffice to the appliance and to have it working out of the box we need this certificate. This certificate is being put inside ownCloud. This is causing the integrity check to sound alarms because this file is not supposed to be there. Integrity check should protect you against people editing your files and you not noticing it.

If you just install onlyoffice in univention app center you will notice that there is a code box in the description after the installation process - “Do this if you want ownCloud / Nextcloud to work with collabora”. That would mean you would have to log in to the command line / connect via ssh, log in to the appliance, copy the command, paste the command, execute the command. This is not optimal.

That’s why we created the process that does this for you.

We will try to figure out how we can improve this process so that you will not see the integrity check message, but in the meantime, if you want to use 10.0.9, I advise you to edit your config.php.


#10

that would be great :slight_smile:

In the meantime I will leave the system as it is - like I said before, everything is working …

Thanks for your efforts dmitry!

Best regards
Thomas