Api.nextcloud.com fails Certificate [ mitigated ]

Certificate misconfiguration of api.nextcloud.com OR misnaming api.nextcloud.com

```
$ curl -v https://api.nextcloud.com/v1/
* Trying 2a01:4f9:2b:29dc::153:443...
* Connected to api.nextcloud.com (2a01:4f9:2b:29dc::153) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=www.nextcloud.at
* start date: Feb 8 04:00:33 2020 GMT
* expire date: May 8 04:00:33 2020 GMT
* subjectAltName does not match api.nextcloud.com
* SSL: no alternative certificate subject name matches target host name 'api.nextcloud.com'
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'api.nextcloud.com'
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```

I have NO IDEA where to post this issue. When posting on the GitHub for the server people, it is closed as it is an operational issue, not server software.
It blocks changing/updating apps.

I guess it’s okay to post infrastructure issues at https://github.com/nextcloud/server/.

Regarding your problem / report at: https://github.com/nextcloud/server/issues/19783

  1. It’s always bad to not use the issue template. It makes triaging much harder than necessary.

  2. Yes the certificate for api.nextcloud.com is wrong. Curiously no one else is complaining here or at GitHub. I’m able to update apps on my instance.

  3. Why is your instance sending requests to api.nextcloud.com at all? The app store uses a different URL. You probably changed the app store URL. Fix that.

A certificate error is something quite obvious; it's a problem no matter what configuration you are using (if verified by a different system to exclude that it's something related just to your system).

Ok that comment 3 actually helped…

For some reason, in the config.php the line:
`'appstoreurl' => 'https://api.nextcloud.com/v1',`
was written.
This line is removed.

This config & setup once started as an ownCloud v3 instance and was converted to Nextcloud when Nextcloud was created.
I have no recollection of ever setting that config line.
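
The two checks this thread ended up doing by hand, as an added example that is not part of the original posts or of Nextcloud's code: find an `appstoreurl` override in config.php text, then test whether a certificate's names cover that host using the same kind of name matching curl applies. The sample config and the SAN list `["www.nextcloud.at"]` are constructed assumptions (the curl output above shows only the subject CN), and the function names are hypothetical.

```python
import re
from urllib.parse import urlparse

# Constructed sample config.php content containing the override found in the thread.
SAMPLE_CONFIG = """<?php
$CONFIG = array (
  'instanceid' => 'ocexample123',
  'appstoreurl' => 'https://api.nextcloud.com/v1',
);
"""

# Assumed SAN list for the certificate the server presented (constructed).
PRESENTED_SANS = ["www.nextcloud.at"]


def find_appstore_override(config_text):
    """Return the host of an 'appstoreurl' override in config.php text, or None."""
    m = re.search(r"""['"]appstoreurl['"]\s*=>\s*['"]([^'"]+)['"]""", config_text)
    return urlparse(m.group(1)).hostname if m else None


def san_matches(hostname, san):
    """DNS name match in the style of RFC 6125: case-insensitive, label by label,
    with '*' accepted only as the entire left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = san.lower().rstrip(".").split(".")
    if len(host) != len(pat) or "" in host:
        return False  # a wildcard never spans more than one label
    if pat[0] == "*":
        # Require two literal labels after the wildcard, which rejects "*.com".
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def cert_covers(hostname, san_list):
    """True if any name in the certificate covers the requested host."""
    return any(san_matches(hostname, s) for s in san_list)


if __name__ == "__main__":
    host = find_appstore_override(SAMPLE_CONFIG)
    if host is None:
        print("no appstoreurl override; the instance uses its default app store URL")
    else:
        verdict = "covered" if cert_covers(host, PRESENTED_SANS) else "NOT covered"
        print(f"appstoreurl override points at {host}: {verdict} by {PRESENTED_SANS}")
```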