Certificate has expired for apps.nextcloud and nextcloud.com

After trying to update my test system via the updater, I got the message: The connection to the app store could not be established or the app store did not return any apps. Check for updates yourself or make sure that your server has access to the Internet and can connect to the app store.
Okay, I updated manually and realized that I can't update any apps.
So here are the errors and warnings from the log:
[internet_connection_check] Error: GuzzleHttp\Exception\RequestException: cURL error 60: SSL certificate problem: certificate has expired (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://www.nextcloud.com/ at <>

  1. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/Handler/CurlFactory.php line 158
    GuzzleHttp\Handler\CurlFactory::createRejection(GuzzleHttp\Handl … l}, {0: "And 36 more … l})
  2. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/Handler/CurlFactory.php line 110
    GuzzleHttp\Handler\CurlFactory::finishError(GuzzleHttp\Handler\CurlHandler {}, GuzzleHttp\Handl … l}, GuzzleHttp\Handler\CurlFactory {})
  3. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/Handler/CurlHandler.php line 47
    GuzzleHttp\Handler\CurlFactory::finish(GuzzleHttp\Handler\CurlHandler {}, GuzzleHttp\Handl … l}, GuzzleHttp\Handler\CurlFactory {})
  4. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/Handler/Proxy.php line 28
    GuzzleHttp\Handler\CurlHandler->__invoke("*** sensitive parameter replaced ", " sensitive parameter replaced ***")
  5. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/Handler/Proxy.php line 48
    GuzzleHttp\Handler\Proxy::GuzzleHttp\Handler{closure}("*** sensitive parameters replaced ***")
  6. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/PrepareBodyMiddleware.php line 35
    GuzzleHttp\Handler\Proxy::GuzzleHttp\Handler{closure}("*** sensitive parameters replaced ***")
  7. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/Middleware.php line 31
    GuzzleHttp\PrepareBodyMiddleware->__invoke("*** sensitive parameter replaced ", " sensitive parameter replaced ***")
  8. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/RedirectMiddleware.php line 71
    GuzzleHttp\Middleware::GuzzleHttp{closure}("*** sensitive parameters replaced ***")
  9. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/RedirectMiddleware.php line 99
    GuzzleHttp\RedirectMiddleware->__invoke("*** sensitive parameter replaced ", " sensitive parameter replaced ***")
  10. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/RedirectMiddleware.php line 73
    GuzzleHttp\RedirectMiddleware->checkRedirect(GuzzleHttp\Psr7\Request {}, “*** sensitive parameter replaced ", " sensitive parameter replaced ***”)
  11. /var/www/nextcloud/3rdparty/guzzlehttp/promises/src/FulfilledPromise.php line 41
    GuzzleHttp\RedirectMiddleware->GuzzleHttp{closure}("*** sensitive parameters replaced ***")
  12. /var/www/nextcloud/3rdparty/guzzlehttp/promises/src/TaskQueue.php line 48
    GuzzleHttp\Promise\FulfilledPromise::GuzzleHttp\Promise{closure}("*** sensitive parameters replaced ***")
  13. /var/www/nextcloud/3rdparty/guzzlehttp/promises/src/Promise.php line 248
    GuzzleHttp\Promise\TaskQueue->run(true)
  14. /var/www/nextcloud/3rdparty/guzzlehttp/promises/src/Promise.php line 224
    GuzzleHttp\Promise\Promise->invokeWaitFn()
  15. /var/www/nextcloud/3rdparty/guzzlehttp/promises/src/Promise.php line 269
    GuzzleHttp\Promise\Promise->waitIfPending()
  16. /var/www/nextcloud/3rdparty/guzzlehttp/promises/src/Promise.php line 226
    GuzzleHttp\Promise\Promise->invokeWaitList()
  17. /var/www/nextcloud/3rdparty/guzzlehttp/promises/src/Promise.php line 62
    GuzzleHttp\Promise\Promise->waitIfPending()
  18. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/Client.php line 187
    GuzzleHttp\Promise\Promise->wait()
  19. /var/www/nextcloud/lib/private/Http/Client/Client.php line 236
    GuzzleHttp\Client->request(“get”, “http://www.nextcloud.com/”, {verify: "/var/w … e})
  20. /var/www/nextcloud/apps/settings/lib/Controller/CheckSetupController.php line 178
    OC\Http\Client\Client->get(“http://www.nextcloud.com/”)
  21. /var/www/nextcloud/apps/settings/lib/Controller/CheckSetupController.php line 161
    OCA\Settings\Controller\CheckSetupController->isSiteReachable(“www.nextcloud.com”)
  22. /var/www/nextcloud/apps/settings/lib/Controller/CheckSetupController.php line 742
    OCA\Settings\Controller\CheckSetupController->hasInternetConnectivityProblems()
  23. /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 218
    OCA\Settings\Controller\CheckSetupController->check()
  24. /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 127
    OC\AppFramework\Http\Dispatcher->executeController(OCA\Settings\Con … {}, “check”)
  25. /var/www/nextcloud/lib/private/AppFramework/App.php line 157
    OC\AppFramework\Http\Dispatcher->dispatch(OCA\Settings\Con … {}, “check”)
  26. /var/www/nextcloud/lib/private/Route/Router.php line 302
    OC\AppFramework\App::main(“OCA\Settings\ … r”, “check”, OC\AppFramework\ … {}, {_route: “settings.CheckSetup.check”})
  27. /var/www/nextcloud/lib/base.php line 993
    OC\Route\Router->match("/settings/ajax/checksetup")
  28. /var/www/nextcloud/index.php line 37
    OC::handleRequest()

[appstoreFetcher] Warning: GuzzleHttp\Exception\RequestException: cURL error 60: SSL certificate problem: certificate has expired (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://apps.nextcloud.com/api/v1/apps.json at <>

  1. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/Handler/CurlFactory.php line 158
    GuzzleHttp\Handler\CurlFactory::createRejection(GuzzleHttp\Handl … l}, {0: "And 36 more … l})
  2. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/Handler/CurlFactory.php line 110
    GuzzleHttp\Handler\CurlFactory::finishError(GuzzleHttp\Handler\CurlHandler {}, GuzzleHttp\Handl … l}, GuzzleHttp\Handler\CurlFactory {})
  3. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/Handler/CurlHandler.php line 47
    GuzzleHttp\Handler\CurlFactory::finish(GuzzleHttp\Handler\CurlHandler {}, GuzzleHttp\Handl … l}, GuzzleHttp\Handler\CurlFactory {})
  4. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/Handler/Proxy.php line 28
    GuzzleHttp\Handler\CurlHandler->__invoke("*** sensitive parameter replaced ", " sensitive parameter replaced ***")
  5. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/Handler/Proxy.php line 48
    GuzzleHttp\Handler\Proxy::GuzzleHttp\Handler{closure}("*** sensitive parameters replaced ***")
  6. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/PrepareBodyMiddleware.php line 35
    GuzzleHttp\Handler\Proxy::GuzzleHttp\Handler{closure}("*** sensitive parameters replaced ***")
  7. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/Middleware.php line 31
    GuzzleHttp\PrepareBodyMiddleware->__invoke("*** sensitive parameter replaced ", " sensitive parameter replaced ***")
  8. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/RedirectMiddleware.php line 71
    GuzzleHttp\Middleware::GuzzleHttp{closure}("*** sensitive parameters replaced ***")
  9. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/Middleware.php line 63
    GuzzleHttp\RedirectMiddleware->__invoke("*** sensitive parameter replaced ", " sensitive parameter replaced ***")
  10. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/HandlerStack.php line 75
    GuzzleHttp\Middleware::GuzzleHttp{closure}("*** sensitive parameters replaced ***")
  11. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/Client.php line 331
    GuzzleHttp\HandlerStack->__invoke("*** sensitive parameter replaced ", " sensitive parameter replaced ***")
  12. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/Client.php line 168
    GuzzleHttp\Client->transfer("*** sensitive parameter replaced ", " sensitive parameter replaced ***")
  13. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/Client.php line 187
    GuzzleHttp\Client->requestAsync(“get”, GuzzleHttp\Psr7\Uri {}, {0: "And 6 more … }})
  14. /var/www/nextcloud/lib/private/Http/Client/Client.php line 236
    GuzzleHttp\Client->request(“get”, “https://apps.ne … n”, {verify: "/var/w … e})
  15. /var/www/nextcloud/lib/private/App/AppStore/Fetcher/Fetcher.php line 116
    OC\Http\Client\Client->get(“https://apps.ne … n”, {timeout: 60})
  16. /var/www/nextcloud/lib/private/App/AppStore/Fetcher/AppFetcher.php line 88
    OC\App\AppStore\Fetcher\Fetcher->fetch("", “”)
  17. /var/www/nextcloud/lib/private/App/AppStore/Fetcher/Fetcher.php line 188
    OC\App\AppStore\Fetcher\AppFetcher->fetch("", “”, false)
  18. /var/www/nextcloud/lib/private/Installer.php line 444
    OC\App\AppStore\Fetcher\Fetcher->get(false)
  19. /var/www/nextcloud/apps/settings/lib/Controller/AppSettingsController.php line 256
    OC\Installer->isUpdateAvailable(“user_status”)
  20. <>
    OCA\Settings\Controller\AppSettingsController->OCA\Settings\Controller{closure}("*** sensitive parameters replaced ***")
  21. /var/www/nextcloud/apps/settings/lib/Controller/AppSettingsController.php line 248
    array_map(Closure {}, {0: "And 43 more … }})
  22. /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 218
    OCA\Settings\Controller\AppSettingsController->listApps()
  23. /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 127
    OC\AppFramework\Http\Dispatcher->executeController(OCA\Settings\Con … {}, “listApps”)
  24. /var/www/nextcloud/lib/private/AppFramework/App.php line 157
    OC\AppFramework\Http\Dispatcher->dispatch(OCA\Settings\Con … {}, “listApps”)
  25. /var/www/nextcloud/lib/private/Route/Router.php line 302
    OC\AppFramework\App::main(“OCA\Settings\ … r”, “listApps”, OC\AppFramework\ … {}, {_route: “settings.AppSettings.listApps”})
  26. /var/www/nextcloud/lib/base.php line 993
    OC\Route\Router->match("/settings/apps/list")
  27. /var/www/nextcloud/index.php line 37
    OC::handleRequest()

I can wget both URLs, but Nextcloud is not accepting the certificate.
I hope someone can help me.

No, the certificate for apps.nextcloud.com:443 doesn’t expire.

  • Since 30.09.2021 the DST_Root_CA_X3 root has been expired
  • apps.nextcloud.com:443 delivers two certificate chains
    • This is the default from Let's Encrypt. letsencrypt.org:443 does the same.
    • The idea of two chains: one is valid and the other remains for higher compatibility with older Android devices (older Android devices do not check the expiration date of the root certificate if the intermediate is still valid)
  • See also: SSL Server Test: apps.nextcloud.com (Powered by Qualys SSL Labs)

Comparison letsencrypt.org vs. apps.nextcloud.com:

$ openssl s_client -connect apps.nextcloud.com:443 -servername apps.nextcloud.com < /dev/null 2>/dev/null | grep "Certificate chain" -A7
Certificate chain
 0 s:/CN=apps.nextcloud.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

$ openssl s_client -connect letsencrypt.org:443 -servername letsencrypt.org < /dev/null 2>/dev/null | grep "Certificate chain" -A7      
Certificate chain
 0 s:/CN=lencr.org
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

But older Linux distros are bothered (with newer ones this is no longer a problem) when a chain leads to an expired root although another chain leads to a correct root. In this case, you can simply remove the expired root certificate.

For Debian:

$ curl https://community.letsencrypt.org/
curl: (60) SSL certificate problem: certificate has expired
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

$ rm /etc/ssl/certs/DST_Root_CA_X3.pem 

$ curl -i https://community.letsencrypt.org/
HTTP/1.1 200 OK

This affects e.g. Debian 8. However, if you use Debian 8, you should also consider upgrading Debian. Version 8 is end of life and no longer receives security updates.

However, if the ISRG_Root_X1 certificate is missing on your local system, then this is of no use. Then you should upgrade your Linux distro.

1 Like
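The behaviour described in the post above, as an added example that is not part of the original thread: a simplified Python model of certificate path building (names and expiry dates only, no signature checks). It shows why a client that prefers the server-sent chain ends at the expired DST Root CA X3, while a client that prefers its trust store, or one whose expired root was removed, ends at ISRG Root X1. The `Cert` type, `build_path`, `verify` and every date except the 30.09.2021 expiry are assumptions made for illustration.

```python
from collections import namedtuple
from datetime import date

# Simplified certificate: names and expiry only, no keys or signatures.
Cert = namedtuple("Cert", "subject issuer not_after")

# Constructed data; only the DST Root CA X3 expiry date is from the thread.
LEAF = Cert("apps.nextcloud.com", "R3", date(2021, 12, 1))
R3 = Cert("R3", "ISRG Root X1", date(2025, 1, 1))
X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 1, 1))
X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 1, 1))
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))

SENT = [LEAF, R3, X1_CROSS]                      # chain the server delivers
STORE_BOTH = {c.subject: c for c in (DST_X3, X1_SELF)}
STORE_FIXED = {X1_SELF.subject: X1_SELF}         # expired root removed
TODAY = date(2021, 10, 15)

def build_path(sent, store, trusted_first):
    """Return leaf..anchor, or None when no trusted root can be reached."""
    extra = {c.subject: c for c in sent[1:]}
    path = [sent[0]]
    while len(path) <= len(sent):
        issuer = path[-1].issuer
        if issuer in store and (trusted_first or issuer not in extra):
            return path + [store[issuer]]
        if issuer not in extra:
            break
        path.append(extra[issuer])
    # Fallback used only when no anchor was found: retry from shorter prefixes.
    for i in range(len(path) - 1, -1, -1):
        if path[i].issuer in store:
            return path[: i + 1] + [store[path[i].issuer]]
    return None

def verify(sent, store, today, trusted_first):
    """Build a path, then apply the expiry check to every certificate in it."""
    path = build_path(sent, store, trusted_first)
    if path is None:
        return "unable to get local issuer certificate"
    for cert in path:
        if cert.not_after < today:
            return "certificate has expired: " + cert.subject
    return "ok via " + path[-1].subject

if __name__ == "__main__":
    for store, tf in ((STORE_BOTH, False), (STORE_BOTH, True), (STORE_FIXED, False)):
        print(tf, sorted(store), "->", verify(SENT, store, TODAY, tf))
```

With an empty trust store the model returns a missing-issuer error instead, which is the case the post covers when ISRG_Root_X1 is absent locally.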

I’m running Debian 10. After removing the “DST_Root_CA_X3.pem” cert it’s working again. Thank you very much. You are my hero, after weeks of investigating and looking for the issue it’s finally solved :)

1 Like

I’m running Debian 10 but also encountered this problem, and rm /etc/ssl/certs/DST_Root_CA_X3.pem could not solve my problem. Finally I solved it by manually updating ca-bundle.crt.

4 Likes

This worked for me. Nextcloud version 21.0.5 and previous versions will hold the expired DST Root CA X3 cert. Manually replacing the ca-bundle.crt file could fix this. Updating to the latest version may also fix it (22.1.0 didn’t).

1 Like
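An added example (not from the posts above, and not Nextcloud's own code) for checking what a given CA bundle actually contains: it loads a PEM file with Python's `ssl` module and reports whether the two roots named in this thread are missing, expired or valid. The bundle path is supplied by the caller, and `audit`, `needs_action` and the `SAMPLE` records are hypothetical names and constructed data.

```python
import ssl
import sys
import time

WATCHED = ("DST Root CA X3", "ISRG Root X1")     # roots named in this thread

# Constructed records in the shape SSLContext.get_ca_certs() returns.
SAMPLE = [
    {"subject": ((("commonName", "DST Root CA X3"),),),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
    {"subject": ((("organizationName", "Internet Security Research Group"),),
                 (("commonName", "ISRG Root X1"),)),
     "notAfter": "Jun 04 11:04:38 2035 GMT"},
]

def common_name(cert):
    """Pull the CN out of the nested subject tuple."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def load_bundle(path):
    """Parse a local PEM bundle; no network connection is made."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=path)
    return ctx.get_ca_certs()

def audit(certs, now=None):
    """Map each watched root to 'missing', 'expired' or 'valid'."""
    now = time.time() if now is None else now
    report = {name: "missing" for name in WATCHED}
    for cert in certs:
        name = common_name(cert)
        if name in report:
            expired = ssl.cert_time_to_seconds(cert["notAfter"]) < now
            report[name] = "expired" if expired else "valid"
    return report

def needs_action(report):
    """Thread's advice: expired root gone, ISRG Root X1 present and valid."""
    return (report["DST Root CA X3"] != "missing"
            or report["ISRG Root X1"] != "valid")

if __name__ == "__main__":
    print("sample", audit(SAMPLE))
    for path in sys.argv[1:]:                    # e.g. a ca-bundle.crt file
        report = audit(load_bundle(path))
        print(path, report, "action needed:", needs_action(report))
```

Run it against both the system bundle and the bundle the application is configured to use, since removing a root from one does not change the other.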

I am on Ubuntu 20.14.
It doesn’t have DST_Root_CA_X3.pem.

Perhaps you have another error. Post details and logs.

Hi,

With a Nextcloud 21.0.4 jail installation on a TrueNAS server I had to replace the jail file

/etc/ssl/cert.pem

Here are the commands:

jexec 1 sh   # open a shell in jail ID 1 (jls only lists jails)
sudo su
mv /etc/ssl/cert.pem /etc/ssl/cert.pem.bkp
curl https://curl.se/ca/cacert.pem >> /etc/ssl/cert.pem

Hope this helps!

On “Ubuntu Server 20.04 LTS” I had to edit the /etc/ca-certificates.conf file and then update the ca certificates. I executed these steps:

$ sudo vi /etc/ca-certificates.conf   # <-- Search for "mozilla/ISRG_Root_X1.crt" and remove the leading !, then save the file and exit
$ sudo update-ca-certificates # <-- This updates the ca certificates. After this step, my web-updater worked again.

This is what helped for me on the Qnap-NAS:

cd /share/

curl --silent --location --remote-name --insecure https://curl.haxx.se/ca/cacert.pem

mkdir certs

cat cacert.pem | awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {if(length($0) > 0) print > "certs/cert" n ".pem"}'

cd certs

for filename in cert*pem; do mv "$filename" "$(openssl x509 -hash -noout -in "$filename").0"; done

cp *.0 /etc/ssl/certs/

A very smart user in Qnapclub-Forum (LHSei) found this solution.

1 Like
