Cron failing due to SSL CA Bundle issue

Nextcloud version (eg, 20.0.5): 27.1.3
Operating system and version (eg, Ubuntu 20.04): Debian 12.2
Apache or nginx version (eg, Apache 2.4.25): nginx/1.22.1
PHP version (eg, 7.4): 8.2

The issue you are facing:
Cron appears to be failing causing several issues. I started by trying to track down some issues where I can’t upload any files because they’re all locked. Looking into that led me to this post that mentions to make sure cron is working.

The CA Bundle path changes with each invocation of cron.php.

Is this the first time you’ve seen this error? (Y/N): Yes

The output of your Nextcloud log in Admin > Logging:

[dav] Warning: InvalidArgumentException: SSL CA bundle not found: /tmp/oc_tmp_5htuWM-.crt at <<closure>>

 0. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/Handler/CurlFactory.php line 59
    GuzzleHttp\Handler\CurlFactory->applyHandlerOptions()
 1. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/Handler/CurlHandler.php line 43
    GuzzleHttp\Handler\CurlFactory->create("*** sensitive parameters replaced ***")
 2. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/Handler/Proxy.php line 28
    GuzzleHttp\Handler\CurlHandler->__invoke()
 3. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/Handler/Proxy.php line 48
    GuzzleHttp\Handler\Proxy::GuzzleHttp\Handler\{closure}("*** sensitive parameters replaced ***")
 4. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/Middleware.php line 256
    GuzzleHttp\Handler\Proxy::GuzzleHttp\Handler\{closure}("*** sensitive parameters replaced ***")
 5. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/Middleware.php line 240
    GuzzleHttp\Middleware::GuzzleHttp\{closure}("*** sensitive parameters replaced ***")
 6. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/PrepareBodyMiddleware.php line 35
    GuzzleHttp\Middleware::GuzzleHttp\{closure}("*** sensitive parameters replaced ***")
 7. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/Middleware.php line 31
    GuzzleHttp\PrepareBodyMiddleware->__invoke()
 8. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/RedirectMiddleware.php line 71
    GuzzleHttp\Middleware::GuzzleHttp\{closure}("*** sensitive parameters replaced ***")
 9. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/Middleware.php line 63
    GuzzleHttp\RedirectMiddleware->__invoke()
10. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/HandlerStack.php line 75
    GuzzleHttp\Middleware::GuzzleHttp\{closure}("*** sensitive parameters replaced ***")
11. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/Client.php line 331
    GuzzleHttp\HandlerStack->__invoke()
12. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/Client.php line 168
    GuzzleHttp\Client->transfer()
13. /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/Client.php line 187
    GuzzleHttp\Client->requestAsync("*** sensitive parameters replaced ***")
14. /var/www/nextcloud/lib/private/Http/Client/Client.php line 230
    GuzzleHttp\Client->request()
15. /var/www/nextcloud/apps/dav/lib/CalDAV/WebcalCaching/RefreshWebcalService.php line 214
    OC\Http\Client\Client->get()
16. /var/www/nextcloud/apps/dav/lib/CalDAV/WebcalCaching/RefreshWebcalService.php line 86
    OCA\DAV\CalDAV\WebcalCaching\RefreshWebcalService->queryWebcalFeed()
17. /var/www/nextcloud/apps/dav/lib/BackgroundJob/RefreshWebcalJob.php line 115
    OCA\DAV\CalDAV\WebcalCaching\RefreshWebcalService->refreshSubscription()
18. /var/www/nextcloud/lib/public/BackgroundJob/Job.php line 81
    OCA\DAV\BackgroundJob\RefreshWebcalJob->run()
19. /var/www/nextcloud/lib/public/BackgroundJob/Job.php line 67
    OCP\BackgroundJob\Job->start()
20. /var/www/nextcloud/apps/dav/lib/BackgroundJob/RefreshWebcalJob.php line 108
    OCP\BackgroundJob\Job->execute()
21. /var/www/nextcloud/cron.php line 152
    OCA\DAV\BackgroundJob\RefreshWebcalJob->execute()

at 2023-11-02T20:30:03+00:00

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => '***',
  'passwordsalt' => '***',
  'secret' => '***',
  'trusted_domains' => 
  array (
    0 => '***',
    1 => '***',
  ),
  'datadirectory' => '/var/www/nextcloud/data',
  'dbtype' => 'pgsql',
  'version' => '27.1.3.2',
  'overwrite.cli.url' => 'https://***', // Support note: This redacted value is trusted_domains[0]
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud',
  'dbpassword' => '***',
  'default_phone_region' => 'US',
  'installed' => true,
  'objectstore' => 
  array (
    'class' => '\\OC\\Files\\ObjectStore\\S3',
    'arguments' => 
    array (
      'bucket' => '***',
      'autocreate' => true,
      'key' => '***',
      'secret' => '***',
      'hostname' => '***',
      'use_ssl' => true,
      'use_path_style' => true,
    ),
  ),
  'log_type' => 'file',
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'loglevel' => 2,
  'logdateformat' => 'F d, Y H:is',
  'log_rotate_size' => 104857600,
  'maintenance' => false,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'theme' => '',
  'updater.release.channel' => 'beta',
  'app_install_overwrite' => 
  array (
    0 => 'cookbook',
    1 => 'ocdownloader',
    2 => 'apporder',
    3 => 'checksum',
    4 => 'unsplash',
    5 => 'files_linkeditor',
    6 => 'camerarawpreviews',
    7 => 'workflow_ocr',
    8 => 'bruteforcesettings',
    9 => 'theming_customcss',
    10 => 'files_downloadlimit',
  ),
  'twofactor_enforced' => 'true',
  'twofactor_enforced_groups' => 
  array (
  ),
  'twofactor_enforced_excluded_groups' => 
  array (
  ),
  'mail_from_address' => 'noreply',
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => '***',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_smtpname' => '***',
  'mail_smtppassword' => '***',
  'mail_smtpsecure' => 'ssl',
  'mail_smtphost' => 'smtp.***',
  'mail_smtpport' => '465',
  'trashbin_retention_obligation' => '30, 90',
);

I don’t think the web server logs are relevant for this, but I can share them if they would help. What does seem at least a little useful is watching /tmp with inotifywait, and it produces some interesting results:

$ sudo inotifywait -m /tmp --include oc_\* -e create -e modify |
while read dir action file; do
echo "'$file' appeared in '$dir' via '$action'"
ls -l $file
head $file
done
Setting up watches.
Watches established.
'oc_tmp_asLYi3' appeared in '/tmp/' via 'CREATE'
ls: cannot access 'oc_tmp_asLYi3': No such file or directory
head: cannot open 'oc_tmp_asLYi3' for reading: No such file or directory
'oc_tmp_asLYi3-.crt' appeared in '/tmp/' via 'CREATE'
ls: cannot access 'oc_tmp_asLYi3-.crt': No such file or directory
head: cannot open 'oc_tmp_asLYi3-.crt' for reading: No such file or directory
'oc_tmp_asLYi3-.crt' appeared in '/tmp/' via 'MODIFY'
ls: cannot access 'oc_tmp_asLYi3-.crt': No such file or directory
head: cannot open 'oc_tmp_asLYi3-.crt' for reading: No such file or directory
...
# followed by many, many more MODIFY actions
...

In case it is a permissions issue, I watched again, but this time used sudo ls -l and sudo head; it produced the same results.

$ sudo inotifywait -m /tmp --include oc_\* -e create -e modify |
while read dir action file; do
echo "'$file' appeared in '$dir' via '$action'"
sudo ls -l $file
sudo head $file
done
...
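
Added example, not part of the original post: the watch loop above passes the bare file name to ls and head, so unless the shell's working directory is /tmp they look in the wrong place and report "No such file or directory" whether or not the file exists. This variant joins the directory and file name that inotifywait reports and separates "already removed" from "present"; the function name `inspect_events` and the output format are assumptions made for this illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post).
# Reads inotifywait's default monitor output, one event per line:
#   "<watched dir> <EVENTS> <file name>"
# and inspects each file by its full path.

inspect_events() {
    local dir action file path info
    while read -r dir action file; do
        # inotifywait prints the directory with a trailing slash ("/tmp/");
        # strip it and join, so the check does not depend on the current directory.
        path="${dir%/}/${file}"
        if [ -e "$path" ]; then
            # Size and octal mode show whether the temp file has content yet and
            # who can read it. The fallback covers a file that is removed
            # between the existence check and the stat call.
            info=$(stat -c 'size=%s mode=%a' -- "$path" 2>/dev/null) \
                || info='size=? mode=?'
            printf '%s %s present %s\n' "$action" "$path" "$info"
        else
            # Short-lived temp files can be gone before the event is handled.
            printf '%s %s gone\n' "$action" "$path"
        fi
    done
}

# Live use (requires inotify-tools), same watch as in the post:
#   sudo inotifywait -m /tmp --include 'oc_' -e create -e modify | inspect_events
```

A line ending in "gone" means the file really was removed before it could be inspected, which is different from the lookup failing because of a relative path.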

@prplecake Do you have the files_external app disabled? It seems from your config.php file you are using S3, is that right?

Hi tcit,

I found that thread because I have exactly the same warning message and I am using S3 Bucket on Wasabi.

What is that message about and how can I avoid it?

Greeting
Christian

It shouldn’t be a big issue. The following PR should fix it in the future.
