cURL error 35: TLS connect error: error:0A000438:SSL routines::tlsv1 alert internal error (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://github.com/nextcloud/firstrunwizard/raw/master/img/Nextcloud.webm

ℹ️ Support
, , ,
1

Hello,

I have completely reinstalled my Nextcloud instance but am still getting this message…

Example:
cURL error 35: TLS connect error: error:0A000438:SSL routines::tlsv1 alert internal error (see libcurl - Error Codes) for https://github.com/nextcloud/firstrunwizard/raw/master/img/Nextcloud.webm

The curl command works fine using curl -v url in the command line both as sudo -u nextcloud and sudo -u http. This message only appears within nextcloud when attempting to add an app or load anything from github.com. attempts to add an app using occ results in the same error.

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • 31.0.6
  • Operating system and version (e.g., Ubuntu 24.04):
    • Arch Linux LXC inside Proxmox
  • Web server and version (e.g, Apache 2.4.25):
    • nginx-mainline 1.29.0-1
  • Reverse proxy and version _(e.g. nginx 1.27.2)
    • Caddy 2.0.0 built into OPNSense
  • PHP version (e.g, 8.3):
    • php-legacy 8.2.29-1
  • Is this the first time you’ve seen this error? (Yes / No):
    • yes
  • When did this problem seem to first start?
    • about 1 week ago
  • Installation method (e.g. AlO, NCP, Bare Metal/Archive, etc.)
    • Bare Metal in an Arch based LXC on Proxmox
  • Are you using CloudfIare, mod_security, or similar? (Yes / No)
    • no

Summary of the issue you are facing:

Any time I try to install an app or when nextcloud makes a call to github, results in the cURL error 35: TLS connect error: error:0A000438:SSL routines::tlsv1 alert internal error (see libcurl - Error Codes) for https://github.com/… error.

Steps to replicate it (hint: details matter!):

  1. open Nextcloud
  2. Navigate to Apps
  3. Attempt to install any App
  4. generates error

Log entries

Nextcloud

Please provide the log entries from your Nextcloud log that are generated during the time of problem (via the Copy raw option from Administration settings->Logging screen or from your nextcloud.log located in your data directory). Feel free to use a pastebin/gist service if necessary.

{"reqId":"e1OKhpTkeMFRK5ghTogM","level":2,"time":"2025-07-04T02:37:20+00:00","remoteAddr":"2600:8800:710b:500::1137","user":"admin","app":"settings","method":"GET","url":"/settings/api/apps/media?fileName=https%3A%2F%2Fgithub.com%2Fnextcloud%2Ffirstrunwizard%2Fraw%2Fmaster%2Fimg%2FNextcloud.mp4","message":"Could not load media file for app discover section","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36","version":"31.0.6.2","exception":{"Exception":"GuzzleHttp\\Exception\\ConnectException","Message":"cURL error 35: TLS connect error: error:0A000438:SSL routines::tlsv1 alert internal error (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://github.com/nextcloud/firstrunwizard/raw/master/img/Nextcloud.mp4","Code":0,"Trace":[{"file":"/usr/share/webapps/nextcloud/3rdparty/guzzlehttp/guzzle/src/Handler/CurlFactory.php","line":205,"function":"createRejection","class":"GuzzleHttp\\Handler\\CurlFactory","type":"::","args":["*** sensitive parameters replaced ***"]},{"file":"/usr/share/webapps/nextcloud/3rdparty/guzzlehttp/guzzle/src/Handler/CurlFactory.php","line":157,"function":"finishError","class":"GuzzleHttp\\Handler\\CurlFactory","type":"::"},{"file":"/usr/share/webapps/nextcloud/3rdparty/guzzlehttp/guzzle/src/Handler/CurlHandler.php","line":47,"function":"finish","class":"GuzzleHttp\\Handler\\CurlFactory","type":"::"},{"file":"/usr/share/webapps/nextcloud/3rdparty/guzzlehttp/guzzle/src/Middleware.php","line":142,"function":"__invoke","class":"GuzzleHttp\\Handler\\CurlHandler","type":"->"},{"file":"/usr/share/webapps/nextcloud/lib/private/Http/Client/DnsPinMiddleware.php","line":149,"function":"GuzzleHttp\\{closure}","class":"GuzzleHttp\\Middleware","type":"::","args":["*** sensitive parameters replaced ***"]},{"file":"/usr/share/webapps/nextcloud/3rdparty/guzzlehttp/guzzle/src/PrepareBodyMiddleware.php","line":35,"function":"OC\\Http\\Client\\{closure}","class":"OC\\Http\\Client\\DnsPinMiddleware","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/usr/share/webapps/nextcloud/3rdparty/guzzlehttp/guzzle/src/Middleware.php","line":31,"function":"__invoke","class":"GuzzleHttp\\PrepareBodyMiddleware","type":"->"},{"file":"/usr/share/webapps/nextcloud/3rdparty/guzzlehttp/guzzle/src/RedirectMiddleware.php","line":71,"function":"GuzzleHttp\\{closure}","class":"GuzzleHttp\\Middleware","type":"::","args":["*** sensitive parameters replaced ***"]},{"file":"/usr/share/webapps/nextcloud/3rdparty/guzzlehttp/guzzle/src/Middleware.php","line":66,"function":"__invoke","class":"GuzzleHttp\\RedirectMiddleware","type":"->"},{"file":"/usr/share/webapps/nextcloud/3rdparty/guzzlehttp/guzzle/src/HandlerStack.php","line":75,"function":"GuzzleHttp\\{closure}","class":"GuzzleHttp\\Middleware","type":"::","args":["*** sensitive parameters replaced ***"]},{"file":"/usr/share/webapps/nextcloud/3rdparty/guzzlehttp/guzzle/src/Client.php","line":333,"function":"__invoke","class":"GuzzleHttp\\HandlerStack","type":"->"},{"file":"/usr/share/webapps/nextcloud/3rdparty/guzzlehttp/guzzle/src/Client.php","line":169,"function":"transfer","class":"GuzzleHttp\\Client","type":"->"},{"file":"/usr/share/webapps/nextcloud/3rdparty/guzzlehttp/guzzle/src/Client.php","line":189,"function":"requestAsync","class":"GuzzleHttp\\Client","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/usr/share/webapps/nextcloud/lib/private/Http/Client/Client.php","line":206,"function":"request","class":"GuzzleHttp\\Client","type":"->"},{"file":"/usr/share/webapps/nextcloud/apps/settings/lib/Controller/AppSettingsController.php","line":163,"function":"get","class":"OC\\Http\\Client\\Client","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/usr/share/webapps/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":200,"function":"getAppDiscoverMedia","class":"OCA\\Settings\\Controller\\AppSettingsController","type":"->"},{"file":"/usr/share/webapps/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":114,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/usr/share/webapps/nextcloud/lib/private/AppFramework/App.php","line":161,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/usr/share/webapps/nextcloud/lib/private/Route/Router.php","line":307,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/usr/share/webapps/nextcloud/lib/base.php","line":1040,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/usr/share/webapps/nextcloud/index.php","line":24,"function":"handleRequest","class":"OC","type":"::"}],"File":"/usr/share/webapps/nextcloud/3rdparty/guzzlehttp/guzzle/src/Handler/CurlFactory.php","Line":275,"message":"Could not load media file for app discover section","media_src":"https://github.com/nextcloud/firstrunwizard/raw/master/img/Nextcloud.mp4","exception":[],"CustomMessage":"Could not load media file for app discover section"},"id":"68673e6a9d4ee"}

Web Browser

If the problem is related to the Web interface, open your browser inspector Console and Network tabs while refreshing (reloading) and reproducing the problem. Provide any relevant output/errors here that appear.

GET https://my.domain.net/settings/api/apps/media?fileName=https%3A%2F%2Fgithub.com%2Fnextcloud%2Ffirstrunwizard%2Fraw%2Fmaster%2Fimg%2FNextcloud.webm 404 (Not Found)Understand this error
api/apps/media?fileName=https%3A%2F%2Fgithub.com%2Fnextcloud%2Ffirstrunwizard%2Fraw%2Fmaster%2Fimg%2FNextcloud.mp4:1  GET https://my.domain.net/settings/api/apps/media?fileName=https%3A%2F%2Fgithub.com%2Fnextcloud%2Ffirstrunwizard%2Fraw%2Fmaster%2Fimg%2FNextcloud.mp4 net::ERR_ABORTED 404 (Not Found)

Web server / Reverse Proxy

The output of your Apache/nginx/system log in /var/log/____:

No entry in /var/log/nginx/access.log

Configuration

Nextcloud

The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):

{
    "system": {
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "logfile": "\/var\/log\/nextcloud\/nextcloud.log",
        "default_phone_region": "US",
        "trusted_domains": [
            "localhost",
            "my.domain.net",
            "192.168.1.XX"
        ],
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "dbindex": 0,
            "password": "***REMOVED SENSITIVE VALUE***",
            "timeout": 1.5
        },
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "maintenance_window_start": 0,
        "overwrite.cli.url": "https:\/\/my.domain.net\/",
        "htaccess.RewriteBase": "\/",
        "apps_paths": [
            {
                "path": "\/usr\/share\/webapps\/nextcloud\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/lib\/nextcloud\/apps",
                "url": "\/wapps",
                "writable": true
            }
        ],
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "31.0.6.2",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauth": true,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***"
    }
}

Apps

  • activity: 4.0.0
  • app_api: 5.0.2
  • bruteforcesettings: 4.0.0
  • circles: 31.0.0
  • cloud_federation_api: 1.14.0
  • comments: 1.21.0
  • contactsinteraction: 1.12.0
  • dashboard: 7.11.0
  • dav: 1.33.0
  • federatedfilesharing: 1.21.0
  • federation: 1.21.0
  • files: 2.3.1
  • files_downloadlimit: 4.0.0
  • files_pdfviewer: 4.0.0
  • files_reminders: 1.4.0
  • files_sharing: 1.23.1
  • files_trashbin: 1.21.0
  • files_versions: 1.24.0
  • firstrunwizard: 4.0.0
  • logreader: 4.0.0
  • lookup_server_connector: 1.19.0
  • nextcloud_announcements: 3.0.0
  • notifications: 4.0.0
  • oauth2: 1.19.1
  • password_policy: 3.0.0
  • photos: 4.0.0-dev.1
  • privacy: 3.0.0
  • profile: 1.0.0
  • provisioning_api: 1.21.0
  • recommendations: 4.0.0
  • related_resources: 2.0.0
  • serverinfo: 3.0.0
  • settings: 1.14.0
  • sharebymail: 1.21.0
  • support: 3.0.0
  • survey_client: 3.0.0
  • systemtags: 1.21.1
  • text: 5.0.0
  • theming: 2.6.1
  • twofactor_backupcodes: 1.20.0
  • updatenotification: 1.21.0
  • user_status: 1.11.0
  • viewer: 4.0.0
  • weather_status: 1.11.0
  • webhook_listeners: 1.2.0
  • workflowengine: 2.13.0
    Disabled:
  • admin_audit: 1.21.0
  • encryption: 2.19.0
  • files_external: 1.23.0
  • suspicious_login: 9.0.1
  • twofactor_nextcloud_notification: 5.0.0
  • twofactor_totp: 13.0.0-dev.0
  • user_ldap: 1.22.0
2

Can your system access the Internet directly (i.e. outgoing port 443 open) or are you using an HTTP proxy? It sounds to me as if your PHP cannot access the Internet.

3

Thank you for the reply! Yes the outgoing port is open and the system can access the internet directly. I can wget and curl -v to the addresses in question, it is only nextcloud that throws the curl error.

4

As a test: If you create a PHP file (e.g. test.php) with the following content and open it in the browser, do you see this image? If not, something is wrong with your PHP installation.

<?php
$ch = curl_init('https://raw.githubusercontent.com/nextcloud/firstrunwizard/refs/heads/master/img/androidBadge.png');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$data = curl_exec($ch);
header('Content-Type: image/png');
echo $data;
5

I looked at your error again:

cURL error 35: TLS connect error: error:0A000438:SSL routines::tlsv1 alert internal error

github.com does not support TLS 1.0. Your cURL needs at least support for TLS 1.2.

You write that you are using Arch Linux LXC inside Proxmox. But how old is your Arch Linux? Which version? And when was the last time you updated it? To me it gives the impression that either a dependency is missing or you use a old outdated software.

1 Like
6

Hello, I have the same problem.nextcloud cURL error 35: TLS connect error: error:0A000458:SSL routines::tlsv1 unrecognized name (see libcurl - Error Codes) for nextcloud-releases · GitHub

The given system and the NextCloud container have free access to the internet, both IPv4 and IPv6. Direct download using wget works without issues. The problem is with cURL. From the logs, it is evident that cURL is trying to connect using tlsv1.

Version NextCloud: 31.0.8 (Docker Container amd64)
Curl -V: “curl 8.14.1 (x86_64-pc-linux-gnu) libcurl/8.14.1 OpenSSL/3.5.1 zlib/1.3.1 brotli/1.1.0 zstd/1.5.7 libidn2/2.3.8 libpsl/0.21.2 libssh2/1.11.1 nghttp2/1.64.0 nghttp3/1.8.0 librt mp/2.3 OpenLDAP/2.6.10
Release-Date: 2025-06-04, security patched: 8.14.1-2”

7

This is also happening to me, using the nextcloud:apache docker image.

The test.php sample code (above) successfully displays the image.

curl on the commandline can also successfully retrieve one of the files in the error log (note: -L required to follow the redirect)

$ curl -LO https://github.com/nextcloud-releases/calendar/releases/download/v5.5.5/calendar-v5.5.5.tar.gz
$ ls -l calendar-v5.5.5.tar.gz
-rw-r–r-- 1 root www-data 17883945 Sep 24 06:21 calendar-v5.5.5.tar.gz

Modifying the test.php sample to fetch the calendar app update required setting CURLOPT_FOLLOWLOCATION.

<?php
$ch = curl_init('https://github.com/nextcloud-releases/calendar/releases/download/v5.5.5/calendar-v5.5.5.tar.gz');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
$data = curl_exec($ch);
header('Content-Type: application/octet-stream');
echo $data;

It looks like nextcloud is using something called “Guzzle” as a wrapper around Curl. I believe the docs suggest it follows redirects by default.

All these tests were completed by running an interactive shell in the nextcloud:apache container.