cURL error 60 with Let's Encrypt and no Collabora

kreativmonkey · February 26, 2017, 2:58pm

Nextcloud version (eg, 10.0.2): 11.0.1 and previous
Operating system and version (eg, Ubuntu 16.04): Arch Linux
Apache or nginx version (eg, Apache 2.4.25): Nginx 1.10.3
PHP version (eg, 5.6): php 7.1.2

In my errror log i have only one error all the time. “cURL error 60: SSL certificate problem: self signed certificate in certificate chain”. I use Lets Encrypt and have spend a lot of time to fix this error without success. The most Topics hear are tell this problem in combination with collabora but i don’t use collabora. So i can’t set any wohi_url ore anything else from collabora.

What i tryed:

I’ve download the cacert.pem from Curl Website
Setup the curl.cainfo Path to the file in php.ini
add ssl_trusted_certificate path to nginx.conf
reboot server more than one time

nginx.conf:

ssl_certificate /etc/letsencrypt/live/domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache  shared:SSL:50m;
ssl_session_tickets off;                                                                                                                                                                

# Deffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/ssl/certs/dhparam.pem;

# modern configuration. tweak to your needs.
ssl_protocols TLSv1.2; 
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;

## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/ssl/cacert.pem;

The output of your Nextcloud log in Admin > Logging:

Error	core	cURL error 60: SSL certificate problem: self signed certificate in certificate chain	2017-02-26T10:27:26+0100
Error	core	cURL error 60: SSL certificate problem: self signed certificate in certificate chain	2017-02-26T10:27:26+0100
Error	core	cURL error 60: SSL certificate problem: self signed certificate in certificate chain	2017-02-26T10:27:25+0100
Error	core	cURL error 60: SSL certificate problem: self signed certificate in certificate chain	2017-02-26T10:27:23+0100
Error	core	cURL error 60: SSL certificate problem: self signed certificate in certificate chain	2017-02-26T10:27:23+0100
.....

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
'instanceid' => '*****',
'passwordsalt' => '****',
'secret' => '****',
'trusted_domains' => 
array (
  0 => 'www.oc4.de',
),
'datadirectory' => '/srv/data',
'overwrite.cli.url' => 'https://www.oc4.de',
'version' => '11.0.1.2',
'dbtype' => 'mysql',
'dbname' => 'd018dc86',
'dbhost' => '10.0.1.5',
'dbtableprefix' => 'nx_',
'dbuser' => 'd018dc86',
'dbpassword' => '****',
'logtimezone' => 'UTC',
'installed' => true,
'mail_from_address' => 'nextcloud',
'mail_smtpmode' => 'php',
'mail_domain' => 'oc4.de',
'loglevel' => 2,
'theme' => '',
'maintenance' => false,
'htaccess.RewriteBase' => '/',
'memcache.local' => '\\OC\\Memcache\\APCu',
'redis' => 
array (
  'host' => 'localhost',
  'port' => 6379,
),
'updater.release.channel' => 'stable',
'updater.secret' => '********"',
);

i don’t know what i can do to fix this error! Pleas help me.

powerpaul · March 26, 2017, 1:28pm

Unfortunately I have the same problem, also tried all of the above methods. My certificate is issued by StartCOM and should be valid but the nextcloud.log shows an error for all accessed files and methods.

Maybe the developers could point out where to find more information about the root of this error since it is really annoying if the log file gets bloated by these messages.

tflidd · March 26, 2017, 1:58pm

Go to https://www.ssllabs.com/ssltest/ to test your whole SSL setup. They provide more detailed information and there you should be able to see where a self signed certificate is used in the certificate chain.

powerpaul · April 24, 2017, 9:41pm

Got A-. Certificate is valid (apparently) but still a “cURL 60” error for every “PROPFIND” in the logs, also checked external storage.

Mack_Baise · December 17, 2017, 6:48am

Same problem here. The test got me an A, but I’m still getting this error when trying to edit a document using collabora online. Anyone find a solution?

tflidd · December 17, 2017, 11:01am

And no error about the certificate chain? You don’t use any external storage?

Can you open your website via curl from command line? Run it on verbose mode (-vvvv) and look if there is any problem.

Sorry, this topic is explicitly saying that it is different from all the other topics where collabora is involved.

kundansingh27feb · December 28, 2017, 8:56am

I think your system clock is set in the past. check your system time and if it is set in the past date then change it to present. Like:

#date //to check the date
#timedatectl set-time “2017-12-28 14:15:55” // To set the date

Note: Enter the current date at “2017-12-28 14:15:55”.