Erorr: self-signed certificate in chain when connecting to nc services

Hello,

I’ve installed nextcloud 18.0 with docker (apache version) and mariadb 10.5 + an nginx reverse proxy. Everything works fine up to a point: because I’m behind a firewall which does deep packet inspection and offers its own certificate, nextcloud is telling me that it cannot connect to the internet - so that it cannot initialize connections and that translates in my case in my not being able to install any other non-core apps, because it cannot search for them.
The error is:

This server has no working Internet connection: Multiple endpoints could not be reached. This means that some of the features like mounting external storage, notifications about updates or installation of third-party apps will not work. Accessing files remotely and sending of notification emails might not work, either. Establish a connection from this server to the Internet to enjoy all features.

In the logging I get the following error:

[internet_connection_check] Error: GuzzleHttp\Exception\RequestException: cURL error 60: SSL certificate problem: self signed certificate in certificate chain (see http://curl.haxx.se/libcurl/c/libcurl-errors.html) at <>
0. /var/www/html/3rdparty/guzzlehttp/guzzle/src/Handler/CurlFactory.php line 149
GuzzleHttp\Handler\CurlFactory::createRejection(GuzzleHttp\Handl … l}, {errno: 60,error … 4})

  1. /var/www/html/3rdparty/guzzlehttp/guzzle/src/Handler/CurlFactory.php line 102
    GuzzleHttp\Handler\CurlFactory::finishError(GuzzleHttp\Handler\CurlHandler {}, GuzzleHttp\Handl … l}, GuzzleHttp\Handler\CurlFactory {})
  2. /var/www/html/3rdparty/guzzlehttp/guzzle/src/Handler/CurlHandler.php line 43
    GuzzleHttp\Handler\CurlFactory::finish(GuzzleHttp\Handler\CurlHandler {}, GuzzleHttp\Handl … l}, GuzzleHttp\Handler\CurlFactory {})
  3. /var/www/html/3rdparty/guzzlehttp/guzzle/src/Handler/Proxy.php line 28
    GuzzleHttp\Handler\CurlHandler->__invoke("*** sensitive parameter replaced ", " sensitive parameter replaced ***")
  4. /var/www/html/3rdparty/guzzlehttp/guzzle/src/Handler/Proxy.php line 51
    GuzzleHttp\Handler\Proxy::GuzzleHttp\Handler{closure}("*** sensitive parameters replaced ***")
  5. /var/www/html/3rdparty/guzzlehttp/guzzle/src/PrepareBodyMiddleware.php line 37
    GuzzleHttp\Handler\Proxy::GuzzleHttp\Handler{closure}("*** sensitive parameters replaced ***")
  6. /var/www/html/3rdparty/guzzlehttp/guzzle/src/Middleware.php line 30
    GuzzleHttp\PrepareBodyMiddleware->__invoke("*** sensitive parameter replaced ", " sensitive parameter replaced ***")
  7. /var/www/html/3rdparty/guzzlehttp/guzzle/src/RedirectMiddleware.php line 70
    GuzzleHttp\Middleware::GuzzleHttp{closure}("*** sensitive parameters replaced ***")
  8. /var/www/html/3rdparty/guzzlehttp/guzzle/src/RedirectMiddleware.php line 107
    GuzzleHttp\RedirectMiddleware->__invoke("*** sensitive parameter replaced ", " sensitive parameter replaced ***")
  9. /var/www/html/3rdparty/guzzlehttp/guzzle/src/RedirectMiddleware.php line 72
    GuzzleHttp\RedirectMiddleware->checkRedirect(GuzzleHttp\Psr7\Request {}, “*** sensitive parameter replaced ", " sensitive parameter replaced ***”)
  10. /var/www/html/3rdparty/guzzlehttp/promises/src/FulfilledPromise.php line 39
    GuzzleHttp\RedirectMiddleware->GuzzleHttp{closure}("*** sensitive parameters replaced ***")
  11. /var/www/html/3rdparty/guzzlehttp/promises/src/TaskQueue.php line 47
    GuzzleHttp\Promise\FulfilledPromise::GuzzleHttp\Promise{closure}("*** sensitive parameters replaced ***")
  12. /var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php line 246
    GuzzleHttp\Promise\TaskQueue->run(true)
  13. /var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php line 223
    GuzzleHttp\Promise\Promise->invokeWaitFn()
  14. /var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php line 267
    GuzzleHttp\Promise\Promise->waitIfPending()
  15. /var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php line 225
    GuzzleHttp\Promise\Promise->invokeWaitList()
  16. /var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php line 62
    GuzzleHttp\Promise\Promise->waitIfPending()
  17. /var/www/html/3rdparty/guzzlehttp/guzzle/src/Client.php line 131
    GuzzleHttp\Promise\Promise->wait()
  18. /var/www/html/lib/private/Http/Client/Client.php line 149
    GuzzleHttp\Client->request(“get”, “http://www.edri.org/”, {proxy: null,ver … e})
  19. /var/www/html/apps/settings/lib/Controller/CheckSetupController.php line 157
    OC\Http\Client\Client->get(“http://www.edri.org/”)
  20. /var/www/html/apps/settings/lib/Controller/CheckSetupController.php line 140
    OCA\Settings\Controller\CheckSetupController->isSiteReachable(“www.edri.org”)
  21. /var/www/html/apps/settings/lib/Controller/CheckSetupController.php line 682
    OCA\Settings\Controller\CheckSetupController->hasInternetConnectivityProblems()
  22. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 170
    OCA\Settings\Controller\CheckSetupController->check()
  23. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 99
    OC\AppFramework\Http\Dispatcher->executeController(OCA\Settings\Con … {}, “check”)
  24. /var/www/html/lib/private/AppFramework/App.php line 125
    OC\AppFramework\Http\Dispatcher->dispatch(OCA\Settings\Con … {}, “check”)
  25. /var/www/html/lib/private/AppFramework/Routing/RouteActionHandler.php line 47
    OC\AppFramework\App::main(“OCA\Settings\ … r”, “check”, OC\AppFramework\ … {}, {_route: “settings.CheckSetup.check”})
  26. <>
    OC\AppFramework\Routing\RouteActionHandler->__invoke({_route: “settings.CheckSetup.check”})
  27. /var/www/html/lib/private/Route/Router.php line 299
    call_user_func(OC\AppFramework\ … {}, {_route: “settings.CheckSetup.check”})
  28. /var/www/html/lib/base.php line 1008
    OC\Route\Router->match("/settings/ajax/checksetup")
  29. /var/www/html/index.php line 38
    OC::handleRequest()

GET /settings/ajax/checksetup
from 172.19.0.3 by root at 2020-06-06T08:51:00+00:00

What I’ve tried to do was install the certificate of the firewall by placing it under /usr/share/local/share/ca-certificates, but that doesn’t really seem to make any difference.
Does nextcloud make use of the OS certificates? Is it necessary that I whiteliste the domains nextcloud is trying to connect to? If so, what are those?

Thanks in advance!