Federation and Self-signed Certificates / libcurl

Dear Nextcloud-Community!

Hi to you all and a big thank you to the devs of Nextcloud - what a magnificent piece of software! I have a question concerning federation between two Nextcloud servers.

Overview

I am trying to get federation between two Nextcloud servers working. One NC server is my standard Nextcloud, running behind a Nginx Proxy Manager and reachable from the internet (.com). The other server is a newly set up one, only reachable internally (.lan) by design.

In a first step, I set up nc2 unencrypted (access via HTTP). Federation between the two servers worked perfectly fine (so no problems with DNS, etc.).

In the second step, I created a self-signed certificate with openssl to have HTTPS working. Access to the now encrypted Dashboard etc. all works. The Apache config is valid.

Therefore my Setup is as follows:

Server 1:
nc1.com - Let's Encrypt certificate on NPM. NPM accesses nc1 via HTTP. NPM config etc. has all been working fine for several years.

Server 2:
nc2.lan - Only internal. Therefore only a self-signed certificate by openssl.

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • both: 30.0.4
  • Operating system and version (e.g., Ubuntu 24.04):
    • nc1: Ubuntu 22.04
    • nc2: Raspbian OS
  • Web server and version (e.g, Apache 2.4.25):
    • both: Apache2.4
  • Reverse proxy and version (e.g. nginx 1.27.2)
    • nc1: NPM
    • nc2: none
  • PHP version (e.g, 8.3):
    • both: 8.3
  • Is this the first time you’ve seen this error? (Yes / No):
    • yes - first time trying to get federation working
  • When did this problem seem to first start?
    • today
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
    • both: Bare Metal
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
    • no

Log entries

On nc1:
-RequestException cURL error 60: SSL certificate problem: self-signed certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://nc2.lan/ocm-provider/

-OCMProviderException error while requesting remote ocm provider Failed to send notification for share from https://nc2.lan, received OCMProviderException

Summary

It is possible to add nc1 as a trusted server on nc2. Adding nc2 to the trusted servers on nc1 does not work.

libcurl does not accept the self-signed certificate.
The same applies to Talk (federation allowed) and file shares.

I can successfully invite a user of nc1 in Talk on nc2.
But on nc1, I cannot accept the invitation.

Using HTTP on nc2 is not an option - the Talk and Passwords apps rely on HTTPS.

Possible solution? - Question?

How can I get libcurl / Nextcloud on nc1 to accept the self-signed certificate on nc2?
Is there any way to make this work? Or is federation using a self-signed certificate not possible at all?

Best regards!

You need to import the certificate to trust it: Using the occ command — Nextcloud latest Administration Manual

Thank you!

I now did the following:

# Capture the raw s_client session (</dev/null closes stdin so s_client exits instead of waiting for input)
sudo openssl s_client -connect nc2.lan:443 -servername nc2 </dev/null > /tmp/nc2.cert

# Extract only the server certificate as a clean PEM file
sudo openssl s_client -showcerts -connect nc2.lan:443 </dev/null 2>/dev/null | openssl x509 -outform PEM > /tmp/nc2.pem

# Import both files into Nextcloud's certificate store
sudo -u www-data php /var/www/nextcloud/occ security:certificates:import /tmp/nc2.cert

sudo -u www-data php /var/www/nextcloud/occ security:certificates:import /tmp/nc2.pem

# List the imported certificates
sudo -u www-data php /var/www/nextcloud/occ security:certificates

+------------------+-------------------+--------------------------+-----------------+-------------------+
| File Name        | Common Name       | Organization             | Valid Until     | Issued By         |
+------------------+-------------------+--------------------------+-----------------+-------------------+
| nc2.cert         | nc2.lan           | ABC                      | January 3, 2035 | nc2.lan           |
| nc2.pem          | nc2.lan           | ABC                      | January 3, 2035 | nc2.lan           |
+------------------+-------------------+--------------------------+-----------------+-------------------+

sudo service apache2 restart

I used both certificate files just to make sure.

Nevertheless, it is not possible to add a federated user from nc2 to a Talk conversation on nc1, and I still receive the following error message:

RequestException cURL error 60: SSL certificate problem: self-signed certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://nc2.lan/ocm-provider/ error while discovering ocm provider

OCMProviderException error while requesting remote ocm provider Failed sharing [TALKID] with [USERID]@https://nc2.lan, received OCMProviderException

What am I doing wrong?

Best regards!
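The following script is an added example for the two posts above (the suggestion to import the certificate with occ, and the follow-up in which the import did not fix cURL error 60); it is not code from the thread or from the Nextcloud project. It exports the leaf certificate of a host as a clean PEM file, checks that the file contains exactly one certificate, that the certificate verifies when it is its own trust anchor, and that its subjectAltName covers the host name Nextcloud will connect to, then reproduces libcurl's verification with `curl --cacert`. If the curl check passes with the exported PEM while Nextcloud still reports cURL error 60, the certificate itself is fine and the question becomes which CA bundle Nextcloud's HTTP client is actually using. The host name nc2.lan and the occ path come from the thread; the presence of openssl (1.1.1 or newer, for `-addext`) and curl, and the self-test certificate, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the forum thread. Assumes openssl 1.1.1+ and curl.

# 1. Export the leaf certificate as a clean PEM file. `</dev/null` closes
#    s_client's stdin so it exits instead of waiting for input; piping through
#    `openssl x509` drops s_client's chatter and keeps only the certificate.
fetch_leaf_cert() {
    host=$1; out=$2
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# 2. The file must hold exactly one PEM certificate block and nothing else
#    (a raw s_client capture also contains CONNECTED/depth/verify lines).
is_clean_pem() {
    file=$1
    [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$file")" -eq 1 ] || return 1
    [ "$(head -n 1 "$file")" = "-----BEGIN CERTIFICATE-----" ] || return 1
    [ "$(tail -n 1 "$file")" = "-----END CERTIFICATE-----" ] || return 1
}

# 3. A self-signed certificate must verify with itself as the trust anchor;
#    that is what libcurl does once the PEM is in the trusted bundle.
verifies_as_own_anchor() {
    file=$1
    openssl verify -CAfile "$file" "$file" 2>/dev/null | grep -q ': OK$'
}

# 4. The subjectAltName must cover the host name Nextcloud connects to;
#    curl rejects a name mismatch even when the chain itself is trusted.
matches_host() {
    file=$1; host=$2
    openssl x509 -in "$file" -noout -checkhost "$host" 2>/dev/null \
        | grep -q 'does match certificate'
}

# 5. Reproduce libcurl's verification outside Nextcloud against the same
#    endpoint that appears in the nc1 log (/ocm-provider/).
curl_check() {
    file=$1; host=$2
    curl --silent --show-error --output /dev/null --cacert "$file" "https://$host/ocm-provider/"
}

# Constructed test material: a throwaway self-signed certificate for nc2.lan
# standing in for the one exported from the real server.
make_test_cert() {
    out=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=nc2.lan' \
        -addext 'subjectAltName=DNS:nc2.lan' -keyout "$out.key" -out "$out" 2>/dev/null
}

# Usage: `sh check-cert.sh live nc2.lan` exports, checks and imports the real
# certificate (import command as used in the thread); `sh check-cert.sh selftest`
# runs the checks against the constructed certificate only.
case "${1:-}" in
    live)
        host=${2:?host name required}
        fetch_leaf_cert "$host" /tmp/nc2.pem
        is_clean_pem /tmp/nc2.pem            || { echo "not a clean PEM file"; exit 1; }
        verifies_as_own_anchor /tmp/nc2.pem  || { echo "certificate does not verify as its own anchor"; exit 1; }
        matches_host /tmp/nc2.pem "$host"    || { echo "subjectAltName does not cover $host"; exit 1; }
        curl_check /tmp/nc2.pem "$host"      || { echo "curl verification failed"; exit 1; }
        echo "certificate checks passed, importing into Nextcloud"
        sudo -u www-data php /var/www/nextcloud/occ security:certificates:import /tmp/nc2.pem
        ;;
    selftest)
        dir=$(mktemp -d)
        make_test_cert "$dir/nc2.pem"
        is_clean_pem "$dir/nc2.pem" && verifies_as_own_anchor "$dir/nc2.pem" \
            && matches_host "$dir/nc2.pem" nc2.lan && echo "self-test passed"
        ;;
esac
```

The checks are deliberately run with the stock openssl and curl binaries rather than through Nextcloud, so each failure maps to one cause: a dirty capture file, a certificate that was not actually exported from the server, a missing subjectAltName, or a certificate that is fine but not in the bundle Nextcloud reads.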