FTPS with self-signed certificate - verification failed

Nextcloud version: 20.0.1.1
External storage app version: 1.11.1
Operating system and version: CentOS 7
Apache or nginx version: Apache 2.4.39
PHP version: 7.4.12

The issue you are facing:

I am trying to connect my external storage via FTPS (not SFTP!). This works with non-secure FTP, but when forcing SSL (“Secure ftps://”) the connection cannot be established. The NAS uses a self-signed certificate, which is added via occ (php occ security:certificates - listed with correct file name, host name, issued by and validation until).

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

  1. Add FTP server + credentials
  2. Select “Secure ftps://”
  3. Add self-signed certificate via occ
  4. Try to connect external storage

The output of your Nextcloud log in Admin > Logging:

[PHP] Error: Error: stat(): stat failed for ftps://xxx:xxx@xxx:PORT/ at /var/www/virtual/xxx/xxx/apps/files_external/lib/Lib/Storage/StreamWrapper.php#127 at <<closure>>

 0. <<closure>>
    OC\Log\ErrorHandler::onError(2, "stat(): stat fa ... /", "/var/www/virtua ... p", 127, {path: ""})
 1. /var/www/virtual/xxx/xxx/apps/files_external/lib/Lib/Storage/StreamWrapper.php line 127
    stat("ftps://xxxxxx ... /")
 2. /var/www/virtual/xxx/xxx/lib/private/Files/Storage/Common.php line 458
    OCA\Files_External\Lib\Storage\StreamWrapper->stat("")
 3. /var/www/virtual/xxx/xxx/apps/files_external/lib/MountConfig.php line 264
    OC\Files\Storage\Common->test("*** sensitive parameter replaced ***", "*** sensitive parameter replaced ***")
 4. /var/www/virtual/xxx/xxx/apps/files_external/lib/Controller/StoragesController.php line 258
    OCA\Files_External\MountConfig::getBackendStatus("*** sensitive parameters replaced ***")
 5. /var/www/virtual/xxx/xxx/apps/files_external/lib/Controller/StoragesController.php line 330
    OCA\Files_External\Controller\StoragesController->updateStorageStatus("*** sensitive parameters replaced ***")
 6. /var/www/virtual/xxx/xxx/lib/private/AppFramework/Http/Dispatcher.php line 169
    OCA\Files_External\Controller\StoragesController->show(6, "*** sensitive parameter replaced ***")
 7. /var/www/virtual/xxx/xxx/lib/private/AppFramework/Http/Dispatcher.php line 100
    OC\AppFramework\Http\Dispatcher->executeController(OCA\Files_Extern ... {}, "show")
 8. /var/www/virtual/xxx/xxx/lib/private/AppFramework/App.php line 152
    OC\AppFramework\Http\Dispatcher->dispatch(OCA\Files_Extern ... {}, "show")
 9. /var/www/virtual/xxx/xxx/lib/private/Route/Router.php line 308
    OC\AppFramework\App::main("OCA\\Files_Exte ... r", "show", OC\AppFramework\ ... {}, {action: null,id ... "})
10. /var/www/virtual/xxx/xxx/lib/base.php line 1009
    OC\Route\Router->match("/apps/files_external/globalstorages/6")
11. /var/www/virtual/xxx/xxx/index.php line 37
    OC::handleRequest()

GET /index.php/apps/files_external/globalstorages/6?testOnly=true
from IPv6 by xxx at 2020-11-14T20:18:08+00:00
[PHP] Error: Error: stat(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed at /var/www/virtual/xxx/xxx/apps/files_external/lib/Lib/Storage/StreamWrapper.php#127 at <<closure>>

 0. <<closure>>
    OC\Log\ErrorHandler::onError(2, "stat(): SSL ope ... d", "/var/www/virtua ... p", 127, {path: ""})
 1. /var/www/virtual/xxx/xxx/apps/files_external/lib/Lib/Storage/StreamWrapper.php line 127
    stat("ftps://bernhard ... /")
 2. /var/www/virtual/xxx/xxx/lib/private/Files/Storage/Common.php line 458
    OCA\Files_External\Lib\Storage\StreamWrapper->stat("")
 3. /var/www/virtual/xxx/xxx/apps/files_external/lib/MountConfig.php line 264
    OC\Files\Storage\Common->test("*** sensitive parameter replaced ***", "*** sensitive parameter replaced ***")
 4. /var/www/virtual/xxx/xxx/apps/files_external/lib/Controller/StoragesController.php line 258
    OCA\Files_External\MountConfig::getBackendStatus("*** sensitive parameters replaced ***")
 5. /var/www/virtual/xxx/xxx/apps/files_external/lib/Controller/GlobalStoragesController.php line 180
    OCA\Files_External\Controller\StoragesController->updateStorageStatus("*** sensitive parameters replaced ***")
 6. /var/www/virtual/xxx/xxx/lib/private/AppFramework/Http/Dispatcher.php line 169
    OCA\Files_External\Controller\GlobalStoragesController->update("*** sensitive parameters replaced ***")
 7. /var/www/virtual/xxx/xxx/lib/private/AppFramework/Http/Dispatcher.php line 100
    OC\AppFramework\Http\Dispatcher->executeController(OCA\Files_Extern ... {}, "update")
 8. /var/www/virtual/xxx/xxx/lib/private/AppFramework/App.php line 152
    OC\AppFramework\Http\Dispatcher->dispatch(OCA\Files_Extern ... {}, "update")
 9. /var/www/virtual/xxx/xxx/lib/private/Route/Router.php line 308
    OC\AppFramework\App::main("OCA\\Files_Exte ... r", "update", OC\AppFramework\ ... {}, {action: null,id ... "})
10. /var/www/virtual/xxx/xxx/lib/base.php line 1009
    OC\Route\Router->match("/apps/files_external/globalstorages/6")
11. /var/www/virtual/xxx/xxx/index.php line 37
    OC::handleRequest()

PUT /index.php/apps/files_external/globalstorages/6
from IPv6 by xxx at 2020-11-14T20:35:06+00:00

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

$CONFIG = array (
  'instanceid' => 'xxx',
  'passwordsalt' => 'xxx',
  'secret' => 'xxx',
  'trusted_domains' =>
  array (
    0 => 'xxx',
    1 => 'xxx',
  ),
  'datadirectory' => '/home/xxx/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '20.0.1.1',
  'overwrite.cli.url' => 'https://xxx/nextcloud',
  'overwriteprotocol' => 'https',
  'dbname' => 'xxx',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'xxx',
  'dbpassword' => 'xxx',
  'installed' => true,
  'mail_domain' => 'xxx',
  'mail_from_address' => 'xxx',
  'mail_smtpmode' => 'sendmail',
  'mail_sendmailmode' => 'pipe',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'maintenance' => false,
);

The output of your Apache/nginx/system log in /var/log/____:

can’t access, hosting provider is not allowing this :-/

Solved this by adding openssl.cafile="/home/USER/etc/ssl/certs/MY_CERT.cer" to my php.ini. Unfortunately I can’t use openssl.capath, because there seems to be a hash problem and I am not allowed to rehash on my webspace.

Nevertheless it should not be necessary to add this to the php.ini, but Nextcloud should handle the added certificate in its stream wrapper. I don’t know if this behavior is not included as a feature or if this is a bug.
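
A diagnostic script for the situation in this post, added here as an example and not part of the original post or of Nextcloud: it prints where PHP's OpenSSL looks for CA certificates, checks that the certificate file is PEM, reports the hashed file name that openssl.capath lookups expect, and can test the FTPS connection with verification left on. The paths are the post's placeholders and the FTPS_URL environment variable is an assumption of this example.

```php
<?php
// Added diagnostic, not Nextcloud code. Paths are the placeholders from the post.
$certFile = '/home/USER/etc/ssl/certs/MY_CERT.cer';
$caDir    = dirname($certFile);

// 1. Which trust stores does PHP's OpenSSL consult for ftps:// and https://?
$loc = openssl_get_cert_locations();
printf("openssl.cafile: %s\nopenssl.capath: %s\nbuilt-in default file: %s\n",
    $loc['ini_cafile'] ?: '(unset)', $loc['ini_capath'] ?: '(unset)',
    $loc['default_cert_file']);

// 2. openssl.cafile must be PEM; a ".cer" export can be DER, which fails here.
$pem  = @file_get_contents($certFile);
$x509 = ($pem === false) ? false : @openssl_x509_read($pem);
if ($x509 === false) {
    fwrite(STDERR, "Cannot read $certFile as a PEM certificate\n");
    exit(1);
}
$info = openssl_x509_parse($x509);
printf("subject: %s, valid until: %s\n",
    $info['name'], date('c', $info['validTo_time_t']));
if ($info['validTo_time_t'] < time()) {
    echo "WARNING: certificate has expired, verification will fail\n";
}

// 3. openssl.capath lookups go by file name "<subject hash>.N", which is
//    what c_rehash creates. Report the name OpenSSL expects for this cert.
$wanted = $info['hash'] . '.0';
printf("capath entry %s/%s: %s\n", $caDir, $wanted,
    file_exists("$caDir/$wanted") ? 'present' : 'MISSING');

// 4. Optional live test with verification kept on and trust limited to this
//    one certificate. FTPS_URL is a hypothetical env var (ftps://user:pass@host/).
$url = getenv('FTPS_URL');
if ($url !== false) {
    $ctx = stream_context_create(['ssl' => [
        'cafile'           => $certFile,
        'verify_peer'      => true,
        'verify_peer_name' => true,
    ]]);
    $dir = @opendir($url, $ctx);
    echo $dir ? "TLS verification succeeded\n"
              : 'Connection failed: ' . (error_get_last()['message'] ?? 'unknown') . "\n";
    if ($dir) {
        closedir($dir);
    }
}
```

If step 3 reports MISSING, a copy or symlink of the certificate under the printed name in the capath directory gives OpenSSL the file it looks up, without running c_rehash.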