Installation issue: curl from the command line is successful, but the GUI fails with an SSL issue connecting to the OpenProject URL

Nextcloud version 29.0.0
Operating system and version: Almalinux 9.4
Apache 2.4.57
PHP version 8.3.6

The issue you are facing:

I’m trying to set up OpenProject in an isolated environment with Nextcloud. They are running on separate VMs on the same subnet, and are NOT running in containers. I’m following the integration instructions found here: https://www.openproject.org/docs/system-admin-guide/integrations/nextcloud/ They are using an internal self-signed certificate and there is a copy of the certificate bundle in /etc/ssl/certs/ca-bundle.crt (this is a symlink to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem).

When I enter the OpenProject host URL in the Nextcloud OpenProject app I receive a curl error:

cURL error 60: SSL certificate problem: unable to get local issuer certificate (see libcurl - Error Codes) for https://openproject.my.domain/api/v3/

Troubleshooting steps so far:

  • I have already set Nextcloud to allow local remote servers.
    • “occ config:system:set allow_local_remote_servers --value 1”
  • The openoffice URL was added as a trusted domain in Nextcloud's config.php file.
  • I can successfully curl from the Nextcloud host command line to the OpenProject URL.
  • Checking with openssl s_client -connect openproject.my.domain:443 also works.
  • Disabled SELinux and the firewall for testing, on both hosts.
  • Following advice from topics on this forum I also ran “update-ca-trust -f”.
  • The only journalctl log entry during the request from the GUI is a successful DNS lookup.

Is there another location the certificate bundle needs to be placed? Any advice is appreciated

Nc uses its own (well, sort of: it’s from cURL, technically). The commands are here. The documentation on this topic could probably use some improvement.

Thanks jtr. I appreciate the info. I’ll give this a try and update this thread with the results.

Hi again. This is solved.

For future reference. I first had to make the ca-bundle.crt file available to occ. In my test I copied it to a new folder in /var/www/nextcloud/resources/ssl and updated its ownership and file permissions. Then I ran sudo -u apache php occ security:certificates:import /var/www/nextcloud/resources/ssl/ca-bundle.crt and verified that it was imported by listing the SSL certs with occ security:certificates.

I was then able to connect to my openproject instance in the GUI.

Created a tracker to review and improve the docs: https://github.com/nextcloud/documentation/issues/11906

It’s not a high priority item for me personally so I’m unlikely to pick it up anytime in the near future. But maybe someone else feels like getting into it.

P.S. Docs can be contributed to by anyone. Just click “Edit on GitHub” while viewing. Maybe someone reading this post one day in the future feels like getting the ball rolling. :slight_smile:

I would be very surprised if you didn’t run into the very same issue on the side of OpenProject. I.e. the OpenProject integration trying to make requests against NextCloud will fail all the same if you are using a self-signed certificate.

To fix that you will have to configure the CA bundle for OpenProject as well.
This is done via the SSL_CERT_FILE environment variable.
So if you are using a VM with OpenProject’s package installation, you could set that as follows:

sudo openproject config:set SSL_CERT_FILE=/etc/ssl/certs/custom-ca.pem

This will require a restart (e.g. sudo openproject restart) of the OpenProject process to become effective.

Thank you for the additional information. I’m sure you just saved me several hours of banging my head against the proverbial brick wall.

Follow-up question, since you’ve all been so helpful. I was surprised that occ wasn't able to import the ca-bundle when it was located in /etc/pki/tls/certs/. The import command returns "Certificate not found, please provide a path accessible by the web server user".

I tried updating file permissions to 777 and giving apache explicit access using setfacl -m u:apache:rw /etc/pki/tls/certs/ca-bundle.crt, but the import still fails. Does occ have a more limited view of the filesystem than I’m expecting? Any thoughts?

Not sure offhand. A quick glance at the code doesn’t turn up anything special. It’s just a standard PHP file_exists() call.

https://www.php.net/manual/en/function.file-exists.php

EDIT: You can manually test this in your environment:

php -r 'var_dump(file_exists("/etc/pki/tls/certs/FILENAME"));'

Thanks jtr, here's what I found. It looks like there is a constraint set.

PHP Warning:  file_exists(): open_basedir restriction in effect. File(/etc/pki/tls/certs/ca-bundle.crt) is not within the allowed path(s): (/var/www/nextcloud:/var/www/ncdata:/run/redis/redis.sock:/proc/cpuinfo:/proc/meminfo:/dev/urandom:/tmp:/usr/bin/clamscan:/dev/dri:/run/docker.sock) in Command line code on line 1
bool(false)

I don’t have a lot of experience working with PHP, but I did find the following constraint in the /etc/php.ini file.

; open_basedir, if set, limits all file operations to the defined directory
; and below.  This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file.
; Note: disables the realpath cache
; https://php.net/open-basedir
open_basedir = /var/www/nextcloud:/var/www/ncdata:/run/redis/redis.sock:/proc/cpuinfo:/proc/meminfo:/dev/urandom:/tmp:/usr/bin/clamscan:/dev/dri:/run/docker.sock

Yes, that will do it. Since it was a one-off use of the command you can likely ignore it rather than modify your open_basedir.
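As an added example (not code from any poster in this thread, nor from Nextcloud), a POSIX shell script that approximates PHP's open_basedir check on the bundle path and, when the bundle falls outside the allowed list, performs the copy-and-import that resolved the thread. It assumes the Nextcloud root /var/www/nextcloud, the web user apache and the RHEL-style bundle path used above; all three can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not from this thread's posters or the Nextcloud project.
# Assumed defaults (override via environment): Nextcloud root, web user, bundle.
NC_ROOT="${NC_ROOT:-/var/www/nextcloud}"
WEB_USER="${WEB_USER:-apache}"
BUNDLE="${BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}"
# within_open_basedir PATH LIST: 0 if PATH sits under (or equals) one of the
# colon-separated open_basedir entries, 1 otherwise. Like PHP, compare the
# resolved path: a symlink under the allowed tree that points outside it fails.
within_open_basedir() {
    path="$1"; list="$2"
    if [ -e "$path" ]; then
        resolved=$(readlink -f "$path" 2>/dev/null) && path="$resolved"
    fi
    old_ifs="$IFS"; IFS=':'
    for dir in $list; do
        [ "$dir" = "/" ] && { IFS="$old_ifs"; return 0; }
        dir="${dir%/}"
        [ -n "$dir" ] || continue
        case "$path" in
            "$dir"|"$dir"/*) IFS="$old_ifs"; return 0 ;;
        esac
    done
    IFS="$old_ifs"
    return 1
}
# import_bundle: real copy (cp -L follows the symlink) into the Nextcloud tree,
# owned by the web user, then occ import and listing, as in the fix above.
import_bundle() {
    dest="$NC_ROOT/resources/ssl/ca-bundle.crt"
    mkdir -p "$NC_ROOT/resources/ssl"
    cp -L "$BUNDLE" "$dest"
    chown "$WEB_USER:$WEB_USER" "$dest"
    chmod 0644 "$dest"
    sudo -u "$WEB_USER" php "$NC_ROOT/occ" security:certificates:import "$dest"
    sudo -u "$WEB_USER" php "$NC_ROOT/occ" security:certificates
}
# Privileged part runs only with --import; reads open_basedir from the same
# php.ini the CLI uses (the thread shows the CLI inherits the restriction).
if [ "${1:-}" = "--import" ]; then
    basedirs=$(php -r 'echo ini_get("open_basedir");')
    if [ -z "$basedirs" ] || within_open_basedir "$BUNDLE" "$basedirs"; then
        sudo -u "$WEB_USER" php "$NC_ROOT/occ" security:certificates:import "$BUNDLE"
    else
        echo "$BUNDLE is outside open_basedir ($basedirs); copying into $NC_ROOT"
        import_bundle
    fi
fi
```

Run it as root with --import on the Nextcloud host; a plain symlink placed inside the tree would not pass the check, which is why the copy is a real file.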