Let's Encrypt certificate expiry + snap server installation = security issue, solution needed

ā„¹ļø Support šŸ“¦ Appliances (Docker, Snappy, VM, NCP, AIO)
, ,
1

Nextcloud version: 22.1.1
Operating system and version: Xubuntu 20.04.2.0 LTS
Apache or nginx version: Apache (fpm-fcgi)
PHP version: 7.4.23

The issue you are facing:
Since the Letā€™s Encrypt certificate expired none of the clients have worked, nor can I access the service in a web browser because they come back with a security error.

I have tried Windows and Linux PCs and browsers including Firefox, Waterfox, Edge and Chrome. All browsers give some form of error about the certificate having expired and will not go any further because HSTS is set, not allowing an exception to be made either. The NextCloud client can be told to trust the certificate, but I donā€™t want to have to contact every user to tell them to accept an expired certificate; it is not good practice. I want to fix it at the server end.

I tried to remove DST_Root_CA_X3.pem but cannot just delete it as I have installed the NextCloud server using snap. I tried using unsquashfs, remove squashfs-root/etc/ssl/certs/DST_Root_CA_X3.pem, then mksquashfs again to rebuild the core18 snap file that holds it, but then the core18 snap file is considered ā€˜brokenā€™ and wonā€™t work.

Iā€™ve applied all operating system and snap updates.

Any suggestions?

Is this the first time youā€™ve seen this error? (Y/N): Y

$ snap list
Name               Version             Rev    Tracking         Publisher   Notes
core18             20210722            2128   latest/stable    canonicalāœ“  base
nextcloud          22.1.1snap2         28549  latest/stable    nextcloudāœ“  -
2

Do I need to just wait for the snap developers to remove this duff Letā€™s Encrypt certificate from the snap file? I cannot work out what I need to do to remove this certificate for myself because it is embedded in the Linux core18 snap file, so I cannot get NextCloud working.

3

It seems rebuilding core18 snap is not as straightforward as just using mksquashfs and the instructions are of no help.

Iā€™ve logged an issue with the core18 snap file on GitHub about the expired Letā€™s Encrypt certificate.

4

After being given some advice, I changed the core18 snap from the stable version to a new beta version, which does not contain the expired Letā€™s Encrypt DST_Root_CA_X3 certificate.

That has made no difference. Quite why that has worked for other peopleā€™s NextCloud sites and not mine, I do not understand.