Nextcloud 19.09 Ubuntu 18.04 Curl error 60 unable to update any apps

Hello,

I’m having a very stubborn issue updating the apps on my NC 19.09 install. I’m running Ubuntu 18.04. And no matter the method I use, I cannot update, or install any apps. I’ve tried using the admin area and I’ve also tried using the occ command: sudo -u www-data php occ app:update --all.

Here’s an excerpt of the nextcloud.log:

Exception":"GuzzleHttp\Exception\RequestException","Message":"cURL error 60: SSL certificate problem: unable to get local issuer certificate (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)

Since the error is related to cURL not being able to get the local issuer certificate, I also modified the php.ini file by pointing it at a hard-coded location on the server: curl.cainfo = "/etc/ssl/certs/cacert.pem". The cacert.pem file was just downloaded from curl - Extract CA Certs from Mozilla, so I know it’s up to date. (I tried a .crt file as well, with no luck.) I also know that I’m editing the correct php.ini file, because I ran the following command to confirm: php -i | grep "Loaded Configuration File"

The server has a valid TLS certificate, issued by Digicert.

I thought that maybe cURL was corrupted or something, so I reinstalled that as well, but again, no luck. Any ideas?

Thank you very much in advance!!

Mark

Hi bomweb,

please could you post the output of the following command?

php -i | grep "curl"

/etc/php/7.2/cli/conf.d/20-curl.ini,
curl

And the contents of the 20-curl.ini file are:
; configuration for php curl module
; priority=20
extension=curl.so

This may seem to be a stupid question, but did you restart your Apache webserver after you changed the curl.cainfo parameter in your php.ini?

The above command should have returned the parameter as well, which it hasn’t.

Restarting the Apache webserver on Ubuntu:

$ apachectl restart

# OR

$ /etc/init.d/apache2 restart
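
An added example, not part of any post in this thread: php -i reports the CLI configuration (the output above comes from /etc/php/7.2/cli/), while PHP under Apache on Ubuntu loads its own php.ini, so this script reads each php.ini directly and reports whether curl.cainfo is set and points at a readable file that contains certificates. The script name check_cainfo.sh and the apache2 php.ini path are assumptions based on Ubuntu's standard layout, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): show which CA bundle each php.ini
# actually sets for curl.cainfo, and whether that file is usable.

# ini_value KEY FILE: print the last uncommented "KEY = value" in FILE,
# minus any trailing ";" comment and surrounding double quotes.
ini_value() {
    awk -v key="$1" '
        /^[ \t]*[;#]/ { next }                 # commented-out setting
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k != key) next
            sub(/[ \t]*;.*$/, "", v)           # trailing comment
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/^"|"$/, "", v)
            val = v                            # last assignment wins
        }
        END { if (val != "") print val }
    ' "$2"
}

# check_ca_bundle INI: prints unset | missing | unreadable | no-certs | ok:<n>
# Run it as the web server user (www-data in the thread) so the readability
# test reflects what PHP under Apache can open.
check_ca_bundle() {
    bundle=$(ini_value curl.cainfo "$1")
    [ -n "$bundle" ] || { echo "unset"; return 1; }
    [ -e "$bundle" ] || { echo "missing"; return 1; }
    [ -r "$bundle" ] || { echo "unreadable"; return 1; }
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    [ "$n" -gt 0 ] || { echo "no-certs"; return 1; }
    echo "ok:$n"
}

# report INI...: one line per php.ini that exists.
report() {
    for ini in "$@"; do
        [ -f "$ini" ] || continue
        printf '%s: curl.cainfo %s\n' "$ini" "$(check_ca_bundle "$ini")"
    done
}

# Usage (paths assumed from Ubuntu's /etc/php/<version>/<sapi>/ layout):
#   sh check_cainfo.sh /etc/php/7.2/cli/php.ini /etc/php/7.2/apache2/php.ini
if [ "$#" -gt 0 ]; then report "$@"; fi
```

A result of "unset" for the apache2 file alongside "ok" for the cli file means the edit went into a php.ini that the web server never reads.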

Thanks for the reply. Not a stupid question, since you never know the level of expertise someone has on these forums. Anyway, yes, I have restarted apache, and rebooted the server multiple times. Is there another avenue to force curl to use the local CA cert file?

Thanks,
Mark

CFelix,

I think I may have figured this out, at least partially. In our Apache config we had set specific Diffie-Hellman parameters that OpenSSL was supposed to use. One of those params referred to a file called dhparams.pem. I don’t completely understand what that file does, but it looks like a shortened version of a certificate file. Anyway, when I commented out the reference to that file in Apache config, and then restarted Apache, everything started working again.

I’m going to do some additional research on why curl didn’t like that dhparams file, and whether it’s a necessary thing to include, to enhance our security. If I find any useful information, I’ll post it here.

Thank you for your help!!!