Nextcloud App untrusted certificate, OK in browser

Hello,

I have an issue where my LE certificate on the firewall updated, browser is showing the correct certificate, but the app under windows does not, and gives me untrusted certificate error.
Nextcloud is running on the Ubuntu server.
App is on windows.
Both are the latest version: 22.1.1 and 3.3.4.
I tried reinstall/repair of the app, that didn’t help, also tried logging out of the account and logging back in, same error.
Can someone help please?
Thank you

Hi,

i can confirm the same thing since today, on two different sites … Web is ok, Android App is ok, but the Win Client fails the connection due to a Certificate Validation error.

But the error is popping for an LetsEncypt intermediate CA certficate which expired yesterday evening. Is the Win Client using its own Root CA list to trust and not the systems one?
2021-09-30_08-36-43

Had a quick look in the install folder of the Client but found nothing.

I have the exact same issue on multiple systems, at first it was both internal and external accesses but I fixed the internal by updating the intermediate certificate for R3, but this hasn’t helped for external access so far but that could be because it’s using the firewall’s own copy of the certificates as it’s going through HAProxy whereas internal it’s direct to the Nextcloud server.

I found this for you:
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
https://scotthelme.co.uk/lets-encrypt-old-root-expiration/

But sorry i have got no solution for your problem.

Found also this: https://docs.certifytheweb.com/docs/kb/kb-202109-letsencrypt/

Windows PC

On windows PCs, simply browsing to a website using Chrome, Edge etc with updated the client trust store with the required certificates. Browsing to https://valid-isrgrootx1.letsencrypt.org/ will prompt Windows to include ISRG Root X1 in its trust store automatically.

Sorry does not work for me. No message to include something.

So check with the firewall, how to update certificates there. Does it just cache the certificates? Perhaps they have tutorials like they did for pfsense:
https://blog.tastatursport.de/2021/09/pfsense-2-5-x-letsencrypt-haproxy-proper-mitigation-of-expiring-le-intermediate-ca/

So I have resolved the issue, but it was made more confusing because all the browsers I tested access with whether internal and external, on PC or mobile, all showed the newer server certificate, but what the NC Windows client was actually showing was the LE intermediate CA certificate - it’s obviously not just me that didn’t spot that at first.

Also the firewall running my HAProxy and also managing the LE certificates was still using the older intermediate CA certificate when renewing my certificates even though I had a while back installed the new one that has now taken over. After deleting the expired one and then forcefully renewing all 20+ certificates which had to be done one at a time, the Windows NC client was happy again.

I hope that makes sense and that it helps anyone else with similar problems, so for me all is back to normal.

1 Like

7 posts were split to a new topic: Letsencrypt ISRG Root X1 local lookup not found

I have the same issue. I solve the problem like this: close app nexcloud on your PC and from default browser (edge/chrome/firefox/etc) enter on this site https://valid-isrgrootx1.letsencrypt.org/ . It works.

This is a bug in the NextCloud Windows client: ISRG Root X1 Certificate not trusted · Issue #3858 · nextcloud/desktop · GitHub

They are working on a fix right now.

1 Like

Is there any progress on this?

Read this

Hello, I’m having the same issue. I moved my reverse proxy on unraid from SWAG (which had no certificate problem) to Nginx Proxy Manager. I am using Lets Encrypt for my domain nextcloud.server.com and it works great on all browsers, but not the desktop apps. I get the same error you mentioned. I have never messed with certificates. I do not know where to find them to delete the old one. I’m using unraid 6.9.2 for my nextcloud. Any advice or directions would be appreciated. Thanks