Overwrite provided ca-bundle

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • 32.0.6
  • Operating system and version (e.g., Ubuntu 24.04):
    • Red Hat Enterprise Linux 8.10 (Ootpa)
  • Web server and version (e.g., Apache 2.4.25):
    • Apache/2.4.37
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
    • Bare Metal

Nextcloud uses its own ca-bundle.cer. Why?
My problem is, our Nextcloud server connects through a proxy to the internet. This proxy uses a company-signed certificate. The company's CA is not listed in Nextcloud's ca-bundle. And this is why I have to copy the certificate of our certificate to Nextcloud's ca-bundle.cer after each update.

Is there a way to tell Nextcloud to use another ca-bundle? The one of the operating system it’s running on, for example? Or an easier way to make Nextcloud trust my company's CA?
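
The manual step described in the post above (re-adding the company CA to the bundled file after each update) can be made idempotent by comparing certificate fingerprints before appending. This is an added example, not part of the original thread and not Nextcloud code: the function names are hypothetical, and the PEM blocks in `demo()` are constructed placeholders rather than real certificates.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """Map SHA-256(DER) fingerprint -> full PEM block for each cert in text."""
    blocks = {}
    for m in PEM_RE.finditer(text):
        der = base64.b64decode("".join(m.group(1).split()))
        blocks[hashlib.sha256(der).hexdigest()] = m.group(0)
    return blocks

def ensure_ca_in_bundle(bundle_path, ca_pem):
    """Append certs from ca_pem that the bundle lacks; return how many were added."""
    bundle = Path(bundle_path)
    wanted = pem_blocks(ca_pem)
    if not wanted:
        raise ValueError("no certificate block found in CA input")
    # latin-1 round-trips every byte, so comments in the bundle survive a rewrite
    text = bundle.read_text(encoding="latin-1")
    present = pem_blocks(text)
    missing = [pem for fp, pem in wanted.items() if fp not in present]
    if not missing:
        return 0
    if text and not text.endswith("\n"):
        text += "\n"
    tmp = Path(str(bundle) + ".tmp")
    tmp.write_text(text + "\n".join(missing) + "\n", encoding="latin-1")
    tmp.replace(bundle)  # rename over the original so readers never see a partial file
    return len(missing)

def fake_pem(label):
    """Constructed placeholder: PEM framing around arbitrary bytes, not a real cert."""
    body = base64.b64encode(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"

def demo():
    with tempfile.TemporaryDirectory() as d:
        bundle = Path(d) / "ca-bundle.crt"  # stand-in for the real bundle path
        bundle.write_text(fake_pem(b"public-ca") + "\n", encoding="latin-1")
        first = ensure_ca_in_bundle(bundle, fake_pem(b"company-ca"))
        second = ensure_ca_in_bundle(bundle, fake_pem(b"company-ca"))
        return first, second, len(pem_blocks(bundle.read_text(encoding="latin-1")))

if __name__ == "__main__":
    print(demo())
```

Run after an update, the second call shows that repeating the step does not duplicate the CA in the bundle.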

Hi, have you checked Configuration Parameters — Nextcloud latest Administration Manual latest documentation?

Ahhhh, come on! Yes, I did. Over a million times in the last 10+ years. Because I always had the feeling, there has to be a configuration option. And I’m using a lot of “all other” configuration options from exactly this page. Never found this one :man_facepalming:

Thanks for pointing me to the right section!

Added the following configuration entry to the config:

'default_certificates_bundle_path' => '/etc/pki/tls/certs/ca-bundle.crt'

Then “removed” Nextcloud's ca-bundle.crt

mv /data/vhosts/nextcloud/resources/config/ca-bundle.crt /data/vhosts/nextcloud/resources/config/ca-bundle.crt.bak

After that I checked everything with

occ setupchecks

and the result was:
Internetverbindung: Dieser Server hat keine funktionierende Internetverbindung
(no working connection to the internet)

I then restarted Apache. After that the whole machine. But no changes.

What did I do wrong?

Is this the same issue with the AppAPI?