It is my first post, so hi everyone.
I blocked outgoing http(s) traffic on my application VM, which includes a Nextcloud instance. I'm using e2guardian as an HTTP proxy through port 8080. It goes like this:
appserver → http(s) → e2guardian → internet → e2guardian with SSL termination → appserver
Now I have trouble with Nextcloud updates.
I can curl update server with no trouble:
sudo -u ncappuser curl -Is https://updates.nextcloud.com/
HTTP/1.1 200 Connection established
HTTP/1.1 200 OK
Date: Sun, 24 Mar 2024 12:27:59 GMT
Server: Apache
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
Content-Security-Policy: default-src 'none'
Connection: close
Content-Type: text/html; charset=UTF-8
with e2guardian saying:
1711283279.344 - ip.ip.ip.ip ip.ip.ip.ip https://updates.nextcloud.com HEAD 200 0 text/html -- 69 - 602 *TRUSTED* Site match: updates.nextcloud.com 0 - group1 1 - 8080:PM::def
1711283868.588 - ip.ip.ip.ip ip.ip.ip.ip https://apps.nextcloud.com HEAD 200 0 text/html -- 826 - 602 *TRUSTED* Site match: apps.nextcloud.com 0 - group1 1 - 8080:PM::def
This is working, because I have http_proxy, https_proxy, HTTP_PROXY and HTTPS_PROXY in my profile and set
Defaults env_keep += "http_proxy https_proxy ftp_proxy no_proxy HTTP_PROXY HTTPS_PROXY FTP_PROXY NO_PROXY"
in sudoers file.
I also added the e2guardian root CA to the /etc/ssl/certs/ca-bundle.crt file, so curl doesn't complain about an untrusted certificate.
Now Nextcloud:
sudo -u ncappuser /usr/bin/php /path/to/nextcloud/public_html/occ update:check
Everything up to date
but it's not, and e2guardian says:
1711283758.409 - ip.ip.ip.ip ip.ip.ip.ip https://apps.nextcloud.com:443 CONNECT 403 0 - - -58 - 154 *DENIED* Failed to negotiate ssl connection to client 0 SSL SITE group1 1 - 8080:PS::def
Nextcloud is logging failed update attempts:
{"reqId":"zZ9QRtIoz6x1Yl7kPPVl","level":2,"time":"2024-03-24T12:35:58+00:00","remoteAddr":"","user":"--","app":"appstoreFetcher","method":"","url":"--","message":"cURL error 60: SSL certificate problem: unable to get local issuer certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://apps.nextcloud.com/api/v1/apps.json","userAgent":"--","version":"28.0.3.2","exception":{"Exception":"GuzzleHttp\\Exception\\RequestException","Message":"cURL error 60: SSL certificate problem: unable to get local issuer certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://apps.nextcloud.com/api/v1/apps.json","Code":200,"Trace":[{"file":"/path/to/nextcloud/public_html/3rdparty/guzzlehttp/guzzle/src/Handler/CurlFactory.php","line":158,"function":"createRejection","class":"GuzzleHttp\\Handler\\CurlFactory","type":"::","args":["*** sensitive parameters replaced ***"]},{"file":"/path/to/nextcloud/public_html/3rdparty/guzzlehttp/guzzle/src/Handler/CurlFactory.php","line":110,"function":"finishError","class":"GuzzleHttp\\Handler\\CurlFactory","type":"::"},{"file":"/path/to/nextcloud/public_html/3rdparty/guzzlehttp/guzzle/src/Handler/CurlHandler.php","line":47,"function":"finish","class":"GuzzleHttp\\Handler\\CurlFactory","type":"::"},{"file":"/path/to/nextcloud/public_html/3rdparty/guzzlehttp/guzzle/src/Middleware.php","line":137,"function":"__invoke","class":"GuzzleHttp\\Handler\\CurlHandler","type":"->"},{"file":"/path/to/nextcloud/public_html/lib/private/Http/Client/DnsPinMiddleware.php","line":161,"function":"GuzzleHttp\\{closure}","class":"GuzzleHttp\\Middleware","type":"::","args":["*** sensitive parameters replaced ***"]},{"file":"/path/to/nextcloud/public_html/3rdparty/guzzlehttp/guzzle/src/PrepareBodyMiddleware.php","line":35,"function":"OC\\Http\\Client\\{closure}","class":"OC\\Http\\Client\\DnsPinMiddleware","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/path/to/nextcloud/public_html/3rdparty/guzzlehttp/guzzle/src/Middleware.php","line":31,"function":"__invoke","class":"GuzzleHttp\\PrepareBodyMiddleware","type":"->"},{"file":"/path/to/nextcloud/public_html/3rdparty/guzzlehttp/guzzle/src/RedirectMiddleware.php","line":71,"function":"GuzzleHttp\\{closure}","class":"GuzzleHttp\\Middleware","type":"::","args":["*** sensitive parameters replaced ***"]},{"file":"/path/to/nextcloud/public_html/3rdparty/guzzlehttp/guzzle/src/Middleware.php","line":63,"function":"__invoke","class":"GuzzleHttp\\RedirectMiddleware","type":"->"},{"file":"/path/to/nextcloud/public_html/3rdparty/guzzlehttp/guzzle/src/HandlerStack.php","line":75,"function":"GuzzleHttp\\{closure}","class":"GuzzleHttp\\Middleware","type":"::","args":["*** sensitive parameters replaced ***"]},{"file":"/path/to/nextcloud/public_html/3rdparty/guzzlehttp/guzzle/src/Client.php","line":331,"function":"__invoke","class":"GuzzleHttp\\HandlerStack","type":"->"},{"file":"/path/to/nextcloud/public_html/3rdparty/guzzlehttp/guzzle/src/Client.php","line":168,"function":"transfer","class":"GuzzleHttp\\Client","type":"->"},{"file":"/path/to/nextcloud/public_html/3rdparty/guzzlehttp/guzzle/src/Client.php","line":187,"function":"requestAsync","class":"GuzzleHttp\\Client","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/path/to/nextcloud/public_html/lib/private/Http/Client/Client.php","line":230,"function":"request","class":"GuzzleHttp\\Client","type":"->"},{"file":"/path/to/nextcloud/public_html/lib/private/App/AppStore/Fetcher/Fetcher.php","line":123,"function":"get","class":"OC\\Http\\Client\\Client","type":"->"},{"file":"/path/to/nextcloud/public_html/lib/private/App/AppStore/Fetcher/AppFetcher.php","line":86,"function":"fetch","class":"OC\\App\\AppStore\\Fetcher\\Fetcher","type":"->"},{"file":"/path/to/nextcloud/public_html/lib/private/App/AppStore/Fetcher/Fetcher.php","line":193,"function":"fetch","class":"OC\\App\\AppStore\\Fetcher\\AppFetcher","type":"->"},{"file":"/path/to/nextcloud/public_html/lib/private/App/AppStore/Fetcher/AppFetcher.php","line":187,"function":"get","class":"OC\\App\\AppStore\\Fetcher\\Fetcher","type":"->"},{"file":"/path/to/nextcloud/public_html/lib/private/Installer.php","line":423,"function":"get","class":"OC\\App\\AppStore\\Fetcher\\AppFetcher","type":"->"},{"file":"/path/to/nextcloud/public_html/apps/updatenotification/lib/Command/Check.php","line":83,"function":"isUpdateAvailable","class":"OC\\Installer","type":"->"},{"file":"/path/to/nextcloud/public_html/3rdparty/symfony/console/Command/Command.php","line":298,"function":"execute","class":"OCA\\UpdateNotification\\Command\\Check","type":"->"},{"file":"/path/to/nextcloud/public_html/3rdparty/symfony/console/Application.php","line":1040,"function":"run","class":"Symfony\\Component\\Console\\Command\\Command","type":"->"},{"file":"/path/to/nextcloud/public_html/3rdparty/symfony/console/Application.php","line":301,"function":"doRunCommand","class":"Symfony\\Component\\Console\\Application","type":"->"},{"file":"/path/to/nextcloud/public_html/3rdparty/symfony/console/Application.php","line":171,"function":"doRun","class":"Symfony\\Component\\Console\\Application","type":"->"},{"file":"/path/to/nextcloud/public_html/lib/private/Console/Application.php","line":213,"function":"run","class":"Symfony\\Component\\Console\\Application","type":"->"},{"file":"/path/to/nextcloud/public_html/console.php","line":100,"function":"run","class":"OC\\Console\\Application","type":"->"},{"file":"/path/to/nextcloud/public_html/occ","line":11,"args":["/path/to/nextcloud/public_html/console.php"],"function":"require_once"}],"File":"/path/to/nextcloud/public_html/3rdparty/guzzlehttp/guzzle/src/Handler/CurlFactory.php","Line":211,"message":"cURL error 60: SSL certificate problem: unable to get local issuer certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://apps.nextcloud.com/api/v1/apps.json","exception":{},"CustomMessage":"cURL error 60: SSL certificate problem: unable to get local issuer certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://apps.nextcloud.com/api/v1/apps.json"}}
and indeed complains about an invalid SSL certificate.
This is my config.php:
<?php
$CONFIG = array (
  'instanceid' => 'xxxxxxxxxxx',
  'passwordsalt' => 'xxxxxxxxx',
  'secret' => 'xxxxxxxxxxxx',
  'trusted_domains' =>
  array (
    0 => 'my.site.com',
  ),
  'trusted_proxies' =>
  array (
    0 => 'ip.ip.ip.ip',
    1 => 'ip.ip.ip.ip',
  ),
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => 'my.database.server',
    'port' => 6379,
  ),
  'datadirectory' => '/path/to/nextcloud/public_html/data',
  'dbtype' => 'mysql',
  'version' => '28.0.3.2',
  'overwrite.cli.url' => 'https://my.site.com',
  'overwriteprotocol' => 'https',
  'dbname' => 'mysitecom',
  'dbhost' => 'my.database.server:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'mysitecom',
  'dbpassword' => 'xxxxxxxxx',
  'installed' => true,
  'trashbin_retention_obligation' => 'auto, 33',
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'updater.release.channel' => 'stable',
  'proxy' => 'http://my.proxy.server:8080',
  'proxyexclude' => ['my.site.com'],
);
And additionally: is it really necessary for my.site.com/index.php/settings/admin/overview to poke eff.org, startpage.com and edri.org? I wonder how many requests from Nextcloud instances those guys get every hour.
Take care and have fun!
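An added diagnostic for the situation described in the post (this is editor-supplied example code, not the poster's or Nextcloud's). The two symptoms line up: e2guardian logs the CONNECT to apps.nextcloud.com as "Failed to negotiate ssl connection to client", and Nextcloud logs cURL error 60 ("unable to get local issuer certificate"). Both say the same thing: the TLS client inside PHP rejected the certificate the intercepting proxy forged for apps.nextcloud.com, because the proxy's root CA is not in the trust store that client reads. The command-line curl succeeded because /etc/ssl/certs/ca-bundle.crt was extended; that does not prove the PHP/Guzzle client consults the same file. The script below parses e2guardian access-log lines of the shape quoted in the post, picks out destinations whose CONNECT was denied for a failed TLS negotiation, and checks by SHA-256 fingerprint which of a set of CA bundles actually contain the proxy's root certificate. The log lines and the PEM "certificates" are constructed placeholders (the PEM bodies are not real X.509 DER, but fingerprinting works on the decoded bytes exactly as `openssl x509 -noout -fingerprint -sha256` does); the bundle names "system" and "nextcloud" are assumptions for illustration.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

# Constructed sample: two e2guardian access-log lines modelled on the ones
# quoted in the post (IPs and timestamps are placeholders, not real data).
SAMPLE_LOG = """\
1711283279.344 - 10.0.0.5 10.0.0.2 https://updates.nextcloud.com HEAD 200 0 text/html -- 69 - 602 *TRUSTED* Site match: updates.nextcloud.com 0 - group1 1 - 8080:PM::def
1711283758.409 - 10.0.0.5 10.0.0.2 https://apps.nextcloud.com:443 CONNECT 403 0 - - -58 - 154 *DENIED* Failed to negotiate ssl connection to client 0 SSL SITE group1 1 - 8080:PS::def
"""

# Fields we need from the e2guardian line: timestamp, client, server, URL,
# method, HTTP status, the *DENIED*/*TRUSTED* verdict and its reason text.
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) - (?P<client>\S+) (?P<server>\S+) (?P<url>\S+) "
    r"(?P<method>\S+) (?P<status>\d{3}) .*?\*(?P<action>DENIED|TRUSTED)\* "
    r"(?P<reason>.*?) \d+ "
)

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def parse_log(text):
    """Parse e2guardian access-log lines into dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["host"] = urlsplit(rec["url"]).hostname
            records.append(rec)
    return records


def denied_tls_hosts(records):
    """Hosts whose CONNECT the proxy denied because the TLS handshake with the client failed."""
    return sorted(
        {
            r["host"]
            for r in records
            if r["action"] == "DENIED"
            and r["method"] == "CONNECT"
            and "ssl" in r["reason"].lower()
        }
    )


def cert_fingerprints(pem_text):
    """SHA-256 fingerprints (colon-separated, upper-case, as openssl prints them)
    of every CERTIFICATE block in a PEM bundle."""
    out = set()
    for m in PEM_RE.finditer(pem_text):
        der = base64.b64decode("".join(m.group(1).split()))
        digest = hashlib.sha256(der).hexdigest().upper()
        out.add(":".join(digest[i:i + 2] for i in range(0, len(digest), 2)))
    return out


def bundle_trusts(bundle_pem, ca_pem):
    """True if every certificate in ca_pem is present (by fingerprint) in bundle_pem."""
    return cert_fingerprints(ca_pem) <= cert_fingerprints(bundle_pem)


def diagnose(log_text, bundles, ca_pem):
    """Map each bundle that does NOT contain the proxy CA to the hosts whose
    CONNECT the proxy logged as a failed TLS negotiation."""
    hosts = denied_tls_hosts(parse_log(log_text))
    return {name: hosts for name, pem in bundles.items() if not bundle_trusts(pem, ca_pem)}


def _fake_cert(label):
    # Constructed placeholder: a PEM block wrapping arbitrary bytes, NOT a real
    # X.509 certificate. Fingerprinting hashes the decoded bytes either way.
    body = base64.b64encode(("constructed-cert:" + label).encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Assumed trust stores: the system bundle got the proxy CA appended, the
# application's own bundle did not. Names are illustrative only.
PROXY_CA = _fake_cert("e2guardian-root-ca")
SYSTEM_BUNDLE = _fake_cert("public-root-1") + _fake_cert("public-root-2") + PROXY_CA
NEXTCLOUD_BUNDLE = _fake_cert("public-root-1") + _fake_cert("public-root-2")

if __name__ == "__main__":
    bundles = {"system": SYSTEM_BUNDLE, "nextcloud": NEXTCLOUD_BUNDLE}
    for name, hosts in diagnose(SAMPLE_LOG, bundles, PROXY_CA).items():
        print(f"bundle '{name}' lacks the proxy CA; denied TLS CONNECTs to: {', '.join(hosts)}")
```

On a real host, replace the constructed strings with the contents of the proxy CA file, /etc/ssl/certs/ca-bundle.crt, and whichever bundle the PHP client is configured to use, and feed it the real e2guardian access log. Nextcloud ships its own CA bundle and provides `occ security:import-certificate <path>` / `occ security:list-certificates` for adding a private root to its trust store, which is the usual fix when command-line curl trusts an intercepting proxy but Nextcloud's Guzzle client does not.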