I’d like to warm up a thread by @emrah which was posted some years ago.
I created my own CA certificate recently and used it to sign the certificate of my Nextcloud server. I’m using Linux Mint on my desktop machine with Nextcloud client 3.4.1 installed. I integrated the CA certificate in the system’s CA store which is /etc/ssl/certs/ca-certificates.crt. Using curl, I can verify that the certificate chain is evaluated correctly for accessing the Nextcloud server.
Unfortunately, the Nextcloud desktop client doesn’t seem to take the above-mentioned CA store into account. After starting the client, I’m always confronted with a popup dialog which tells me that the certificate of the CA cannot be found. I have the possibility to manually trust the host certificate – but obviously, this is what I wanted to avoid by creating my own CA.
I had a look at the source code of the client and tried to understand what’s going on. Unfortunately, I’m neither a C++ nor a Qt expert. I understand that accessing the CA store is handled by Qt internally and that it’s configured using the QSslConfiguration class. I was not able to find any information to which certificate store the Qt implementation defaults on Linux.
My next try was using strace to find out which files are accessed during startup of the client. Interestingly, the client actually accesses directory /etc/ssl/certs/ and reads a single (apparently arbitrary) .crt file in there (not ca-certificates.crt). I was wondering why the client is only reading a single .crt file, but I would guess that the whole operation might be aborted due to an error.
Desperately, I decided to start a debug build of the client and see what’s really going on. After spending some more hours trying to resolve build dependencies, I finally quit when the client threw a “symbol error” on start. Apparently, there was an inconsistency with my installed libraries that was beyond my ability to resolve.
When I was just giving up hope, I stumbled over the entry “0\General\CaCertificates” in nextcloud.cfg (section [Accounts]). I gave it a try and pasted my CA certificate there… and was rewarded by the client, which was finally able to verify the certificate chain.
Nevertheless, I’d really be interested to get some background information on how the client actually works in this matter. I’m of the opinion that the client should definitely take the system’s CA store into account when trying to evaluate certificate chains. So if anybody is able to shed some light on this (perhaps by having a working debug build), I’d be very thankful!
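As an added example (not from the original post or the Nextcloud project): a small Python check for the first step above, confirming by SHA-256 fingerprint that a custom CA really is present in the PEM bundle curl verifies against, and reporting the default trust paths of the OpenSSL linked into the interpreter. The function names and the sample "certificates" are mine and constructed; the reported paths belong to Python's OpenSSL build, which need not be the one the Qt client links.

```python
import base64
import hashlib
import re
import ssl

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_body: str) -> bytes:
    """Strip whitespace and base64-decode one PEM body into raw DER bytes."""
    return base64.b64decode("".join(pem_body.split()))

def sha256_fingerprints(bundle_text: str) -> list:
    """SHA-256 fingerprint (lower-case hex, no colons) of every certificate in
    a PEM bundle; same value as `openssl x509 -noout -fingerprint -sha256`."""
    return [hashlib.sha256(pem_to_der(body)).hexdigest()
            for body in PEM_CERT.findall(bundle_text)]

def ca_in_bundle(ca_pem: str, bundle_text: str) -> bool:
    """True if the first certificate in ca_pem is present in bundle_text."""
    bodies = PEM_CERT.findall(ca_pem)
    if not bodies:
        raise ValueError("no PEM certificate found in ca_pem")
    wanted = hashlib.sha256(pem_to_der(bodies[0])).hexdigest()
    return wanted in sha256_fingerprints(bundle_text)

def default_verify_paths() -> dict:
    """Where the OpenSSL linked into this Python looks for trust roots when
    nothing is configured, plus the env vars (SSL_CERT_FILE/DIR) that override it."""
    p = ssl.get_default_verify_paths()
    return {"cafile": p.cafile, "capath": p.capath,
            "cafile_env": p.openssl_cafile_env, "capath_env": p.openssl_capath_env}

def fake_pem(label: bytes) -> str:
    """Constructed stand-in for a certificate: real PEM framing, arbitrary DER."""
    b64 = base64.b64encode(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed sample data (not real certificates); on a real system read
# /etc/ssl/certs/ca-certificates.crt and your CA's .crt file instead.
MY_CA = fake_pem(b"constructed-my-own-ca")
OTHER_CA = fake_pem(b"constructed-some-other-ca")
SYSTEM_BUNDLE = fake_pem(b"constructed-public-root-1") + MY_CA

if __name__ == "__main__":
    print(default_verify_paths())
    print("my CA in bundle:", ca_in_bundle(MY_CA, SYSTEM_BUNDLE))        # True
    print("other CA in bundle:", ca_in_bundle(OTHER_CA, SYSTEM_BUNDLE))  # False
```

If the CA is in the bundle here but the client still complains, the gap is on the client side rather than in the system store, which is the situation the post describes.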