Describe the bug
error generating certificate: openssl_csr_sign(): Argument #1 ($csr) must be of type OpenSSLCertificateSigningRequest|string, false given
To reproduce
Summary
I cannot complete LibreSign OpenSSL configuration on Oracle Linux 9.
Running occ libresign:configure:openssl always fails with a TypeError in OpenSslHandler.php because openssl_csr_sign() receives false instead of a valid CSR, even though OpenSSL and the OpenSSL config work correctly from the CLI (including when run as user apache).
Commands and output
From /var/www/html/nextcloud:
sudo -u apache php occ libresign:configure:check
--------- ------------------- ------------------------------------------------------------------------------------------------------------------------- -------------------------------------
Status Resource Message Tip
--------- ------------------- ------------------------------------------------------------------------------------------------------------------------- -------------------------------------
success java Java version: openjdk version "21.0.8" 2025-07-15 LTS
success java Java binary: /var/www/html/nextcloud/data/appdata_oc2dci802tok/libresign/aarch64/linux/java/jdk-21.0.8+9-jre/bin/java
success pdftk PDFtk version: 3.3.3
success pdftk PDFtk path: /var/www/html/nextcloud/data/appdata_oc2dci802tok/libresign/aarch64/pdftk/pdftk.jar
success jsignpdf JSignPdf version: 2.3.0
success jsignpdf JSignPdf path: /var/www/html/nextcloud/data/appdata_oc2dci802tok/libresign/aarch64/jsignpdf/jsignpdf-2.3.0/JSignPdf.jar
success pdfsig pdfsig version: 21.01.0
success pdfinfo pdfinfo version: 21.01.0
error openssl-configure OpenSSL (root certificate) not configured. Run occ libresign:configure:openssl --help
--------- ------------------- ------------------------------------------------------------------------------------------------------------------------- -------------------------------------
Then:
```bash
sudo -u apache php occ libresign:configure:openssl \
  --cn="LibreSign Root CA" \
  -o="Infrastructure Nextcloud" \
  --ou="DevOps" \
  -c="FR" \
  -s="Provence-Alpes-Côte d'Azur" \
  -l="Salon-de-Provence" \
  -vvv
```
Always fails with:
An unhandled exception has been thrown:
TypeError: openssl_csr_sign(): Argument #1 ($csr) must be of type OpenSSLCertificateSigningRequest|string, false given in /var/www/html/nextcloud/apps/libresign/lib/Handler/CertificateEngine/OpenSslHandler.php:100
Stack trace:
#0 /var/www/html/nextcloud/apps/libresign/lib/Handler/CertificateEngine/OpenSslHandler.php(100): openssl_csr_sign()
#1 /var/www/html/nextcloud/apps/libresign/lib/Service/Install/InstallService.php(777): OCA\Libresign\Handler\CertificateEngine\OpenSslHandler->generateRootCert()
#2 /var/www/html/nextcloud/apps/libresign/lib/Command/Configure/OpenSsl.php(86): OCA\Libresign\Service\Install\InstallService->generate()
#3 /var/www/html/nextcloud/3rdparty/symfony/console/Command/Command.php(326): OCA\Libresign\Command\Configure\OpenSsl->execute()
#4 /var/www/html/nextcloud/core/Command/Base.php(220): Symfony\Component\Console\Command\Command->run()
#5 /var/www/html/nextcloud/3rdparty/symfony/console/Application.php(1083): OC\Core\Command\Base->run()
#6 /var/www/html/nextcloud/3rdparty/symfony/console/Application.php(324): Symfony\Component\Console\Application->doRunCommand()
#7 /var/www/html/nextcloud/3rdparty/symfony/console/Application.php(175): Symfony\Component\Console\Application->doRun()
#8 /var/www/html/nextcloud/lib/private/Console/Application.php(187): Symfony\Component\Console\Application->run()
#9 /var/www/html/nextcloud/console.php(92): OC\Console\Application->run()
#10 /var/www/html/nextcloud/occ(33): require_once('...')
#11 {main}
So openssl_csr_sign() is called with $csr = false, i.e. openssl_csr_new() failed silently.
OpenSSL config
System default config:
```bash
php -i | grep -i openssl.cnf
Openssl default config => /etc/pki/tls/openssl.cnf
```
Relevant parts of /etc/pki/tls/openssl.cnf:
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = XX
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
localityName_default = Default City
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Default Company Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your name or your server's hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
# keyUsage = cRLSign, keyCertSign
I also tried adding explicitly:
```text
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
```
OpenSSL works fine from CLI (including as apache)
As root:
```bash
openssl req -new -x509 -days 1 -nodes \
  -keyout /tmp/test.key \
  -out /tmp/test.crt \
  -subj "/CN=test" \
  -config /etc/pki/tls/openssl.cnf \
  -extensions v3_ca
openssl x509 -in /tmp/test.crt -text -noout | grep -A5 "CA:TRUE"
```
Shows:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
LibreSign PKI folder
content of folder /var/www/html/nextcloud/data/appdata_oc2dci802tok/libresign/pki
drwxr-xr-x. 2 apache apache 4096 Apr 14 12:39 5c91esvd2j_1_openssl
drwxr-xr-x. 2 apache apache 4096 Apr 14 17:46 5c91esvd2j_2_openssl
drwxr-xr-x. 2 apache apache 4096 Apr 14 17:46 5c91esvd2j_3_openssl
drwxr-xr-x. 2 apache apache 4096 Apr 14 17:54 5c91esvd2j_4_openssl
drwxr-xr-x. 2 apache apache 4096 Apr 14 17:56 5c91esvd2j_5_openssl
Last one:
cat 5c91esvd2j_5_openssl/openssl.cnf
I manually replaced it with a minimal working config:
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no
[ req_distinguished_name ]
C = FR
ST = Provence-Alpes-Côte d'Azur
L = Salon-de-Provence
O = Infrastructure Nextcloud
OU = DevOps
CN = LibreSign Root CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
However, occ libresign:configure:openssl still fails with the same openssl_csr_sign() TypeError.
SELinux
I did see earlier SELinux denials about bash executing java (suggesting to enable httpd_unified). After that, there are no new SELinux setroubleshoot entries when running libresign:configure:openssl again.
I tried with SELinux permissive, no change.
What I suspect
OpenSSL config and CLI usage are valid, including with apache (except for writing to /tmp/test.key, which is SELinux-related, but CSR generation itself works).
LibreSign’s OpenSslHandler::generateRootCert() calls openssl_csr_new() with some options/args that fail with OpenSSL 3 / Oracle Linux 9, and this failure is not logged, so openssl_csr_sign() receives false and throws a TypeError.
It looks like a compatibility or logic bug in LibreSign’s OpenSSL handler when generating the root certificate on this platform.
Request
Could you please:
Review OpenSslHandler::generateRootCert() and how openssl_csr_new() is called (especially options / DN / config handling) for OpenSSL 3 / RHEL9/Oracle Linux 9.
Add error handling/logging around openssl_csr_new() to surface why it returns false (e.g. using openssl_error_string() or similar).
Document the expected structure/paths for the root CA and private key inside data/appdata_*/libresign/pki so that, as a workaround, we can generate the CA manually and drop it where LibreSign expects it.
Should you need more logs (php.ini, full OpenSSL config, SELinux AVC entries, etc.), just let me know.
Expected behavior
Being able to generate the certificate
Screenshots
No response
Environment information
Environment
- Nextcloud: 33.0.2
- LibreSign app version: 13.2.2
- PHP: 8.3.30
- OpenSSL: 3.5.1 1 Jul 2025 (Library: OpenSSL 3.5.1 1 Jul 2025)
- OS: Oracle Linux 9.7
- Web server user: apache
Additional context
No response
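The error handling requested in the report could look like the following stand-alone diagnostic, which checks every OpenSSL return value and reports the queued `openssl_error_string()` entries instead of passing `false` on to `openssl_csr_sign()`. This is an added example, not LibreSign's code: `drainOpenSslErrors()`, `fail()` and `generateRootCaChecked()` are hypothetical names, the option set is an assumption, and the config path and DN values are the ones quoted in the report.

```php
<?php
declare(strict_types=1);

// Collect every queued OpenSSL error; openssl_error_string() pops one per call.
function drainOpenSslErrors(): array
{
    $errors = [];
    while (($msg = openssl_error_string()) !== false) {
        $errors[] = $msg;
    }
    return $errors;
}

// Abort with the step name plus whatever OpenSSL queued, instead of passing false on.
function fail(string $step): never
{
    $detail = implode(' | ', drainOpenSslErrors()) ?: 'no OpenSSL error queued';
    throw new RuntimeException("$step failed: $detail");
}

// Hypothetical helper: build a self-signed root CA in memory, checking each step.
// The private key is never written to disk; this is a diagnostic only.
function generateRootCaChecked(array $dn, string $configPath, int $days = 3650): string
{
    if (!is_readable($configPath)) {
        throw new RuntimeException("OpenSSL config not readable: $configPath");
    }
    drainOpenSslErrors(); // drop stale entries left by earlier calls
    $options = [ // assumed option set, not taken from LibreSign
        'config' => $configPath, 'digest_alg' => 'sha256',
        'private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048,
        'x509_extensions' => 'v3_ca', // section name from the config in the report
    ];
    $key = openssl_pkey_new($options) ?: fail('openssl_pkey_new');
    $csr = openssl_csr_new($dn, $key, $options);
    // false means failure; true means the CSR was built but could not be signed.
    if (!$csr instanceof OpenSSLCertificateSigningRequest) {
        fail('openssl_csr_new');
    }
    $cert = openssl_csr_sign($csr, null, $key, $days, $options) ?: fail('openssl_csr_sign');
    openssl_x509_export($cert, $pem) ?: fail('openssl_x509_export');
    return $pem;
}

$pem = generateRootCaChecked([
    'countryName' => 'FR', 'stateOrProvinceName' => "Provence-Alpes-Côte d'Azur",
    'localityName' => 'Salon-de-Provence', 'organizationName' => 'Infrastructure Nextcloud',
    'organizationalUnitName' => 'DevOps', 'commonName' => 'LibreSign Root CA',
], '/etc/pki/tls/openssl.cnf');
echo openssl_x509_parse($pem)['extensions']['basicConstraints'], PHP_EOL;
```

Running it as the web server user (`sudo -u apache php script.php`) exercises the same PHP OpenSSL extension that `occ` uses, so a failing step is named together with the library's own error text.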