Hi,
I have a PKI that provides TLS certificate for internal use, we distribute the CA root certificate to the systems so the TLS connection can be validated, this works perfectly fine except for Nextcloud in flatpak.
I really can not figure a way to make Nextcloud desktop use this CA, now I am doubting this is possible.
The error displayed by Nextcloud when asking to trust the certificate is the following:
The issuer certificate of a locally looked up certificate could not be found
I tried the following things:
- starting p11-kit-server service and socket for the user and override the flatpak
--filesystem=xdg-run/p11-kit/pkcs11
- allowing access to /etc/pki/ which ends in
/run/host/etc/pki, then I tried variables like SSL_CERT_DIR and SSL_CERT_FILES to the right place
- injecting the root ca with the right format in the Nextcloud.cfg in
@\General\CaCertificates but maybe I did it wrong? It looks like this
0\General\CaCertificates="@ByteArray(-----BEGIN CERTIFICATE-----\nMIIBpTCCAUqgAwIBAgIRAOvHl4-----8<-cut---GOzGlLqZ/YpeFbRAuzOhdGCDkpGH1Cc=\n-----END CERTIFICATE-----\n\n)"
What is sure is the host certificate is not available in flatpak, if I grep a chunk of the file in /etc/ there are no result.
The non-flatpak version works, so there is no issue with the TLS endpoint itself.
With the second solution using /etc/pki and environment variables, a curl within the flatpak environments can validate the certificate when querying the url.
Hi,
I have a PKI that provides TLS certificate for internal use, we distribute the CA root certificate to the systems so the TLS connection can be validated, this works perfectly fine except for Nextcloud in flatpak.
I really can not figure a way to make Nextcloud desktop use this CA, now I am doubting this is possible.
The error displayed by Nextcloud when asking to trust the certificate is the following:
I tried the following things:
--filesystem=xdg-run/p11-kit/pkcs11/run/host/etc/pki, then I tried variables likeSSL_CERT_DIRandSSL_CERT_FILESto the right place@\General\CaCertificatesbut maybe I did it wrong? It looks like thisWhat is sure is the host certificate is not available in flatpak, if I grep a chunk of the file in
/etc/there are no result.The non-flatpak version works, so there is no issue with the TLS endpoint itself.
With the second solution using /etc/pki and environment variables, a curl within the flatpak environments can validate the certificate when querying the url.