⚠️ Before submitting, please verify the following: ⚠️
Bug description
Title
Flatpak build 3.17.0/3.17.1: self-signed root CA rejected even when trusted in system store
Description
After upgrading to Nextcloud Desktop 3.17.0 (Flatpak on Pop!_OS 22.04), the client stopped accepting my self-signed root certificate.
- The root CA is installed system-wide (
/usr/local/share/ca-certificates/..., updated with update-ca-certificates).
openssl s_client -connect <server>:443 -CApath /etc/ssl/certs returns Verify return code: 0 (ok).
- But the Nextcloud client refuses to connect, logs:
- Clearing
cookies0.db does not help.
- Rolling back to 3.16.3 (Flatpak) makes syncing work again.
This looks like a regression introduced in 3.17.0 around stricter certificate validation, combined with the Flatpak sandbox not using the host CA bundle.
Environment
- OS: Pop!_OS 22.04 (Ubuntu-based)
- Client version: 3.17.0 and 3.17.1 (Flatpak from Flathub)
- Server: Nextcloud on Start9 (self-signed CA with intermediate)
- Cert trust: Root CA installed in host trust store, verified with OpenSSL
Steps to reproduce
Steps to reproduce
- Install Nextcloud Desktop 3.17.0 or 3.17.1 via Flatpak.
- Add a server with a valid certificate chain rooted in a self-signed CA that is trusted on the host.
- Attempt to connect.
Workarounds tried
- Verified root CA in host store (
openssl passes).
- Cleared Flatpak client cache (
cookies0.db).
- Tried exporting host CA bundle into Flatpak config and pointing
SSL_CERT_FILE to it. Didn’t help.
- Downgraded to 3.16.3 → works fine again.
Notes
This seems related to stricter certificate checks introduced in 3.17.0. Please confirm whether this is an intentional policy change (self-signed no longer supported by default) or a Flatpak packaging issue (not picking up host CA).
Expected behavior
Expected behavior
The Flatpak client should honor the system’s trust store or allow using a user-provided CA, just as 3.16.x did.
Actual behavior
- Client refuses to connect, claiming “root certificate … is self-signed and untrusted.”
- Logs show “Certs not trusted by user decision.”
Which files are affected by this bug
certificateFile
Operating system
Linux
Which version of the operating system you are running.
PopOS
Package
Community FlatPak
Nextcloud Server version
27.1.17
Nextcloud Desktop Client version
3.17.0
Is this bug present after an update or on a fresh install?
Updated from a minor version (ex. 3.16.1 to 3.16.2)
Are you using the Nextcloud Server Encryption module?
Encryption is Enabled
Are you using an external user-backend?
Nextcloud Server logs
Additional info
No response
Bug description
Title
Flatpak build 3.17.0/3.17.1: self-signed root CA rejected even when trusted in system store
Description
After upgrading to Nextcloud Desktop 3.17.0 (Flatpak on Pop!_OS 22.04), the client stopped accepting my self-signed root certificate.
/usr/local/share/ca-certificates/..., updated withupdate-ca-certificates).openssl s_client -connect <server>:443 -CApath /etc/ssl/certsreturnsVerify return code: 0 (ok).cookies0.dbdoes not help.This looks like a regression introduced in 3.17.0 around stricter certificate validation, combined with the Flatpak sandbox not using the host CA bundle.
Environment
Steps to reproduce
Steps to reproduce
Workarounds tried
opensslpasses).cookies0.db).SSL_CERT_FILEto it. Didn’t help.Notes
This seems related to stricter certificate checks introduced in 3.17.0. Please confirm whether this is an intentional policy change (self-signed no longer supported by default) or a Flatpak packaging issue (not picking up host CA).
Expected behavior
Expected behavior
The Flatpak client should honor the system’s trust store or allow using a user-provided CA, just as 3.16.x did.
Actual behavior
Which files are affected by this bug
certificateFile
Operating system
Linux
Which version of the operating system you are running.
PopOS
Package
Community FlatPak
Nextcloud Server version
27.1.17
Nextcloud Desktop Client version
3.17.0
Is this bug present after an update or on a fresh install?
Updated from a minor version (ex. 3.16.1 to 3.16.2)
Are you using the Nextcloud Server Encryption module?
Encryption is Enabled
Are you using an external user-backend?
Nextcloud Server logs
Additional info
No response