Skip to content

[Bug]: Self-signed cert rejected #8737

Description

@kenwdelong

⚠️ Before submitting, please verify the following: ⚠️

Bug description

Title

Flatpak build 3.17.0/3.17.1: self-signed root CA rejected even when trusted in system store


Description

After upgrading to Nextcloud Desktop 3.17.0 (Flatpak on Pop!_OS 22.04), the client stopped accepting my self-signed root certificate.

  • The root CA is installed system-wide (/usr/local/share/ca-certificates/..., updated with update-ca-certificates).
  • openssl s_client -connect <server>:443 -CApath /etc/ssl/certs returns Verify return code: 0 (ok).
  • But the Nextcloud client refuses to connect, logs:
  • Clearing cookies0.db does not help.
  • Rolling back to 3.16.3 (Flatpak) makes syncing work again.

This looks like a regression introduced in 3.17.0 around stricter certificate validation, combined with the Flatpak sandbox not using the host CA bundle.


Environment

  • OS: Pop!_OS 22.04 (Ubuntu-based)
  • Client version: 3.17.0 and 3.17.1 (Flatpak from Flathub)
  • Server: Nextcloud on Start9 (self-signed CA with intermediate)
  • Cert trust: Root CA installed in host trust store, verified with OpenSSL

Steps to reproduce

Steps to reproduce

  1. Install Nextcloud Desktop 3.17.0 or 3.17.1 via Flatpak.
  2. Add a server with a valid certificate chain rooted in a self-signed CA that is trusted on the host.
  3. Attempt to connect.

Workarounds tried

  • Verified root CA in host store (openssl passes).
  • Cleared Flatpak client cache (cookies0.db).
  • Tried exporting host CA bundle into Flatpak config and pointing SSL_CERT_FILE to it. Didn’t help.
  • Downgraded to 3.16.3 → works fine again.

Notes

This seems related to stricter certificate checks introduced in 3.17.0. Please confirm whether this is an intentional policy change (self-signed no longer supported by default) or a Flatpak packaging issue (not picking up host CA).

Expected behavior

Expected behavior

The Flatpak client should honor the system’s trust store or allow using a user-provided CA, just as 3.16.x did.


Actual behavior

  • Client refuses to connect, claiming “root certificate … is self-signed and untrusted.”
  • Logs show “Certs not trusted by user decision.”

Which files are affected by this bug

certificateFile

Operating system

Linux

Which version of the operating system you are running.

PopOS

Package

Community FlatPak

Nextcloud Server version

27.1.17

Nextcloud Desktop Client version

3.17.0

Is this bug present after an update or on a fresh install?

Updated from a minor version (ex. 3.16.1 to 3.16.2)

Are you using the Nextcloud Server Encryption module?

Encryption is Enabled

Are you using an external user-backend?

  • Default internal user-backend
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Nextcloud Server logs

Additional info

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    Fields

    No fields configured for Bug.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions