Ref: https://github.com/nextcloud/desktop/issues/4927
I have a self-hosted Nextcloud instance using my own private CA for TLS certs. When running nextcloudcmd without the --trust option, it disregards the cert validation failure as “This is not an actual error” and proceeds with the sync anyway. I expected it to reject the untrusted server cert and assume it is a MITM attack:
# nextcloudcmd --non-interactive -n ~/Nextcloud https://nextcloud.lan
09-10 12:25:54:348 [ info nextcloud.sync.accessmanager ]: 2 "" "https://nextcloud.lan/ocs/v1.php/cloud/capabilities?format=json" has X-Request-ID "18ff47a0-a482-4456-a489-7aa747170c58"
09-10 12:25:54:348 [ info nextcloud.sync.networkjob ]: OCC::JsonApiJob created for "https://nextcloud.lan" + "ocs/v1.php/cloud/capabilities" ""
09-10 12:25:54:545 [ info nextcloud.sync.account ]: "SSL-Errors happened for url \"https://nextcloud.lan/ocs/v1.php/cloud/capabilities?format=json\" \tError in QSslCertificate(\"3\", [REDACTED] : \"The root certificate of the certificate chain is self-signed, and untrusted\" ( \"The root certificate of the certificate chain is self-signed, and untrusted\" ) \n " Certs are known and trusted! This is not an actual error.
09-10 12:25:54:871 [ info nextcloud.sync.networkjob.jsonapi ]: JsonApiJob of QUrl("https://nextcloud.lan/ocs/v1.php/cloud/capabilities?format=json") FINISHED WITH STATUS "OK"
After adding the root CA cert to the system’s trust store the validation passes and the warning goes away.
I am running the latest nextcloud-desktop-cmd package, version 2.6.2-1build1, on Ubuntu Server 20.04.2 LTS.
I did not see this problem in the NextCloud CVE list.
Run nextcloudcmd against a server that has a TLS cert that the system won’t validate.
Abort the operation if the server’s TLS cert cannot be validated, unless --trust is specified to explicitly override the security checks.
src/libsync/account.cpp
Linux
Ubuntu 20.04.2 LTS
Distro package manager
24.0.3
2.6.2-1build1
Fresh desktop client install
Encryption is Disabled
Possible MITM
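Added example (not part of this issue and not Nextcloud client code): a small Python audit that scans nextcloudcmd log output for "SSL-Errors happened" lines, records whether the client waved the error through ("This is not an actual error") and whether a later job on the same URL still finished with status OK, and applies the fail-closed policy the report expects (abort unless an explicit trust override is given). It also includes the standalone chain check an operator can run against a server before syncing, using Python's ssl module with the system trust store or a private root CA bundle. The sample log is the excerpt from this report; the function names, the Finding dataclass and the trust_override parameter are this example's own assumptions.

```python
"""Audit nextcloudcmd logs for TLS errors the client ignored, and run the
fail-closed certificate check the report expects (added example)."""
import re
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Log excerpt copied from the report; Qt escapes embedded quotes as \" so the
# text is kept as a raw string to preserve those backslashes.
SAMPLE_LOG = r'''
09-10 12:25:54:348 [ info nextcloud.sync.accessmanager ]: 2 "" "https://nextcloud.lan/ocs/v1.php/cloud/capabilities?format=json" has X-Request-ID "18ff47a0-a482-4456-a489-7aa747170c58"
09-10 12:25:54:348 [ info nextcloud.sync.networkjob ]: OCC::JsonApiJob created for "https://nextcloud.lan" + "ocs/v1.php/cloud/capabilities" ""
09-10 12:25:54:545 [ info nextcloud.sync.account ]: "SSL-Errors happened for url \"https://nextcloud.lan/ocs/v1.php/cloud/capabilities?format=json\" \tError in QSslCertificate(\"3\", [REDACTED] : \"The root certificate of the certificate chain is self-signed, and untrusted\" ( \"The root certificate of the certificate chain is self-signed, and untrusted\" ) \n " Certs are known and trusted! This is not an actual error.
09-10 12:25:54:871 [ info nextcloud.sync.networkjob.jsonapi ]: JsonApiJob of QUrl("https://nextcloud.lan/ocs/v1.php/cloud/capabilities?format=json") FINISHED WITH STATUS "OK"
'''

# The URL sits between escaped quotes (\"...\"), so match a literal backslash-quote.
SSL_ERROR_RE = re.compile(r'SSL-Errors happened for url \\"(?P<url>[^\\"]+)\\"')
REASON_RE = re.compile(r'QSslCertificate\(.*?: \\"(?P<reason>[^\\"]+)\\"')
FINISHED_RE = re.compile(r'QUrl\("(?P<url>[^"]+)"\) FINISHED WITH STATUS "(?P<status>[^"]+)"')
BYPASS_MARKER = "This is not an actual error"  # phrase the client logs when it ignores the error


@dataclass
class Finding:
    url: str
    reason: str
    client_ignored: bool     # the log line itself says the error was waved through
    request_completed: bool  # a later job for the same URL finished with status OK


def _completed_later(url: str, later_lines: List[str]) -> bool:
    for line in later_lines:
        m = FINISHED_RE.search(line)
        if m and m.group("url") == url and m.group("status") == "OK":
            return True
    return False


def audit_sync_log(text: str) -> List[Finding]:
    """Return one Finding per SSL-Errors line, paired with what happened afterwards."""
    lines = text.splitlines()
    findings: List[Finding] = []
    for i, line in enumerate(lines):
        m = SSL_ERROR_RE.search(line)
        if not m:
            continue
        url = m.group("url")
        r = REASON_RE.search(line)
        reason = r.group("reason") if r else "unknown"
        findings.append(Finding(url, reason, BYPASS_MARKER in line, _completed_later(url, lines[i + 1:])))
    return findings


def sync_should_abort(findings: List[Finding], trust_override: bool = False) -> bool:
    """Policy the report expects: any unvalidated chain aborts the sync unless --trust was given."""
    return bool(findings) and not trust_override


def verify_server_chain(host: str, port: int = 443, cafile: Optional[str] = None,
                        timeout: float = 5.0) -> Tuple[bool, str]:
    """Fail-closed pre-sync check: (True, '') if the chain validates against the system
    store, or against `cafile` (e.g. a private root CA bundle); else (False, reason)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True, ""
    except ssl.SSLCertVerificationError as e:
        return False, e.verify_message
    except (ssl.SSLError, OSError) as e:
        return False, str(e)


if __name__ == "__main__":
    results = audit_sync_log(SAMPLE_LOG)
    for f in results:
        print(f"{f.url}: {f.reason}; ignored={f.client_ignored}; completed={f.request_completed}")
    print("abort sync without --trust:", sync_should_abort(results))
```

Running the script on the excerpt reports the capabilities URL with reason "The root certificate of the certificate chain is self-signed, and untrusted", ignored=True, completed=True, which is exactly the sequence the report objects to; verify_server_chain("nextcloud.lan", cafile="/path/to/private-root-ca.pem") reproduces the remedy described (trusting the private root) without touching the system store.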