Description
⚠️ Before submitting, please verify the following: ⚠️
- This is a bug, not a question or a configuration issue.
- This issue is not already reported on Github (I've searched it).
- Nextcloud Server and Desktop Client are up to date. See Server Maintenance and Release Schedule and Desktop Releases for supported versions.
- I agree to follow Nextcloud's Code of Conduct
Bug description
Hello,
I am running NextCloud Server (through Docker) with an internal SSL certificate signed by an internal CA. It is trusted on all clients and everything is working well with the Desktop client (even on the Linux system where I encounter the issue). However, when trying to use the CLI client nextcloudcmd, it complains about an untrusted SSL certificate:
> ~ $ nextcloudcmd --trust -u MYUSER -p MYPASSWORD /local/path/ https://files.myserver.local
> 11-23 14:38:05:419 [ info nextcloud.sync.accessmanager ]: 2 "" "https://files.myserver.local/status.php" has X-Request-ID "e65da2c4-f9cc-49e7-a87a-4a0f6c5f0517"
> 11-23 14:38:05:423 [ info nextcloud.sync.networkjob ]: OCC::CheckServerJob created for "https://files.myserver.local" + "status.php" ""
> 11-23 14:38:05:432 [ info nextcloud.sync.account ]: ssl errors "SSL-Errors happened for url \"https://files.magvice.lan/status.php\" \tError in QSslCertificate(Version=\"3\", SerialNumber=\"47:d2:bb:ce:c8:cb:18:89\", Digest=\"D9O40qAmetFoLaTZ3vHhvA==\", Issuer=\"MGV-ROOT-CA\", Subject=\"MGV-ROOT-CA\", AlternativeSubjectNames=QMultiMap(), EffectiveDate=QDateTime(2025-07-10 12:23:00.000 UTC Qt::UTC), ExpiryDate=QDateTime(2075-07-10 12:23:00.000 UTC Qt::UTC)) : \"The root certificate of the certificate chain is self-signed, and untrusted\" ( \"The root certificate of the certificate chain is self-signed, and untrusted\" ) \n "
> 11-23 14:38:05:432 [ info nextcloud.sync.account ]: QList(QSslCertificate(Version="3", SerialNumber="46:8a:1a:e2:66:34:d4:dd", Digest="IB3IvABJFcMHO11lF6zCjQ==", Issuer="ORG-SUB-CA", Subject="*.myserver.local", AlternativeSubjectNames=QMultiMap((QSsl::DnsEntry, "*.myserver.local")), EffectiveDate=QDateTime(2025-07-10 12:51:00.000 UTC Qt::UTC), ExpiryDate=QDateTime(2026-07-10 12:51:00.000 UTC Qt::UTC)), QSslCertificate(Version="3", SerialNumber="13:d8:35:c1:65:ad:dc:c2", Digest="5L2/k2YJEPj9fZLbV1WGGg==", Issuer="ORG-ROOT-CA", Subject="ORG-SUB-CA", AlternativeSubjectNames=QMultiMap(), EffectiveDate=QDateTime(2025-07-10 12:23:00.000 UTC Qt::UTC), ExpiryDate=QDateTime(2035-07-10 12:23:00.000 UTC Qt::UTC)), QSslCertificate(Version="3", SerialNumber="47:d2:bb:ce:c8:cb:18:89", Digest="D9O40qAmetFoLaTZ3vHhvA==", Issuer="ORG-ROOT-CA", Subject="ORG-ROOT-CA", AlternativeSubjectNames=QMultiMap(), EffectiveDate=QDateTime(2025-07-10 12:23:00.000 UTC Qt::UTC), ExpiryDate=QDateTime(2075-07-10 12:23:00.000 UTC Qt::UTC)))
> 11-23 14:38:05:432 [ info nextcloud.sync.account ]: "SSL-Errors happened for url \"https://files.magvice.lan/status.php\" \tError in QSslCertificate(Version=\"3\", SerialNumber=\"47:d2:bb:ce:c8:cb:18:89\", Digest=\"D9O40qAmetFoLaTZ3vHhvA==\", Issuer=\"ORG-ROOT-CA\", Subject=\"ORG-ROOT-CA\", AlternativeSubjectNames=QMultiMap(), EffectiveDate=QDateTime(2025-07-10 12:23:00.000 UTC Qt::UTC), ExpiryDate=QDateTime(2075-07-10 12:23:00.000 UTC Qt::UTC)) : \"The root certificate of the certificate chain is self-signed, and untrusted\" ( \"The root certificate of the certificate chain is self-signed, and untrusted\" ) \n " Certs are known and trusted! This is not an actual error.
> 11-23 14:38:05:432 [ warning nextcloud.sync.networkjob ]: SslHandshakeFailedError: "The server enforces strict transport security and does not accept untrusted certificates." : can be caused by a webserver wanting SSL client certificates
> 11-23 14:38:05:432 [ warning nextcloud.sync.networkjob ]: QNetworkReply::SslHandshakeFailedError "The server enforces strict transport security and does not accept untrusted certificates." QVariant(Invalid)
> 11-23 14:38:05:432 [ warning nextcloud.sync.networkjob.checkserver ]: error: status.php replied 0 "" Error connecting to server for status
I can successfully confirm the system trusts the SSL certificate because I can query it with curl without any issues. I can also confirm that no client certificates are required to access the system.
Passing the option '--trust' does not do anything at all. Also, no logs are registered on the server side (only the GUI clients appear in the logs. I attached them anyways). I also tried to disable HSTS but I have the same error from nextcloudcmd.
Steps to reproduce
- Deploy the latest version of NextCloud server with Docker Compose
- Install an SSL certificate (fullchain) recognized by the client
- Install the CA certificates on the client system
- Create a user on the NextCloud server
- Create an app password for authentication with the CLI client
- Try to sync using nextcloudcmd
Expected behavior
The CLI client nextcloudcmd should connect and sync just like the GUI desktop client does.
In any case, the '--trust' option should work around the issue but it does not even work (I never had to use it in the past).
Which files are affected by this bug
N/A
Operating system
Linux
Which version of the operating system you are running.
Arch Linux
Package
Distro package manager
Nextcloud Server version
Nextcloud Hub 25 Autumn (32.0.2)
Nextcloud Desktop Client version
4.0.1daily, Git revision e81c242
Is this bug present after an update or on a fresh install?
Fresh desktop client install
Are you using the Nextcloud Server Encryption module?
Encryption is Enabled
Are you using an external user-backend?
- Default internal user-backend
- LDAP/ Active Directory
- SSO - SAML
- Other
Nextcloud Server logs
See attachment 'nextcloud.log' (too big to paste here). It only contains the Windows clients (and mobile) with the Desktop versions though (as mentioned, the CLI client error does not generate any log on the server).
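Added example, not part of the original report and not Nextcloud client code: a small parser for the `QSslCertificate(...)` dump that nextcloudcmd logged above. It checks issuer/subject linkage and expiry, and confirms that the logged error refers to the self-signed root rather than to a broken chain. The function names, the caller-supplied `now`, and the trimmed sample strings are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed input: the chain dump and one error entry from the log above,
# trimmed to the fields this check reads.
CHAIN = ('QList(QSslCertificate(Version="3", SerialNumber="46:8a:1a:e2:66:34:d4:dd", '
         'Issuer="ORG-SUB-CA", Subject="*.myserver.local", '
         'AlternativeSubjectNames=QMultiMap((QSsl::DnsEntry, "*.myserver.local")), '
         'ExpiryDate=QDateTime(2026-07-10 12:51:00.000 UTC Qt::UTC)), '
         'QSslCertificate(Version="3", SerialNumber="13:d8:35:c1:65:ad:dc:c2", '
         'Issuer="ORG-ROOT-CA", Subject="ORG-SUB-CA", '
         'ExpiryDate=QDateTime(2035-07-10 12:23:00.000 UTC Qt::UTC)), '
         'QSslCertificate(Version="3", SerialNumber="47:d2:bb:ce:c8:cb:18:89", '
         'Issuer="ORG-ROOT-CA", Subject="ORG-ROOT-CA", '
         'ExpiryDate=QDateTime(2075-07-10 12:23:00.000 UTC Qt::UTC)))')
ERROR = (r'Error in QSslCertificate(Version=\"3\", SerialNumber=\"47:d2:bb:ce:c8:cb:18:89\", '
         r'Issuer=\"ORG-ROOT-CA\", Subject=\"ORG-ROOT-CA\") : \"The root certificate '
         r'of the certificate chain is self-signed, and untrusted\"')

# Quoted fields appear both as "value" and as \"value\" in the client log.
FIELD = re.compile(r'(SerialNumber|Issuer|Subject)=\\?"([^"\\]*)\\?"')
EXPIRY = re.compile(r'ExpiryDate=QDateTime\((\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)')

def parse_certs(text):
    """Return one dict per QSslCertificate(...) entry, in the order logged."""
    certs = []
    for chunk in text.split('QSslCertificate(')[1:]:
        cert = dict(FIELD.findall(chunk))
        m = EXPIRY.search(chunk)
        cert['NotAfter'] = datetime.strptime(m.group(1), '%Y-%m-%d %H:%M:%S') if m else None
        certs.append(cert)
    return certs

def triage(chain_text, error_text, now):
    """List what is wrong: issuer/subject gaps, expired certs, rejected root."""
    chain = parse_certs(chain_text)
    flagged = parse_certs(error_text)[0]['SerialNumber']
    findings = [f"gap: {c['Subject']} not issued by {p['Subject']}"
                for c, p in zip(chain, chain[1:]) if c['Issuer'] != p['Subject']]
    findings += [f"expired: {c['Subject']}" for c in chain
                 if c['NotAfter'] and c['NotAfter'] < now]
    root = chain[-1]
    if root['Issuer'] == root['Subject'] and root['SerialNumber'] == flagged:
        findings.append(f"untrusted-root: error names self-signed root {root['Subject']}")
    return findings
```

A result containing only the `untrusted-root` finding means the served chain is complete and in date, so the place to look is the CA set used by the process that logged the error.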