
[Bug]: LDAPS CA Certificate not working #53033


Open
3 of 4 tasks
maxdallmair opened this issue May 21, 2025 · 4 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap 32-feedback bug feature: ldap

Comments

@maxdallmair

maxdallmair commented May 21, 2025

Hello everyone,

I am running a Nextcloud AIO instance with docker-compose.
I have installed and configured the LDAP plugin. With the check mark in the setting “Turn off SSL certificate verification.” the connection also works promptly. Unfortunately not with SSL.

Here I had already a discussion in the AIO repository with some infos.
nextcloud/all-in-one#6426

I have set the ENV variable NEXTCLOUD_TRUSTED_CACERTS_DIR: /srv/nextcloud/ssl where my ROOTCA.crt is located in my compose.

According to this guide (GitHub - nextcloud/all-in-one, the official Nextcloud installation method), that's the only thing to do.

Unfortunately, the connection does not work. I then executed the following command, which I found in a Git issue.
sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ security:certificates:import /usr/local/share/ca-certificates/ROOTCA-JO-DC.crt

The certificate is then also displayed with this command. Unfortunately, the connection still does not work.
sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ security:certificates

ldaps and Port 636 is configured.

Output of sudo docker info
Client: Docker Engine - Community
Version: 28.0.1
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.21.1
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.33.1
Path: /usr/libexec/docker/cli-plugins/docker-compose

Server:
Containers: 12
Running: 10
Paused: 0
Stopped: 2
Images: 23
Server Version: 28.0.1
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
Swarm: inactive
Runtimes: runc io.containerd.runc.v2
Default Runtime: runc
Init Binary: docker-init
containerd version: bcc810d6b9066471b0b6fa75f557a15a1cbf31bb
runc version: v1.2.4-0-g6c52b3f
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.1.0-35-amd64
Operating System: Debian GNU/Linux 12 (bookworm)
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 3.823GiB
Name: cloud
ID: 8b885316-a703-4fda-a7e2-d8187eba8786
Docker Root Dir: /var/lib/docker
Debug Mode: false
Experimental: false
Insecure Registries:
::1/128
127.0.0.0/8
Live Restore Enabled: false

Expected behavior

LDAP should work with imported ROOTCA.crt

Nextcloud Server version

master

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.4

Web server

None

Database engine version

MySQL

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

services:
  nextcloud-aio-mastercontainer:
    image: ghcr.io/nextcloud-releases/all-in-one:latest
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer # This line is not allowed to be changed as otherwise AIO will not work correctly
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work
      - /var/run/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'WATCHTOWER_DOCKER_SOCKET_PATH'!
    network_mode: bridge # add to the same network as docker run would do
    ports:
      - 80:80 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      - 8080:8080
      - 8443:8443 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
    environment: # Is needed when using any of the options below
      NEXTCLOUD_TRUSTED_CACERTS_DIR: /srv/nextcloud/ssl # CA certificates in this directory will be trusted by the OS of the nextcloud container (Useful e.g. for LDAPS) See https://github.com/nextcloud/all-in-one#how-to-trust-user-defined-certification-authorities-ca

volumes: # If you want to store the data on a different drive, see https://github.com/nextcloud/all-in-one#how-to-store-the-filesinstallation-on-a-separate-drive
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer # This line is not allowed to be changed as otherwise the built-in backup solution will not work

List of activated Apps

Nextcloud Signing status

Nextcloud Logs

Additional info

No response

@maxdallmair maxdallmair added bug 0. Needs triage Pending check for reproducibility or if it fits our roadmap labels May 21, 2025
@kesselb
Contributor

kesselb commented May 21, 2025

@szaimen what is NEXTCLOUD_TRUSTED_CACERTS_DIR doing?

Looking at php-ldap's documentation, I'm not sure if the extension is using the system's certificate store.

cc @nextcloud/ldap
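As an added check for the question above (whether php-ldap trusts what the OS store or occ security:certificates:import holds), this script, which is not part of Nextcloud or this thread, makes libldap verify the LDAPS server certificate against one explicit CA file, so a pass or fail depends only on that file; the host, port and file paths are assumed placeholders.

```php
<?php
// Added diagnostic script, not part of Nextcloud or this issue thread.
// Assumed placeholders: the LDAPS host, the CA file path and an optional bind DN.
declare(strict_types=1);

// Returns ['ok' => bool, 'stage' => string, 'detail' => string].
function ldapsTrustCheck(string $host, int $port, string $caFile,
                         ?string $bindDn = null, ?string $bindPw = null): array
{
    if (!is_readable($caFile)) {
        return ['ok' => false, 'stage' => 'cafile', 'detail' => "cannot read $caFile"];
    }
    // Global (link = null) TLS options must be set before ldap_connect().
    // They override libldap's own trust sources (TLS_CACERT in /etc/ldap/ldap.conf,
    // the LDAPTLS_CACERT variable), so the outcome depends only on $caFile.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ds = ldap_connect("ldaps://$host:$port");
    if ($ds === false) {
        return ['ok' => false, 'stage' => 'connect', 'detail' => 'invalid LDAP URI'];
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // The TLS handshake (and therefore certificate verification) happens on the
    // first operation; an anonymous bind is enough to trigger it.
    $bound = $bindDn === null ? @ldap_bind($ds) : @ldap_bind($ds, $bindDn, $bindPw);
    if ($bound) {
        ldap_unbind($ds);
        return ['ok' => true, 'stage' => 'bind', 'detail' => 'certificate chain verified'];
    }
    $diag = '';
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    return ['ok' => false, 'stage' => 'bind',
            'detail' => ldap_error($ds) . ($diag !== '' ? " ($diag)" : '')];
}

// Usage: php ldaps_check.php ldap.example.internal /srv/nextcloud/ssl/ROOTCA.crt
$host   = $argv[1] ?? 'ldap.example.internal';          // placeholder host
$caFile = $argv[2] ?? '/srv/nextcloud/ssl/ROOTCA.crt';  // placeholder path
$result = ldapsTrustCheck($host, 636, $caFile);
printf("[%s] stage=%s %s\n", $result['ok'] ? 'OK' : 'FAIL', $result['stage'], $result['detail']);
exit($result['ok'] ? 0 : 1);
```

Run it with the same PHP binary as the Nextcloud container (docker exec --user www-data); a "Can't contact LDAP server" result with a certificate-verify diagnostic points at the CA file or hostname mismatch, whereas "Invalid credentials" after a completed handshake means the CA is trusted and the remaining problem lies elsewhere.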

@szaimen
Contributor

szaimen commented May 21, 2025

@maxdallmair
Author

Hi, any idea what it could be? I can't find a solution.

@szaimen
Contributor

szaimen commented May 27, 2025

See #53143
