NextCloud / WebDAV Cert Error

I ran into additional trouble this morning and discovered the likely cause; I have yet to verify and will follow up shortly with my findings. The root cert used by Comodo/Sectigo for the last 20 years expired Saturday 30 May 2020 at 7am Eastern.

This Sectigo KB seems to indicate a client issue: https://support.comodoca.com/Com_KnowledgeDetailPageSectigo?Id=kA01N000000rgSZ

Now with these cross-certificates and the AddTrust expiring in May 2020
We can safely say that modern clients are unaffected by this expiry, browsers simply choose a chain directly to the SHA-2 root (COMODO or USERTrust) and the cross-cert back to AddTrust is simply ignored.

Most path-building will ignore it due to its expiry, and it should be noted also that there’s no requirement in the TLS RFCs for clients to check the nesting of expiry dates - so an end-entity cert expiring after a certificate further ‘up’ the chain is not problematic.

The only clients which would have problems would be those which have not included the newer roots, but do have the AddTrust. An example might be some incredibly old, EoL’d Android version.

(Of course the use of the AddTrust cross-certs is predicated on either the client having that certificate cached, chasing AIA URLs to fetch it, or the server providing the cross-cert in the TLS handshake).

That said, I’m working through replacing the expired cert on my NextCloud server now and will report back with the results.

I’m running with a Comodo (Sectigo) wildcard positive SSL. Per the article I linked earlier this morning, the following certs may be downloaded from:

root: https://crt.sh/?id=1199354
intermediate: https://crt.sh/?id=1720081

The Domain Validation cert is also critical, and is somewhat difficult to source. It can be downloaded from Sectigo’s SalesForce site (search for ‘sectigo SectigoRSADomainValidationSecureServerCA’) or directly from https://crt.sh/?d=1720081

I updated both my web server (where NextCloud runs) and my reverse proxy. Following the update and restarts, I’m pleased to report that Joplin now syncs without error over TLS if the sync mechanism is set to WebDAV.

Unfortunately, native NextCloud sync is now broken with a different error message:

Cannot parse JSON:
<html class=“ng-csp” data-placeholder-focus=“false” lang=“en” data-locale=“en” >
<head data-user=“jeffy” data-user-displayname=“jeffy” data-requesttoken=“big ugly string that I have removed”>
<meta charset=“utf-8”>
<title>
Files - Nextcloud
<meta http-equiv=“X-UA-Compatible” content=“IE=edge”>
<meta name=“viewport” content=“width=device-width, initial-scale=1.0, minimum-scale=1.0”>
<meta name=“apple-itunes-app” content=“app-id=1125420102”>
<meta name=“apple-mobile-web-app-capable” content=“yes”>
<meta name=“apple-mobile-web-app-status-bar-style” content=“black”>
<meta name=“apple-mobile-web-app-title” content=“Nextcloud”>
<meta name=“mobile-web-app-capable” content=“yes”>
<meta name=“theme-color” content="#0082c9">
<link rel=“icon” href="/index.php/apps/theming/favicon/files?v=0">
<link rel=“apple-touch-icon” href="/index.php/apps/theming/icon/files?v=0">
<link rel=“mask-icon” sizes=“any” href="/core/img/favicon-mask.svg" color="#0082c9">
<link rel=“manifest” href="/index.php/apps/theming/manifest?v=0">
<link rel=“stylesheet” href="/index.php/css/core/7681-8da2-server.css?v=b92d206521717ac032f8aa58d3c7ff2f-0708a238-0">
<link rel=“stylesheet” href="/index.php/css/core/7681-8da2-css-variables.css?v=b92d206521717ac032f8aa58d3c7ff2f-0708a238-0">
<link rel=“stylesheet” href="/apps/files_pdfviewer/css/style.css?v=6a154fe0-0">
<link rel=“stylesheet” href="/index.php/css/core/7681-8da2-results.css?v=b92d206521717ac032f8aa58d3c7ff2f-0708a238-0">
<link rel=“stylesheet” href="/index.php/css/files/9eeb-8da2-merged.css?v=b92d206521717ac032f8aa58d3c7ff2f-0708a238-0">
<link rel=“stylesheet” href="/apps/files_rightclick/css/app.css?v=5e585c9e-0">
<link rel=“stylesheet” href="/index.php/css/files_sharing/c5f2-8da2-icons.css?v=b92d206521717ac032f8aa58d3c7ff2f-0708a238-0">
<link rel=“stylesheet” href="/index.php/css/activity/6c1e-8da2-style.css?v=b92d206521717ac032f8aa58d3c7ff2f-0708a238-0">
<script nonce=“MlZMb3BUM0piUGMvdDJTKzRwWmMvV0VaZDc5ZS8xTHBEcFc0cWJaWDBnQT06NkFQY2tGZjhXNEZXd2hQWnJLRVZ6UkVnTmRBL2hSR2tWcUhBbjlFRzVGUT0=” defer src="/index.php/core/js/oc.js?v=0708a238">
<script nonce=“MlZMb3BUM0piUGMvdDJTKzRwWmMvV0VaZDc5ZS8xTHBEcFc0cWJaWDBnQT06NkFQY2tGZjhXNEZXd2hQWnJLRVZ6UkVnTmRBL2hSR2tWcUhBbjlFRzVGUT0=” defer src="/core/js/dist/main.js?v=0708a238-0">
much similar output intentionally omitted

AND… I was able to clear the NextCloud sync error by backing up, starting from scratch, and doing a restore.

Hope this all helps!