Updater: cURL error 60

Hi.

The updater over web interface gives the error message: cURL error 60: SSL certificate problem: unable to get local issuer certificate

Question:
The updater does not work. However, marketplace works and can also download and apply upgrades. In my understanding both use cUrl for downloading stuff. What is the difference between these 2 use cases? What does the updater makes different than the marketplace?

Long version: I understand this has to do with my server setup. I have followed the guides I found online (downloading the certificates and linking them in the php.ini) without success.
My server is a linux box in the intranet, no access from outside. Since it is local, I cannot use letsencrypt, so I have created a self signed certificate for accessing owncloud. For my private use in LAN, this is good enough and works fine.

Would it make a difference if I run owncloud in http (instead of https) just for upgrading?
Where does the upgrade script download the updates from, so I can try out if I can download them via the command line?

Furthermore, also the occ script fails. I do not know if this is related to the same problem.
sudo -u www-data php occ upgrade
→ ownCloud is already latest version
(no, it is not. I have 10.8.0.4)

I just want to avoid having to do a fully manual upgrade each time…

Update … I found a workaround.

Running owncloud updater over http (unsecure) connection, did the trick. Updates over web interface ran without problems. So it must have something to do with my self signed SSL certificate (which of course has no issuer).

Now that is even more strange … why does my certificate matter, when my server wants do download an update from some owncloud server? I would in this case only expect that the owncloud server must have a proper certificate.
In my understanding, calling the web interface over http / https should only affect the connection between browser and my own Server. Why does this change the way the server downloads updates from owncloud?
And again, why does this only occur in the updater, and not the market?

Sorry for all the many questions, but it would be great if I could do updates without re-configuring my webserver first (I have http switched off by default)

Greetings,
asminator.

1 Like

This - could - have something to do with the recent update of the root certificates from Let’s Encrypt and an outdated (root) certificate store on your server. On the other hand, if that were the case, Market should also no longer work (curl error).

I would have a look at the certificate store. It can’t hurt.

1 Like

No, I don’t think. Had this problem since installation on my box (~1 year ago), just decided to tackle it now. I updated the certificates as well.

So I believe it has to do with the way the updater uses curl.

And again “unable to get local issuer certificate” … yes, there is no issuer of the (Self signed) SSL certificate the owncloud server provides. But why does this have effect on the updater script, which is supposed to fetch from a server with proper certificate?

Greetings,
asmin

Maybe this could help here as well.

Hi.

Thanks for all the hints. Currenty, cannot check anything because I have to wait until a new update is available. Perhaps the latest owncloud version does not have this problem anymore. And marketplace has always worked.

So that means that fiddling around with the php or websever config would not make any change, since owncloud comes with its own certificates? Is there any way to update the certificates over admin interface, or is the ca-bundle.crt hard-tied to the owncloud release?