Can't connect Nextcloud to MariaDB with SSL #9509

Closed
KB7777 opened this issue May 17, 2018 · 10 comments
Comments

@KB7777
Contributor

KB7777 commented May 17, 2018

Steps to reproduce

  1. Install Nextcloud 13.0.2 from scratch (everything works fine)
  2. Configure MariaDB to accept SSL connection (ca-cert.pem, server-cert.pem, server-key.pem; everything works fine)
  3. Set for database account for Nextcloud instance "Require SSL" option

Expected behaviour

Nextcloud should connect to MariaDB with SSL encryption

Actual behaviour

HTTP ERROR 500

Server configuration detail

Operating system: Linux 3.10.0-862.2.3.el7.x86_64 #1 SMP Wed May 9 18:05:47 UTC 2018 x86_64
( CentOS 7.5)

Webserver: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips (apache2handler)

Database: mysql 10.2.14

PHP version: 7.2.5
Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, apache2handler, bz2, calendar, ctype, curl, dom, mbstring, fileinfo, ftp, gd, gettext, iconv, intl, json, ldap, exif, mysqlnd, PDO, Phar, posix, shmop, SimpleXML, sockets, sqlite3, sysvmsg, sysvsem, sysvshm, tokenizer, xml, xmlwriter, xsl, mysqli, pdo_mysql, pdo_sqlite, wddx, xmlreader, igbinary, zip, redis, Zend OPcache

Nextcloud version: 13.0.2 - 13.0.2.1

Updated from an older Nextcloud/ownCloud or fresh install: Fresh

Where did you install Nextcloud from: official tar.gz

Signing status

Array

List of activated apps
Enabled:
 - admin_audit: 1.3.0
 - dav: 1.4.6
 - federatedfilesharing: 1.3.1
 - files: 1.8.0
 - files_external: 1.4.1
 - files_trashbin: 1.3.0
 - issuetemplate: 0.3.0
 - logreader: 2.0.0
 - lookup_server_connector: 1.1.0
 - oauth2: 1.1.0
 - password_policy: 1.3.0
 - provisioning_api: 1.3.0
 - serverinfo: 1.3.0
 - theming: 1.4.1
 - twofactor_backupcodes: 1.2.3
 - workflowengine: 1.3.0
Disabled:
 - activity
 - comments
 - encryption
 - federation
 - files_pdfviewer
 - files_sharing
 - files_texteditor
 - files_versions
 - files_videoplayer
 - firstrunwizard
 - gallery
 - initialcheck
 - nextcloud_announcements
 - notifications
 - sharebymail
 - survey_client
 - systemtags
 - updatenotification
 - user_external
 - user_ldap

Configuration (config/config.php)
{
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "***REMOVED SENSITIVE VALUE***"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "mysql",
    "version": "13.0.2.1",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "mysql.utf8mb4": true,
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "loglevel": 1,
    "logfile": "\/var\/log\/nextcloud\/nextcloud.log",
    "knowledgebaseenabled": false,
    "enable_avatars": false,
    "allow_user_to_change_display_name": false,
    "enable_previews": false,
    "default_language": "pl",
    "auth.bruteforce.protection.enabled": false,
    "has_internet_connection": true,
    "maintenance": false,
    "overwrite.cli.url": "https:\/\/***REMOVED SENSITIVE VALUE***",
    "overwriteprotocol": "https",
    "overwritewebroot": "\/",
    "overwritehost": "***REMOVED SENSITIVE VALUE***",
    "htaccess.RewriteBase": "\/",
    "mail_smtpmode": "php",
    "trashbin_retention_obligation": "7,8",
    "versions_retention_obligation": "7,8",
    "memcache.distributed": "\\OC\\Memcache\\Redis",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "memcache.local": "\\OC\\Memcache\\Redis",
    "redis": {
        "host": "***REMOVED SENSITIVE VALUE***",
        "port": 0,
        "password": "***REMOVED SENSITIVE VALUE***"
    },
    "updater.release.channel": "stable",
    "proxy": "***REMOVED SENSITIVE VALUE***",
    "dbdriveroptions": {
        "PDO::MYSQL_ATTR_SSL_KEY": "\/etc\/ssl\/certs\/mysql-client\/client-key.pem",
        "PDO::MYSQL_ATTR_SSL_CERT": "\/etc\/ssl\/certs\/mysql-client\/client-cert.pem",
        "PDO::MYSQL_ATTR_SSL_CA": "\/etc\/ssl\/certs\/mysql-client\/ca-cert.pem"
    }
}

Are you using external storage, if yes which one: No.

Are you using encryption: no

Are you using an external user-backend, if yes which one: No.

Client configuration

Browser: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36

Operating system: Windows 10.

Logs

Browser log
10.151.40.57 - - [17/May/2018:14:58:07 +0200] "GET / HTTP/1.1" 500 - 
Nextcloud log
Nothing special here
Browser log

Failed to load resource: the server responded with a status of 500 (Internal Server Error)

@c0fe

c0fe commented May 17, 2018

Is your DB installed locally? If not, that's not really advisable, but anyway, try adding these lines to your config.php

'dbdriveroptions' => array(
    PDO::MYSQL_ATTR_SSL_KEY => '/path/to/client-key.pem',
    PDO::MYSQL_ATTR_SSL_CERT => '/path/to/client-cert.pem',
    PDO::MYSQL_ATTR_SSL_CA => '/file/path/to/ca_cert.pem',
),

Be forewarned this is just a guess.

@KB7777
Contributor Author

KB7777 commented May 18, 2018

@c0fe No, the MariaDB server is another server.
And yes, this configuration is set, see config.php at my first post :)

@tcitworld
Member

Did you check that logging in to MySQL from the Nextcloud server CLI with the certs works?
Set loglevel to 0 and eventually debug to true inside your config.php to have more things in the Nextcloud logs.

@KB7777
Contributor Author

KB7777 commented May 21, 2018

@tcitworld
Yes, mysql -v --ssl-ca=./ca-cert.pem --ssl-cert=./client-cert.pem --ssl-key=./client-key.pem -h IP -u user -D database -p works fine.

There is nothing in nextcloud.log because the HTTP 500 error comes from Apache, not from the application.
But there is another interesting thing with config.php...
It works with:

'dbdriveroptions' => array (
    'PDO::MYSQL_ATTR_SSL_KEY' => '/etc/ssl/certs/mysql-client/client-key.pem',
    'PDO::MYSQL_ATTR_SSL_CERT' => '/etc/ssl/certs/mysql-client/client-cert.pem',
    'PDO::MYSQL_ATTR_SSL_CA' => '/etc/ssl/certs/mysql-client/ca-cert.pem',
),

It doesn't work (HTTP 500 error) with:

'dbdriveroptions' => array (
    PDO::MYSQL_ATTR_SSL_KEY => '/etc/ssl/certs/mysql-client/client-key.pem',
    PDO::MYSQL_ATTR_SSL_CERT => '/etc/ssl/certs/mysql-client/client-cert.pem',
    PDO::MYSQL_ATTR_SSL_CA => '/etc/ssl/certs/mysql-client/ca_cert.pem',
),

I don't get it... Is it a PHP 7.2-related thing?

@tcitworld
Member

In the first case, you don't actually set the parameters, so if it actually works, it means you either don't need them (they're already set inside php?) or that you don't use a TLS connection.

@KB7777
Contributor Author

KB7777 commented May 25, 2018

In my case it is not working :(

@tcitworld
Member

Since

It works with:

'dbdriveroptions' => array (
    'PDO::MYSQL_ATTR_SSL_KEY' => '/etc/ssl/certs/mysql-client/client-key.pem',
    'PDO::MYSQL_ATTR_SSL_CERT' => '/etc/ssl/certs/mysql-client/client-cert.pem',
    'PDO::MYSQL_ATTR_SSL_CA' => '/etc/ssl/certs/mysql-client/ca-cert.pem',
),

It should also work if you completely delete this section. Can you confirm that?

@KB7777
Contributor Author

KB7777 commented May 29, 2018

The instance works without these settings. SSL to the database of course not.

@nextcloud-bot
Member

Hey, this issue has been closed because the label stale is set and there were no updates for 14 days. Feel free to reopen this issue if you deem it appropriate.

(This is an automated comment from GitMate.io.)

@GuyPaddock

Just ran into this problem on NC 15.0.8 when trying to connect to an Azure Database for MySQL, but it turned out that my path to the PDO::MYSQL_ATTR_SSL_CA file had a typo in it.

The working settings (for me) looked like:

<?php
$CONFIG = array (
  // ... Multiple lines skipped for brevity + security ...
  'dbname' => 'my-db-name',
  'dbhost' => 'my-database-instance.mysql.database.azure.com',
  'dbport' => '3306',
  'dbtableprefix' => '',
  'dbuser' => 'my-db-user@my-database-instance',
  'dbpassword' => 'my-db-password',
  'dbdriveroptions' => array(
    PDO::MYSQL_ATTR_SSL_CA => '/etc/ssl/certs/Baltimore_CyberTrust_Root.pem',
  ),
  // ... Multiple lines skipped for brevity + security ...
);

Azure requires the instance name suffixed to the end of the username, likely for routing purposes. Other, non-Azure installs likely won't need this part, and will need a different CA file than the one for Baltimore CyberTrust. Baltimore CyberTrust is the root CA for MSFT certs.
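The two failure modes in this thread (quoted option keys that PDO silently skips, as tcitworld points out, and a mistyped certificate path, as in GuyPaddock's case) can be caught before touching config.php with a standalone preflight script. This is an added example, not Nextcloud code or anything posted in the issue; the DB_* constants and the PEM paths are placeholders to be replaced with your own values.

```php
<?php
// Added preflight check for Nextcloud's 'dbdriveroptions' TLS settings.
// Placeholders (assumed): DB_HOST, DB_NAME, DB_USER, DB_PASS and the PEM paths.
declare(strict_types=1);

const DB_HOST = 'db.example.internal'; // placeholder
const DB_NAME = 'nextcloud';           // placeholder
const DB_USER = 'nextcloud';           // placeholder
const DB_PASS = 'change-me';           // placeholder

// Correct form: bare PDO constants as keys, exactly as they must appear in config.php.
// Quoting them ('PDO::MYSQL_ATTR_SSL_CA' => ...) produces string keys, which the
// PDO constructor skips, so the connection silently falls back to plaintext.
$driverOptions = [
    PDO::MYSQL_ATTR_SSL_KEY  => '/etc/ssl/certs/mysql-client/client-key.pem',
    PDO::MYSQL_ATTR_SSL_CERT => '/etc/ssl/certs/mysql-client/client-cert.pem',
    PDO::MYSQL_ATTR_SSL_CA   => '/etc/ssl/certs/mysql-client/ca-cert.pem',
];
if (defined('PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT')) {
    // Reject a server certificate that is not signed by the CA above.
    $driverOptions[PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = true;
}

$errors = [];
foreach ($driverOptions as $key => $value) {
    if (!is_int($key)) {
        $errors[] = "option key '$key' is a string and will be ignored by PDO";
    } elseif (is_string($value) && !is_readable($value)) {
        // Run this as the web server user: the file must be readable by it, not
        // only by root. A typo in the name (ca_cert vs ca-cert) fails the same way.
        $errors[] = "cannot read $value (missing file, typo, or permissions)";
    }
}
if ($errors) {
    fwrite(STDERR, implode(PHP_EOL, $errors) . PHP_EOL);
    exit(1);
}

try {
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', DB_HOST, DB_NAME);
    $pdo = new PDO($dsn, DB_USER, DB_PASS, $driverOptions);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // An empty Ssl_cipher means the session connected but is NOT encrypted.
    $row = $pdo->query("SHOW STATUS LIKE 'Ssl_cipher'")->fetch(PDO::FETCH_ASSOC);
    $cipher = $row['Value'] ?? '';
    echo ($cipher !== '' ? "TLS in use: $cipher" : 'connected WITHOUT TLS') . PHP_EOL;
    exit($cipher !== '' ? 0 : 2);
} catch (PDOException $e) {
    // Inside Nextcloud an uncaught exception here is what surfaces as an HTTP 500.
    fwrite(STDERR, 'PDO error: ' . $e->getMessage() . PHP_EOL);
    exit(1);
}
```

Run it as the web server user (for example with sudo -u apache php preflight.php) so that file permissions are tested under the same identity Nextcloud uses.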
