nextcloud · AndyScherzinger · Dec 1, 2025 · May 11, 2025
diff --git a/config/config.sample.php b/config/config.sample.php
@@ -2572,4 +2572,13 @@
  * Defaults to ``true``
  */
 'enable_non-accessible_features' => true,
+
+/**
+ * Change the default certificates bundle used for trusting certificates.
+ *
+ * Nextcloud ships its own up-to-date certificates bundle, but in certain cases admins may wish to specify a different bundle, for example the one shipped by their distro.
+ *
+ * Defaults to `\OC::$SERVERROOT . '/resources/config/ca-bundle.crt'`.
+ */
+'default_certificates_bundle_path' => \OC::$SERVERROOT . '/resources/config/ca-bundle.crt',
 ];
diff --git a/lib/private/Files/ObjectStore/S3ConnectionTrait.php b/lib/private/Files/ObjectStore/S3ConnectionTrait.php
@@ -213,13 +213,13 @@ protected function paramCredentialProvider(): callable {
 
 	protected function getCertificateBundlePath(): ?string {
 		if ((int) ($this->params['use_nextcloud_bundle'] ?? '0')) {
+			/** @var ICertificateManager $certManager */
+			$certManager = Server::get(ICertificateManager::class);
 			// since we store the certificate bundles on the primary storage, we can't get the bundle while setting up the primary storage
 			if (!isset($this->params['primary_storage'])) {
-				/** @var ICertificateManager $certManager */
-				$certManager = Server::get(ICertificateManager::class);
 				return $certManager->getAbsoluteBundlePath();
 			} else {
-				return \OC::$SERVERROOT . '/resources/config/ca-bundle.crt';
+				return $certManager->getDefaultCertificatesBundlePath();
 			}
 		} else {
 			return null;

diff --git a/lib/private/Http/Client/Client.php b/lib/private/Http/Client/Client.php
@@ -102,7 +102,7 @@ private function getCertBundle(): string {
 		// $this->certificateManager->getAbsoluteBundlePath() tries to instantiate
 		// a view
 		if (!$this->config->getSystemValueBool('installed', false)) {
-			return \OC::$SERVERROOT . '/resources/config/ca-bundle.crt';
+			return $this->certificateManager->getDefaultCertificatesBundlePath();
 		}
 
 		return $this->certificateManager->getAbsoluteBundlePath();

diff --git a/lib/private/Security/CertificateManager.php b/lib/private/Security/CertificateManager.php
@@ -100,7 +100,7 @@ public function createCertificateBundle(): void {
 			$this->view->mkdir($path);
 		}
 
-		$defaultCertificates = file_get_contents(\OC::$SERVERROOT . '/resources/config/ca-bundle.crt');
+		$defaultCertificates = file_get_contents($this->getDefaultCertificatesBundlePath());
 		if (strlen($defaultCertificates) < 1024) { // sanity check to verify that we have some content for our bundle
 			// log as exception so we have a stacktrace
 			$e = new \Exception('Shipped ca-bundle is empty, refusing to create certificate bundle');
@@ -204,7 +204,7 @@ public function getAbsoluteBundlePath(): string {
 		try {
 			if ($this->bundlePath === null) {
 				if (!$this->hasCertificates()) {
-					$this->bundlePath = \OC::$SERVERROOT . '/resources/config/ca-bundle.crt';
+					$this->bundlePath = $this->getDefaultCertificatesBundlePath();
 				} else {
 					if ($this->needsRebundling()) {
 						$this->createCertificateBundle();
@@ -221,7 +221,7 @@ public function getAbsoluteBundlePath(): string {
 			return $this->bundlePath;
 		} catch (\Exception $e) {
 			$this->logger->error('Failed to get absolute bundle path. Fallback to default ca-bundle.crt', ['exception' => $e]);
-			return \OC::$SERVERROOT . '/resources/config/ca-bundle.crt';
+			return $this->getDefaultCertificatesBundlePath();
 		}
 	}
 
@@ -246,6 +246,10 @@ private function needsRebundling(): bool {
 	 * get mtime of ca-bundle shipped by Nextcloud
 	 */
 	protected function getFilemtimeOfCaBundle(): int {
-		return filemtime(\OC::$SERVERROOT . '/resources/config/ca-bundle.crt');
+		return filemtime($this->getDefaultCertificatesBundlePath());
+	}
+
+	public function getDefaultCertificatesBundlePath(): string {
+		return $this->config->getSystemValueString('default_certificates_bundle_path', \OC::$SERVERROOT . '/resources/config/ca-bundle.crt');
 	}
 }
diff --git a/lib/public/ICertificateManager.php b/lib/public/ICertificateManager.php
@@ -52,4 +52,11 @@ public function getCertificateBundle(): string;
 	 * @since 9.0.0
 	 */
 	public function getAbsoluteBundlePath(): string;
+
+	/**
+	 * Get the path of the default certificates bundle.
+	 *
+	 * @since 33.0.0
+	 */
+	public function getDefaultCertificatesBundlePath(): string;
 }
diff --git a/tests/lib/Http/Client/ClientTest.php b/tests/lib/Http/Client/ClientTest.php
@@ -471,6 +471,10 @@ public function testSetDefaultOptionsWithNotInstalled(): void {
 		$this->certificateManager
 			->expects($this->never())
 			->method('listCertificates');
+		$this->certificateManager
+			->expects($this->once())
+			->method('getDefaultCertificatesBundlePath')
+			->willReturn(\OC::$SERVERROOT . '/resources/config/ca-bundle.crt');
 
 		$this->assertEquals([
 			'verify' => \OC::$SERVERROOT . '/resources/config/ca-bundle.crt',

diff --git a/tests/lib/Security/CertificateManagerTest.php b/tests/lib/Security/CertificateManagerTest.php
@@ -48,6 +48,11 @@ protected function setUp(): void {
 		$config = $this->createMock(IConfig::class);
 		$config->expects($this->any())->method('getSystemValueBool')
 			->with('installed', false)->willReturn(true);
+		$config
+			->expects($this->any())
+			->method('getSystemValueString')
+			->with('default_certificates_bundle_path', \OC::$SERVERROOT . '/resources/config/ca-bundle.crt')
+			->willReturn(\OC::$SERVERROOT . '/resources/config/ca-bundle.crt');
 
 		$this->random = $this->createMock(ISecureRandom::class);
 		$this->random->method('generate')