authorRobin Appelman <robin@icewind.nl>2022-03-17 13:56:19 +0000
committerGitHub <noreply@github.com>2022-03-17 13:56:19 +0000
commitbf48c0b1b4bd3677a70aa0d7c8a50a5253c4cb5b (patch)
treed7e4199dd44fe5201c25c9cdd9c8808902e8a778 /lib
parent4011a39d2492d5deed9d10ad677dc887d21c58b0 (diff)
parent1156214a269572b4460d8aa8a599076520f26b58 (diff)
downloadnextcloud-server-bf48c0b1b4bd3677a70aa0d7c8a50a5253c4cb5b.tar.gz
nextcloud-server-bf48c0b1b4bd3677a70aa0d7c8a50a5253c4cb5b.zip
Merge pull request #31574 from nextcloud/s3-crt-bundle
use the nextcloud certificate bundle for s3
Diffstat (limited to 'lib')
-rw-r--r--lib/private/Files/ObjectStore/S3.php1
-rw-r--r--lib/private/Files/ObjectStore/S3ConnectionTrait.php13
-rw-r--r--lib/private/Security/CertificateManager.php18
3 files changed, 24 insertions, 8 deletions
diff --git a/lib/private/Files/ObjectStore/S3.php b/lib/private/Files/ObjectStore/S3.php
index 074f3a1df91..6492145fb63 100644
--- a/lib/private/Files/ObjectStore/S3.php
+++ b/lib/private/Files/ObjectStore/S3.php
@@ -30,6 +30,7 @@ class S3 implements IObjectStore {
use S3ObjectTrait;
public function __construct($parameters) {
+ $parameters['primary_storage'] = true;
$this->parseParams($parameters);
}
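Review bot: The `primary_storage` flag set in the constructor has no comment, and it is written into the same `$parameters` array that carries the configured S3 options. Nothing in S3.php says that it exists to keep S3ConnectionTrait away from the certificate manager during bootstrap, so I would add `// primary storage: the certificate bundle is stored on this backend, so the trait must not ask the certificate manager for it` above the assignment. Because the trait tests the key with `isset()`, any other caller whose parameters happen to contain a `primary_storage` entry would take the same branch whatever its value; the callers are not visible here, so that is worth confirming.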
diff --git a/lib/private/Files/ObjectStore/S3ConnectionTrait.php b/lib/private/Files/ObjectStore/S3ConnectionTrait.php
index b72b0ebee53..d6f42c455b4 100644
--- a/lib/private/Files/ObjectStore/S3ConnectionTrait.php
+++ b/lib/private/Files/ObjectStore/S3ConnectionTrait.php
@@ -38,6 +38,7 @@ use Aws\S3\Exception\S3Exception;
use Aws\S3\S3Client;
use GuzzleHttp\Promise;
use GuzzleHttp\Promise\RejectedPromise;
+use OCP\ICertificateManager;
use OCP\ILogger;
trait S3ConnectionTrait {
@@ -120,6 +121,15 @@ trait S3ConnectionTrait {
)
);
+ // since we store the certificate bundles on the primary storage, we can't get the bundle while setting up the primary storage
+ if (!isset($this->params['primary_storage'])) {
+ /** @var ICertificateManager $certManager */
+ $certManager = \OC::$server->get(ICertificateManager::class);
+ $certPath = $certManager->getAbsoluteBundlePath();
+ } else {
+ $certPath = \OC::$SERVERROOT . '/resources/config/ca-bundle.crt';
+ }
+
$options = [
'version' => isset($this->params['version']) ? $this->params['version'] : 'latest',
'credentials' => $provider,
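Review bot: On the primary-storage branch `$certPath` is always the shipped `ca-bundle.crt`, so certificates an administrator imported through the certificate manager are never trusted for the primary S3 endpoint. That follows from the bootstrap constraint in the existing comment, but it means an endpoint signed by a private CA will fail verification on this path, and the comment should say so, e.g. `// primary storage therefore trusts only the shipped bundle; imported certificates are not applied`. The guard `!isset($this->params['primary_storage'])` tests presence only; `empty($this->params['primary_storage'])` would also treat an explicit `false` as "not primary". The enclosing method starts and ends outside the hunk.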
@@ -129,9 +139,10 @@ trait S3ConnectionTrait {
'signature_provider' => \Aws\or_chain([self::class, 'legacySignatureProvider'], ClientResolver::_default_signature_provider()),
'csm' => false,
'use_arn_region' => false,
+ 'http' => ['verify' => $certPath],
];
if ($this->getProxy()) {
- $options['http'] = [ 'proxy' => $this->getProxy() ];
+ $options['http']['proxy'] = $this->getProxy();
}
if (isset($this->params['legacy_auth']) && $this->params['legacy_auth']) {
$options['signature_version'] = 'v2';
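Review bot: With `'http' => ['verify' => $certPath]` every S3 client now verifies against the Nextcloud bundle rather than the HTTP client's default trust store, and nothing in the code records that change for operators whose endpoint is trusted only through the OS store. A comment above the option such as `// verify TLS against the Nextcloud bundle (shipped CAs plus imported ones), not the system store` would document it. `$certPath` is also passed on unchecked; if `getAbsoluteBundlePath()` can ever yield an empty or unreadable path, the failure would presumably surface only at request time, so an `is_readable($certPath)` check that falls back to the shipped bundle may be worth adding. The method continues past the end of the hunk.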
diff --git a/lib/private/Security/CertificateManager.php b/lib/private/Security/CertificateManager.php
index 0c6791163c2..6f3b01e23b9 100644
--- a/lib/private/Security/CertificateManager.php
+++ b/lib/private/Security/CertificateManager.php
@@ -240,15 +240,19 @@ class CertificateManager implements ICertificateManager {
* @return string
*/
public function getAbsoluteBundlePath(): string {
- if (!$this->hasCertificates()) {
- return \OC::$SERVERROOT . '/resources/config/ca-bundle.crt';
- }
+ try {
+ if (!$this->hasCertificates()) {
+ return \OC::$SERVERROOT . '/resources/config/ca-bundle.crt';
+ }
- if ($this->needsRebundling()) {
- $this->createCertificateBundle();
- }
+ if ($this->needsRebundling()) {
+ $this->createCertificateBundle();
+ }
- return $this->view->getLocalFile($this->getCertificateBundle());
+ return $this->view->getLocalFile($this->getCertificateBundle());
+ } catch (\Exception $e) {
+ return \OC::$SERVERROOT . '/resources/config/ca-bundle.crt';
+ }
}
/**
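Review bot: The new `catch (\Exception $e)` discards the exception and returns the shipped bundle, so a failure in `hasCertificates()`, `createCertificateBundle()` or `getLocalFile()` silently drops every imported certificate from the trust set. The fallback keeps verification on, which is the safe direction, but an operator will then see TLS failures against privately signed hosts with nothing in the log pointing here. I would log `$e` at warning level before the fallback `return`, using whatever logger this class already has access to (not visible in the hunk), and add a comment stating that the fallback is deliberate. `\Exception` also leaves `\Error` uncaught, which is probably intended but should be stated. The path literal now appears three times in the method and could be a single private constant.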