From eb8989f40b8f7ece2751f470a3960ca4aba2b15d Mon Sep 17 00:00:00 2001
From: Robin Appelman
Date: Mon, 14 Mar 2022 18:09:48 +0100
Subject: [PATCH 1/3] use the nextcloud certificate bundle for s3
Signed-off-by: Robin Appelman
---
 lib/private/Files/ObjectStore/S3ConnectionTrait.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/private/Files/ObjectStore/S3ConnectionTrait.php b/lib/private/Files/ObjectStore/S3ConnectionTrait.php
index c99ebdbcd5cb1..3fd04cd092c7a 100644
--- a/lib/private/Files/ObjectStore/S3ConnectionTrait.php
+++ b/lib/private/Files/ObjectStore/S3ConnectionTrait.php
@@ -39,6 +39,7 @@
 use Aws\S3\S3Client;
 use GuzzleHttp\Promise;
 use GuzzleHttp\Promise\RejectedPromise;
+use OCP\ICertificateManager;
 use OCP\ILogger;
 
 trait S3ConnectionTrait {
@@ -121,6 +122,9 @@ public function getConnection() {
 )
 );
 
+ /** @var ICertificateManager $certManager */
+ $certManager = \OC::$server->get(ICertificateManager::class);
+
 $options = [
 'version' => isset($this->params['version']) ? $this->params['version'] : 'latest',
 'credentials' => $provider,
@@ -130,9 +134,10 @@ public function getConnection() {
 'signature_provider' => \Aws\or_chain([self::class, 'legacySignatureProvider'], ClientResolver::_default_signature_provider()),
 'csm' => false,
 'use_arn_region' => false,
+ 'http' => ['verify' => $certManager->getAbsoluteBundlePath()],
 ];
 if ($this->getProxy()) {
- $options['http'] = [ 'proxy' => $this->getProxy() ];
+ $options['http']['proxy'] = $this->getProxy();
 }
 if (isset($this->params['legacy_auth']) && $this->params['legacy_auth']) {
 $options['signature_version'] = 'v2';
From a93dcbbcfcf3e093803cc7c5fa569d0857e28a7a Mon Sep 17 00:00:00 2001
From: Robin Appelman
Date: Mon, 14 Mar 2022 18:34:09 +0100
Subject: [PATCH 2/3] return default bundle when there is an error getting the bundle
Signed-off-by: Robin Appelman
---
 lib/private/Security/CertificateManager.php | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
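Review bot: The new `'http' => ['verify' => $certManager->getAbsoluteBundlePath()],` entry in the third hunk carries no comment saying why the S3 client stops relying on Guzzle's default CA bundle, and the next reader will not have the commit subject in front of them; a one-liner such as `// use the Nextcloud CA bundle so admin-imported certificates are trusted for the S3 endpoint` makes the intent visible. In the same hunk the rewritten proxy line still evaluates `getProxy()` twice, once in the condition and once in the assignment; binding it once, `$proxy = $this->getProxy(); if ($proxy) { $options['http']['proxy'] = $proxy; }`, reads clearer. getConnection() starts and ends outside these hunks.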
diff --git a/lib/private/Security/CertificateManager.php b/lib/private/Security/CertificateManager.php
index 0c6791163c200..6f3b01e23b9a1 100644
--- a/lib/private/Security/CertificateManager.php
+++ b/lib/private/Security/CertificateManager.php
@@ -240,15 +240,19 @@ public function getCertificateBundle(): string {
 * @return string
 */
 public function getAbsoluteBundlePath(): string {
- if (!$this->hasCertificates()) {
- return \OC::$SERVERROOT . '/resources/config/ca-bundle.crt';
- }
+ try {
+ if (!$this->hasCertificates()) {
+ return \OC::$SERVERROOT . '/resources/config/ca-bundle.crt';
+ }
 
- if ($this->needsRebundling()) {
- $this->createCertificateBundle();
- }
+ if ($this->needsRebundling()) {
+ $this->createCertificateBundle();
+ }
 
- return $this->view->getLocalFile($this->getCertificateBundle());
+ return $this->view->getLocalFile($this->getCertificateBundle());
+ } catch (\Exception $e) {
+ return \OC::$SERVERROOT . '/resources/config/ca-bundle.crt';
+ }
 }
 
 /**
From 9342faccad3071e0fce22f18cacd5388a1a0f9f8 Mon Sep 17 00:00:00 2001
From: Robin Appelman
Date: Tue, 15 Mar 2022 15:50:08 +0100
Subject: [PATCH 3/3] don't try to get custom certs for s3 primary storage
Signed-off-by: Robin Appelman
---
 lib/private/Files/ObjectStore/S3.php | 1 +
 lib/private/Files/ObjectStore/S3ConnectionTrait.php | 12 +++++++++---
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/lib/private/Files/ObjectStore/S3.php b/lib/private/Files/ObjectStore/S3.php
index 074f3a1df9182..6492145fb63b0 100644
--- a/lib/private/Files/ObjectStore/S3.php
+++ b/lib/private/Files/ObjectStore/S3.php
@@ -30,6 +30,7 @@ class S3 implements IObjectStore {
 use S3ObjectTrait;
 
 public function __construct($parameters) {
+ $parameters['primary_storage'] = true;
 $this->parseParams($parameters);
 }
 
diff --git a/lib/private/Files/ObjectStore/S3ConnectionTrait.php b/lib/private/Files/ObjectStore/S3ConnectionTrait.php
index 3fd04cd092c7a..03166ab1d7e0f 100644
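Review bot: The new `catch (\Exception $e)` in getAbsoluteBundlePath() returns the stock bundle without recording why, so an administrator who imported a custom CA and then sees TLS failures against that endpoint has no trace that the custom bundle was skipped, and `$e` is never read. Log the caught exception before returning the default path (the class's existing logger, if one is injected, is the natural place; the constructor is not visible here), and consider whether `\Throwable` is the intended boundary, since an `Error` thrown below the `try` still escapes the catch and takes the whole connection down with it. The literal `\OC::$SERVERROOT . '/resources/config/ca-bundle.crt'` now appears twice in this method and a third time in S3ConnectionTrait in patch 3/3; a single documented class constant would keep the three fallbacks in step. The method's docblock is partly outside the hunk.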
--- a/lib/private/Files/ObjectStore/S3ConnectionTrait.php
+++ b/lib/private/Files/ObjectStore/S3ConnectionTrait.php
@@ -122,8 +122,14 @@ public function getConnection() {
 )
 );
 
- /** @var ICertificateManager $certManager */
- $certManager = \OC::$server->get(ICertificateManager::class);
+ // since we store the certificate bundles on the primary storage, we can't get the bundle while setting up the primary storage
+ if (!isset($this->params['primary_storage'])) {
+ /** @var ICertificateManager $certManager */
+ $certManager = \OC::$server->get(ICertificateManager::class);
+ $certPath = $certManager->getAbsoluteBundlePath();
+ } else {
+ $certPath = \OC::$SERVERROOT . '/resources/config/ca-bundle.crt';
+ }
 
 $options = [
 'version' => isset($this->params['version']) ? $this->params['version'] : 'latest',
@@ -134,7 +140,7 @@ public function getConnection() {
 'signature_provider' => \Aws\or_chain([self::class, 'legacySignatureProvider'], ClientResolver::_default_signature_provider()),
 'csm' => false,
 'use_arn_region' => false,
- 'http' => ['verify' => $certManager->getAbsoluteBundlePath()],
+ 'http' => ['verify' => $certPath],
 ];
 if ($this->getProxy()) {
 $options['http']['proxy'] = $this->getProxy();
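Review bot: `!isset($this->params['primary_storage'])` in the first hunk tests only that the key exists, so a configuration that spells out `'primary_storage' => false` would still take the stock-bundle branch; `if (!($this->params['primary_storage'] ?? false)) {` matches the truthiness the flag is meant to carry (S3::__construct sets it to `true` in the same patch). The else branch also deserves a second line in the new comment stating its consequence, since it is the kind of limitation an admin debugging a privately-signed endpoint will want written down: `// admin-imported certificates are therefore never applied to the primary-storage S3 endpoint; it must chain to the stock bundle`. The `\OC::$SERVERROOT . '/resources/config/ca-bundle.crt'` literal duplicates the fallback in CertificateManager::getAbsoluteBundlePath() from patch 2/3, and a shared constant would keep the two in step. getConnection() starts and ends outside these hunks.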