[Bug]: Mac desktop client cannot connect to some self‑hosted servers using internal CA (works from browsers and other OS clients) #9794
Description
⚠️ Before submitting, please verify the following: ⚠️
- This is a bug, not a question or a configuration issue.
- This issue is not already reported on Github (I've searched it).
- Nextcloud Server and Desktop Client are up to date. See Server Maintenance and Release Schedule and Desktop Releases for supported versions.
- I agree to follow Nextcloud's Code of Conduct
Bug description
On macOS the Nextcloud desktop client cannot establish a secure connection to some of my self‑hosted Nextcloud servers that use certificates from the same internal CA.
The exact same servers work fine:
- in all browsers on macOS
- with the Windows and Linux desktop clients
- with another Nextcloud server that uses the same CA chain.
On macOS, the account setup wizard immediately shows:
“Secure connection to server address https://… failed. How do you want to proceed?”
It offers only “Use different URL / Try unencrypted HTTP / Configure client TLS certificate”, but no certificate details or trust prompt.
After I completely removed the client configuration and containers and reinstalled, the problem persists.
Interestingly, if I start the client manually from Terminal with:
/Applications/Nextcloud.app/Contents/MacOS/nextcloud
I can add the problematic accounts successfully and syncing works.
This looks like a macOS‑specific initialization / TLS handling bug that affects only some servers, even though their certificate chains are valid and identical to the working one.
Environment
Desktop client: 33.0.2 (macOS build)
OS: macOS (26.4) on M1 MacBook Pro
Installation: official .app (and tested via Homebrew cask)
Nextcloud servers: multiple self‑hosted instances
2x behind Traefik (Docker)
1x separate Apache server (no Docker, no Traefik)
Certificates: all servers use the same internal PKI:
RootCA → Sub1CA → Signing1CA → leaf cert
Full chain is presented correctly; openssl s_client -showcerts reports Verify return code: 0 (ok) on all servers.
All servers are reachable and trusted in Safari/Chrome/Firefox on the same Mac.
Steps to reproduce
- On macOS, install the desktop client (33.0.2).
- Ensure the internal CA (Root + intermediates) is imported into the macOS System keychain and set to “Always trust”.
- Start the client normally (Dock / Launchpad).
- Try to add an account for https://nextcloud.example.local (affected server).
- The wizard shows “Secure connection failed …” with the three buttons mentioned above and does not allow trusting the certificate.
- Quit the client.
- Start the client from Terminal with:
/Applications/Nextcloud.app/Contents/MacOS/nextcloud
- Repeat the account setup for the same server → now the connection succeeds and the account is added.
Expected behavior
The macOS client should use the same TLS / trust behavior regardless of how it is started, and it should be able to connect to all servers whose certificate chains validate in the macOS keychain and with openssl s_client.
If there is a certificate problem, the client should show a clear trust dialog (similar to browsers), not only a generic “Secure connection failed” page.
Which files are affected by this bug
Nextcloud-33.0.2.pkg
Operating system
macOS
Which version of the operating system you are running.
26.4
Package
Official macOS 12+ universal pkg
Nextcloud Server version
33.0.2
Nextcloud Desktop Client version
33.0.2
Is this bug present after an update or on a fresh install?
Fresh desktop client install
Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
Are you using an external user-backend?
- Default internal user-backend
- LDAP/ Active Directory
- SSO - SAML
- Other
Nextcloud Server logs
Additional info
No response
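
The chain layout from the report (RootCA → Sub1CA → Signing1CA → leaf), rebuilt with throwaway keys as an added example that is not part of the original issue or of Nextcloud's code: it shows which intermediates a server has to send before a client that trusts only the root can validate the leaf. The file names, `pki.cnf`, and the helper functions `issue`, `build_chain` and `verify_leaf` are assumptions made for this example.

```bash
# Constructed demo: throwaway keys and names; nothing here comes from the reporter's PKI.
set -eu

# issue DIR NAME ISSUER SECTION: key + CSR for NAME, signed by ISSUER ("self" = root).
issue() {
  local d="$1" name="$2" issuer="$3" section="$4"
  openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" -subj "/CN=$name" \
    -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
  if [ "$issuer" = self ]; then
    set -- -signkey "$d/$name.key"
  else
    set -- -CA "$d/$issuer.pem" -CAkey "$d/$issuer.key" -CAcreateserial
  fi
  openssl x509 -req -in "$d/$name.csr" "$@" -days 2 -extfile "$d/pki.cnf" \
    -extensions "$section" -out "$d/$name.pem" 2>/dev/null
}

# build_chain DIR: RootCA -> Sub1CA -> Signing1CA -> leaf, as laid out in the report.
build_chain() {
  local d="$1"
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
subjectAltName = DNS:nextcloud.example.local
EOF
  issue "$d" RootCA self ca;          issue "$d" Sub1CA RootCA ca
  issue "$d" Signing1CA Sub1CA ca;    issue "$d" leaf Signing1CA leaf
}

# verify_leaf DIR [INTERMEDIATE...]: trust only RootCA; the leaf plus the named
# intermediates stand in for what a server sends. Prints "ok" or "fail".
verify_leaf() {
  local d="$1" c; shift
  cat "$d/leaf.pem" > "$d/sent.pem"
  for c in "$@"; do cat "$d/$c.pem" >> "$d/sent.pem"; done
  if openssl verify -CAfile "$d/RootCA.pem" -untrusted "$d/sent.pem" "$d/leaf.pem" \
    >/dev/null 2>&1; then echo ok; else echo fail; fi
}

work=$(mktemp -d); build_chain "$work"
for sent in "Sub1CA Signing1CA" "Signing1CA" ""; do
  echo "server sends leaf + [$sent]: $(verify_leaf "$work" $sent)"
done
rm -rf "$work"
```

Only the first case validates; a client whose trust store also holds the intermediates would accept all three, so a passing result on one client does not show what the server actually sends.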