I have my own webdav server and just installed new certificate with command sudo certbot --apache now I can log in with firefox and all works but in terminal mount Webdav command gives me this output:
/sbin/mount.davfs: the server certificate is not trusted
issuer: Let's Encrypt, US
subject: noipDomain.ddns.net
identity: myDomain.uk
fingerprint: ***************************************
You only should accept this certificate, if you can
verify the fingerprint! The server might be faked
or there might be a man-in-the-middle-attack.
Accept certificate for this session? [y,N]
how can I accept certificate permanently to be able to use .sh script for mounting.
The davfs package should be able to use the systems root certificate store to verify the certificate chain.
However, it seems the questionnaire you should have seen when opening a thread in the #Help section is gone. Maybe you didn't get it in the first place, maybe you've deleted it. In any case, it's required for getting the best help possible. Please answer all the questions to the best of your knowledge:
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
My domain is: fairlab.uk
I ran this command:
mount Webdav
It produced this output:
/sbin/mount.davfs: the server certificate is not trusted
issuer: Let's Encrypt, US
subject: noipDomain.ddns.net
identity: myDomain.uk
fingerprint: ***************************************
You only should accept this certificate, if you can
verify the fingerprint! The server might be faked
or there might be a man-in-the-middle-attack.
Accept certificate for this session? [y,N]
My web server is (include version):
Apache/2.4.29 (Ubuntu)
The operating system my web server runs on is (include version):
Ubuntu 20.04.2
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.27.0
(I should have added that earlier too:) And what's the operating system of your client host? I.e., the host on which you're trying to mount the WebDAV from?
Also, I'm not getting your error?:
osiris@erazer ~ $ sudo mount -t davfs https://fairlabwebdav.ddns.net/ /mnt/tmp/
Please enter the username to authenticate with server
https://fairlabwebdav.ddns.net/ or hit enter for none.
Username: test
Please enter the password to authenticate user test with server
https://fairlabwebdav.ddns.net/ or hit enter for none.
Password:
/sbin/mount.davfs: Mounting failed.
Could not authenticate to server: rejected Digest challenge
osiris@erazer ~ $
I think your client host doesn't have the correct certificate root store installed.
From the davfs2 README file:
davfs2 will use the CA-certificates of your system to verify the server certificate.
The client is also Ubu20.04 just desktop, not server :). I am almost 100% sure that installing the root certificate on the client would help, it helped me once with my own signed certificate, I am just confused that firefox didn't complain. It would be awesome if you could point me out where to find the root certificate and which one should it be.
dpkg -l ca-certificates
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-===============-================-============-=============================>
ii ca-certificates 20210119~20.04.1 all Common CA certificates
Ah, that's jus the HTTP part.. Could you either run it with -L (wich instructs curl to follow redirects, i.e., HTTP -> HTTPS in this case) or use https:// in front of the address? Checking out the non-TLS part of your site isn't revealing anything for obvious reasons
Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Date: Sat, 13 Feb 2021 21:19:16 GMT
< Server: Apache/2.4.41 (Ubuntu)
< WWW-Authenticate: Digest realm="webdav", nonce="zcUXTj67BQA=022e3c1cc8e9622e232323cb5248455e5e3c9637", algorithm=MD5, qop="auth"
< Content-Length: 470
< Content-Type: text/html; charset=iso-8859-1
<
401 Unauthorized
Unauthorized
This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.
Apache/2.4.41 (Ubuntu) Server at fairlabwebdav.ddns.net Port 443
* Connection #0 to host fairlabwebdav.ddns.net left intact
Well, before I installed letsencrypt certificate I had openssl self-signed certificate installed and I think it is still on the client machine. As I mentioned before I have added root certificate to solve the problem.
Hardcoding a trusted certificate in davfs2's configuration file might indeed lead to the software actually not checking the system root store when the configured trusted cert actually fails.
Looking at the code, it seems to only use a single method of validation, depending on what is configured:
if (strcmp(args->scheme, "https") == 0) {
if (!ne_has_support(NE_FEATURE_SSL))
error(EXIT_FAILURE, 0, _("neon library does not support TLS/SSL"));
ne_ssl_set_verify(session, ssl_verify, NULL);
if (args->trust_server_cert) {
server_cert = ne_ssl_cert_read(args->trust_server_cert);
if (!server_cert)
error(EXIT_FAILURE, 0, _("can't read server certificate %s"),
args->trust_server_cert);
} else if (args->trust_ca_cert) {
ne_ssl_certificate *ca_cert = ne_ssl_cert_read(args->trust_ca_cert);
if (!ca_cert)
error(EXIT_FAILURE, 0, _("can't read server certificate %s"),
args->trust_ca_cert);
ne_ssl_trust_cert(session, ca_cert);
} else {
ne_ssl_trust_default_ca(session);
}
(...)
If servercert is set in davfs2.conf, then it'll check that. If servercert is not set, it'll check for another configured setting "ca_cert" (however, I can't find that in the man page, perhaps clientcert? Seems weird tho..). If that's not set also, only then it checks for the system root store with aid of ne_ssl_trust_default_ca(session).
I have generated self-signed certificate (root, key and so on) then I've configured webdav-ssl.conf on the server and then I get the message on the client machine (the same machine I am using right now) that it is not trusted, so I've added root certificate in the folder (don't ask which directory :)) on the client machine and this solved the problem. So maybe I should try to find it and remove it?
Checking out the non-TLS part of your site isn't revealing anything for obvious reasons 
