ios
Cannot import SSL Client Certificate (.p12)
Steps to reproduce
- Launch the Nextcloud iOS app (5.4.1) and enter the URL to our NC server
- A popup is shown saying that "the server is requesting a client certificate", as expected
- When browsing to the client certificate (.p12, generated with OpenSSL with the legacy flag) and entering the password for the certificate, we go back to the first popup saying "the server is requesting a client certificate", and we are looping
Expected behaviour
The client certificate should be imported into the app and sent to our NC server when connecting. Note that the same client certificate is correctly installed through Safari and we correctly connect to our NC server through Safari. It only fails when using the NC iOS app.
Actual behaviour
The client certificate is not imported into the app and it is looping on the import steps.
Screenshots
Logs
Apache Server log:
[Thu Jul 04 09:42:59.814730 2024] [ssl:error] [pid 270191:tid 140260126217984] [client x.x.x.x:57011] AH02261: Re-negotiation handshake failed
[Thu Jul 04 09:42:59.814859 2024] [ssl:error] [pid 270191:tid 140260126217984] SSL Library Error: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate -- No CAs known to server for verification?
Reasoning or why should it be changed/implemented?
Environment data
iOS version: iPadOS 17.5.1
Nextcloud iOS app version: 5.4.1
Server operating system: AlmaLinux 8.9
Web server: Apache
Database: Postgres
PHP version: 8.2.16
Nextcloud version: 28.0.2
I have the same issue on iPhone 15 with iOS 17.5.1. But it shows "Connection Error: Bad request" after installing the client certificate.
I am using Nginx as a reverse web proxy and it shows the following error log from Nginx:
2024/07/05 15:17:49 [info] 487983#487983: *5 client sent no required SSL certificate while reading client request headers, client: x.x.x.x, server: nc.xx.xxx, request: "GET /status.php HTTP/2.0", host: "nc.xxx.xx"
With the same client certificate installed in iOS system, my Safari web browser can login to my nextcloud server without any problem.
Hi, can you post all the commands you used to create the certificates?
Hi mpivchev,
Thank you for your help!
I used these commands to create the certificate:
On our OpenBSD CA server (LibreSSL 3):
# openssl req -config openssl.cnf -sha256 -nodes -newkey rsa:4096 -keyout client_certs/$client.key -out client_certs/$client.csr -subj "/CN=$client"
# openssl ca -config openssl.cnf -in client_certs/$client.csr -out client_certs/$client.pem
# openssl pkcs12 -export -macalg sha256 -out client_certs/$client.pfx -inkey client_certs/$client.key -in client_certs/$client.pem -keypbe aes-256-cbc -certpbe aes-256-cbc
I have attached the openssl.cnf (openssl.cnf.txt).
I tried to recreate the PKCS12 on AlmaLinux 9 (OpenSSL 3):
# openssl pkcs12 -export -out client_certs/$client.pfx -inkey client_certs/$client.key -in client_certs/$client.pem -legacy -descert
But I didn't try to recreate a new CA on AlmaLinux 9 and recreate the KEY/CERT. I will test it.
Hi,
I tried on AlmaLinux 9 and it is still not working for me.
Some information about the PKCS12 file created with the -legacy flag:
# openssl pkcs12 -export -out nctest-legacy.pfx -inkey nctest.key -in nctest.pem -legacy -descert
# openssl pkcs12 -in nctest-legacy.pfx -info
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Certificate bag
Bag Attributes
localKeyID: #HIDDEN#
subject=CN = nctest
issuer=#HIDDEN#
-----BEGIN CERTIFICATE-----
#HIDDEN#
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
localKeyID: #HIDDEN#
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
#HIDDEN#
-----END ENCRYPTED PRIVATE KEY-----
Note that this PKCS12 file (nctest-legacy.pfx) is still correctly imported in Safari and client authentication to our NC server succeeds.
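As an added example (not from this thread and not the Nextcloud project's code), the POSIX shell script below reproduces the material above on a throwaway PKI: it builds a test CA and a client certificate, exports the client identity as PKCS#12 once with the SHA1-3DES algorithm set that the `-legacy -descert` export shows (pinned with explicit `-macalg`/`-keypbe`/`-certpbe` options, so no legacy provider is needed on OpenSSL 3) and once with PBES2/AES-256, classifies any .pfx from the `openssl pkcs12 -info` summary lines including the wrong-password case, and checks that the client certificate chains to the CA, which is the condition behind Apache's "No CAs known to server for verification?" hint. All subjects, file names and passwords are constructed values; it assumes an `openssl` binary (1.1.1 or 3.x) on PATH.

```shell
#!/bin/sh
# Added example, not from the issue thread or the Nextcloud project: build a
# throwaway CA and client certificate with OpenSSL, export the client identity
# as PKCS#12 in the two algorithm sets discussed in the thread, and inspect a
# .pfx/.p12 the way `openssl pkcs12 -info` does, including a wrong password.
# All names, subjects and passwords are constructed test values.
set -eu

# Create ca.pem/ca.key and client.pem/client.key under $1. The CA and client
# subjects are deliberately different (Apple treats identical subjects as
# self-signed, as noted in the thread).
make_demo_pki() {
  dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" \
    -subj "/CN=Demo Root CA/O=Demo CA Org" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/client.key" -out "$dir/client.csr" \
    -subj "/CN=nctest/O=Demo Client Org" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 2 -in "$dir/client.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/client.pem" >/dev/null 2>&1
}

# Export key + cert + issuing CA as $dir/<mode>.pfx and print its path.
# "legacy" pins the algorithms the thread's `-legacy -descert` export shows
# (SHA-1 MAC, pbeWithSHA1And3-KeyTripleDES-CBC for key and cert bags) via
# explicit options, so the OpenSSL 3 legacy provider is not required.
# "modern" uses PBES2 with AES-256-CBC and a SHA-256 MAC.
export_p12() {
  dir="$1"; mode="$2"; password="$3"; out="$dir/$mode.pfx"
  if [ "$mode" = legacy ]; then
    pbe=PBE-SHA1-3DES; mac=sha1
  else
    pbe=AES-256-CBC; mac=sha256
  fi
  openssl pkcs12 -export -out "$out" \
    -inkey "$dir/client.key" -in "$dir/client.pem" -certfile "$dir/ca.pem" \
    -macalg "$mac" -keypbe "$pbe" -certpbe "$pbe" \
    -passout "pass:$password" >/dev/null 2>&1
  printf '%s\n' "$out"
}

# Classify a PKCS#12 file by what `openssl pkcs12 -info` reports. The summary
# lines (MAC, PBE scheme) are written to stderr, hence 2>&1. Prints one of:
#   bad-password  MAC check failed (what a wrong import password looks like)
#   legacy        SHA1-3DES bags, the set shown in the thread
#   modern        PBES2 / AES-256-CBC bags
#   unknown       anything else
p12_pbe_scheme() {
  info="$(openssl pkcs12 -in "$1" -info -nokeys -noout \
            -passin "pass:$2" 2>&1 || true)"
  case "$info" in
    *"Mac verify error"*)                  echo bad-password ;;
    *"pbeWithSHA1And3-KeyTripleDES-CBC"*)  echo legacy ;;
    *"AES-256-CBC"*|*"PBES2"*)             echo modern ;;
    *)                                     echo unknown ;;
  esac
}

# Does certificate $2 chain to CA file $1? This is the check behind Apache's
# "No CAs known to server for verification?" hint: the CA configured on the
# server must be the one that signed the client certificate.
client_cert_chains_to() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Stand-alone demo: sh p12check.sh demo
if [ "${1:-}" = demo ]; then
  work="$(mktemp -d)"
  make_demo_pki "$work"
  for mode in legacy modern; do
    f="$(export_p12 "$work" "$mode" secret)"
    echo "$f: $(p12_pbe_scheme "$f" secret), wrong password: $(p12_pbe_scheme "$f" nope)"
  done
  echo "client chains to CA: $(client_cert_chains_to "$work/ca.pem" "$work/client.pem")"
fi
```

Running `p12_pbe_scheme` against a real .pfx with the password you type into the app is a quick way to separate "wrong password" (MAC failure) from "file fine, the client is not presenting it", which is what the Apache and Nginx log lines in this thread indicate.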
@mpivchev some news here ?
Is this related to the fix of #2904? With 5.5.2 I don't see the certificate nagging anymore but I haven't yet checked if the certificate is still sent when installed.
Hi, you can use https://www.openlogic.com/blog/mutual-authentication-using-apache-and-web-client to try and set up a certificate. This is only TLS, not mTLS. mTLS should work as well, but not 100% sure on this.
Please keep in mind all the questions that are asked when creating the certificates, such as Organization Name, Location, and so on, must be different in both the client and server certificate. Otherwise Apple assumes that the cert is self-signed.
Finally, you can test if the certificate can be imported into Mac Keychain. If it works there, it should work on iOS, as they use the same algorithms.
Hi mpivchev,
Thank you for your answers.
I read your link and I already use these Apache directives to configure the client authentication.
So, I tried to import into our Mac Keychain (macOS Monterey 12.7.6) our old certificate (nctest-legacy.pfx), and the certificate is valid (after I added our own CAs - intermediate + ca).
And I have successfully connected to our Nextcloud server through Safari (17.6) using the certificate on our Mac.
Thanks for your time!
As I understand, mTLS is TLS with a client certificate. In the normal case, the client verifies the server's certificate. When the server needs to verify the client's certificate, it is mutual TLS (mTLS) because both sides need to verify each other. mTLS is the TLS protocol when the server requests a client certificate.
If mTLS is not supported, then client certificate is not supported.
Hi all,
I tried with the latest version of Nextcloud App (5.5.5) and I still have the issue. The error log is different on the Nextcloud App: "Connection error The network connection was lost".
On Apache logs:
[Tue Oct 01 11:33:58.322902 2024] [ssl:error] [pid 2418958:tid 140124885071616] [client x.x.x.x:28926] AH02261: Re-negotiation handshake failed
[Tue Oct 01 11:33:58.323044 2024] [ssl:error] [pid 2418958:tid 140124885071616] SSL Library Error: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate -- No CAs known to server for verification?
So it looks like the Nextcloud app is not sending the client certificate to the server. It still works with Safari.
This bug prevents us from deploying Nextcloud on our company iPads, so is there anything I can check/provide to help on this issue?
Thank you for your help,
@ctgvt Hi, did you find a solution? I have the same problem, with Nginx logging: 2025/01/10 01:14:28 [info] 806#806: *1080 client sent no required SSL certificate while reading client request headers ....
Thanks in advance!
Hi @maxbillcheck,
Unfortunately no. We are still waiting for some help so that we can start to use the ios app...
Hi @ctgvt @maxbillcheck. Can you try this PR and check if it resolves your issue? Thanks. https://github.com/nextcloud/ios/pull/3223
Hi @mpivchev, is the app with this PR available on TestFlight? Thanks
I followed the steps above to create the client certificate and with TestFlight v.6.3.0 (2) the prompt to install the .p12 loops after entering the password to install the cert. Using the client cert to open the Nextcloud URL in Safari prompts for the client cert and lets me into my Nextcloud instance with no issues.
The same issue in stable 6.3.0 (the loop between 3 screens) from the app. I can log in from the Safari browser.
Experiencing a related issue with 6.6.0 - no way to bypass when mTLS is optional.
Same problem with iOS 18.5 and app version 6.6.4, keeps asking for the p12, despite it being correctly installed/trusted in the system.
Same issue with iOS 18.5 and app version 7.0.0. I migrated to nextcloud from owncloud and would like to continue using my cloud from my iPhone like it was before.
I "solved" the issue by accessing my stuff through VPN... -.-
Hi, I started rewriting the mTLS logic, if possible please test to see if this issue still occurs. Keep in mind it's still WIP and not finalized: https://github.com/nextcloud/ios/pull/3685
I've just tested with the latest Testflight Nextcloud build 7.1.2 (0).
I still get the re-prompts to install the certificate after entering password of the chosen certificate.
- The server is requesting a client certificate.
- Select the .p12 certificate from the Files app.
- Enter the password for the chosen certificate.
- Loops back to step 1.
Testflight does not include the changes here: https://github.com/nextcloud/ios/pull/3685. You can only test this by cloning the repo, switching to the mtls branch and building the app via XCode yourself.
Ok. That’s beyond my capabilities sadly.
I get this error also
Same "loop" here
Hi, there is a new TestFlight version 7.1.3 (7) available here: https://testflight.apple.com/join/RXEJbWj9 It includes the new mTLS implementation. Please test it and report if there are any issues, thank you.
Hi @mpivchev, I tested version 7.1.3 (7) on iOS 18.6.2 but nothing happens after selecting the certificate and entering the password. Even if I enter a wrong password, I do not even get an error message - just nothing happens. The certificate (.p12) is correctly installed on my iPad and it works if I open my Nextcloud URL directly in Safari.
@Niklasschoenb can you try uninstalling and installing the app again?