
Self Signed certs without chains don't work

Open ghost opened this issue 5 years ago • 7 comments

Steps to reproduce

  1. Add self-signed cert (no chain) to personal server with self-hosted IP instance of nextcloud
  2. Add account on this app

Expected behaviour

Accept the cert like all other nextcloud integration apps

Actual behaviour

Get the following error: Low level error: Get https://<myip>:<myport>/index.php/apps/ocsms/get/apiversion?format=json: x509: certificate signed by unknown authority

Server configuration

Nextcloud/ownCloud version: 16.0.1

PHP version: 7.3.6

HTTPd server: apache2

Database engine & version:

Client configuration

Android version: 7.1.1

ghost avatar Jun 15 '19 20:06 ghost

Did you also add the certificate or your CA to your Android device as a trusted one? Where is the error shown? On the Android device or on the server?

This issue might be more related to the Android client not accepting self-signed certificates than to the Nextcloud app on the server.

e-alfred avatar Jun 20 '19 08:06 e-alfred

@e-alfred I apologize for the late response to your question.

I did add the certificate to my Android "installed trusted certs" section and named it the same as the cert's domain that I'm trying to reach.

The error shows up in the app over the "Server Address" section (a little red exclamation mark next to it).

I have the NextCloud application and DAVdroid both working fine with this certificate, so I'm pretty sure the phone itself would be OK with it. Unless I need to install it a different way for this particular app?

ghost avatar Jul 05 '19 02:07 ghost

Quite the same problem here, but I did not add a self-signed cert: I have the Nextcloud dev application on my Android phone, which works very well with my NextCloudPi installation on the local network, but Nextcloud SMS refuses to connect, with nearly the same error as @K73SK: Low level error: Get https://<myip>/index.php/apps/ocsms/get/apiversion?format=json: x509: cannot validate certificate for <myip> because it doesn't contain any IP SANs

Thanks in advance for your help!

alexdevos avatar Aug 18 '19 12:08 alexdevos

I can confirm that a private certificate chain (not ultimately signed by one of the common public Certificate Authorities) does not work, even though the root certificate of this private certificate chain has been added as a trusted certificate in Android and this root certificate is accepted by the official Nextcloud app (com.nextcloud.client) and the official Nextcloud Talk app (com.nextcloud.talk2). This means this application is not referencing the Android system for valid certificates and is probably using an internal list of trusted Certificate Authorities.

SaltyCybernaut avatar Oct 01 '19 19:10 SaltyCybernaut

This issue belongs to the Android companion app for OCSMS: https://github.com/nerzhul/ncsms-android

e-alfred avatar Oct 11 '19 22:10 e-alfred

For my part, I have found a solution for this problem. I used a reverse proxy with pfSense and the problem came from this. Now I use HAProxy and it's OK. No more problems with trusting the certificate.

Disciplus86 avatar Jan 18 '20 13:01 Disciplus86

On my side I also found a solution, a different one, using a fork of ncsms-android by @cpu20 (thank you so much :+1: and thanks to @K73SK for the hint) available on this page: https://gitlab.com/cpu20/ownCloud-SMS-App-Fork/-/releases. Now it works like a charm! This fork allows you to "Disable secure connection checks", as you can see in the screenshot below. This is perfect for a self-hosted IP instance of Nextcloud (such as NextCloudPi).

alexdevos avatar Feb 29 '20 20:02 alexdevos