Allow connecting to self-hosted instances with self-signed certs
Currently, the app doesn't connect to my local instance because it has a self-signed cert, even though I've imported the CA in Android.
Can you add an option to allow logging in with a local cert (or an option to disable cert verification) when you select local server?
This is definitely something we didn't test. It seems Flutter's HTTP client uses the list of CAs from Mozilla, but it's possible to add your own ones
https://api.flutter.dev/flutter/dart-io/HttpClient-class.html
Thanks for the reply.
I seem to have found a way to fix this, but I'm not very familiar with Flutter, being primarily a C++/C programmer.
I found in a StackOverflow post that you can replace the handler for bad certificates in your HttpClient() object: https://stackoverflow.com/a/54359013/1307661
You could add a setting that enables this fix, exposed through a checkbox (called 'self-signed certificate') on the login screen (when you pick an alternative server).
Then, in any part of the program where you instantiate a `http.Client`, replace it with either:
- a subclass that has the bad cert handler set according to the proposed setting
- a call to a factory function that produces `http.Client`s with the bad cert handler set according to the proposed setting
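A sketch of the factory-function idea from the comment above, as an added example that is not part of the original thread and is not wger's code. Instead of a bad-certificate handler that accepts everything, it adds the user's own CA as a trust anchor through `SecurityContext`, so verification stays on; `ServerTrustSettings`, `customCaPem` and `buildHttpClient` are hypothetical names, and the `http` package is assumed as a dependency.

```dart
import 'dart:convert';
import 'dart:io';

import 'package:http/http.dart' as http;
import 'package:http/io_client.dart';

/// Hypothetical settings holder (name and field are assumptions).
class ServerTrustSettings {
  /// PEM text of the private CA picked by the user; null means defaults only.
  final String? customCaPem;
  const ServerTrustSettings({this.customCaPem});
}

/// Hypothetical factory to call wherever the app would write http.Client().
http.Client buildHttpClient(ServerTrustSettings settings) {
  final caPem = settings.customCaPem;
  if (caPem == null || caPem.trim().isEmpty) {
    return IOClient(HttpClient()); // default trust store, nothing relaxed
  }
  // Keep the built-in roots and add the user's CA as one more trust anchor.
  final context = SecurityContext(withTrustedRoots: true);
  try {
    context.setTrustedCertificatesBytes(utf8.encode(caPem));
  } on TlsException catch (e) {
    throw FormatException('Not a valid PEM certificate: ${e.message}');
  }
  // badCertificateCallback is left unset on purpose: any chain that does not
  // validate against the roots above is still rejected.
  return IOClient(HttpClient(context: context));
}

/// Usage: dart run client.dart <path-to-ca.pem> <https-url-of-instance>
Future<void> main(List<String> args) async {
  final pem = await File(args[0]).readAsString();
  final client = buildHttpClient(ServerTrustSettings(customCaPem: pem));
  try {
    final response = await client.get(Uri.parse(args[1]));
    print('Chain verified, HTTP ${response.statusCode}');
  } on Exception catch (e) {
    // A HandshakeException here means the server's chain does not lead to
    // the supplied CA or to a default root.
    print('Connection refused by certificate check: $e');
  } finally {
    client.close();
  }
}
```

Hostname and expiry checks remain in force with this approach; only the set of accepted issuers grows by the one CA the user supplied.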
Hello @rolandgeider, found a PR on the same topic which might be helpful for you: https://github.com/libre-tube/LibreTube/pull/806. Tested that and it works. TLDR: you just need to alter the Android manifest appropriately. A drawback of this approach is that you decide that your app trusts user-installed certificates at compile time, and you can't change this behavior at runtime. If it's applicable - looks like changing the manifest is the simplest way of implementing the desired functionality.
That sounds great. Just editing the XML would obviously be the fastest solution and I think always trusting user certificates would also be acceptable
Hello @rolandgeider, please let me know if some work is planned on the issue and if I can help somehow (unfortunately, I'm not a flutter developer and can't implement the feature myself). Thanks!
Hi @kovdan01 yes, this is definitely planned. After I finish with the exercise crowd sourcing feature, I'll do this
Thanks!
this took a bit longer, but I have just added the XML allowing user certificates
Thanks! Looking forward to the next release including the feature
it's building right now :)
Hello @rolandgeider. Thanks for implementing the feature, but it seems that it does not work as intended. It looks like you forgot to add a line in AndroidManifest.xml describing that a network_security_config.xml is present (which was introduced in 9db063d65c055be72703f70874e4bf02710f2ce3). At least, I've tested the new version and it behaves the same in terms of connecting to instances with self-signed certs. So, the issue will possibly be resolved after altering AndroidManifest.xml properly. See, for example, https://github.com/Bnyro/LibreTube/blob/aadf6d441a498ac9866c395d29a1da4df1a62fe9/app/src/main/AndroidManifest.xml#L19.
oh no 😅
New release is being reviewed by the Play Store Gods
is this live now? can't find any setting
@vayan
> is this live now? can't find any setting
I might be mistaken, but this is intended to work without any settings, just by altering the manifest in order to allow user certificates.
The last time I checked the issue was still there, but it looks like it's flutter-related and can't be fixed on the wger side. I found some related issues previously, but unfortunately I'm unable to find them right now to leave links here.
I personally switched to using certificates from Let's Encrypt - they are free and do not cause issues. Self-signed ones need to be supported by every single app you want to connect from, so I just gave up.
P.S. Don't take this as an "official" answer, I'm not related to wger development.
Exactly, this is a flag set during compilation. I haven't been able to test it because I don't have the appropriate setup. If there is anything else that needs to be done from our side, we'll try to fix it, but yeah in general using let's encrypt is much easier and you will avoid all the pain that comes from self signed certificates.
Got it! thanks :) yeah my instance is on a private tailscale network so I can't get a let's encrypt cert.
but it's ok I'll switch to http for the mobile app! Just wanted to know if I missed something 😄
Thanks for the great work!
Closing the issue now, if there are any issues, feel free to reopen
Hi guys! I came across this post when I was trying to connect the Android application to my newly set up server. It appears that there's still an issue with self-signed/untrusted certificates. I use certificates signed by a local CA, since it's not viable for me to use Let's Encrypt certificates due to the nature of my environment.
I get the following error when trying to login with HTTPS. Is there anything I can do about this? Thank you very much :)
@rolandgeider I'm using the F-Droid release, v1.6.2 if that helps
so the flag didn't solve it, damn