mirror of
https://github.com/floccusaddon/floccus.git
synced 2026-04-25 14:16:12 +03:00
[GH-ISSUE #1038] Cannot connect floccus android 4.9 to nextcloud (non-public CA) #684
Labels
No labels
browser-specific
bug
correctness issues
enhancement
feature: Google Drive
feature: Linkwarden
feature: git
feature: nextcloud-bookmarks
feature: tabs
feature: webdav
help wanted
native-app
priority: high
priority: low
priority: medium
pull-request
question
question
stale
upstream
waiting for more information
wontfix
🙁 Not following issue template
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
starred/floccus#684
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @thsnielsen on GitHub (Feb 9, 2022).
Original GitHub issue: https://github.com/floccusaddon/floccus/issues/1038
Describe the bug
When i enter my connection details, i get E017 Network error (well it is in french so it may be differently worded ..)
To Reproduce
install floccus app from playstore, configure account details (i can share not in public)
I enter the server url, user name, and password, save, and see error E017 Network error in yelow on the main screen
Expected behavior
A clear and concise description of what you expected to happen.
Screenshots
If applicable, add screenshots to help explain your problem.
Desktop
(please complete the following information)
Server
Debug log
not sure howto provide a debug log with the android app - if it is possible please advise
Additional context
I hope you have read all the way here, because i have some suspicions.
I use my own certificate authority, properly created (root, intermediate CA, CA, Server certificate. no funky algorithms selected, just not a public trusted root CA. I CAN connect to nextcloud using https, and the floccus 4.10 plugin for firefox 96.0.3 works fine. I also connect to the nextcloud server from the nextcloud app on my phone. There seem to be missing the "trust this server anyway" option ;-)
@marcelklehr commented on GitHub (Feb 9, 2022):
Have you added your server CA cert to Android? AFAIK, that's the way to make it work.
@thsnielsen commented on GitHub (Feb 9, 2022):
Feel free to laugh - i fell in the classic hole :
My certificate expired day before yesterday :Not After : Feb 7 18:34:12 2022 GMT
I am sorry - i will make a new one during the day
and test again and report back.
@thsnielsen commented on GitHub (Feb 9, 2022):
ok so i generated a new certificate, installed on the nextcloud server, and can OK connect to it from the phone and web, and the floccus 4.10 firefox plugin also connects. Then i verified that my CA is in the phone, but the situation stays E017.
Bear in mind that when i import a CA to android 12, it is located in the USER CA store in android and not in the system CA store. I seem to remember that the apps has to look also in the user CA store?
@thsnielsen commented on GitHub (Feb 9, 2022):
@mnalis commented on GitHub (Feb 9, 2022):
@thsnielsen tangentially related - after reading your introduction about needing to pay to Verisign/Digicert CA to get your cert signed... Are you aware of free CAs like https://letsencrypt.org/ and similar?
Those are not only free of charge and trusted globally (so no need for manually installing your own CA on each client), but opensource ACME-protocol tools completely automate the certificate renewals, and it is much simpler than installing your own CA. (of course, there might be other reasons for preferring your own CA, but I'd though to give you heads-up if you were not aware, and/or wish to update your docs).
@thsnielsen commented on GitHub (Feb 10, 2022):
Thank you for your thoughts! I chose to use my own CA explicitly to have the CA in my possession. Long time ago I was so much told not to just use a self signed certificate on the one hand (though noone was able to give me a valid technical reason why) and on the other hand about government backdoors to the publicly trusted roots (no technical reason either other than imagining they are badly salt'ed). But in the end i got a taste for using my own CA and then there is no more discussion.
So that is my just my case, but i imagine also quite some small medium size enterprises, that would need their own CA also to rule out any dependency.
@sevmonster commented on GitHub (Feb 10, 2022):
Did you load the root CA and intermediate chain, or just the root? If you loaded intermediates, do any of them have the
id-kp-serverAuthOID forExtendedKeyUsage? I don't know about Android 12, but in the past I ran into trouble with that sort of configuration (I'm talking Android 7 or 8 so I imagine it would be fixed by now).I am not so sure that is the case anymore.
Aside
Self-signed certs lack most of the features offered by the X.509 spec (no verification, revocation, chain of trust, stapling, etc...) so many applications that rely on these features may simply not work with no way around it. In some cases you can add the cert to a system store and things will start working, but you will have to do that any time you change/update the certificate as well.
It is not so much a technical issue but a political, monetary, and influential one: who is to say that Timo Inen from GoDaddy will not accept a bribe to provide secret information to Badguy X, or worse yet, replace existing information with something provided by Badguy X? Of course this is largely mitigated by the security features provided by X.509, but it is not impossible, especially by a state-level actor.
It is very common in enterprise environments. For example, many Active Directory forests and System Center installations have CAs configured to hand out certs to client devices for authentication.
Using your own CA still allows for the ease of self-signed certificate creation while retaining all of the missing features of self-signed certs. It is also resistant to any meddling from third parties. It's a good idea, though you do still run into issues like this.
@thsnielsen commented on GitHub (Feb 10, 2022):
(in my first reply, i did not realize half your answer below the the fold-out-arrow i read it now, and it makes an even better posting - thank you for taking your time to reply so richly)
I tried both importing the full chain and only the trusted root.
The trusted root imports to the user certificates (yes! ;-) and when i try to import the full chain instead (that displays correctly in firefox if i inspect the certificate i see three tabs as if you see with the certificate of amazon.com (certificate, intermediateCA, CA) only difference is that firefox moans about mine because the issuer is unknown which is true), importing full chain get a message saying i need also to import the private key (so importing the full chain seems destined for another use case). I googled a bit, and it looks like it is by design that you can only import trusted root and then every issued cert by this root CA is trusted, and also that the user cannot import to the system trusted root store (Android 12 non-rooted).
@sevmonster commented on GitHub (Feb 11, 2022):
I came to the same conclusions. So it seems it may not be possible without root to get all apps to trust a CA or cert.
The other option is to build using your own security config, but floccus uses Capacitor to wrap the webapp in an Android WebView or Chrome Custom Tab... so I don't know that it would work to enable it on the floccus app itself since it won't be handling the connection. I would think the WebView/Chrome app would need to be the ones to establish trust, but neither allow importing certs themselves, they both rely on the system store on Android 12—though you can apparently work around the issue with WebViews. You could always replace the WebView or Chrome package with a custom one that trusts your cert, but on most devices those apps cannot be replaced without root either. In addition, searching the Capacitor docs for "certificate" and "signed" did not bear fruit, so I imagine it does not support supplying custom certs either.
On what certs the device trusts, I finally found the info I was initially looking for; I used the SO answer because it was all I could find at the time. See here:
Thank you. I just thought your comments were interesting and wanted to give some context. Aside from issues like this, private CAs are definitely a good idea (and much better than self signed)
@thsnielsen commented on GitHub (Feb 12, 2022):
I am almost ready to throw in the towel on this one, rooting the S10 is not a small thing :
Root pour la série des Galaxy S10
but i am thinking that both webview and chrome should have a dialogue as when you use them as browsers offering to "Warning : something
Trust this server anyway?"
but maybe applicationized does not offer this - i do not know.
At least we can conclude the issue clear now - thanks for the exchange.
@marcelklehr commented on GitHub (Feb 12, 2022):
Have you tried the System CA store as well? User CA store seems to only work on Android 6.0 and lower, from what I've read.
Capacitor sadly does not expose onReceivedSslError on their WebViewListener interface, which would allow building some kind of exception setting for floccus. I'll open a ticket with them :)
@sevmonster commented on GitHub (Feb 13, 2022):
That's the problem, you cannot add to system store on Android 12 as far as anyone here has seen.
It would be nicer if they came up with a way to support user-provided certs explicitly, or to confirm if building with security configs could affect the web views (I imagine it wouldn't). But that's good too!
@arkdae commented on GitHub (Feb 21, 2023):
What's the status of this bug? I just installed Floccus on my Android phone and I'm getting this same error. I am using a Letsencrypt signed certificate, and all of my other Nextcloud programs are running fine and properly accessing my server.
I wonder if it is not saving the password. When I click on the gear icon, the password field is always blank. I can't tell if it is just a security feature or if it is indeed not saving the password.
@sevmonster commented on GitHub (Feb 21, 2023):
That is intentional. The field is not filled with anything when you edit.
What Android version are you on and when is the last time you updated? Modern devices should include the new LE CA.
@arkdae commented on GitHub (Feb 21, 2023):
Android version 9, patch level May 1, 2019. There are no more updates for this phone.
I question why you question the cert chain. How is it possible that all my other Nextcloud software works fine, but this does not? I'm reasonably confident that the certs are installed properly.
@arkdae commented on GitHub (Feb 21, 2023):
I found the "Trusted Credentials" section of Android settings. I do not see "Let's Encrypt" under the system tab. I don't have any certs under the user tab. I do see "ISRG Root X1," Let's Encrypt's issuer. I can connect to my Nextcloud server through Firefox on my phone, and it doesn't complain about the cert. I'm not sure if Firefox is using the system cert store. I would hope it is.
Is it possible other programs are fine since Let's Encrypt's cert is signed by ISRG and they're not concerned about the entire cert chain, but Floccus is?
@arkdae commented on GitHub (Feb 21, 2023):
Okay, I specifically installed the Let's Encrypt R3 CA as a user credential. But that did not fix it.
@sevmonster commented on GitHub (Feb 21, 2023):
Let's Encrypt moved off of the old R3/R4 intermediates signed by the original DST Root CA X3 in 2020, and the root expired in 2021. Based on what I am reading Android 9 should have the new ISRG roots as you can see, it was added starting with Android 7. New LE intermediates should be trusted by your system.
Firefox likes to download its own certificate bundle. Not sure about Android.
Because the easiest way to get certificate issues resolved is to import the root CA and any intermediate certs to the system store. This makes all of them trusted regardless of other factors. But as we have seen that is no longer easily accomplished with modern Android.
In any case, it does look like your device should support the newest LE CA. Importing the intermediates (which should be trusted already) probably won't help, unless your LE cert is using an expired intermediate somehow. Android ignores the expiry date of trust anchors.
Your problem is likely not related to this issue. You may want to open a new issue and provide debug logs to @marcelklehr as instructed in the template.
@arkdae commented on GitHub (Feb 23, 2023):
I see the problem. It was my misunderstanding. I did not realize that I needed to have the Nextcloud Bookmarks add-on installed. I thought this tool just used Nextcloud's file synchronization mechanism in some way. When I went to create a new bug report, I saw it asking me what version of Nextcloud Bookmarks I'm using, which clued me in to what I needed. After enabling that, it is working now.
I spoke too soon. After enabling Nextcloud Bookmarks, the desktop Firefox plugin works, but the Android program still doesn't. I'll open a new bug report.
@marcelklehr commented on GitHub (May 21, 2023):
I'm closing this as SSL is out of scope of floccus. If android doesn't allow this there's nothing I can do.
@github-actions[bot] commented on GitHub (May 21, 2024):
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.