nextcloud/passman-android

Network Error with Let's Encrypt on Android 4.4.2

trohrberg opened this issue · 12 comments

Hello,

I'm referring to issue #13 since I've been having similar network errors since I started trying to use a recent version of passman on my Android 4.4.2 based Zenfone 5. I do have certificates from Let's Encrypt, and accessing my Nextcloud installation, and also the web-based password manager, works fine - even from my Zenfone 5.

The error message in passman when trying to log in is: Peer not trusted by any of the system trust managers.

Should I manually install the root certificate of Let's Encrypt?

Can anyone help me with that problem? If I understand issue #13 correctly, it is now working for others on old Android versions...

Best regards
Timo

Try importing the root certificate of Let's Encrypt.
Also make sure you provide the full chain of the certs.

Hello,

Thank you for your hint. I imported the root certificate of Let's Encrypt, but the passman app still doesn't work. The error displayed is the same. Did I maybe miss anything when importing the certificates? Or did I import the wrong ones? See the attached screenshots from my phone with the certificates that I imported.

Thanks for any further hint.

Regards
Timo
[screenshot: screenshot_letsencrypt_root_certificates]
[screenshot: screenshot_letsencrypt_root_ca_certificate]

Try cleaning the passman app cache on your phone.

I already tried that quite often. I even installed my own Let's Encrypt certificate on the Android system, but I'm still experiencing the same error. Is it possible that the library used by passman for SSL communication somehow does not respect the manually installed certificates in the Android system?

Just to make clear what I already tried:

  • I deleted all manually installed certificates in my Android system by using the "Delete all certificates" option in the security settings.
  • I checked the chain of certificates shown in my Mozilla Firefox browser when accessing my Nextcloud installation and exported the certificates from there.
  • I checked and figured that the DST Root CA X3 certificate is already present in my Android system.
  • I manually installed the Let's Encrypt Authority X3 certificate which is signed by the one mentioned before and which is used to sign my own Let's Encrypt certificate.
  • I cleaned the entire cache and data of passman app.
  • I tried to log into my Nextcloud with the passman app and it shows the same error as before.

Screenshots attached from the chain of certificates shown in my Mozilla Firefox browser.

Any further hints?

Regards
Timo
[screenshot: screenshot_certificate_chain_firefox]

Take a look at: https://www.ssllabs.com/ssltest/analyze.html?d=tr82.de&s=46.163.77.207

And my question regarding the cache: after you added your certificates to the Android trusted certificates, that is when you should clean the cache and restart the app.

I'm sorry, I didn't want to sound pushy with my summary of what I tried. I checked the SSLLabs report on my server's SSL configuration. Unfortunately, I cannot yet figure out how to improve the configuration - but I'm trying to work on it with the hints given in the report.

In the meantime, I already uninstalled the passman app on my smartphone and reinstalled it after cleaning and importing the Let's Encrypt certificate. But unfortunately, it's still giving me the same error.

Having the CA in the Android trusted root certs should fix your issue; if it is still failing, it's probably something to do with your server config, but I don't know what exactly.
Anyway, we will be adding an option to ignore this check for self-signed certificates, but we don't have an ETA for this feature yet.

Since this is either fixed with #25 or a server-specific issue, I'm closing this issue for now; we will however try to help you even if the issue is closed, so feel free to ask and comment away on this issue ^.^

Thank you for your assistance so far and the promised assistance further on. For me it's completely OK to close this issue in the meantime as it seems to affect only me.

Just to make sure I'm getting it right and not making a silly mistake: The CA certificate needed in the Android trusted root certs is the "DST Root CA X3" certificate shown in the screenshot of Mozilla Firefox, right? If I can find a certificate with that name, and especially with the same serial number, in the list of trusted certificates on my Android device, everything should be fine, right? Do I really need the second-level "Let's Encrypt Authority X3" certificate imported on the Android device, too? And if so, is it OK if it is listed in the list of "User certificates" instead of the list of "System certificates" like the "DST Root CA X3" certificate?

Thank you for your clarification.

This page contains the Let's Encrypt root CAs: https://letsencrypt.org/certificates/
If you include the full certificate chain in your server response you don't need any intermediate certificates installed, as far as I know, but I don't know how Android handles custom added root CAs.

Yes, that's also the page where I took the certificates to import from, before just exporting them from my Mozilla Firefox browser. But the issue is still the same. Also, I think you're right with your assumption that no intermediate certificates need to be installed if the server sends the full chain. But the latter is actually happening in my case, which can also be seen in the SSLLabs report's section "Certification Paths".

I simply don't understand what is going wrong and unfortunately, I don't have more details than just the error message "Peer not trusted by any of the system trust managers."
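The exchange above turns on one point: a client that trusts only the root CA can still validate a Let's Encrypt leaf, but only if the intermediate ("Let's Encrypt Authority X3") reaches it somehow, either served by the server as part of the full chain or installed into the trust store. The script below is an added example, not code from this thread or from the passman project. It builds a constructed three-level PKI with the openssl command-line tool (made-up names such as "Example Root CA" and cloud.example.test) and runs `openssl verify` for the three situations discussed: root trusted and no intermediate available (fails), root trusted and intermediate presented as part of the served chain (succeeds), and intermediate imported next to the root (succeeds). It assumes `openssl` 1.1.1 or newer is on the PATH.

```shell
#!/bin/sh
# Added example, not part of this thread or of passman. Builds a constructed
# three-level PKI (root -> intermediate -> server leaf) with the openssl CLI
# and checks the three trust situations discussed in the thread:
#   1. client trusts only the root, server sends only the leaf          -> fails
#   2. client trusts only the root, server sends leaf + intermediate    -> OK
#   3. client has the intermediate installed as trusted next to the root -> OK
# All names (Example Root CA, cloud.example.test, ...) are made up for the demo.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Extension profiles: both CAs must carry CA:TRUE and keyCertSign, the leaf must not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:cloud.example.test\n' > "$WORK/leaf.ext"

# new_csr NAME SUBJECT: fresh P-256 key plus a certificate request for it.
new_csr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}

new_csr root "/CN=Example Root CA"
new_csr int  "/CN=Example Intermediate CA"
new_csr leaf "/CN=cloud.example.test"

# The root signs itself, the root signs the intermediate, the intermediate signs the leaf.
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# Case 1: only the root is trusted and the intermediate is not available at all.
# This is the "root is in the system store but validation still fails" situation:
# the verifier cannot link the leaf to the root and reports a missing issuer.
verify_root_only() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Case 2: only the root is trusted, but the server response carries the
# intermediate (the full chain). -untrusted models certificates received from
# the peer: they may be used to build the chain but are not trusted by themselves.
verify_with_served_chain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Case 3: the intermediate has been imported into the trust store next to the root,
# which is what importing the intermediate as a user certificate aims at.
verify_with_installed_intermediate() {
    cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/trust.pem"
    openssl verify -CAfile "$WORK/trust.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Stand-alone run: print one line per case.
report() { if "$1"; then echo "$1: OK"; else echo "$1: FAILED"; fi; }
report verify_root_only
report verify_with_served_chain
report verify_with_installed_intermediate
```

Running it prints a failure for the first case and OK for the other two, which is the behaviour a correctly configured server (full chain served) or a correctly populated trust store should give. Real Android 4.4 clients do not necessarily behave exactly like `openssl verify` (they may, for example, not use user-installed certificates for chain building in every app), so this only demonstrates the chain logic, not the device's behaviour.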

I am having the same issue on my Android 4.4 Lenovo P90, which is a very similar phone. I also would very much like to get this solved.