turtl/tracker

Android app not recognizing self-signed CA certificate

jrlangford opened this issue · 3 comments

Hey Guys! This project looks great. I set up a Turtl server and have no issues with the desktop app. However, when attempting a connection through the Android App, Login fails with a message that contains the following:

Login failed - Error:
https://<myhost>/auth: an error occurred trying to connect: error 14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1269:(unable to get local issue certificate)

Android version: 8.1.0
Turtl app version: 0.7.2.5

I have installed my custom CA certificate in the system, and can see the API's '{"greeting":"Hi"}' response when navigating to the server's url through the mobile device's browser.

One thing to note: The browser requested me to install the CA in its own certificate store even when it was already installed in the system and could be read in the device's 'Trusted Credentials' section.

It looks like the app is not aware of the custom CA certificate, or is there anything I am missing to get the setup right?

JrLangford
Could you share the installation instructions you followed for installing Turtl Server?
Tried a few but never made it to the end without it failing.
I would give it another shot following your method.

Thanks

Ronald V

Hi Ronald,

My installation required several steps that were very specific to my setup, one of those was the creation of self-signed certificates. However, I think you can get an instance running by following these general steps, assuming a standard Linux setup with Docker installed:

Clone the repository
https://github.com/turtl/server

Run the docker images
1. cd into the cloned repo's root directory.
2. Review the environment variables defined in docker-compose.yml and change the passwords to something different from the default values.
3. Execute the docker-compose up command from the root of the cloned repo as instructed in its README file.

After this step you should have an insecure Turtl server running inside a docker container on your host machine and listening on 0.0.0.0:8181.

You can test it is working by running curl 127.0.0.1:8181 from your terminal. This should return {"greeting":"Hi."}.

Configure a reverse proxy
I am using nginx to route requests to the container and do TLS termination.

If you are pointing a public domain name to the server and configuring a server block in nginx to route requests to your container, then you can install and run certbot to generate a Let's Encrypt certificate for you and automatically configure nginx with the corresponding configuration.

If you are not using a public domain name then you will have to create self-signed certificates for your domain and manually set them up in nginx.

After this step you should have a Turtl server running with TLS enabled, ready to receive external connections securely. You can test it by running curl again, but using the domain name you configured and https instead of the IP and port used earlier. Example: curl https://myturtldomain.com

This is a very general overview of the installation process. If you tell me the specific error you are facing I may be able to help you with more specific advice.

Sorry if I'm wrong to unearth this old issue, but it looks like I'm facing a quite similar one right now, yet my Apache server only supports TLS 1.2 and TLS 1.3 (checked with SSL Labs).

Besides, my web site has a few subdomains, including the one leading to the Turtl server, and that's the only one for which the certificate fails to be checked.

Any hint to solve this would be greatly appreciated!

EDIT: My specific problem has been solved at #400. Thank you!