Piwigo / Piwigo-Android

Piwigo Native Android App
GNU General Public License v3.0

Login fails with https with self-signed certificates #219

Closed knallio closed 4 years ago

knallio commented 4 years ago

When I try to connect to my piwigo server over https I get the following error:

java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

I am using an ssl certificate signed by my own CA, which is trusted by my android phone. This setup usually works for other apps (e.g. I can connect to my nextcloud instance on the server). I can also connect to the web frontend using the browser over https.

According to a google search this issue is usually related to:

  1. The CA that issued the server certificate was unknown
  2. The server certificate wasn't signed by a CA, but was self signed
  3. The server configuration is missing an intermediate CA

Neither one should be a problem, the CA is known and trusted, the server certificate is not self signed, and the server configuration contains all intermediate CAs (and is working with the web frontend and in other apps).

Are there any additional steps necessary? Should this setup work in principle?

Any hints are welcome.

ramack commented 4 years ago

We are using the library OkHttp in a very standard configuration in Piwigo-Android. If the CA is trusted by Android's SSL stuff I am currently out of ideas how it could be easily made working. Maybe we have to configure OkHttp in the app in a specific way to "inherit" those system-level trusted certificates?

Did you configure the SSL certificates on the server including the complete certificate chain? - This is a problem several users have with Let's Encrypt certificates.

As it doesn't work out of the box we should add some handling for these use cases in the app, but as this can easily be messed up and the crypto infrastructure could become void we need to carefully check how to do that. With that effort and the current manpower in mind I have assigned it to a late release, as it is quite a special case and usually I'd expect that users capable of setting up their own CA in a secure manner should also be able to use Let's Encrypt certificates as a workaround.

knallio commented 4 years ago

Thanks for your answer. It gave me some ideas where I can look further. At the moment it seems to be more an okhttp "problem" than a piwigo problem. I tried checking the connection with the Httper app, which also uses okhttp (as far as I know) and I get the same error.

The SSL certificates on the server include the complete chain, I rechecked that.

At the moment I guess there is nothing that could be done here. I will get back if I find out more.

Feel free to close this issue for the time being.

coolo commented 4 years ago

https://stackoverflow.com/questions/23103174/does-okhttp-support-accepting-self-signed-ssl-certs - you can tweak okhttp. It's strange that it should require that much code though

ramack commented 4 years ago

I don't know what to think about this one here... On one side I'd like to support self-signed certificates, on the other side I don't want to spend a lot of effort and open a (small but existent) security risk for this. So I tend to keep it open for now, schedule it for a later release and then check how the feedback from other users was.

knallio commented 4 years ago

I have no idea if self-signed certificates should be supported. Just to be clear, in my case it is not a self-signed certificate, but a certificate signed by a custom (trusted) CA. Which I would have expected should be accepted by okhttp in the first place. But I also do not exclude the possibility that I configured something wrong...

EddyLB commented 4 years ago

Have you checked your certificate with e.g. https://www.ssllabs.com/ssltest/ ? That should help you troubleshoot the issue.

Sent with GitHawk

knallio commented 4 years ago

Thanks to stackoverflow I have an explanation for my problem.

While Android still allows adding custom CAs, by default apps silently ignore them, see https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html

So the decision if user CAs should be trusted is up to the app developers, so in this case up to you. Interestingly, Google itself seems to still trust user CAs in Chrome, since Chrome does accept my SSL certificate. Nextcloud, which also works with my setup, made the same decision: https://github.com/nextcloud/android/blob/master/src/main/res/xml/network_security_config.xml

So I would appreciate it if you could add this setting as well, since I don't like the alternatives (root every phone/tablet I want to use with piwigo, maintain a modified version of this app, or ditch my otherwise working SSL setup and go with Let's Encrypt)
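The setting discussed in the comment above, as an added example (not Piwigo-Android's or Nextcloud's actual file): since Android 7.0, apps targeting API 24 or higher trust only system CAs unless a network security config opts in to more. The host name `gallery.example.org` and the `@raw/private_ca` resource in option B are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml
     Referenced from AndroidManifest.xml on the application element:
       android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>

    <!-- Option A: keep normal chain and hostname validation, but also accept
         CAs the device owner installed under Settings > Security.
         This is the fit for an app whose server host is typed in by the user.
         It does NOT accept arbitrary self-signed server certificates: the
         server certificate must still chain to a system or user-installed CA. -->
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>

    <!-- Option B (narrower, for a build tied to one deployment): trust a
         single private CA shipped in res/raw, for one host only.
         Host name and resource name are placeholders. A domain-config that
         declares its own trust-anchors replaces the base-config anchors for
         that domain, so only the bundled CA is accepted there. -->
    <domain-config>
        <domain includeSubdomains="false">gallery.example.org</domain>
        <trust-anchors>
            <certificates src="@raw/private_ca" />
        </trust-anchors>
    </domain-config>

</network-security-config>
```

Either option leaves certificate validation in place, unlike a custom trust-all `TrustManager` or hostname verifier in OkHttp, which disables it for every connection.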

knallio commented 4 years ago

I am still convinced that self-signed certificates and CA-signed certificates by a private CA are different. As far as I understood the solution to accept them is also different (and more complex with self-signed certificates). Apart from that, is there any news on the decision? Sorry that I asked again...

coolo commented 4 years ago

I would be fine with implementing a user exception for SSL certificates, but development on the app is very slow atm. Corona may give me more time in the future though :(

ramack commented 4 years ago

With #254 we are also accepting user-installed certificates.

Servery commented 2 years ago

I have got the same problem. I cannot connect to my piwigo self-signed server with my android phone.

ramack commented 2 years ago

Please check Piwigo Android NG.

Servery commented 2 years ago

Piwigo NG also does not work with self-signed certificates (OS Error: certificate handshake.cc:393)