RocketChat / Rocket.Chat

The communications platform that puts data protection first.
https://rocket.chat/

IIS 6.0 Reverse Proxy SSL and Android RocketChat Client (4.11) Not Working #19044

Open LeeThompson opened 4 years ago

LeeThompson commented 4 years ago

I realize this may be a configuration issue and not a bug; if that turns out to be the case, please point me to documentation that will help me resolve this.

Description:

When the Android client tries to connect to the IIS reverse-proxied SSL RocketChat server, the following error is given: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

Steps to reproduce:

  1. Set up RocketChat
  2. Set up IIS reverse proxy (SSL) to RocketChat
  3. Install Self Signed Root Certificate on Android Device
  4. Attempt to connect with Android RocketChat client

Expected behavior:

The Android client connects.

Actual behavior:

Client does not connect.
java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

Additional context

SSL Key Information:

RSA 4096 bits (SHA256withRSA)
Server Authentication (1.3.6.1.5.5.7.3.1)
Application Certificate Policy: Policy Identifier=Server Authentication
Key Usage: Digital Signature, Key Encipherment (a0)
Subject Alternative Name list includes rocketchat.[domain redacted]

Additional notes

I realize that IIS 6.0 (Windows Server 2008 R2) is old. It's running as a Hyper-V VM and the hardware the host is on can't run Server 2012+; the machine is slated to be replaced, but not until 2021/2022, so I'm just kind of stuck at the moment. (Will probably run Server 2019 when the new machine is purchased and configured.)

Plan B would be to run a reverse proxy container on the Synology (alongside MongoDB and RocketChat itself), but I know less about configuring Apache and nginx than I do IIS, so that isn't my first choice (also it would have to run on a non-standard port for SSL, which seems to cause some issues).

LeeThompson commented 4 years ago

The incredibly poor documentation for SSL and RocketChat has self-signed certificates using RSA 2048; is 4096 not supported? (The docs have no real detailed information.)

(The docs have a lot of command and config examples but never go into detail as to why, what alternatives work, or anything.)

I want to stress that on the Android phone, Chrome can connect to rocketchat over SSL without issue. It's the recently updated Google Play RocketChat client that refuses to connect. Half my users are not pleased.

UPDATE: This may have to do with IIS 6 not supporting WebSockets (which were not added until IIS 8).

MJPGPleasant commented 3 years ago

This is related to the app not being able to properly handle self-signed certs. I have the same issue with a full Docker install and an Nginx reverse proxy running on Ubuntu 20.04.

I would suggest moving / re-posting in the App section, as this is not an issue with the server itself.

brendan-mccoy commented 3 years ago

I'm using a Let's Encrypt cert and it works fine for all browsers and the desktop app, even the browser on my phone, but throws the Trust Anchor error on the Android app.

I'm using the exact reverse proxy nginx config shown in the Rocket.Chat docs.

brendan-mccoy commented 3 years ago

My solution was to use the fullchain cert generated by Let's Encrypt instead of just the regular cert; this makes the Android app happy. Not sure why it's necessary.
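Both situations in this thread (a private root installed on the phone, and a Let's Encrypt certificate where only cert.pem was served) share one mechanism: Android's path builder needs every certificate between the leaf and a root in its trust store, and a reverse proxy that serves only the leaf gives it no path to build, which is exactly the "Trust anchor for certification path not found" error. The script below is an added example, not code from the thread or from the Rocket.Chat project. It is a dependency-free check of whether a served PEM bundle is ordered leaf-first and ends at a root the client trusts, using a minimal DER reader for the issuer and subject fields; the certificates it runs on are constructed, unsigned stand-ins (the names, including rocketchat.example.test, are made up), and it does not verify signatures, only chain structure.

```python
import base64
import re

# Added example, not Rocket.Chat project code: a dependency-free check that a
# PEM bundle served by a reverse proxy forms an ordered chain that ends at a
# root the client trusts. Serving cert.pem (leaf only) instead of
# fullchain.pem is what produces "Trust anchor for certification path not found".


def der_len(n):
    """DER length encoding (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def cert_names(der):
    """Return (issuer, subject) as raw DER Name encodings from an X.509 cert."""
    _, cert_body, _ = read_tlv(der, 0)        # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert_body, 0)        # tbsCertificate ::= SEQUENCE
    tag, _, pos = read_tlv(tbs, 0)            # version [0] EXPLICIT is optional
    if tag != 0xA0:
        pos = 0
    _, _, pos = read_tlv(tbs, pos)            # serialNumber
    _, _, pos = read_tlv(tbs, pos)            # signature AlgorithmIdentifier
    _, issuer, pos = read_tlv(tbs, pos)       # issuer Name
    _, _, pos = read_tlv(tbs, pos)            # validity
    _, subject, _ = read_tlv(tbs, pos)        # subject Name
    return issuer, subject


PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_ders(text):
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]


def check_chain(served_pem, trusted_roots_pem):
    """Findings for a served bundle against a trust store; [] means a path can be built."""
    certs = [cert_names(d) for d in pem_to_ders(served_pem)]
    roots = {cert_names(d)[1] for d in pem_to_ders(trusted_roots_pem)}  # root subjects
    if not certs:
        return ["served bundle contains no certificates"]
    findings = []
    for i in range(len(certs) - 1):            # each cert must be issued by the next one
        if certs[i][0] != certs[i + 1][1]:
            findings.append(f"cert {i} is not issued by cert {i + 1}: "
                            "bundle out of order or an intermediate is missing")
    last_issuer, last_subject = certs[-1]
    if last_issuer not in roots and last_subject not in roots:
        findings.append("chain does not reach a trusted root: Android reports "
                        "'Trust anchor for certification path not found'")
    return findings


# --- Constructed sample data: no keys, no signatures, only the fields the parser reads ---

def _name(cn):
    oid_common_name = tlv(0x06, bytes([0x55, 0x04, 0x03]))        # 2.5.4.3 (CN)
    rdn = tlv(0x30, oid_common_name + tlv(0x0C, cn.encode()))     # AttributeTypeAndValue
    return tlv(0x30, tlv(0x31, rdn))                              # Name ::= SEQUENCE OF SET


def fake_cert_pem(subject_cn, issuer_cn):
    """Constructed, unsigned certificate stand-in with enough structure for cert_names()."""
    sha256_rsa = tlv(0x30, tlv(0x06, bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B]))
                     + tlv(0x05, b""))                            # sha256WithRSAEncryption
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02"))                # version v3
                    + tlv(0x02, b"\x01")                          # serialNumber
                    + sha256_rsa                                  # signature
                    + _name(issuer_cn)
                    + tlv(0x30, tlv(0x17, b"200101000000Z") + tlv(0x17, b"300101000000Z"))
                    + _name(subject_cn)
                    + tlv(0x30, b""))                             # subjectPublicKeyInfo placeholder
    cert = tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00"))       # empty signature BIT STRING
    b64 = base64.b64encode(cert).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


ROOT_PEM = fake_cert_pem("Example Root CA", "Example Root CA")
INTERMEDIATE_PEM = fake_cert_pem("Example Intermediate CA", "Example Root CA")
LEAF_PEM = fake_cert_pem("rocketchat.example.test", "Example Intermediate CA")

if __name__ == "__main__":
    print("cert.pem only :", check_chain(LEAF_PEM, ROOT_PEM))
    print("fullchain.pem :", check_chain(LEAF_PEM + INTERMEDIATE_PEM, ROOT_PEM))
```

To use it on a real deployment, pass the bundle the proxy is configured to serve as `served_pem` and the relevant root store as `trusted_roots_pem`; the leaf-only case returns a finding, the fullchain case returns an empty list. For the self-signed variant at the top of the thread, keep in mind a separate Android behaviour: since Android 7, an app does not trust user-installed CA certificates unless its network security configuration opts in, so a private root added to the phone satisfies Chrome but not necessarily the app even when the served chain is complete.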

evgeshkastrong commented 1 year ago

Same problem with all my Android devices.

LeeThompson commented 1 year ago

I ended up using ngrok.