On iOS, pressing Trust button after BadCertificateException, nothing happens

[bradyt]

This issue corresponds with an App Store review. I'm copying here for visibility, as I think users will only see reviews in their own country.

BadCertificateException

I got my own server and when push the trust button nothing happens 😓

I expect they saw this:

sha1: <sha-1 fingerprint of server.cert>

The server sent a certificate that could not be verified with your CA file.

You may export and inspect the certificate. You may indicate that you trust the
certificate, and it will be saved to this profile to allow future
connections.

For those curious, a screenshot for this scenario can be found at https://github.com/bradyt/taskw-dart/wiki/Taskserver-troubleshooting#badcertificateexception.

I believe the user just needs to try sending the request again. The Trust button simply adds the server's certificate to the current profile's Taskserver configuration.

The feature revealing the bad certificate was added at app version 0.0.9. See task/CHANGELOG.md#009, and https://github.com/bradyt/taskw-dart/commit/4826bfcf6760281f4c4ddd39c8b0e1a32aebdba5.

Ideas for improving user experience:

• Automatically retry (statistics or synchronize) after user presses Trust.
  • (This was not immediately easy to implement, hence currently the awkward extra step.)
• Show server.cert in Taskserver configuration, with fingerprint, option to remove, possibly option to set manually
• Add warning in App Store listing, that Apple's APIs may not be able to verify certs generated with Taskserver's pki scripts, that using Let's Encrypt is a workaround, and I have notes at wiki on setting Let's Encrypt up.

[bradyt]

I think after a restart of device, I now see what user was describing. Even with my Let's Encrypt setup, which previously did not provoke BadCertificateException, I see this prompt, and I now understand what user meant by "nothing happens". When I press "Trust", absolutely nothing happens. What should happen is the file should be saved, the prompt should go away, and the file should be available for next send.

It's as if an iOS update removed write permissions and broke the previous behavior of Let's Encrypt PEM files.

I would consider this a severe bug now, apparently for just iOS users, and when I am able to return to the project, I expect this to be the top priority, and hopefully I can begin making progress within the week.

Apologies for the inconvenience. Please consider exporting your tasks from the app, backing up your local Taskwarrior data, and possibly consider importing the tasks from this app, if you expect there were any changes that haven't been synced. I am not actually sure what the behavior of Taskwarrior import is, so please consider making backups and using git or Taskserver to understand the changes task import implies.

Alternatively, you can consider waiting for an update, assuming I can figure out the issue soon.

[bradyt]

I made a couple minutes available and checked debugging with flutter run -d macos, and got the following error message and stack trace as a clue:

══╡ EXCEPTION CAUGHT BY GESTURE ╞═══════════════════════════════════════════════════════════════════
The following NoSuchMethodError was thrown while handling a gesture:
Class 'BadCertificateException' has no instance getter 'profile'.
Receiver: Instance of 'BadCertificateException'
Tried calling: profile

When the exception was thrown, this was the stack:
#0      Object.noSuchMethod (dart:core-patch/object_patch.dart:63:5)
#1      showExceptionDialog.<anonymous closure>.<anonymous closure> (package:task/src/functions/show_exception_dialog.dart:49:25)

Ideally I just make enough time and/or wait to research completely, but felt like updating issue with the small progress.

I'm not sure why the custom exception would suddenly be missing the profile method. In other words, when the exception is thrown, it carries the profile path with it, so that a "Trust" callback allows to save the same certificate to the profile. Anyways, hoping to look at this a little more within a day.

I also don't have any clues yet why my previously functioning Let's Encrypt configuration suddenly provoked this error. Maybe restarting device cleared a cache, where paths were already broken by app update?

[bradyt]

Oh, and now I'm not sure the lack of profile method is an iOS only issue. In the end I may have to circle around to Android if there's a clue that this could occur there as well. But possibly that can wait till other details are understood about the issue.

[tapatianbeast]

Hi! Im the user of the review on iOS.. i got the app on android from f-droid too and when i push the trust button the app allow sync. That was the reason for my review while in android pressing the trust button allows me to synchronize in ios does not work.

[bradyt]

Thank you @tapatianbeast for the original issue and the extra data point regarding Android.

I think I found the issue with the Trust button, introduced at version 0.1.1, during a refactor of the Profiles class before adding the queries feature. I've submitted version 0.1.3 for review with App Store, and will make sure to try it out before releasing, so hopefully a fix is available in about a day or two.

I don't yet know why my Let's Encrypt setup suddenly started provoking the BadCertificateException. That may prove to be a harder problem to understand. If I understand correctly, previously the BadCertificateException only occurred on iOS with server cert and CA generated by Taskserver's pki/ scripts.

[bradyt]

@tapatianbeast version 0.1.3 is on App Store now, I hope this fixes the Trust button issue you discovered.

[tapatianbeast]

work like a charm! Thanks

[bradyt]

Okay, and now I think I found my other half of the problem. The Let's Encrypt CA file I was using, expired last Thursday, 2pm GMT.

> openssl x509 -enddate -noout -in DST_ROOT_CA_X3.crt 
notAfter=Sep 30 14:01:15 2021 GMT

That was good luck, as it helped me understand the issue you described sooner.

Although I took the issue on some tangents that could still be addressed, I think the problem as user originally discovered is solved now. I will close. Anyone, feel free to raise related issues, or add feedback here if you prefer. Will update wiki notes regarding Let's Encrypt soon.