buttercup / buttercup-mobile

:iphone: React-Native mobile application for Buttercup
https://buttercup.pw
GNU General Public License v3.0

WebDAV connection using HTTPS and trusted Private CA certificate #293

Closed casasfernando closed 2 years ago

casasfernando commented 2 years ago

I'm using Buttercup on all my devices (iOS, Linux) using vaults stored on webdav, over https on a private server without any issues. This private server uses a certificate signed by a trusted private CA that I can't change. On iOS and Linux I installed/trusted the private CA certificate in the system and that was all I had to do for Buttercup to work.

Recently I got an Android device and I wanted to use Buttercup there as well. So I installed the private CA certificate on the device like I did before for iOS and Linux, tested it works in other apps (eg: Chrome, Firefox) but unfortunately when I try to configure Buttercup to connect to the webdav vaults I get a connection error that I suspect is related to the server certificate.

I found another two issues that seem related, but I'm not sure it's exactly the same problem because I'm trying to use https and the server certificate is signed by a user trusted CA:

Android version: 11
Buttercup version 2.1.0

Thanks.

casasfernando commented 2 years ago

BTW I know I can work around this by using a 3rd party app (FolderSync) to sync the vault files from the webdav server to local storage and then point Buttercup to the local version of the vault files but it's kind of cumbersome especially when Buttercup is able to handle this directly in other platforms and I would rather try not to use/need two apps to do something that can be done with one.

casasfernando commented 2 years ago

The workaround I'm mentioning in my previous comment is not valid I'm afraid since it seems that Buttercup for Android doesn't have the option to add an existing vault file but only to create a new one, so I'm stuck at the moment without being able to access my Buttercup vaults in Android. :frowning_face:

perry-mitchell commented 2 years ago

Hi @casasfernando - Sorry you're having troubles.

Self-generated certificates have never been supported due to the fact that:

  1. They're more obscure these days, as many either use a 3rd party host (eg. hosted Nextcloud) or use LetsEncrypt to generate publicly trusted certs
  2. Overriding built-in certificate trusting functionality in NodeJS is a pain, and I've never done it before

That being said, I'm happy if someone wishes to add such functionality. It'd help a number of users as well as yourself. I don't currently have the time, however.

If someone were to pick this up, I'd suggest making changes here:

  1. Webdav client (may already be done: see HTTP/HTTPS agents)
  2. Buttercup-core (ensure agent configuration can be passed in)
  3. This repo (ensure, via a flag somewhere, that self-trusted certs can be used - thus overriding the agent support in prior points)

casasfernando commented 2 years ago

Thanks a lot for looking into this @perry-mitchell! Just two last questions. The private root CA certificate is already installed in the Android certificate store on the device. Would that help in any way to make things a bit easier or still a nightmare to implement?

Any plans to support using local existing vaults? I can use a third-party app to keep a local vault in sync with a webdav vault but when I try to use a local vault Buttercup only offered the option to create a new one, not to use an existing one. So my hands are tied :(

perry-mitchell commented 2 years ago

It’d make testing it potentially more difficult. But I’m not sure to be honest, I’ve never used self-signed certs.

I’m surprised it doesn’t just work if it’s in the android official location - might be some ReactNative weirdness then. If so that might be very difficult to fix, but just an idea.
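
Background to the exchange above, as an added example that is not part of the thread or of the Buttercup code base: apps targeting Android 7.0 (API 24) or later trust only the system CA store by default, so a CA installed by the user is honoured by browsers that opt in but not by other apps unless they ship a Network Security Configuration. Whether this is the cause of the reported error is an assumption; the host name `webdav.example.internal` is a placeholder.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example, not project code).
     Enabled from AndroidManifest.xml with:
     <application android:networkSecurityConfig="@xml/network_security_config" ...> -->
<network-security-config>

    <!-- Default for every host not matched below: system CAs only and no
         cleartext HTTP. User-installed CAs are not trusted here. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Scoped exception: only this one host (placeholder name) may also
         chain to a CA that the device owner installed under
         Settings > Security. Certificate validation stays fully enabled;
         only the set of accepted roots grows, and only for this host. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="false">webdav.example.internal</domain>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </domain-config>

</network-security-config>
```

In an app where the user types in an arbitrary WebDAV host, the host cannot be listed at build time, so `src="user"` would have to move into `base-config`, which extends user-CA trust to every connection the app makes. That is still narrower than disabling certificate verification, because chains must validate to a root the device owner explicitly installed.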

perry-mitchell commented 2 years ago

I'm going to close this in favour of #159 for now, as it's sounding like the same issue. Better to pool resources :)