dreautall / waterfly-iii

Unofficial Android App for Firefly III, a free and open source personal finance manager.
MIT License

`Exception in CronetUrlRequest: net::ERR_CERT_VALIDITY_TOO_LONG` since v1.0.5 #418

Closed netw0rk-noob closed 1 month ago

netw0rk-noob commented 1 month ago

Since upgrading from a rather old version (1.0.1) - which still supported pasting my own certificate into the app - to v1.0.6 (v1.0.5 - the first version using cronet according to the changelog - behaves the same way) I get the following error message (text from OCR because I can't copy it from the app, so it might contain spelling errors) when trying to start the app:

```
Unkown Error

Host: https://hostname.tld

ClientException: Cronet exception: org.chrom
um.net.impl.NetworkExceptionimpl:
Exception in CronetUrIRequest:
net::ERR_CERT_VALIDITY_TOO_LONG,
ErrorCode=11, InternalErrorCode=-213,
Retryable=false, uri=https://hostname.tld/api/v1/about
```

By reading other issues regarding the new certificate store usage I've come to the understanding that the related CA cert needs to be imported to Android's certificate store. I did this already some time ago for other apps which use it.

Obviously I googled "ERR_CERT_VALIDITY_TOO_LONG" after not finding anything related in the existing issues. Apparently there is a 39-month limit on how long a certificate is allowed to be valid. The certificate of my firefly instance is only 27 months valid though, while the CA certificate it depends on is 5 years (60 months) valid. May that be the culprit here (even though I didn't have any problems with that in any other app/OS)? And is there any reasonably simple workaround for this problem?

dreautall commented 1 month ago

Hi, it is indeed the validity of the CA certificate. I'm afraid there is not much I can do about that. There aren't really any settings I can change on my side, it's all "stock Android"... sorry 😞

The only way would be to make a new CA certificate with a shorter validity.
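An added example (not part of the thread and not the app's own code) for measuring how long a certificate is valid before importing it into the Android store. It assumes the `openssl` CLI and GNU `date`; the function names are hypothetical, the default limit is the 39-month figure quoted in the question, and months are approximated as days × 12 / 365.

```shell
#!/usr/bin/env bash
# Added example: compare a PEM certificate's validity period with a limit.
# Assumes the openssl CLI and GNU date. Function names are hypothetical.

LIMIT_MONTHS=${LIMIT_MONTHS:-39}  # figure quoted in the issue; override as needed

# Print notAfter - notBefore in whole days (first certificate in the file only).
validity_days() {
  local nb na
  nb=$(openssl x509 -in "$1" -noout -startdate) || return 2
  na=$(openssl x509 -in "$1" -noout -enddate) || return 2
  nb=${nb#notBefore=}; na=${na#notAfter=}
  echo $(( ($(date -u -d "$na" +%s) - $(date -u -d "$nb" +%s)) / 86400 ))
}

# Approximate months as days * 12 / 365 (assumption: average month length).
validity_months() {
  local days
  days=$(validity_days "$1") || return 2
  echo $(( days * 12 / 365 ))
}

# Succeeds when the certificate stays within LIMIT_MONTHS.
validity_ok() {
  local m
  m=$(validity_months "$1") || return 2
  [ "$m" -le "$LIMIT_MONTHS" ]
}

# Constructed sample input: a throwaway self-signed certificate valid for
# $1 days, written to $2. The private key is deleted immediately.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2.key" \
    -days "$1" -subj "/CN=constructed-demo" -out "$2" 2>/dev/null
  rm -f "$2.key"
}

# Usage: ./check_validity.sh ca.pem server.pem
for f in "$@"; do
  if validity_ok "$f"; then s="ok"; else s="TOO LONG"; fi
  echo "$f: $(validity_months "$f") months ($s, limit $LIMIT_MONTHS)"
done
```

Run it against the CA certificate and the server certificate separately, since only the first certificate in each file is read.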

netw0rk-noob commented 1 month ago

If that's all "stock Android" as you write, I wonder why I didn't have such a problem with any other app on my device, accessing said CA certificate.

Could you - by any chance - reimplement your previous routine, which allowed the user to paste their own cert to validate it, as a last resort if the Android certificate store fails to validate a cert? That would be very helpful for users of self-signed certs, too.

Without that possibility I (and probably others) will be locked to v1.0.4 for the coming few years, because (at least) I definitely won't recreate my CA and replace it on dozens of devices because one piece of software (and only that one) doesn't work with it.

netw0rk-noob commented 1 month ago

@dreautall (pinging you in case you didn't get a notification as this issue was closed already)

dreautall commented 1 month ago

@netw0rk-noob Sorry for my late reply, the weather currently is too good and I'm spending too much time outside 😄

I'm really sorry for the inconvenience caused. As outlined in #77 (specifically here), in Flutter, there are basically two choices: use its own HTTP implementation, which allows "features" like pasting certificates, or use the cronet HTTP stack, which binds natively to Android (and for example allows using the CA store), but unfortunately, at least in Flutter, doesn't provide any option to modify settings.

After a bit of back and forth, I decided to use the cronet approach. I understand this has certain downsides for some users, but makes life easier for others. I unfortunately cannot implement both approaches at the same time 😞

netw0rk-noob commented 1 month ago

@dreautall

> I unfortunately cannot implement both approaches at the same time

I see. Thanks for the thorough explanation though.