element-hq / element-android

A Matrix collaboration client for Android.
https://element.io/
Apache License 2.0

User CA certificates not used/accepted by Android Element #8783

Open ne20002 opened 3 months ago

ne20002 commented 3 months ago

Steps to reproduce

I try to set up my own ntfy server within my home network. The TLS certificate of the ntfy server is signed by my own CA. Even though the CA root certificate has been added to the phone's settings (listed as a user CA), the Element Android client refuses to connect to the ntfy server, complaining about ntfy's server certificate.

As there is a setting in Firefox for Android (secret settings) to enable use of user-added CA certificates, I assume this is missing in Element for Android.

To reproduce:

Checking the notifications within settings in Element Android, all steps except 'push testing' are successful. 'push testing' fails with 'SSL error'.

Outcome

What did you expect?

A CA certificate added by a user to his/her phone shall be trusted. At least an option to enable this in Element Android would be welcome.

What happened instead?

Certificates of CAs added by the user are not accepted.

Your phone model

S10e

Operating system version

T

Application version and app store

No response

Homeserver

No response

Will you send logs?

No

Are you willing to provide a PR?

No

victornsc commented 2 months ago

I'm having the exact same problem. I have my own root certificate installed, which works fine for other apps, including Element itself, but not for ntfy notifications specifically.

I ran the Troubleshoot Notifications and get all green ticks except Test Push gives SSL Error.

japtain-cack commented 1 week ago

I'm having similar issues. I use Vault PKI managed certificates across my infrastructure with a TTL of one day. Certs are rotated constantly. On my internet-facing load balancer, I have Let's Encrypt certs rotated weekly.

Element Android would originally not connect at all on the internal network. I should also note I've installed my root/intermediate certs on the Android device itself; however, Element doesn't seem to respect my certificate store. However, I've found that if I wipe Element off my device, then connect on the LAN and relaunch Element, I am presented with an accept certificate popup. Once clicking this, I can access Matrix on the local network. I can then freely switch between internet and LAN and Element will work, until my certificates rotate.

My latest test included switching to the LAN, then clearing the Element cache, killing the app, then restarting it. This seems to be adequate going forward; I don't have to completely remove Element every time. However, I'm uncertain if I needed to do the wipe originally and be presented with the certificate acceptance popup, or if simply clearing the cache while on the LAN, then killing the app and restarting it, will always work.
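Background on the behaviour reported above: since Android 7 (API 24), an app trusts only the system CA store by default and ignores CAs the user installs under Settings, unless the app's network security configuration opts in to user trust anchors. The file below is an added illustration of that opt-in and is not Element Android's own configuration (what the app actually ships was not checked here); the file path and the `ntfy.example.lan` host are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Placeholder path: res/xml/network_security_config.xml, referenced from
     AndroidManifest.xml via android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>
    <!-- Default on API 24+: only the system store is trusted, so a CA added by the
         user is rejected for every host. This block just makes that default explicit. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Opt-in to user-added CAs, scoped to the host that needs it (placeholder LAN
         name for a self-hosted push gateway) instead of globally. A narrow scope keeps
         a user-installed CA from being able to vouch for every other host the app talks to. -->
    <domain-config>
        <domain includeSubdomains="true">ntfy.example.lan</domain>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </domain-config>
</network-security-config>
```

Whether a given build honours user CAs can be checked by looking at whether its manifest references such a config and whether the referenced file lists `src="user"`; an app without the opt-in will fail exactly as described in this thread while other apps on the same phone succeed.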