icefields / Power-Ampache-2

Android Music Streaming App suite in Material You style.
 Connects to Ampache, Nextcloud Music and compatible backends (Ampache API 4 and above).
https://power.ampache.dev
GNU General Public License v3.0

Can't connect to Nextcloud with own Root-Certificate #124

Closed sowaco closed 4 months ago

sowaco commented 4 months ago

It seems that Power Ampache 2 doesn't validate certificates against root certificates installed in the USER root certificate storage.

So it is not possible to connect to internal/local servers with their own certificate authority.

Tested:

System:

Log:

2024-06-02 14:14:18
Cannot connect to the internet
2024-06-02 14:14:18
authorize() - cannot load data HttpException {"code":404,"message":"{ \"exception\" : \"java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.\" }","detailMessage":"HTTP 404 { \"exception\" : \"java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.\" }","stackTrace":[],"suppressedExceptions":[]}
2024-06-02 14:14:18
retrofit2.HttpException: HTTP 404 { "exception" : "java.security.cert.CertPathValidatorException: Trust anchor for certification path not found." }
    at retrofit2.KotlinExtensions$await$2$2.onResponse(KotlinExtensions.kt:53)
    at retrofit2.OkHttpCall$1.onResponse(OkHttpCall.java:161)
    at okhttp3.internal.connection.RealCall$AsyncCall.run(RealCall.kt:535)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
    at java.lang.Thread.run(Thread.java:919)


Thanks for your work!

icefields commented 4 months ago

Hello, thanks for the detailed description. It's not possible to connect with self-signed certificates; it's an Android limitation. The old Power Ampache uses an old Android SDK that still allows that. Now every custom certificate must be explicitly added to the app codebase: https://developer.android.com/privacy-and-security/security-config#TrustingAdditionalCas

sowaco commented 4 months ago

Hi, I'm not an Android developer, so the following can be absolute nonsense, but somebody told me that this can be done with:

<base-config ...>
    <trust-anchors>
        <certificates src="system" />
        <certificates src="user" />
    </trust-anchors>
</base-config>

See About approval of app trusting User Store with private CA for production use
Network security configuration#trust-anchors
Network security configuration (Search for "users")

Regards
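
An added example (not code from this thread or from the Power Ampache 2 project): a small Python check that reads a network security config and reports, per scope, whether user-installed CAs are trusted, so the app-wide form quoted above can be compared with a host-scoped one. The host name `music.home.example` and the function names are assumptions; the inheritance and the system-only default for apps targeting API 24 and above follow the Android network security configuration documentation.

```python
import xml.etree.ElementTree as ET

# Platform default for apps targeting API 24+: only the system CA store.
DEFAULT_ANCHORS = {"system"}

def _anchors(node, inherited):
    """Sources trusted by a config node; without <trust-anchors> it inherits."""
    ta = node.find("trust-anchors") if node is not None else None
    if ta is None:
        return set(inherited)
    return {c.get("src") for c in ta.findall("certificates")}

def audit(xml_text):
    """Return ({scope: [sources]}, [scopes that trust user-installed CAs])."""
    root = ET.fromstring(xml_text)
    base = _anchors(root.find("base-config"), DEFAULT_ANCHORS)
    scopes = {"base-config": sorted(base)}

    def walk(node, inherited):
        # Nested domain-config elements inherit from their parent.
        for dc in node.findall("domain-config"):
            anchors = _anchors(dc, inherited)
            for d in dc.findall("domain"):
                scopes["domain:" + (d.text or "").strip()] = sorted(anchors)
            walk(dc, anchors)

    walk(root, base)
    return scopes, [s for s, a in scopes.items() if "user" in a]

# Constructed samples. TRUST_USER is the <trust-anchors> block quoted in the thread.
TRUST_USER = """<trust-anchors>
  <certificates src="system" />
  <certificates src="user" />
</trust-anchors>"""
# App-wide: every connection the app makes accepts user-installed CAs.
APP_WIDE = f"<network-security-config><base-config>{TRUST_USER}</base-config></network-security-config>"
# Scoped: only one hypothetical host (music.home.example) accepts them.
SCOPED = ("<network-security-config><domain-config>"
          "<domain>music.home.example</domain>"
          f"{TRUST_USER}</domain-config></network-security-config>")

if __name__ == "__main__":
    for name, cfg in (("APP_WIDE", APP_WIDE), ("SCOPED", SCOPED)):
        print(name, *audit(cfg))
```

A scope flagged by this check accepts certificates issued by any CA present in the device's user store, not only the one the user meant to add.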

icefields commented 4 months ago

Typically, I've never permitted self-signed certificates in my applications, so delving into this configuration is new to me, but the process seems straightforward based on the documentation. I've noticed multiple mentions of importing the certificate directly into the app, which obviously I can't do for everyone: [image]

Anyway, I suppose it's worth giving it a try. I attached a version of the app where user certificates are enabled in the config, but no certificate is provided. Let me know if it works, please; if it does, the fix will be in the next release.

APK LINK: https://github.com/icefields/Power-Ampache-2/raw/v1.00-59/app/FDroid/release/app-FDroid-1.00-59.apk

sowaco commented 4 months ago

Success!

I can confirm that it is working now with the apk "../.app-FDroid-1.00-59.apk".

Thanks a lot.

(Of course, I also struggled with issue #117; I solved this with a switch to a user name with lowercase chars and an API password)


icefields commented 4 months ago

> Success!
>
> I can confirm that it is working now with the apk "../.app-FDroid-1.00-59.apk".
>
> Thanks a lot.

Perfect! I will have this fix in the next release. I think I will release this evening on GitHub, while on FDroid it will take 3-6 days.

> (Of course, I also struggled with issue #117; I solved this with a switch to a user name with lowercase chars and an API password)

For that one you'll have to wait for the next Nextcloud Music update. As soon as you update, uppercase names should start working right away.

icefields commented 4 months ago

If you use FDroid, it will probably take 3 to 6 days to get the update. If you're using GitHub releases you're good until v1.00-60. I'm closing this issue. Thanks again for the report!