icefields / Power-Ampache-2

Android Music Streaming App suite in Material You style.
 Connects to Ampache, Nextcloud Music and compatible backends (Ampache API 4 and above).
https://power.ampache.dev
GNU General Public License v3.0

"Trust anchor for certification path not found" error with Docker Nextcloud + Swag using Letsencrypt certificate #133

Open pled opened 3 months ago

pled commented 3 months ago

Hi,

I read issue #124, which looks very similar, and I am running Power Ampache 2 v1.00.60-fdroid, but the issue is still here. I need help. It is probably not an issue with Power Ampache 2 but rather with my config, but I am a bit lost with my problem, as my knowledge of certificates is low.

So I run a Docker instance of Nextcloud using Swag as a proxy (provided by linuxserver.io; the stack combines Nextcloud + Mariadb + Swag). Swag is essentially nginx + fail2ban + letsencrypt cert validation built in. The Swag logs show that the Letsencrypt certificate is OK for my domain; the Nextcloud instance is a subdomain of it.

I can connect to Nextcloud music instance using my android smartphone browser (grapheneos) with HTTPS connection.

But when trying to connect with Power Ampache 2, I get the following error:

    2024-06-23 15:51:54
    authorize() - cannot load data HttpException {"code":404,"message":"{ \"exception\" : \"java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.\" }","detailMessage":"HTTP 404 { \"exception\" : \"java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.\" }","stackTrace":[],"suppressedExceptions":[]}

    2024-06-23 15:51:54
    retrofit2.HttpException: HTTP 404 { "exception" : "java.security.cert.CertPathValidatorException: Trust anchor for certification path not found." }
        at retrofit2.KotlinExtensions$await$2$2.onResponse(KotlinExtensions.kt:53)
        at retrofit2.OkHttpCall$1.onResponse(OkHttpCall.java:161)
        at okhttp3.internal.connection.RealCall$AsyncCall.run(RealCall.kt:535)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
        at java.lang.Thread.run(Thread.java:1012)

    authorize() - cannot load data HttpException {"code":404,"message":"{ \"exception\" : \"java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.\" }","detailMessage":"HTTP 404 { \"exception\" : \"java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.\" }","stackTrace":[],"suppressedExceptions":[]}

Do you have an idea what is wrong here and why Power Ampache 2 cannot connect? Thank you for any help.

icefields commented 3 months ago

Hello, thanks for the bug report and the detailed bug description. The 404 code hints at a problem with your server (and/or your certificate). The 404 code is generated by the server, not by the app; if the app receives a 404, it's impossible for it to proceed with login (or anything really). I recently enabled the use of self-signed certificates, which fixed that issue for the other users. The authorize() method is simple and there are no conditions to it. Basically, Power Ampache 2 sends the handshake/authorize request, and the server responds with a token. Your server, on the other hand, is responding with a 404, and no data attached, except for the error description. I use letsencrypt on a couple of my test servers with no issue. I will look into the error, but atm I'm not really sure how to help here, maybe try to ask the Ampache devs.

pled commented 3 months ago

Hello, thanks for the quick answer. Yes, it is strange because the same URL works from the browser. I found this in the nginx access.log file when using Power Ampache 2:

    92.xxx.yyy.zzz - - [23/Jun/2024:18:11:56 +0200] "GET /apps/music/ampache/server/json.server.php?action=handshake&auth=0dc8eab854xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx289e9ded5423&user=xxxxxxx&timestamp=1719159117 HTTP/2.0" 404 146 "-" "PowerAmpache2-1.00-60-fdroid"

When using the browser, it starts like this:

    92.xxx.yyy.zzz - - [23/Jun/2024:18:23:36 +0200] "GET /apps/music/ampache HTTP/2.0" 200 25101 "-" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Mobile Safari/537.36"

Maybe this is stupid, but could it be related to JSON/Javascript on the server?

icefields commented 3 months ago

No problem. I can see when using a browser you only get the initial part of the url in the logs and the headers look different, but I'm not really sure how to use this info. I personally rely on the Ampache backend devs when I have issues I can't solve by myself, my primary expertise being on mobile (... also I don't use nginx on any of my test servers unfortunately, so I can't test against that). I was also thinking, your issue is probably not related to the one you linked, LetsEncrypt is an actual recognized certificate, not a self-signed one, unless you did something more custom?

pled commented 3 months ago

Thank you for your help, good to hear that Letsencrypt is a valid certificate. I will check with the Nextcloud forum now... I will update this thread if I get the answer for that issue.

pled commented 3 months ago

To keep you informed: the issue is now resolved, and I have created an issue in the Nextcloud documentation project so that they add the information on the relevant page.

It is about creating a new location with specific rules in the nginx config file for the server:

    location /apps/music/ampache/server/ {
    }

when connecting an Ampache client with Nextcloud Music and using an nginx proxy server.