invoiceninja / admin-portal

Invoice Ninja: Desktop/mobile admin portal built with Flutter
https://demo.invoiceninja.com

Allow self-signed certificates #611

Closed Asfaroth closed 1 month ago

Asfaroth commented 10 months ago

Hello,

I've been using self-hosted Invoice Ninja for a few days and I'm absolutely loving it so far! However, I would really like to use the Flutter apps, but I'm running into an issue: the app doesn't allow self-signed certificates because, obviously, the CA used is not in Flutter's CA storage. I had this issue in other Flutter applications as well and I know there's a workaround for this. Bigger projects like Immich have already implemented a solution for such a use case (see https://github.com/immich-app/immich/releases/tag/v1.78.0 for example).

I've already found a closed issue (https://github.com/invoiceninja/admin-portal/issues/461) here. I really don't think that utilizing self-signed certs is the same as using plain HTTP. In my case I'm hosting Invoice Ninja in a closed network in which I can't use Let's Encrypt as it is secured by a firewall from the internet. That doesn't necessarily mean that I can use insecure HTTP connections in this network, though.

Would it be possible to implement a workaround for this use case?

Dan-Sun commented 8 months ago

Any news about this? Is there any chance to use your own certificates in the near future?

ryanwinter commented 3 months ago

I am also using a self-signed cert and I have added the self-signed root to my Android phone's user certificate store but am still unable to log in.

Which cert store is the app using to validate the server cert?

ryanwinter commented 3 months ago

Seems like this is a restriction in the Dart SDK in that it only loads the system CA certificates.

#if defined(DART_HOST_OS_ANDROID)
    // On Android, we don't compile in the trusted root certificates. Instead,
    // we use the directory of trusted certificates already present on the
    // device. This saves ~240KB from the size of the binary. This has the
    // drawback that SSL_do_handshake will synchronously hit the filesystem
    // looking for root certs during its trust evaluation. We call
    // SSL_do_handshake directly from the Dart thread so that Dart code can be
    // invoked from the "bad certificate" callback called by SSL_do_handshake.
    const char* android_cacerts = "/system/etc/security/cacerts";
    LoadRootCertCache(android_cacerts);
    return;

hillelcoren commented 1 month ago

We've added a setting option on the login screen which enables specifying an SSL host override; if the SSL fails but the host matches, the request should be allowed.
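
An added example, not the Invoice Ninja app's code and not written by anyone in this thread: two ways a Dart client can accept a self-hosted server's certificate when the SDK only loads the system CA directory, as the excerpt above describes. The function names, the command-line arguments and the assumption that the pinned PEM is the server's own self-signed certificate are illustrative.

```dart
import 'dart:io';

// Added illustration; names, arguments and paths below are assumptions.

/// Option 1: trust a private CA in addition to the system roots.
/// Chain, expiry and host name checks still run, now also against this CA.
HttpClient clientTrustingPrivateCa(String caPemPath) {
  final context = SecurityContext(withTrustedRoots: true)
    ..setTrustedCertificates(caPemPath);
  return HttpClient(context: context);
}

/// Option 2: a host override narrowed to one pinned certificate.
/// badCertificateCallback runs only after normal validation has failed.
/// A host-only check would accept any certificate presented for that host,
/// so the certificate is also compared with a pinned copy.
HttpClient clientWithPinnedOverride(String overrideHost, String pinnedPem) {
  final client = HttpClient();
  client.badCertificateCallback =
      (X509Certificate cert, String host, int port) {
    if (host.toLowerCase() != overrideHost.toLowerCase()) return false;
    final now = DateTime.now();
    if (now.isBefore(cert.startValidity) || now.isAfter(cert.endValidity)) {
      return false;
    }
    return _stripWhitespace(cert.pem) == _stripWhitespace(pinnedPem);
  };
  return client;
}

String _stripWhitespace(String pem) => pem.replaceAll(RegExp(r'\s+'), '');

/// Usage: dart run tls_trust.dart <https-url> <cert.pem> [ca|pin]
Future<void> main(List<String> args) async {
  if (args.length < 2) {
    stderr.writeln('usage: tls_trust.dart <https-url> <cert.pem> [ca|pin]');
    exit(64);
  }
  final url = Uri.parse(args[0]);
  final mode = args.length > 2 ? args[2] : 'ca';
  final client = mode == 'pin'
      ? clientWithPinnedOverride(url.host, File(args[1]).readAsStringSync())
      : clientTrustingPrivateCa(args[1]);
  try {
    final response = await (await client.getUrl(url)).close();
    print('TLS accepted, HTTP ${response.statusCode}');
  } on HandshakeException catch (e) {
    print('TLS rejected: $e');
  } finally {
    client.close(force: true);
  }
}
```

Option 1 keeps full certificate validation and only extends the trust store; option 2 fails closed if the presented certificate differs from the pinned copy or is outside its validity period.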