The issue is appearing from the beginning of this month and it seems to be related with the expiration of the Let's Encrypt Certificate DST Root CA X3 (and its R3 intermediate) on Sep 30th 2021 https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
Steps to reproduce
1. Have a Nextcloud installation on a server with a Let's Encrypt certificate (tested, working OK)
2. Install the app on Android (tested on Android 6.0.1 on a Galaxy A5)
3. Try to create an account in the App via https; click on add an account
4. Type in the server url in https, user and password
5. Click sign in
Expected behaviour
The account should be created in the App.
Actual behaviour
Low level error: Get https://... /index.php/apps/ocsms/get/apiversion?format=json: x509: certificate has expired or is not yet valid. See screenshot.
Server configuration
Nextcloud version: 19.0.13, also tested on 17.0.10 and 20.0.13 with the same behaviour
PHP version: PHP 7.4.3
Webserver: Apache2
HTTPS: Let's Encrypt implemented by certbot
Client configuration
Android 6.0.1 on a Galaxy A5
Nextcloud SMS app version: 2.0.5
Initial Analysis
Given the expiration of the Let's Encrypt certificate mentioned above, the current certificate chains available from Let's Encrypt will be either:
Chain 1 (modern): (your cert) > R3 > ISRG Root X1
Chain 2 (legacy): (your cert) > R3 > ISRG Root X1 > DST Root CA X3
1st Test - I make sure my Apache2 server is using one of the chains described above (and not the expired version). This is done by checking my server on https://chainchecker.certifytheweb.com/ --> The test revealed I use Chain 2 - see screenshot below
2nd Test - the phone has the certificate ISRG Root X1. This is not obvious for an old Android phone; however, the certificate can be installed either by installing Firefox or by following a manual method: https://www.stoutner.com/lets-encrypt-isrg-root-x1-and-privacy-browser/ --> I tested on my phone with the url https://valid-isrgrootx1.letsencrypt.org/; it's working
As I had understood from the Let's Encrypt documentation, the App should meet the following requirements (https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/):
(A) Trust ISRG Root X1 (not just DST Root CA X3)
(B) If using OpenSSL, they must use version 1.1.0 or later. In OpenSSL 1.0.x, a quirk in certificate verification means that even clients that trust ISRG Root X1 will fail when presented with the Android-compatible certificate chain we are recommending by default.
---> In summary, could anybody confirm if the App meets (A) and (B)? Or point me in the right direction in case this does not make any sense. Many thanks!
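An added check for the two points above (which chain the server presents, and the OpenSSL 1.1.0 rule in (B)); this is example code written for this page, not part of the report or of the Nextcloud SMS app. It reads `openssl s_client -showcerts` output and classifies the presented chain from its issuer lines, and separately parses an `openssl version` string. The chain listings embedded in the script are constructed samples in that output format, not captures from the reporter's server, and the optional hostname argument is assumed.

```shell
#!/bin/sh
# Added example (not part of this issue or the Nextcloud SMS app): classify the
# certificate chain a server presents and check the OpenSSL version rule (B).
# Usage: sh check_le_chain.sh [hostname]   (hostname is an assumed argument)

# Reads `openssl s_client -showcerts` output on stdin and prints one word based
# on the " i:" (issuer) lines of the presented chain:
#   chain2-legacy    ISRG Root X1 cross-signed by DST Root CA X3 (expired 30 Sep 2021)
#   chain1-modern    chain stops at ISRG Root X1, no cross-sign sent
#   no-intermediate  issuer lines exist but neither root is named (leaf only)
#   unknown          no issuer lines at all (not s_client output?)
classify_chain() {
  issuers=$(grep -E '^ *i:' || true)
  case "$issuers" in
    *"DST Root CA X3"*) echo "chain2-legacy" ;;
    *"ISRG Root X1"*)   echo "chain1-modern" ;;
    "")                 echo "unknown" ;;
    *)                  echo "no-intermediate" ;;
  esac
}

# Requirement (B): OpenSSL must be 1.1.0 or later. $1 is an `openssl version`
# string. Returns 0 if it meets (B), 1 if it is older, 2 if it is not OpenSSL.
openssl_meets_b() {
  v=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
  [ -n "$v" ] || return 2
  set -- $v                       # split into major minor patch
  if [ "$1" -gt 1 ]; then return 0; fi
  if [ "$1" -eq 1 ] && [ "$2" -ge 1 ]; then return 0; fi
  return 1
}

# Live check against a server (needs network and the openssl CLI).
check_server() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | classify_chain
}

# Constructed samples in the format `openssl s_client -showcerts` prints; they
# are not captured from any real server.
SAMPLE_CHAIN2="Certificate chain
 0 s:CN = cloud.example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3"
SAMPLE_CHAIN1="Certificate chain
 0 s:CN = cloud.example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1"
SAMPLE_LEAF_ONLY="Certificate chain
 0 s:CN = cloud.example.test
   i:C = US, O = Let's Encrypt, CN = R3"

if [ -n "${1:-}" ]; then
  echo "$1 presents: $(check_server "$1")"
else
  echo "sample chain 2:   $(printf '%s\n' "$SAMPLE_CHAIN2" | classify_chain)"
  echo "sample chain 1:   $(printf '%s\n' "$SAMPLE_CHAIN1" | classify_chain)"
  echo "sample leaf only: $(printf '%s\n' "$SAMPLE_LEAF_ONLY" | classify_chain)"
fi
if openssl_meets_b "$(openssl version 2>/dev/null || true)"; then
  echo "local OpenSSL meets (B)"
else
  echo "local OpenSSL does not meet (B), or is not OpenSSL"
fi
```

A result of chain2-legacy means the server is on the Android-compatible chain that ends in the expired DST Root CA X3 cross-sign, which only verifies on a client that already trusts ISRG Root X1 and, if it links OpenSSL, uses 1.1.0 or later; no-intermediate means the server sends only its leaf, so the client must carry R3 itself.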
Screenshot
Other References
https://letsencrypt.org/docs/certificate-compatibility/
https://docs.certifytheweb.com/docs/kb/kb-202109-letsencrypt/#switching-to-chain-2-legacy
https://letsencrypt.org/2020/12/21/extending-android-compatibility.html