Open mlilien opened 7 months ago
I have this nagging on current iOS client after I added optional mTLS on my reverse proxy.
I have the same issue. The only problem connecting is the app. I have Unraid, NGINX reverse and Cloudflare.
I have the same issue. Browser access works, but android app keeps telling me 'No client certificate was found Do you want to install a TLS client certificate'
I got the update from F-Droid. I must say, version 3.29.0 is requiring a client certificate even though it is configured optional on the server.
This is the nginx config:
ssl_client_certificate /etc/nginx/client_certs/clientCertsCA-chain.pem;
ssl_verify_client optional_no_ca;
ssl_verify_depth 1;
It works with Firefox (with or w/o certificate, it asks only once). It works with Nextcloud Android app 3.29.0 if a user certificate has been installed on the device. It offers to choose one and uses it.
But if there is no certificate on the device, it always reopens the popup asking to install a certificate, even though I choose Cancel all the time. This prevents the app from opening. For an mTLS certificate being optional this is not ok.
The iOS app is not much better. It pops up all the time saying the certificate of the server has changed (it does not) and asks if the certificate is trusted. When selecting yes the app is usable until it pops up again.
As long as these problems exist using client certificates is simply not possible. :(
Same as @ne20002
The App ignores all optional ssl_verify_client settings, but turning ssl_verify_client off.
Hello,
I had the same issue.
To solve it, I just removed the host from "Client Certificates" on cloudflare.
> To solve it, I just removed the host from "Client Certificates" on cloudflare.
With what you disabled check of client certificates altogether? So just set support for client certificates to off on your host? This is not solving the problem. ;)
> With what you disabled check of client certificates altogether? So just set support for client certificates to off on your host? This is not solving the problem. ;)
Maybe we don't have the same problem.
My problem was the following error "No client certificate found" like the author.
I checked my cloudflare configuration, and saw that the "Client certificates" option was enabled (an error on my part in the past). I just disabled it and I didn't get the error on the app anymore.
From what I understand, you want to enable it. But me, I don't want to.
Same issue here, ok from desktop pc, client certificate "mandatory" for successful authentication in Android 14. Nextcloud server tls from my vps is configured with letsencrypt certificates.
Same issue here, using nextcloud through cloudflare zero trust tunnel. Pixel 7 (Android 14). Stopped working in 3.29.0 so I've been using 3.28.02 since. Just tested 3.29.2 and still broken, just following the open issue here. As a user I'm thankful for those smart enough to contribute!
I have the same issue. When on my local network and using traefik as reverse proxy, mobile app v3.29.2 works fine. But when connecting over internet, I am using cloudflare tunnel, routing through the traefik reverse proxy in my local network. This only works with 3.28.2.
> Hello,
> I had the same issue.
> To solve it, I just removed the host from "Client Certificates" on cloudflare.
Thanks for the solution. This resolved it for me.
> Hello,
> I had the same issue.
> To solve it, I just removed the host from "Client Certificates" on Cloudflare.
My friend, thank you. Your solution worked. Just go to Cloudflare -> SSL/TLS -> Client Certificates -> and remove your site from the list of hosts.
Thanks
Obviously this is a less than ideal solution, but I figured I'd share my workaround.
I am also experiencing this issue when setting up the Nextcloud Android app (Talk just does not work), and the issue appears to only occur when using Nginx's "ssl_verify_client = optional;". Because I use mTLS with different certificates between the client and Cloudflare, and between Cloudflare and my Nginx proxy, I was conditionally checking for the validation of the Cloudflare mTLS cert. One solution I chased down for a little while was to switch servers to handle clients traffic differently which would allow me to have the ssl_verify_client on and ssl_verify_client off depending on the context, as described in this answer https://serverfault.com/a/1117133/1152045.
As a workaround I no longer authenticate origin flows with the mTLS cert provided by Cloudflare to the upstream server, but instead have Cloudflare add a shared secret in a custom request header which our upstream server can check before proxying the request to the upstream Nextcloud server. This solution is less than ideal, but works for now.
I am also unable to use Firefox, Brave or Edge (didn't test Chrome or Safari) on Android outside the LAN because they either ignore or are too flaky when it comes to mTLS certs on Android OS as a client.
In addition to this, I have an internal DNS within the Nginx network for internal routing; I ran into some other issues with this before ensuring everything was using IPv6 in addition to v4 addressing.
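One way to lay out the two approaches mentioned in the comment above (separate servers with ssl_verify_client on and off, and a shared-secret header check in place of mTLS), as an added example that is not the commenter's configuration. The hostnames, certificate paths, upstream address, header name X-Origin-Secret and the secret value are placeholders; only the client CA path is taken from the config posted earlier in the thread.

```nginx
# Added example; goes in the http {} context. All names are placeholders.

# 1 when the request carries the expected shared-secret header, else 0.
map $http_x_origin_secret $origin_secret_ok {
    default                          0;
    "REPLACE_WITH_LONG_RANDOM_VALUE" 1;
}

# Hostname used by the mobile apps: no client certificate is requested,
# so the app never sees a certificate prompt.
server {
    listen 443 ssl;
    server_name app.cloud.example.com;

    ssl_certificate     /etc/nginx/tls/fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/privkey.pem;
    ssl_verify_client   off;

    # Reject requests that did not pass through the proxy adding the header.
    if ($origin_secret_ok = 0) {
        return 403;
    }

    location / {
        # An empty value stops the secret being forwarded to the backend.
        proxy_set_header X-Origin-Secret "";
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;
    }
}

# Hostname for clients that hold a certificate: handshake fails without one.
server {
    listen 443 ssl;
    server_name cloud.example.com;

    ssl_certificate        /etc/nginx/tls/fullchain.pem;
    ssl_certificate_key    /etc/nginx/tls/privkey.pem;
    ssl_client_certificate /etc/nginx/client_certs/clientCertsCA-chain.pem;
    ssl_verify_client      on;
    ssl_verify_depth       1;

    location / {
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

The header check only means something if the origin is reachable solely through the proxy that adds the header, since a shared secret does not bind to the TLS session the way a client certificate does. Run `nginx -t` before reloading.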
Steps to reproduce
connect to server via android app 3.29.0
Expected behaviour
Actual behaviour
I cannot connect and get a "No client certificate found" which I can cancel, but then the dialog appears again
Android version
14
Device brand and model
google pixel 7a
Stock or custom OS?
Stock
Nextcloud android app version
3.29.0
Nextcloud server version
27.1.4
Using a reverse proxy?
Yes
Android logs
No response
Server error logs
No response
Additional information
reverse proxy is traefik