nextcloud / ios

📱 Nextcloud iOS App
https://itunes.apple.com/us/app/nextcloud/id1125420102
GNU General Public License v3.0

iOS App incompatible with LetsEncrypt #1822

Open albgus opened 2 years ago

albgus commented 2 years ago

Steps to reproduce

  1. Issue a certificate through Let's Encrypt
  2. Login to Nextcloud through iOS app
  3. Renew the certificate (wait for renewal or force a renewal)

Expected behaviour

This should be completely transparent for the end user.

Actual behaviour

The user is presented with a security warning stating that the certificate has changed, asking if you would like to trust this certificate.

Screenshots

https://moln.online/s/JD4zPSfkcso8fxc/preview


Reasoning or why should it be changed/implemented?

It's bad practice to train users to ignore security warnings.

Environment data

iOS version: 15.1.1

Nextcloud iOS app version: 4.1.0.17

Server operating system: Official Nextcloud docker container, nextcloud:22.

Web server: nginx

Database: PostgreSQL

Nextcloud version: 22.2.3

fakikini commented 2 years ago

I too experience this issue. Would be great if LE certs were trusted by default again. I think now R3 and R4 should be trusted -> https://letsencrypt.org/2020/09/17/new-root-and-intermediates.html

albgus commented 2 years ago

I just noticed that an update on the store released 4 days ago mentions "improvements in server trust detection", perhaps this is solved? I'm unable to test this for a few days though.

ip6li commented 2 years ago

Same here with iOS version 15.2 and Nextcloud Client version 4.2.0. Server certificate is signed by "C = US, O = Let's Encrypt, CN = R3" - signed by "C = US, O = Internet Security Research Group, CN = ISRG Root X1".

topt commented 2 years ago

I see the same issue - upgraded Server to V23, still the same. Apple iOS Client 4.2.1. Also on Let's Encrypt, issued by the same CN=R3. But it's definitely something related to the certificate on the server - I tried quickly to route through Cloudflare, which comes with another public cert - then the issue disappeared. I have quite some other stuff running on the same nginx with the same Let's Encrypt cert, and don't see other issues, just that the Nextcloud iOS Client seems to detect a certificate change on every App use (not only after it really changed...). I can e.g. browse to that server using Safari on the same iOS device without issues. I checked the iOS Log, on full details, but it does not seem to log anything about the certs at all. Any hints?

topt commented 2 years ago

is this maybe related to #1682 ?

primalmotion commented 2 years ago

Same issue here. The certificate is indeed valid, used by many other services I have behind the proxy. I think the warning is valid (the certificate indeed changed as it got renewed) but the fact that I said "YES" is never remembered. Also it would be nice to have a way to disable this warning. As stated by OP, training users to ignore security messages is pretty bad, and in the Let's Encrypt use case, this change is perfectly expected.

topt commented 2 years ago

I see the exact same issue since a few months, and still with the latest version of server (24.0.4) and iOS Client (4.4.2). I can also confirm, the Let's Encrypt cert shows the error that the certificate changed - but it shows this on and on, every time I use the app (and not only after the effective cert change). If I browse to the same Nextcloud server using Safari, no problems with the cert. I can also confirm, when routing through Cloudflare (so another cert), then it works also in the app without issues. And I also use the same cert on several other services on nginx on the same server and I never get any certificate errors. The Let's Encrypt cert is issued by R3 with ISRG Root X1. I also checked via the Qualys SSL Labs test, and it shows all ok with a score of A. Any clues?

primalmotion commented 2 years ago

I realized this happened because I was doing mTLS from my nginx proxy. It never really worked with iOS (because apparently the most secure system in the world does not allow you to do secure things). It was set as optional to allow the iOS app to work. Removing the client certificate config from my proxy made this issue go away.

ip6li commented 2 years ago

Apple iOS supports mTLS, even with an external token. I tried that with a YubiKey 5 Lightning and the Apple Safari browser. I don't know how the Nextcloud app handles optional client certificate authentication requests. My setup:

topt commented 2 years ago

Thanks for the mTLS hint - I had this active for a long time, so most probably some changes in the iOS client are causing this issue. When I comment out my two lines about mTLS in the nginx config like this:

  #ssl_client_certificate /etc/ca-certificates/ca.crt;
  #ssl_verify_client optional;

then it works again without the popup. So the issue is definitely related to how the iOS App handles optional client certificate authentication. As said, it looks like all other clients do not have issues with the shown mTLS config.
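The two nginx lines above make the server send a TLS CertificateRequest on every handshake, whether or not the client has a certificate to offer. The following shell script is an added example, not code from the nextcloud/ios project or from anyone in this thread: it tells you whether an endpoint is asking clients for a certificate, so you can confirm this trigger on your own server before touching the config. It assumes `openssl` is on PATH; the host name you pass is whatever the app is pointed at. The two sample outputs embedded in it are constructed, abridged to the lines the functions inspect, and shaped like `openssl s_client -msg` output; they were not captured from any reporter's server.

```shell
#!/bin/sh
# Added example (not from the nextcloud/ios project or this thread).
# Detect whether a TLS server requests a client certificate, which is what
# nginx's "ssl_verify_client optional" causes on every handshake.

# classify_handshake: reads `openssl s_client -msg` output on stdin and prints
#   requests-client-cert    a CertificateRequest handshake message was seen
#   no-client-cert-request  a handshake reached ServerHello without one
#   no-handshake            no ServerHello at all (connect or TLS failure)
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"CertificateRequest"*) echo requests-client-cert ;;
        *"ServerHello"*)        echo no-client-cert-request ;;
        *)                      echo no-handshake ;;
    esac
}

# acceptable_cas: prints the CA names the server advertised in its request
# (one DN per line, empty if none). With nginx these come from the file named
# in ssl_client_certificate, so they identify which server block is asking.
acceptable_cas() {
    awk '
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        in_list && (/^Client Certificate Types/ || /^Requested Signature Algorithms/ || /^---/ || /^No client certificate/) { in_list = 0 }
        in_list { print }
    '
}

# probe_host HOST [PORT]: run a real handshake with SNI set (so the right
# virtual host answers), then classify it and list any advertised CAs.
probe_host() {
    host=$1
    port=${2:-443}
    out=$(openssl s_client -msg -connect "$host:$port" -servername "$host" </dev/null 2>&1)
    printf '%s\n' "$out" | classify_handshake
    printf '%s\n' "$out" | acceptable_cas
}

# Constructed sample: TLS 1.3 server with "ssl_verify_client optional" and a
# private CA in ssl_client_certificate (the setup the reporters describe).
SAMPLE_OPTIONAL_MTLS='>>> TLS 1.3, Handshake [length 0130], ClientHello
<<< TLS 1.3, Handshake [length 007a], ServerHello
<<< TLS 1.3, Handshake [length 0016], EncryptedExtensions
<<< TLS 1.3, Handshake [length 0045], CertificateRequest
<<< TLS 1.3, Handshake [length 0855], Certificate
<<< TLS 1.3, Handshake [length 0104], CertificateVerify
<<< TLS 1.3, Handshake [length 0034], Finished
---
Acceptable client certificate CA names
C = DE, O = Example Home CA, CN = Example Home CA
Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256
---'

# Constructed sample: the same server after the two mTLS lines are removed.
SAMPLE_NO_MTLS='>>> TLS 1.3, Handshake [length 0130], ClientHello
<<< TLS 1.3, Handshake [length 007a], ServerHello
<<< TLS 1.3, Handshake [length 0016], EncryptedExtensions
<<< TLS 1.3, Handshake [length 0855], Certificate
<<< TLS 1.3, Handshake [length 0104], CertificateVerify
<<< TLS 1.3, Handshake [length 0034], Finished
---
No client certificate CA names sent
---'

# Offline demonstrations on the constructed samples.
demo_optional_mtls() { printf '%s\n' "$SAMPLE_OPTIONAL_MTLS" | classify_handshake; }
demo_no_mtls()       { printf '%s\n' "$SAMPLE_NO_MTLS" | classify_handshake; }
demo_cas()           { printf '%s\n' "$SAMPLE_OPTIONAL_MTLS" | acceptable_cas; }

# Usage: sh check_client_cert_request.sh cloud.example.org [443]
if [ $# -gt 0 ]; then
    probe_host "$@"
fi
```

If the probe prints `requests-client-cert` for the host the app uses, the server is asking every client for a certificate; Safari quietly declines, while the thread reports that the iOS app reacts with its trust prompt. Note that `ssl_verify_client` is an nginx server-context directive, so if you want to keep client-certificate authentication for other services on the same nginx, put them in a separate `server` block with its own `server_name` rather than sharing the block that serves Nextcloud.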

primalmotion commented 2 years ago

I remember always having trouble with mTLS on every app I tried to use it with (Nextcloud, Home Assistant, etc.), which is why I set it to optional a while back. It works well on Safari but I was never able to make it work anywhere else. I'm not completely convinced this is on Nextcloud's side.

joshtrichards commented 2 weeks ago

This issue hasn't seen any traffic in >2 years. Are any of you - particularly @albgus as the OP - still experiencing this in current client versions?

StefInP commented 2 weeks ago

This doesn't replace the response from the people who reported the bug, but I can testify that in my case, renewal of the Let's Encrypt certificate is completely transparent for the end user (last renewal a week ago). My config: