Open albgus opened 2 years ago
I too experience this issue. Would be great if LE certs were default trusted again. I think now R3 and R4 should be trusted -> https://letsencrypt.org/2020/09/17/new-root-and-intermediates.html
I just noticed that an update on the store released 4 days ago mentions "improvements in server trust detection", perhaps this is solved? I'm unable to test this for a few days though
Same here with iOS version 15.2 and Nextcloud Client version 4.2.0. Server certificate is signed by "C = US, O = Let's Encrypt, CN = R3" - signed by "C = US, O = Internet Security Research Group, CN = ISRG Root X1".
I see the same issue - upgraded Server to V23, still the same. Apple iOS Client 4.2.1. Also on Let's encrypt, issued by the same CN=R3. But it's definitely something related to the certificate on the server - I tried quickly to route through Cloudflare, which comes with another public cert - then the issue disappeared. I have quite some other stuff running on the same nginx with the same let's encrypt cert, and don't see other issues, just that nextcloud iOS Client seems to detect a certificate change on every App use (not only after it really changed...). I can e.g. browse to that server using safari on the same iOS device without issues. I checked the iOS Log, on full details, but it does not seem to log anything about the certs at all. Any hints?
is this maybe related to #1682 ?
Same issue here. The certificate is indeed valid, used by many other services I have behind the proxy. I think the warning is valid (the certificate indeed changed as it got renewed) but the fact that I said "YES" is never remembered. Also it would be nice to have a way to disable this warning. As stated by OP, training users to ignore security messages is pretty bad, and in the let's encrypt use case, this change is perfectly expected
I see the exact same issue since a few months, and still with latest version of server (24.0.4) and iOS Client (4.4.2). I can also confirm, let's encrypt cert shows the error that the certificate changed - but it shows this on and on, every time I use the app (and not only after the effective cert change). If I browse to the same nextcloud server using Safari, no problems with the cert. I can also confirm, when routing through cloudflare (so another cert), then it works also in the app without issues. And I also use the same cert on several other services on nginx on the same server and I never get any certificate errors. The Let's encrypt cert is issued by R3 with ISRG Root X1. I also checked via qualys SSL labs test, and it shows all ok with a score of A. Any clues?
I realized this happened because I was doing MTLS from my nginx proxy. It never really worked with iOS (because apparently the most secure system in the world does not allow you to do secure things). It was set as optional to allow the ios app to work. Removing client certificates config from my proxy made this issue go away
Apple iOS supports mTLS, even with an external Token. I tried that with Yubikey 5 Lightning and Apple Safari browser. I don't know how Nextcloud app handles optional client certificate authentication requests. My setup:
Thanks for the mTLS hint - I have had this active for a long time, so most probably some changes in the iOS client are causing this issue. When I comment out my two lines about mTLS in the nginx config like this:
#ssl_client_certificate /etc/ca-certificates/ca.crt;
#ssl_verify_client optional;
then it works again without the popup. So the issue is definitely related to how the iOS App handles optional client certificate authentication. As said, looks like all other clients do not have issues with the shown mTLS config.
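To check the two things this thread turns on (which chain the server presents, and whether it sends a CertificateRequest because of `ssl_verify_client optional`) without guessing from client popups, here is an added helper that parses `openssl s_client` output. It is not code from the thread or from the Nextcloud project; the sample output, `cloud.example.org` and the client CA name are constructed, and treating the "Acceptable client certificate CA names" section as proof of a CertificateRequest is a heuristic assumption.

```python
import re
import subprocess

# Constructed sample of `openssl s_client` output (not a real capture), shaped like
# a server presenting the Let's Encrypt R3 chain with `ssl_verify_client optional`.
SAMPLE_OUTPUT = """\
---
Certificate chain
 0 s:CN = cloud.example.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Acceptable client certificate CA names
C = XX, O = Example Org, CN = Example Client CA
Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256
---
Verification: OK
---
"""

CHAIN_RE = re.compile(r"^ *\d+ s:(.*)\n +i:(.*)$", re.MULTILINE)
CA_SECTION_RE = re.compile(r"^Acceptable client certificate CA names\n(.*?)^---", re.S | re.M)
# Lines s_client prints inside that section which are not CA distinguished names.
NOT_A_DN = ("Client Certificate Types", "Requested Signature", "Shared Requested", "Peer sign")

def diagnose(output: str) -> dict:
    """Extract the issuer chain and whether the server asked for a client certificate."""
    chain = [(s.strip(), i.strip()) for s, i in CHAIN_RE.findall(output)]
    ca_names = []
    m = CA_SECTION_RE.search(output)
    if m:
        ca_names = [ln.strip() for ln in m.group(1).splitlines()
                    if ln.strip() and not ln.startswith(NOT_A_DN)]
    verify = re.search(r"^Verification: (.*)$", output, re.M)
    return {
        "chain": chain,
        "root_issuer": chain[-1][1] if chain else None,
        # Heuristic (assumption): s_client lists CA names only after a CertificateRequest.
        "client_cert_requested": bool(ca_names),
        "client_ca_names": ca_names,
        "verification": verify.group(1).strip() if verify else None,
    }

def run_s_client(host: str, port: int = 443) -> str:
    """Capture s_client output from a live server; the offline sample above does not need it."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host]
    return subprocess.run(cmd, input="", capture_output=True, text=True, timeout=20).stdout
```

Running `diagnose(run_s_client("your.host"))` before and after commenting out the two nginx lines shows whether `client_cert_requested` is what flips, independent of what any app displays.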
I remember always having trouble with mtls on every app I tried to use it with (nextcloud, home assistant, etc) which is why I set it to optional a while back. It works well on Safari but I was never able to make it work anywhere else. I'm not completely convinced this is on Nextcloud's side
This issue hasn't seen any traffic in >2 years. Are any of you - particularly @albgus as the OP - still experiencing this in current client versions?
This doesn't replace the response from the people who reported the bug, but I can testify that in my case, renewal of the Let's Encrypt certificate is completely transparent for the end user (last renewal a week ago). My config:
Steps to reproduce
Expected behaviour
This should be completely transparent for the end user.
Actual behaviour
The user is presented with a security warning stating that the certificate has changed, asking if you would like to trust this certificate.
Screenshots
https://moln.online/s/JD4zPSfkcso8fxc/preview
Logs
Reasoning or why should it be changed/implemented?
It's bad practice to train users to ignore security warnings.
Environment data
iOS version: 15.1.1
Nextcloud iOS app version: 4.1.0.17
Server operating system: Official Nextcloud docker container, nextcloud:22.
Web server: nginx
Database: PostgreSQL
Nextcloud version: 22.2.3