Network error :(

[vincegre]

Hi

Installed Passman on my OnePlus 3 (Android 7.1.1) from Play Store. I get a network error when I try to connect at my NextCloud account ! If I don't put https in front it complains incorrect url so I putted https://monserveur and my credentials but I always get a Network error ! Tested with cellphone connected to Wifi ! Something to try or test ?

Thanks

[animalillo]

@vincegre is that the url you entered to the app? If so, it's not a fully quallified domain name, and the phone can't resolve it.

[vincegre]

no no it was just not to reveal real url but sure my server is publicly avalaible on internet and with a full FQDN and SSL protection ! I have no problem with other apps on my phone that synchronise to my NextCloud system !

[brantje]

Is nextcloud installed in a subdirectory?

[vincegre]

nope but SSL is done with a Let's encrypt certificate and I know some old apps don't like much these certificates ! Maybe it's the problem ?

[animalillo]

Denepnding on your android version and your server ssl configuration this could be an issue.

@brantje we need an issue template for this project too

[zmbcgn]

Same here:

android 7.1.1 Nextcloud 12.0 beta2 passman 2.1.2 SSL Cert from letsencrypt / nginx webserver

App works with https://demo.passman.cc/

[animalillo]

Would need more info to debug this out. Please tell me your:

1. Server port
2. SSL server configuration
3. Owncloud / Nextcloud install path relative to site root
4. Android version
5. Passman version
6. Owncloud / Nextcloud version
7. Server logs (apache and nextcloud)
8. Does the official standard nextcloud/owncloud app works with the device?

[zmbcgn]

Sure:

1. 443
2. https://pastebin.com/SbvQQzxw
3. Sites Rootdirectory
4. 7.1.1
5. 12.0 beta2
6. The connection attempt from the app is neither shown in the nginx nor in the nextcloud logfile.
7. Yes. Maybe worth noticing that I also use the TOTP Plugin of Nextcloud.

[vincegre]

Here are details requested:

Server port is on standard SSL 443 (only SSL, if it tries http it's automatically redirected to https SSL server configuration is pretty standard (Apache 2 with Let's Encrypt certificate), has no problem with other cellphone apps that connect at my Nextcloud server

Apache 2 with TLS 1.2

NextCloud installed at root of web server

Android 7.1.1 (One Plus 3)

Passman version on Android: 0.12-NIGHTLY

NextCloud 11.0.3 Passman app: 2.1.2

For logs not sure what you need as logs files are so big :(

No problem to connect with official NextCloud app and some other apps that goes with NextCloud. I use TOTP but I generate a specific distinct password for each app that needs to connect to NextCloud.

[nodauf]

Hi, I had the same issue on my old android. I solve it by putting the same certificate on my root server and on the subdomain where I host nextcloud.

Is it possible for you to try?

[animalillo]

Maybe it's an issue with old android versions and ssl SNI.

I will have to further investigate this and see if the lib we use for http/s requests has a workaround for this.

[vincegre]

@florianaudon not relevant as I'm in latest version of Android so it has no problem with SNI ! Side note your explanation about your problem looks like your SSL chains were incomplete on your webserver which can cunfuse some browsers !

[brantje]

It's also possible that some cyphers are not supported by Android and thus giving problem. Since the demo server seems to work with Android i'll post the nginx config here for testing purposes

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

[nado]

Hi, I have the same issue on an old phone. Android 4.4.2 (Wiko Goa) Passman-android version 0.12 nightly. LetsEncrypt certificate My nginx config :

ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_timeout  5m;
ssl_session_cache    shared:SSL:1m;
ssl_ciphers HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128;
ssl_dhparam /etc/ssl/certs/dhparam4.pem;
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options DENY;
proxy_hide_header X-Powered-By;

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; ";

[animalillo]

please, refer to this table as of android support for ssl cyphers: https://developer.android.com/reference/javax/net/ssl/SSLSocket.html

[nado]

Can it be a lack of TLS 1.2 support if I can access the very same url on the stock browser, nextcloud and davdroid application ? Feel free to ask any detail about my configuration, I dont know what you need. Can it be LetsEncrypt related ?

[animalillo]

hmmm maybe the CA from letsencrypt is not included by default in android?

[brantje]

Just found this link: https://community.letsencrypt.org/t/android-doesnt-trust-the-certificate/16498

[vincegre]

@animalillo If you are using Android 4.4.2 with SNI on your web server it won't work as that version of Android was not compatible with SNI protocol so either update the very outdated Droid or move your server to a dedicated IP for the virtual server....

[nado]

@vincegre I suppose you wanted to talk to me as I was the one with a 4.4.2 Android. If SNI doesnt work, shouldnt it fail for all attempts to connect to my nextcloud instance ? Also according to https://www.ssllabs.com/ssltest/viewClient.html?name=Android&version=4.4.2 it should support SNI. I am open to the fact that it might be my Android version which is too old but I am trying to understand why it succeeds to connect to my server on stock browser or other apps and not for passman.

[animalillo]

some apps have implemented workarounds for android flaws, some have not, we have not, we let a library handle that

[nado]

I see, I can’t afford a new IP right now and there’s no update above KitKat for my phone. Anyway thanks for the help. :)

[vincegre]

@nado yep it was for you ;) Did you check that your Nextcloud instance has a complete SSL chain with sslabs ?? as it's often a problem if CA certificate is missing ! Full cert chain as you can see below: For upgrade of your phones have you checked alternative ROMs ? often better than original ones included by manufacturer of phone :D

[nado]

Its a phone too cheap to get attention and get a ROM, I once tried making one but I dint have enough time to focus on it.

SSLabs screenshot :

[vincegre]

@nado looks like your only solution now is to change your phone :(

[animalillo]

i could check if it's an app problem if you crate me an account and i can try the app on your server from my phone pm me on telegram

[nado]

I am not on telegram, I still use mails (nado@edited), irc (nado on freenode) :)

[animalillo]

@nado i sent you an email from marcos@[domain].es

[brantje]

Confirmed that android 4.4.2 seems to have issues with some ssl configurations, think on making a workaround or a more descriptive message

[zmbcgn]

Based on your answers I made some changes to my nginx configuration, but i still get an network error on my android 7.1.1.

According to SSL Labs i get an A+ on the self test. And I don't want to reduce the security of my website to get the passman app working.

https://www.ssllabs.com/ssltest/analyze.html?d=cloud.5711.org&s=46.163.113.231

[adocampo]

Same here,

Android 7.1.1 Passman: 2.1.2 Nextcloud: 12 SSL: https://www.ssllabs.com/ssltest/analyze.html?d=malevolent.bofhers.com Dockerized Nextcloud, with the port 443 exposed to the host and directly published. No other problems with other nextcloud services noticed.

[animalillo]

@adocampo are you specifiying https protocol? Using subdirectories? How are you typing the url? Maybe that helps us get the error.

[adocampo]

Yes, the URL is https://malevolent.bofhers.com/nextcloud (I tried both with an ending slash and without it). I did use succesfully the android app back when I didn't implementedyet the LE certificate and I could access the server with a selft-signed certificate.

[animalillo]

I'm going to try and check what's going on there @adocampo. Would it be possible to get an account to login to passman and try this out with your setup? If you want to keep a faster communication I'm @WolFi in telegram.

[animalillo]

So far, i've tried this, and it, unsurprisingly gives me a 401 unauthorized, so... i don't see any ssl errors there (android 6)

[adocampo]

I've just contacted you via telegram, I'm going to create an account for you to see if we can reproduce the issue.

[adocampo]

Solved. As I connected to the server with a self-signed certificate and changed to Let's Encrypt, somewhere on the cache probably was the reference to the old one thus it didn't match the new one. Deleting the app cache solved the problem 👍

[zmbcgn]

Well, not for me. Meanwhile I have a brand new phone with an official android version 7.0 (no lineage or cyanogen etc.) and I wiped the app cache. Still getting an network error message.

If neccessary I can create you an test account as well.

[animalillo]

that would be niec, @zmbcgn. you can pm me on telegram if you wish @WolFi there.

[zmbcgn]

Credentials sent via telegram.

[zmbcgn]

Maybe also worth mentioning, that I dont have any issues with the web-extension of passman (https://github.com/nextcloud/passman-webextension/).

[animalillo]

didn't got any telegram at WolFi

[zmbcgn]

now maybe?

[animalillo]

Yes, now i notice you sent it on a private message which i don't get on the desktop app xD I will try to connect to your server this afternoon and tell you what i can find.

[nicman23]

same here, passman webextension, and the website frontend works fine.

however i believe this is just because i am running it on very very low hardware and it just gets timeout

if you care to test my server also the url is home.nicman23.tk i shall make a test:test acount

[animalillo]

I have published a new alpha release. It seems to fix network issues on some devices and it has more descriptive network errors.

Please, tell me if the new version released on the store fix this problem. Also note, it might take a few hours for google to process and propagate the update, so please, make sure you are running v0.13 Nightly before saying it does not work.

[nicman23]

my issue seemed to be a missing chain cert from apache.

[zmbcgn]

Works like a charm with the new release. Thx!

[adocampo]

I can also connect now to my server. 👍

[AnisKhanUK]

Hello, I have a Nexus 6p which just got upgraded to Android O.

The app was working before the upgrade from 7.1.2.

I am on the latest nightly but am getting 'Settings incorrect'

Any ideas? Thanks