nextcloud / passman-android

:key: Android app for Passman.
https://passman.cc
GNU General Public License v3.0

CertPathValidatorException : Trust anchor for certification path not found #151

Closed adminxana closed 1 year ago

adminxana commented 1 year ago

Hello team,

Congrats on this awesome app. Although I saw this has already been discussed, I am still unable to solve this issue. I have a local implementation of Nextcloud (running on a Raspberry Pi with other services installed, such as Pi-hole as DNS server). I use the domain names that I added to the Pi-hole local DNS zone, and I am using SSL in order to connect to these sites. I am almost sure that this is an issue with the certificate itself, but I don't know where I failed.

The Apache config files are the following:

/etc/apache2/sites-available/nextcloud.conf
<VirtualHost *:80>
  ServerName  xanacloud.com
  Redirect permanent / https://xanacloud.com/
</VirtualHost>

/etc/apache2/sites-available/sslnextcloud.conf
<VirtualHost *:443>
    DocumentRoot "/var/www/nextcloud"
    <IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>
    ServerName xanacloud.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
    <Directory "/var/www/nextcloud">
         Options MultiViews FollowSymlinks
         AllowOverride All
         Order allow,deny
         Allow from all
    </Directory>
</VirtualHost>

The certs have been created with OpenSSL, following an online tutorial 🙃

I've installed the .crt on my Android phone, but I still cannot connect.

I am "totally" new to Nextcloud and Passman (just started to deploy my environment a few months ago) so any help will be much appreciated.

Although I have also installed this cert on my laptop, the website is being shown as untrusted there too; that's why I point to the certificate as the root cause.

Thanks in advance and wishing you the best 😃

binsky08 commented 1 year ago

Hi @adminxana I should implement an "Accept insecure connections" switch or something like this (maybe next year, ... or never). But for a password manager I thought that would be a bad idea xD

I've written this FAQ about custom CAs with Passman Android.

https://github.com/nextcloud/passman-android/blob/master/FAQ.md#how-can-i-use-a-self-signed-certificate-to-connect-the-my-nextcloud-server

Hope that helps :)
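
The error in the issue title means the client could not build a path from the server's certificate to a certificate it already trusts. The script below is an added example, not from this thread or the linked FAQ: it builds a constructed throwaway CA and a server certificate for the `xanacloud.com` name used in the vhost above, then shows that verification succeeds only when the CA is supplied as trust anchor and the hostname matches. The file names, the CA name and `other.example` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: constructed throwaway CA and server certificate, not the
# thread author's files. HOST is the ServerName from the vhost in the thread.
HOST=xanacloud.com
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so the result does not depend on the system openssl.cnf.
cat > "$WORK/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
subjectAltName = DNS:$HOST
EOF

# Build the CA (the future trust anchor) and a server certificate signed by it.
make_pki() {
  openssl req -x509 -config "$WORK/pki.cnf" -extensions v3_ca -newkey rsa:2048 \
    -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 30 \
    -subj "/CN=Constructed Home CA" &&
  openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" -subj "/CN=$HOST" &&
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.crt" -days 30 \
    -extfile "$WORK/pki.cnf" -extensions v3_server
} >/dev/null 2>&1

# Chain and hostname check with ca.crt supplied as the trust anchor.
verify_with_anchor() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
    "$WORK/server.crt" >/dev/null 2>&1
}

# Same certificate, but the verifier only has its default trust store.
verify_without_anchor() {
  openssl verify "$WORK/server.crt" >/dev/null 2>&1
}

make_pki || { echo "openssl failed" >&2; exit 1; }
verify_with_anchor "$HOST"        && echo "anchor + matching name: trusted"
verify_with_anchor other.example  || echo "anchor + wrong name: rejected"
verify_without_anchor             || echo "no anchor: rejected"
```

In a setup of this shape, `ca.crt` is the file a client imports as a trusted CA, while `server.crt` and `server.key` are what `SSLCertificateFile` and `SSLCertificateKeyFile` point to.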

adminxana commented 1 year ago

Hi @binsky08, thank you!

It's a bad idea if anyone could access it. But the service is only accessible from the local network (at home) and through a VPN, so most of the security issues should be solved (everything is well protected and firewalled at the network level).

The openssl tutorial is great, and working:

[Sun Nov 06 17:49:15.756576 2022] [mpm_prefork:notice] [pid 155852] AH00170: caught SIGWINCH, shutting down gracefully
[Sun Nov 06 17:49:16.131620 2022] [mpm_prefork:notice] [pid 155910] AH00163: Apache/2.4.54 (Debian) OpenSSL/1.1.1n configured -- resuming normal operations
[Sun Nov 06 17:49:16.131820 2022] [core:notice] [pid 155910] AH00094: Command line: '/usr/sbin/apache2'

It also serves the requests through :443 from the Chrome extension, which is great, and which is what I want to achieve with the Android app somehow.

I'm not a programmer, but I do have a friend who could help implement another secure connection solution, such as token identification, maybe coming from the device that hosts the services. Could that work?

Thanks again :D

binsky08 commented 1 year ago

You can already use SSO as the login method if you have the official Nextcloud Files app installed and configured on your device.

adminxana commented 1 year ago

Awesome! I had not tried this method, that way the app works perfectly. Thank you very much!