nextcloud / passman-android

:key: Android app for Passman.
https://passman.cc
GNU General Public License v3.0

Network Error with Let's Encrypt on Android 4.4.2 #34

Closed trohrberg closed 6 years ago

trohrberg commented 6 years ago

Hello,

I'm referring to issue #13 since I'm having similar network errors since I tried to use a recent version of passman on my Android 4.4.2-based Zenfone 5. I do have certificates from Let's Encrypt, and accessing my Nextcloud installation, and also the web-based password manager, works fine - even from my Zenfone 5.

The error message in passman when trying to log in is: Peer not trusted by any of the system trust managers.

Should I manually install the root certificate of Let's Encrypt?

Can anyone help me with that problem? If I understand issue #13 correctly, it is now working for others on old Android versions...

Best regards, Timo

brantje commented 6 years ago

Try importing the root certificate of Let's Encrypt. Also make sure you provide the full chain of the certs.

trohrberg commented 6 years ago

Hello,

Thank you for your hint. I imported the root certificate of Let's Encrypt, but the passman app still doesn't work. The error displayed is the same. Did I maybe miss anything when importing the certificates? Or did I import the wrong ones? See the attached screenshots from my phone with the certificates that I imported.

Thanks for any further hint.

Regards, Timo

[screenshot: letsencrypt_root_certificates]
[screenshot: letsencrypt_root_ca_certificate]

animalillo commented 6 years ago

Try cleaning the passman app cache on your phone.

trohrberg commented 6 years ago

I already tried that quite often. I even installed my own Let's Encrypt certificate on the Android system, but still experiencing the same error. Is it possible that the library used by passman for SSL communication somehow does not respect the manually installed certificates in the Android system?

trohrberg commented 6 years ago

Just to make clear what I already tried:

Screenshots attached from the chain of certificates shown in my Mozilla Firefox browser.

Any further hints?

Regards, Timo

[screenshot: certificate_chain_firefox]

animalillo commented 6 years ago

Take a look at: https://www.ssllabs.com/ssltest/analyze.html?d=tr82.de&s=46.163.77.207

And my question regarding the cache is: after you added your certificates to the Android trusted certificates, that is when you should clean the cache and restart the app.

trohrberg commented 6 years ago

I'm sorry, I didn't want to sound pushy with my summary of what I tried. I checked the SSLLabs report on my server's SSL configuration. Unfortunately, I cannot yet figure out how to improve the configuration - but I'm trying to work on it with the hints given in the report.

In the meantime, I already uninstalled the passman app on my smartphone and reinstalled it after cleaning and importing the Let's Encrypt certificate. But unfortunately, it's still giving me the same error.

animalillo commented 6 years ago

Having the CA in the Android trusted root certs should fix your issue. If it is still failing, it's probably something to do with your server config, but I don't know what exactly. Anyway, we will be adding an option to ignore this check for self-signed certificates, but we don't have an ETA for this feature yet.

Since this is either fixed with #25 or a server-specific issue, I'm closing this issue for now. We will however try to help you even if the issue is closed, so feel free to ask and comment away on this issue ^.^

trohrberg commented 6 years ago

Thank you for your assistance so far and the promised assistance further on. For me it's completely OK to close this issue in the meantime as it seems to affect only me.

Just to make sure I'm getting it right and not making a silly mistake: the CA certificate needed in the Android trusted root certs is the "DST Root CA X3" certificate shown in the screenshot of Mozilla Firefox, right? If I can find a certificate with that name, and especially with the same serial number, in the list of trusted certificates on my Android device, everything should be fine, right? Do I really need the second-level "Let's Encrypt Authority X3" certificate imported on the Android device, too? And if so, is it OK if it is listed in the list of "User certificates" instead of the list of "System certificates" like the "DST Root CA X3" certificate?

Thank you for your clarification.

animalillo commented 6 years ago

This page contains the Let's Encrypt root CAs: https://letsencrypt.org/certificates/ If you include the full certificate chain in your server response, you don't need any intermediate certificates installed, as far as I know, but I don't know how Android handles custom-added root CAs.

trohrberg commented 6 years ago

Yes, that's also the page where I took the certificates to import from, before just exporting them from my Mozilla Firefox browser. But the issue is still the same. Also, I think you're right with your assumption that no intermediate certificates need to be installed if the server sends the full chain. But the latter is actually happening in my case, which can also be seen in the SSLLabs report's section "Certification Paths".

I simply don't understand what is going wrong and unfortunately, I don't have more details than just the error message "Peer not trusted by any of the system trust managers."

youphyun commented 5 years ago

I am having the same issue on my Android 4.4 Lenovo P90, which is a very similar phone. I also would very much like to get this solved.