patzly / grocy-android

ERP beyond your fridge, now on your phone – An awesome companion app for grocy
https://patrickzedler.com/grocy/
GNU General Public License v3.0

Let's Encrypt certificates are not trusted #779

Closed majkrzak closed 6 months ago

majkrzak commented 10 months ago

Similar to https://github.com/patzly/grocy-android/issues/125, I cannot connect to Grocy via the Home Assistant flow, as the application is throwing errors claiming the trusted root cannot be found. I'm using Let's Encrypt certificates.

majkrzak commented 9 months ago

This is what I can see in the app. Logcat does not return anything regarding it.

Screenshot_20230913-130543.jpg

My cert is signed by "Let's Encrypt R3", signed by "ISRG Root X1". Could it be that the Conscrypt library you are using is not up to date anymore? The last release was in 2021.

majkrzak commented 9 months ago

To solve the issue, I had to install "Let's Encrypt R3" as custom certificate, despite "ISRG Root X1" being marked as a system trusted one.

jaapio commented 9 months ago

I have the same issue, a freshly requested LE certificate is not trusted by the app.

ssiegel commented 9 months ago

I don't experience any problems using Let's Encrypt Certificates with Grocy Android. I'm using the --preferred-chain 'ISRG Root X1' configuration, i.e. my server provides two certificates in the chain: the actual server certificate and the Let's Encrypt R3 intermediate.

I remember having some compatibility issues a while ago (not using Grocy back then) when I used the cross-signed chain up to DST Root CA X3 (and ISRG Root X1 provided as an additional intermediate). I don't know if this is still the default Let's Encrypt configuration. You might want to check if your chain of intermediate certificates includes the cross-signed ISRG Root X1 and try to remove that from the chain.
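A simplified model of the chain layouts discussed in the comment above, added here as an example and not taken from the app or from Conscrypt. It follows issuer names only (no signature or expiry checks), the host name and trust-store contents are constructed, and it also covers a server that sends only the leaf certificate.

```python
# Name-based model of certificate path building. It follows issuer names only:
# no signature, expiry or name-constraint checks. All data here is constructed.

LEAF = "grocy.example.test"          # constructed host name
R3 = "Let's Encrypt R3"
X1 = "ISRG Root X1"
DST = "DST Root CA X3"

# (subject, issuer) pairs, leaf first, in the order a server would send them.
SHORT_CHAIN = [(LEAF, R3), (R3, X1)]            # --preferred-chain 'ISRG Root X1'
LONG_CHAIN = [(LEAF, R3), (R3, X1), (X1, DST)]  # adds the cross-signed ISRG Root X1
LEAF_ONLY = [(LEAF, R3)]                        # intermediate not served


def find_trust_path(served_chain, trust_store):
    """Return (trusted, path, reason) for a served chain and a set of anchor names."""
    served = {subject: issuer for subject, issuer in served_chain}
    subject, issuer = served_chain[0]
    path = [subject]
    while True:
        # A client-side anchor wins over anything the server sent for that name.
        if issuer in trust_store:
            return True, path + [issuer], "anchored at " + issuer
        if issuer in path or issuer not in served:
            # Self-signed or looping cert that is not an anchor, or a missing link.
            return False, path, "no trust anchor or served certificate for " + issuer
        path.append(issuer)
        issuer = served[issuer]


if __name__ == "__main__":
    stores = {
        "store with ISRG Root X1": {X1},
        "store with only DST Root CA X3": {DST},
        "store with neither root": set(),
    }
    chains = [("short", SHORT_CHAIN), ("long", LONG_CHAIN), ("leaf only", LEAF_ONLY)]
    for chain_name, chain in chains:
        for store_name, store in stores.items():
            ok, path, reason = find_trust_path(chain, store)
            print(f"{chain_name:9} | {store_name:30} | {'OK  ' if ok else 'FAIL'} | {reason}")
```

A FAIL row corresponds to the "Trust anchor for certification path not found" condition: the walk ran out of served certificates before reaching a name in the client's trust store.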

majkrzak commented 9 months ago

The chain in my case is: my cert <- R3 <- X1 (self-signed). It is correct, so the problem is not there. Also, the system handles the certs correctly. I bet the problem is here (quote from the readme):

Old Android devices can have problems with newer CAs because their internal list of trusted CAs can be outdated if they don't receive system updates anymore, therefore we've integrated Conscrypt into the app to support current CAs on all Android versions.

dominiczedler commented 9 months ago

I have to set up a server with a Let's Encrypt cert myself first, before I can test the app with that again. What Android version do you use, @majkrzak and @jaapio?

jaapio commented 9 months ago

I have Android 13; the browser did accept the certificate, btw. Do you ship a separate cert library with your app?

dominiczedler commented 9 months ago

Yes, the app includes Conscrypt like described in the Readme.

Could you test this APK please? I've disabled Conscrypt in this debug version. https://drive.google.com/file/d/1oh6eAcZGAcQy2eEsIFddNEgVMCAJ791Q/view?usp=sharing (Sorry, GitHub file upload is currently broken...)

dominiczedler commented 7 months ago

@jaapio Any news?

dominiczedler commented 6 months ago

You can write any further information in here, I can reopen the issue if necessary.

zunami commented 3 months ago

Hello everyone.

I seem to have the same problem. The application says that my certificate is not secure.

I am using Grocy in a Docker container. The container is accessible via a subdomain, https://grocy.mydomain.com. This domain works with Let's Encrypt and a wildcard certificate.

Grocy is accessible in the www and in the LAN https://grocy.mydomain.com. The Let's Encrypt certificate works on the www and in the LAN without any problems.

Versions: Grocy version 4.2.0, PHP version 8.3.4, SQLite version 3.44.2

Smartphone: Grocy Android 3.5.2, Samsung S23+, UI 6.0

03-17 15:28:42.455 16979 16979 E LoginRequestViewModel: requestLogin: VolleyError: com.android.volley.NoConnectionError: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

Smartphone tempFileForShare_20240317-153450

Browser with grocy Lets Encrypt 2024-03-17 15_30_15-Browser

dominiczedler commented 3 months ago

Hi @zunami, maybe issue #854 helps because there is a workaround and reason for older devices.

zunami commented 3 months ago

That could well be possible, only I don't have an old smartphone. I have Android 14.

patzly commented 3 months ago

@zunami Maybe this information is relevant to you? https://github.com/patzly/grocy-android/issues/854#issuecomment-2004921376

Edit: Sorry, didn't see the answer from @dominiczedler :D