Closed DesertLion1 closed 2 months ago
I actually went and tested this, and I can confirm that this definitely works. You have to use the correct subject alternative name for the networking stack to accept it.
You can test if it works by trying in Safari; when Safari accepts it, the app will accept it as well.
I came here looking for the solution, but you just have to do http:// before the IP and then :8000 or whatever port you're using, after the IP.
Closing this now, with the recommendation to install a self-signed CA as a trusted root, and then using self-signed certificates that the OS trust store accepts. I'm trying to make the error reporting around this better in an upcoming version.
> You can test if it works by trying in Safari; when Safari accepts it, the app will accept it as well.

Is this still valid? I'm getting no certificate complaints with the installed self-signed certificate in Safari, but the app wouldn't accept it. Reboot didn't help.
Can confirm that the app will accept the certificate on macOS, but not on iOS.
@timvahlbrock That's strange. I'm almost certain that it's a certificate issue, since I verified it actually works without any errors.
How did you create your certificates?
Using openssl. And it works on macOS in Safari and in the app, but on iOS only in Safari. And I've triple-checked that I activated the certificate on iOS in both places.
One special case might be that the server just uses the root CA certificate directly, without creating an application certificate.
@timvahlbrock I only tested using a separate CA and application certificate. I'm not sure if this might be the difference? Would you be able to try out using separate certificates?
Yeah, I will check on that tomorrow.
I have my own internally used CA and a server certificate signed by this CA for my paperless instance. With only the root certificate installed on my iPhone this works very well. On the iPhone it is not enough to install the cert; you will have to set trust: Settings -> General -> About -> (scroll down) Certificate Trust Settings -> ENABLE FULL TRUST FOR ROOT CERTIFICATES
Got it to work using a separate server certificate. However, when I first created the certificate I gave it a lifetime of about 100 years, which Chrome was okay with, but Safari didn't like. Quick research showed that Apple doesn't seem to like certificates that are valid longer than a year. Maybe that was the problem before, as my root CA cert is also valid for 100 years, but that didn't seem to bother Safari. It also doesn't seem to be a problem now, as long as the server certificate is short-lived enough. Thanks for your quick response and effort on this app.
Awesome, great that at least that's working.
For a bit of context: I'm hesitant to add any kind of custom TLS handling because that brings me into territory where a mistake on my part could have significant consequences. That's why I'd really like to stick to the system provided mechanism as long as it's feasible to get it to work that way.
Yeah, I think that is the way that I would be going as well. But as I haven't developed any iOS apps so far myself, I wasn't sure whether Apple changed the behavior for apps since the original comment.

> Got it to work using a separate server certificate. However, when I first created the certificate I gave it a lifetime of about 100 years, which Chrome was okay with, but Safari didn't like. Quick research showed that Apple doesn't seem to like certificates that are valid longer than a year. Maybe that was the problem before, as my root CA cert is also valid for 100 years, but that didn't seem to bother Safari. It also doesn't seem to be a problem now, as long as the server certificate is short-lived enough. Thanks for your quick response and effort on this app.

I think Apple doesn't accept certificates with that long validity. The limit is 825 days, if I'm not wrong.

> I think Apple doesn't accept certificates with that long validity. The limit is 825 days, if I'm not wrong.

Yeah, I read something of 389 days, but anything less than a year seems to be fine.
Hi all,
Currently the app validates a server URL at input and will not allow adding a server when the SSL certificate is considered invalid for whatever reason. I added my self-signed certificate and CA, which are only used internally, to iOS' trust store and they both have green checkmarks "Verified" but still the app does not allow me to add the URL.
How about an option to ignore SSL errors, for example a switch or a warning when pressing "Log In" with the option to either cancel or proceed anyway? After all, I think issues with iOS and self-signed certificates are not that uncommon in internal networks where paperless is probably used most often.
Thank you + Regards Stefan
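
The setup this thread converges on (a separate CA and server certificate, the host name in the subject alternative name, a short-lived server certificate), as an added example that is not from the app's author or any commenter. The host name, CA name and file names are constructed placeholders, and the serverAuth extended key usage is included because Apple's published requirements for TLS server certificates also list it.

```bash
#!/usr/bin/env bash
# Added example. Host name, CA name and file names are constructed placeholders.
set -eu

make_chain() {  # make_chain <dir> <hostname> <leaf-validity-days>
  dir=$1; host=$2; days=$3
  mkdir -p "$dir"
  # Minimal config so the result does not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' 'prompt=no' \
    '[dn]' 'CN=Example Home CA' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' \
    > "$dir/ca.cnf"
  # Root CA: the only certificate installed and given full trust on the device.
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Separate server key and CSR; the server never presents the CA certificate itself.
  openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  # Leaf extensions: host name in subjectAltName, not a CA, serverAuth usage.
  printf '%s\n' "subjectAltName=DNS:$host" 'basicConstraints=CA:FALSE' \
    'extendedKeyUsage=serverAuth' > "$dir/leaf.ext"
  openssl x509 -req -sha256 -days "$days" -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/leaf.ext" -out "$dir/server.crt" 2>/dev/null
}

check_leaf() {  # check_leaf <dir> <hostname>; returns 0 only if every check passes
  dir=$1; host=$2; crt=$dir/server.crt
  text=$(openssl x509 -in "$crt" -noout -text)
  # Chain must validate against the private root.
  openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null 2>&1 || return 1
  # Host name must be in the SAN; the served certificate must not be a CA certificate.
  printf '%s\n' "$text" | grep -qF "DNS:$host" || return 1
  if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then return 1; fi
  # Lifetime: a freshly issued leaf must expire within 825 days (limit quoted in the thread).
  if openssl x509 -in "$crt" -noout -checkend $((825 * 86400)) >/dev/null; then return 1; fi
  return 0
}

# Demo run in a temporary directory with a constructed host name.
demo_dir=$(mktemp -d)
make_chain "$demo_dir" paperless.home.example 397
check_leaf "$demo_dir" paperless.home.example && echo "leaf OK: $demo_dir/server.crt"
```

Only `ca.crt` goes onto the device, where it still needs full trust enabled under Certificate Trust Settings; the server is configured with `server.crt` and `server.key`.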