wallabag / android-app

Android application to read your articles saved in your wallabag. You can also easily add new articles.
https://www.wallabag.org
GNU General Public License v3.0

Regarding the reasons why "Accept all SSL certificates" option was removed #532

Open di72nn opened 7 years ago

di72nn commented 7 years ago

This option was intentionally removed because it creates a false sense of security. At any given moment you're not able to tell if your connection is actually secure or it was tampered with.

Possible solutions:

Also, feel free to create a PR for #258 to implement a memorizing trust manager.

tcitworld commented 7 years ago

FYI, someone on the Play Store wrote, without further information:

Doesn't seem to respect certs from user store. Android 7.0+

di72nn commented 7 years ago

Thanks for the info. Probably #479. v1.* versions that targeted API 24+ may have that problem, but v2 should be fine. Otherwise I need more details.

Schdefoon commented 5 years ago

Is it possible that removing this option locks out users with a Raspberry Pi (Yunohost) in a local domain and a mobile device with LineageOS? As far as I know my only chance is to use a self-signed certificate on my server. Unfortunately I can't manage to trust this certificate on my mobile device. I tried very hard the whole weekend without success. There are some topics that this might be a LineageOS problem (e.g. https://github.com/bfabiszewski/ulogger-android/issues/14). There's one thing I could not test so far: importing my self-signed certificate into a mobile device with a "regular" ROM, because I don't have one. That could prove that my server configuration is correct and there's a problem with LineageOS. For me the option "Accept all SSL certificates" would help ...

di72nn commented 5 years ago

LineageOS 15.1 here. Just tested: importing the CA for self-signed certs does work. BTW, I imported ca.crt, not server.crt (I'm not sure if it is supposed to work with the server cert).

Update: "Trust anchor for certification path not found" is the error you get because the cert is self-signed. If you get something like "Hostname 'example.com' was not verified", then you have to fix something else - I got that error until I added subjectAltName (just for testing, I didn't bother to find out what the exact issue was).

Schdefoon commented 5 years ago

Thank you very much for helping - I really appreciate this

I did some more tests and thought about what might be going wrong. In fact there are a lot of things that might be wrong, so it might be better to tell the whole story:

First of all: I don't exactly understand everything I'm doing. I try, but there might be some fundamental errors. The Yunohost installation works with domains (not with IP addresses). Because it was important for me, I defined a local domain in my home network. The local domain is called yunohost.local. My Raspberry Pi has the IP 192.168.2.132. The only possibility to open Wallabag is to call https://yunohost.local/wallabag/. It is not possible to call the IP address somehow. Because of this you should set up DNS rules so the domain name can be resolved. Unfortunately my home router can't do this. So my only chance to continue was to edit the hosts file on the clients and insert "192.168.2.132 yunohost.local". That's what I did on my LineageOS smartphone. With "FOSS Browser" it is possible to test that this is really working.

Now when I insert the URL above into the Wallabag app I get a response "java.security.cert.CertPathValidatorException", like you wrote.

When I now upload ca.crt the message changes into "Hostname yunohost.local not verified".

Is there a problem because yunohost.local is only redirected by the hosts file? If yes, is there no chance for me to fix it under the circumstances I have?

di72nn commented 5 years ago

I would check if you can install an alternative firmware on your router (like OpenWrt or DD-WRT).

Alternatively maybe you can set up a DNS server (that would resolve general addresses + your local ones) on your Raspberry and make your clients (preferably by pushing it via DHCP) or the router use this server. That would localize your workaround to servers, rather than making adjustments to clients.

You can also try adding the IP address to the SSL cert. I haven't tried it, but I guess that way you should avoid the "Hostname yunohost.local not verified" error.

Schdefoon commented 5 years ago

Thank you very much. I had already installed pi-hole on my yunohost server and read that it might help as a DNS server. So I took a new client and tried to call https://yunohost.local. This failed as expected. Then I entered 192.168.2.132 as DNS address in the network settings of this client and tried again. This time it worked. Additionally, the pi-hole interface shows activity. So I would guess this is proof that DNS is working. But in the Wallabag app I still get the error "Hostname yunohost.local not verified".

This might be evidence that there is something wrong with my server certificate (standard yunohost installation) and the certificate I imported into my LineageOS devices. Would you mind sending details on how you created the certificate to import it into your LineageOS device?

di72nn commented 5 years ago

I think you should first check your server.crt (or whatever it is called for you) with this: "openssl x509 -in server.crt -text -noout".

I went through the commands in this comment except that I changed the last two to these to include SAN:

openssl req -new -key server.key -subj "/CN=my.domain.tld" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:my.domain.tld,DNS:subdomain.my.domain.tld")) -out server.csr

openssl x509 -req -extfile <(printf "subjectAltName=DNS:my.domain.tld,DNS:subdomain.my.domain.tld") -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

Then checked the Subject and Subject Alternative Name fields:

openssl req -in server.csr -text -noout
openssl x509 -in server.crt -text -noout

Then imported ca.crt into my phone, and used server.key and server.crt on the test server.
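The same procedure, written up as an added example that is not from the thread or the wallabag project: it builds a private CA, issues a server certificate whose SAN covers both the hostname and (as suggested above) the IP address, and then runs the checks that correspond to the two errors discussed here, the "trust anchor" check (chain validates against ca.crt) and the "hostname not verified" check (SAN contains the name). It assumes openssl on PATH; yunohost.local and 192.168.2.132 are the values from this thread and are just defaults here.

```shell
#!/bin/sh
# Added example: private CA + SAN server cert, then the checks that matter.
# Assumes openssl is installed. DOMAIN/IPADDR default to the thread's values.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DOMAIN="${DOMAIN:-yunohost.local}"
IPADDR="${IPADDR:-192.168.2.132}"

# 1. Private CA. ca.crt is the file imported into the phone, not server.crt.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Home CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Server key, CSR and CA-signed cert. The subjectAltName extension is what
#    makes "Hostname ... not verified" go away; Android ignores the CN alone.
#    The IP: entry additionally covers connecting by address.
make_server_cert() {
  printf 'subjectAltName=DNS:%s,DNS:www.%s,IP:%s\n' \
    "$DOMAIN" "$DOMAIN" "$IPADDR" > "$WORK/san.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$DOMAIN" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 825 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/san.ext" -out "$WORK/server.crt" 2>/dev/null
}

# 3a. Chain check: passes only if server.crt chains to ca.crt
#     (the "Trust anchor for certification path not found" case otherwise).
chain_ok() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# 3b. Hostname check: the SAN must contain the name used in the app's URL
#     ("Hostname ... not verified" otherwise). Uses -verify_hostname (OpenSSL >= 1.1.0).
host_ok() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
    "$WORK/server.crt" >/dev/null 2>&1
}

# 3c. Inspect the SAN line, like the "openssl x509 -text -noout" step above.
san_has() {
  openssl x509 -in "$WORK/server.crt" -text -noout 2>/dev/null | grep -q "$1"
}
```

Run make_ca and make_server_cert once, then copy server.key/server.crt to the server and import only ca.crt on the phone; host_ok with a name that is not in the SAN (for example the bare IP as a DNS name) fails, which is exactly the error the app reports.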

Schdefoon commented 5 years ago

Thank you very much! I can't believe it finally worked :-) I used a similar tutorial with almost the same steps as you wrote. The differences are in steps 3 and 4 (server.csr and server.crt), because I had an error because of the connection to /etc/ssl/openssl.cnf.

In my v3.ext file I changed the line "subjectAltName = @alt_names" into "subjectAltName = DNS:yunohost.local,DNS:www.yunohost.local,DNS:ns.yunohost.local" and deleted the segment [alt_names] IP.... In server_rootCA.csr.cnf I changed "CN = 192.168.178.55" into "CN = yunohost.local".

Finally I copied server.key into /etc/yunohost/certs/yunohost.local/key.pem and server.crt into /etc/yunohost/certs/yunohost.local/crt.pem. Then I imported server_rootCA.pem into LineageOS.

Then I started the Wallabag connection assistant again. (Maybe this was important. First I got HTTP 400 errors when trying to edit the connection which was stored in the settings.)

Again, thank you very much for your help!

di72nn commented 5 years ago

You're welcome! Good to know you got it working.

fastfailure commented 3 years ago

I went through the commands in this comment except that I changed the last two to these to include SAN:

openssl req -new -key server.key -subj "/CN=my.domain.tld" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:my.domain.tld,DNS:subdomain.my.domain.tld")) -out server.csr

openssl x509 -req -extfile <(printf "subjectAltName=DNS:my.domain.tld,DNS:subdomain.my.domain.tld") -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

Then imported ca.crt into my phone, and used server.key and server.crt on the test server.

This really saved my day, thank you!