Android client: Network connection error

I am using an https server with self-signed certificate. Is that an issue?

Can you add some diagnostic logging messages? Such as 1) Connection to web server OK/NOK 2) Nextcloud instance found OK/NOK 3) Login and password is correct OK/NOK.
This is how for example QOwnnotes does it.

If you cannot make these logging changes can you point me to the correct file to change and I can do it myself?

The same URL/login/password works fine on Joplin Linux desktop version.

Here is the debug log from the app:

Date,Level,Message
04-16T20:43:26,30,"""Reducer action", "DECRYPTION_WORKER_SET""
04-16T20:43:26,30,"""DecryptionWorker: completed decryption.""
04-16T20:43:26,30,"""Reducer action", "DECRYPTION_WORKER_SET""
04-16T20:43:26,30,"""DecryptionWorker: starting decryption...""
04-16T20:43:25,30,"""Reducer action", "FOLDER_UPDATE_ALL""
04-16T20:43:25,30,"""Updating all notifications...""
04-16T20:43:25,30,"""Garbage collecting alarms...""
04-16T20:43:25,30,"""Total resources: 3""
04-16T20:43:25,30,"""Reducer action", "SYNC_COMPLETED""
04-16T20:43:25,30,"""Total folders: 1""
04-16T20:43:25,30,"""Total notes: 4""
04-16T20:43:25,30,"""Operations completed: ""
04-16T20:43:25,10,"""TypeError: Network request failed
onerror@index.android.bundle:133:4815
value@index.android.bundle:118:1505
value@index.android.bundle:117:6656
value@index.android.bundle:117:3396
index.android.bundle:117:9584
value@index.android.bundle:46:1389
value@index.android.bundle:25:3449
index.android.bundle:25:960
value@index.android.bundle:25:2703
value@index.android.bundle:25:932
[native code]""
04-16T20:42:34,30,"""Reducer action", "NAV_GO, Log""
04-16T20:42:27,30,"""Reducer action", "NAV_BACK""
04-16T20:42:23,30,"""Reducer action", "NAV_GO, Status""
04-16T20:41:46,30,"""Settings have been saved.""
04-16T20:41:46,30,"""Saving settings...""
04-16T20:41:46,30,"""Reducer action", "SETTING_UPDATE_ONE""
04-16T20:40:39,30,"""Reducer action", "NAV_GO, Config""
04-16T20:40:20,30,"""ResourceService::deleteOrphanResources:", """
04-16T20:40:20,30,"""ResourceService::indexNoteResources: Completed""
04-16T20:40:19,30,"""ResourceService::indexNoteResources: Start""
04-16T20:40:00,30,"""SearchEngine: Updated FTS table in 79ms""
04-16T20:40:00,30,"""Reducer action", "NOTE_UPDATE_ALL""
04-16T20:40:00,30,"""Reducer action", "NOTE_UPDATE_ALL""
04-16T20:39:59,30,"""Reducer action", "SYNC_STARTED""
04-16T20:39:59,30,"""Starting scheduled sync""
04-16T20:39:59,30,"""Preparing scheduled sync""
04-16T20:39:59,30,"""SearchEngine: Updating FTS table...""
04-16T20:39:56,30,"""Reducer action", "NAV_GO, Log""
04-16T20:39:50,30,"""Reducer action", "DECRYPTION_WORKER_SET""
04-16T20:39:50,30,"""DecryptionWorker: completed decryption.""
04-16T20:39:50,30,"""Reducer action", "DECRYPTION_WORKER_SET""
04-16T20:39:50,30,"""DecryptionWorker: starting decryption...""
04-16T20:39:50,30,"""Reducer action", "NOTE_UPDATE_ALL""
04-16T20:39:50,30,"""ResourceFetcher: Auto-added resources: 0""
04-16T20:39:49,30,"""Reducer action", "APP_STATE_SET""
04-16T20:39:49,30,"""Application initialized""
04-16T20:39:49,30,"""Scheduling sync operation...""
04-16T20:39:49,30,"""Reducer action", "NAV_GO, Notes""
04-16T20:39:49,30,"""Reducer action", "FOLDER_SET_COLLAPSED_ALL""
04-16T20:39:49,30,"""Reducer action", "MASTERKEY_UPDATE_ALL""
04-16T20:39:49,30,"""Reducer action", "TAG_UPDATE_ALL""
04-16T20:39:49,30,"""Reducer action", "FOLDER_UPDATE_ALL""
04-16T20:39:49,30,"""Scheduling sync operation...""
04-16T20:39:49,30,"""Reducer action", "MASTERKEY_REMOVE_NOT_LOADED""
04-16T20:39:49,30,"""Loaded master keys: 0""
04-16T20:39:49,30,"""Trying to load 0 master keys...""
04-16T20:39:49,30,"""Loading folders...""
04-16T20:39:49,30,"""Loaded master keys: 0""
04-16T20:39:49,30,"""Trying to load 0 master keys...""
04-16T20:39:49,30,"""Sync target: 5""
04-16T20:39:49,30,"""Reducer action", "SETTING_UPDATE_ALL""
04-16T20:39:49,30,"""Loading settings...""
04-16T20:39:49,30,"""Database is ready.""
04-16T20:39:49,30,"""Current database version", "18""
04-16T20:39:49,30,"""Checking for database schema update...""
04-16T20:39:49,30,"""Database was open successfully""
04-16T20:39:49,30,"""Starting application net.cozic.joplin-mobile (prod)""
04-16T20:39:49,30,"""====================================""

I have the same problem. Neither of my Android devices will connect to my self-hosted Nextcloud server which has a self-signed certificate. However, both my MacBook and Linux box do. The latter didn't until I provided proper paths for the certs as well as chose to ignore the warnings.

I would do the same for the Android configurations but, there doesn't seem to be any way of specifying the details on the 'droid client.

Any thoughts on how we can overcome this serious roadblock? Better yet, please tell me that I'm wrong and that the "fix" is really rather simple!

I'm happy to have found Joplin as it's a great solution to the problem of ineffective note sharing between devices on different platforms. However, there appears to be a serious problem with the Android client because it doesn't seem to connect to Nextcloud servers with self-signed certificates.

I've tried to work around this serious shortcoming by syncing to a folder on my SD card where Nextcloud stores defined files for off-line access. However, this also doesn't work because, apparently, Joplin can't write to that folder :confounded:

Please, can somebody point me in the right direction for a resolution to this unfortunate situation?

Not accepting connections from untrusted certificates is not a shortcoming but a feature.

Suggested workaround is to use a valid certificate using something like Let’s Encrypt.

This is the same shortcoming as it was in the desktop version! You had recognised it as such and had graciously provided a workaround by providing an option to “Ignore TLS certificate errors”.

I’d be very happy if I can get a “valid certificate” via Let’s Encrypt but, like others, I self-host my instance of Nextcloud and use a Dynamic IP Update Service. Let’s Encrypt doesn’t play nicely with this. Hence, a certificate cannot be generated.

You’ve created a great program, Laurent. Thank-you very much. If I could just get it working on my Android devices, it would be a Killer!

1 Like

As far as I know there’s no solution on mobile other than using regular certificates. Maybe using some trick you can install root certificates on your device but it’s probably not straightforward.

Thanks for your reply, Laurent. And for the suggestion. Alas, "tricky" things are well beyond my meagre capabilities as a mere enthusiastic user of this technology (my forte is mechanical engineering, not coding :face_with_monocle:). Nevertheless, if I come up with something, I'll be sure to post the solution here. I'm sure that @curioustwo and I aren't the only ones who suffer from this debilitating issue.

If you’re not too technical, you might want to look at a different way to set up Nextcloud since self-signed certificates always come with all kinds of drawbacks. Personally I’m not too interested in setting up all this, so I simply have a Let’s Encrypt certificate on a fixed IP server.

Alas, a fixed IP server is simply not practical.

Perhaps you're right about this. However, other mobile apps including Nextcloud and piwigo clearly have no problem connecting to my self-hosted server through a dynamic name server. There is more to this than we currently know....

1 Like

Hi Laurent,

I agree with @heviiguy. This is a must feature (to allow untrusted certificates). One BIG reason to have a self-hosted instance of Nextcloud is for privacy and security and that means hosted on my LAN and not in the cloud.

Looks like Android apps won't even work with manually added certificates unless app developer does some work.

From [1]:

Most apps don't work with CA certificates that you add

In Android 7.0 and up, by default, apps don't work with CA certificates that you add. But app developers
can choose to let their apps work with manually added CA certificates.

I tried installing my self-signed certificate on my Android phone but error still persists.

Like @heviiguy says the feature is added to the desktop version so why can't it be added to the Android version?

[1] Add & remove certificates - Pixel Phone Help

Thanks

I assume @laurent means that there is currently no solution in Joplin for self-signed, since FolderSync Pro for Android, for example, has an option to allow “self-signed” certificates.
“DavX5” also works fine with self-signed certificates.

Joplin works with self-signed certs for a while now. It helps reading the documrntation and FAQ.

How can I use self-signed SSL certificates on Android?

If you want to serve using https but can’t or don’t want to use SSL certificates signed by trusted certificate authorities (like “Let’s Encrypt”), it’s possible to generate a custom CA and sign your certificates with it. You can generate the CA and certificates using openssl, but I like to use a tool called mkcert for its simplicity. Finally, you have to add your CA certificate to Android settings so that Android can recognize the certificates you signed with your CA as valid (link).

1 Like

Wow. This is more than a bit rude and condescending.

It doesn't help if the "documrntation" didn't contain this snippet until just recently. Arrogantly implying that it's always been there is a very cheap shot.

Rude would be: read the fucking documentation/FAQ before posting stupid questions and/or stating wrong facts, which have been answered several times before. Did I do that? No, I didn't.

Don't put words in my mouth and read what I'm writing.
Furthermore it was a reply to curioustwo, who "assumed" things after 2 months during which time the FAQ has been updated. So he/she posted without reading the documentation/FAQ.

I never implied that it was always there. If I had, I would have spelled it out. Don't interpret what I'm writing. Take it as it is written.

This is my last comment about this. I will not participate in a childish argument with someone who takes facts as a personal attack and interprets words to their liking.

So with the help of info from this forum and many additional hours of further research I was finally able to solve the problem and get my android devices to be willing to open connections between joplin and my nextcloud.
My set-up:

  • Joplin on android
  • nextcloud on raspberry pi
  • apache server
  • openssl

The important steps:

  • create your own CA (certificate authority) with openssl (let’s call it my_ca.pem or my_ca.crt)
  • create your own certificate using your own CA with openssl (let’s call it my_cert.pem or my_cert.crt). Here I found it is absolutely important to specify your host in the alternative names section, otherwise it will not work (android seems to think connection is not secure if the server is only stated in the CN)
  • import my_ca.crt to your android device
  • activate my_cert.pem in your host’s my_host_ssl.conf file for apache

re the alternative names section:

  • here’s a good link explaining this: https://www.endpoint.com/blog/2014/10/30/openssl-csr-with-alternative-names-one
  • I also found that the alternative names are included in the csr-file (which is an interim file), but they will NOT be included in the certificate if you do not add the following text to the openssl command to create the certificate: -extfile my_host_ssl.conf -extensions v3_req. Without this addition, the certificate did not include the alternate names and this caused a problem on my android devices (windows was able to cope with it). So here’s what the command should look like to create the server certificate:

    openssl x509 -req -in csr_file_which_was_created.csr -CA CA_public_key.pem -CAkey CA_private_key.pem -CAcreateserial -out server_cert_public.pem -days 3650 -sha512 -extfile my_host_ssl.conf -extensions v3_req

check your certificate with the following command:
• openssl x509 -noout -text -in server_cert_public.pem
If the alternative names do not show up (and you can only see the CN name), then android will have an issue and joplin synch will not work.

2 Likes
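The steps from the post above as one script, added here as an example and not taken from the thread: it signs the same CSR once without and once with -extfile/-extensions and checks each certificate for the subjectAltName. The host name nextcloud.home.example, the file names openssl.cnf and cn_only.pem, and the helper functions issue_certs and has_san are assumptions.

```shell
#!/bin/sh
# Added example: private CA + server cert; all names are constructed placeholders.
set -eu

issue_certs() {  # $1 = work dir, $2 = host name the client will connect to
    d=$1; host=$2
    cat > "$d/openssl.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # 1. CA key and self-signed CA certificate (my_ca.pem is what Android imports)
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -config "$d/openssl.cnf" -extensions v3_ca -subj "/CN=Example Home CA" \
        -keyout "$d/my_ca.key" -out "$d/my_ca.pem" 2>/dev/null
    # 2. Server key and CSR; the CSR carries the SAN via req_extensions
    openssl req -new -newkey rsa:2048 -nodes -config "$d/openssl.cnf" \
        -keyout "$d/my_cert.key" -out "$d/my_cert.csr" 2>/dev/null
    # 3a. Signed WITHOUT -extfile: the SAN in the CSR is not copied to the cert
    openssl x509 -req -in "$d/my_cert.csr" -CA "$d/my_ca.pem" -CAkey "$d/my_ca.key" \
        -CAcreateserial -days 3650 -sha256 -out "$d/cn_only.pem" 2>/dev/null
    # 3b. Signed WITH -extfile/-extensions: the SAN ends up in the certificate
    openssl x509 -req -in "$d/my_cert.csr" -CA "$d/my_ca.pem" -CAkey "$d/my_ca.key" \
        -CAcreateserial -days 3650 -sha256 -out "$d/my_cert.pem" \
        -extfile "$d/openssl.cnf" -extensions v3_req 2>/dev/null
}

has_san() {  # $1 = certificate, $2 = host; true if host is listed as a DNS SAN
    openssl x509 -noout -text -in "$1" | grep -qF "DNS:$2"
}

HOST=nextcloud.home.example
WORK=$(mktemp -d)
issue_certs "$WORK" "$HOST"
for c in cn_only.pem my_cert.pem; do
    if has_san "$WORK/$c" "$HOST"; then echo "$c: SAN present"; else echo "$c: SAN missing"; fi
done
openssl verify -CAfile "$WORK/my_ca.pem" "$WORK/my_cert.pem"
```

Only my_ca.pem goes onto the phone; my_ca.key and my_cert.key stay on the machine that generated them and on the web server respectively.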

Yeah: Wow :astonished:

Is it possible to do this with mkcert?

Yes.

That's nice :-) Can you tell me how? I have already tried it without success.
I think I used the wrong syntax.