Hi, I sync Joplin between my desktop and iPhone using a local Nextcloud server. Everything worked a week ago but suddenly I’m getting ‘Network request failed’ errors on the iPhone. I use the exact same WebDAV URL for both desktop and iOS. Any idea what’s going on? Log attached.
Joplin iOS app version: 10.0.45
Joplin Windows 10 version: 1.0.193
I just realized this problem is already opened as issue #2533, I will move the discussion there.
I have found out that in my case it is not a bug, just inexperience - I solved it by issuing my own certificate, made Nextcloud use it and then made my iOS trust the certificate and CA. If there is interest I can post the process and it could perhaps be included in some guide for new users, it was quite a journey.
That would be lovely so that other users can use it when they have issues.
To give some background, why this even comes up: I have a Nextcloud instance running at home on an old laptop (on Ubuntu 18.04 LTS, installed through snap), accessible just from the local network. As such, I didn’t even want to use https and started with http. Some applications however, like Calendar in iOS 13, won’t sync with a server on http. So you need https, and for that you need to use SSL certificates. If your server is open to the internet, you can use a service like Let’s Encrypt, there are plenty of tutorials on how to do that. On a closed network, Nextcloud offers self-signed certificates, which you can easily activate with a one liner, but most applications will flag them as untrusted. Sometimes this can be ignored, especially in browsers or Joplin desktop, but on mobile devices this option doesn’t exist. To work around that, you need to:
- Make your own Certification Authority (CA)
- Generate certificate and a key
- Make your Nextcloud server use given CA and certificate
- Make the CA trusted on your devices and use the certificate.
As a disclaimer, I only vaguely know what I’m doing, so if someone sees here an unnecessary or a wrong step, please let me know. I’m trying to write it also for people who are maybe not so experienced with the Linux terminal.
ssh/putty on your Ubuntu server with your Nextcloud instance
Install mkcert (link)
Generate a certificate for your host
mkcert 192.168.0.2 or whatever domain you are using
- this will generate two files
- 192.168.0.2.pem and 192.168.0.2-key.pem
Find your root certificate
Remember the location of these 3 files or copy them somewhere convenient
- For simplicity let’s say you copied them to your home directory
Find where your Nextcloud instance is storing certificates
- you can try
there should be folders like
current and another one let’s call it
numbers - it will be a string of numbers or something else
- you have to be a superuser to access this folder, so use
- then check
there should be 3 files:
- delete these 3 files (rm cert.pem etc.)
- copy your certificate, key and rootCA into the folder
cp 192.168.0.2.pem /var/snap/nextcloud/numbers/certs/live etc.
- rename these files to the previous names, with rootCA.pem acting as chain.pem
mv 192.168.0.2.pem cert.pem
mv 192.168.0.2-key.pem privkey.pem
mv rootCA.pem chain.pem
- double check that it worked with
Enable and use the custom certificates (source)
sudo nextcloud.enable-https custom -s cert.pem privkey.pem chain.pem
or if in
/snap/bin/nextcloud.enable-https custom -s cert.pem privkey.pem chain.pem
The apache server should now restart and it should be using your certificates
Now somehow get a copy of the certificate and rootCA onto your device of choice
- Before you try it, copying the files directly into the directories of nextcloud on the server (/var/snap/nextcloud/common/files/user/whatever/) doesn’t work, or at least for me they didn’t show up afterward in the web app.
- mounting a USB stick on the Ubuntu server link
- From the USB stick you can copy the files on a desktop PC and sync it via nextcloud to your iPhone
- Install the certificates in iOS 13 by downloading them and clicking on them
- Then go to Settings - General - Profiles and install them
- there should be one profile with the ubuntu server name and one starting with mkcert
- Make the mkcert CA trusted by going to Settings - General - About - Certificate Trust Settings and enabling full trust
For me this worked, even though the order was much more chaotic and there was a lot of lurking on the web. Hopefully it will save someone some time.
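An added example, not part of the original post: a check of the three files from the steps above before they are handed to nextcloud.enable-https. It confirms that the certificate verifies against the CA, that the private key belongs to it, and that the address in the WebDAV URL is in the certificate. The function names check_certs and make_demo_pki are made up for this example, it needs the openssl command line tool, and the throwaway CA it builds only stands in for mkcert's output.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check cert.pem, privkey.pem and
# chain.pem before running nextcloud.enable-https. Needs the openssl CLI.

# check_certs CERT KEY CA ADDRESS -> prints "ok" and returns 0, or names the
# failing check and returns 1 (chain), 2 (key) or 3 (address).
check_certs() {
    cert=$1; key=$2; ca=$3; addr=$4
    # 1. The certificate must verify against the CA the devices will trust.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "chain: $cert is not signed by $ca"; return 1; }
    # 2. The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "key: $key does not match $cert"; return 2; }
    # 3. The address in the WebDAV URL must be in the certificate.
    #    Only digits and dots -> IPv4 address, anything else -> host name.
    case $addr in
        *[!0-9.]*) flag=-checkhost ;;
        *)         flag=-checkip ;;
    esac
    openssl x509 -in "$cert" -noout "$flag" "$addr" | grep -q 'does match' ||
        { echo "address: $addr is not covered by $cert"; return 3; }
    echo ok
}

# Constructed sample input: a throwaway CA plus two leaf certificates in DIR,
# named like the files in the steps above. Stands in for mkcert's output.
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo CA" \
        -keyout "$dir/ca-key.pem" -out "$dir/chain.pem" 2>/dev/null
    for name in cert other; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=demo leaf" \
            -keyout "$dir/$name-key.pem" -out "$dir/$name.csr" 2>/dev/null
        echo "subjectAltName=IP:192.168.0.2" > "$dir/ext.cnf"
        openssl x509 -req -in "$dir/$name.csr" -days 30 -CA "$dir/chain.pem" \
            -CAkey "$dir/ca-key.pem" -CAcreateserial -extfile "$dir/ext.cnf" \
            -out "$dir/$name.pem" 2>/dev/null
    done
    mv "$dir/cert-key.pem" "$dir/privkey.pem"
}
```

On the server, run it from the folder holding the renamed files, for example `check_certs cert.pem privkey.pem chain.pem 192.168.0.2`.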
That we need to do this is so wrong on so many levels.
It should be sufficient to install the own root CA certificate and fully trust it.
All your server certificates should verify positively against this.
BTW, installing a certificate works through the Apple apps Safari (download it) or Mail (mail it to yourself). The best way to upload is through Apple Configurator on macOS and creating a profile that contains the required CA certificates. Then tap on the certificate, leave the app and go to settings, there is a new menu item near the top. Follow this to install the cert. Then trust the root CA cert as described by Langosh.
But this does not work for Joplin in iOS14. Other apps, such as Mail, Contacts, Calendar will work like this, but Joplin seems to ignore the iOS trust store. macOS Joplin has the same problem, but there you can at least point to the root CA certificates path and trust it. Certainly suboptimal, since the OS provides keychain access. But catastrophic on iOS, as it just does not work at all with your own CA certificates. You have to resort to Let's Encrypt certificates.
This really needs to be improved.
But this is not how
Has anyone perhaps had luck syncing Joplin on iOS 14 to nextcloud by storing the contents of the Joplin app into a folder that the nextcloud app is already syncing (Basically syncing through a networked directory/file system)? I'm not sure if it's even possible on iOS14, but I might try to create a folder for my mobile notes to be stored, then tell nextcloud to sync that folder to the server, then directing my desktop joplin app (which is working fine) to sync to that same folder via webdav. Has anyone tried this who can spare me a half day of toil?
Edit: after looking through this thread it looks like the idea for syncing through the file system has already been entertained with no luck.
Nope that information does not help. My certificates stick to these rules.