Self-signed cert with Nextcloud sync on Android

The exact issue is described here: https://github.com/laurent22/joplin/issues/2065

I’ve installed the cert in the Android certificate store but am still getting the error. Any ideas on how to proceed?

Has anyone got any ideas for me?

I think this has come up in the past. If someone has experienced this issue and knows a solution, please let us know.

I know that self-signed certs didn’t work in the beginning. Then we added that option and it worked. Now it apparently stopped working again. So what are the people currently doing who previously used self-signed certs that worked?

Hmm, maybe it has nothing to do with the cert at all, but your WebDAV server. These network request failures have been all over the place and Laurent released a new Android and iOS version that addresses this issue. Can you please try 1.0.311. It should be in the Play Store already.

Some WebDAV servers redirect the call which messes up the communication.

Edit: Although I’m using Nextcloud as well, but maybe they changed something and we are using different versions…

I'm on Nextcloud 16.0.5 currently. As for the Android version, that's on 1.0.311. Still having the same issue :frowning:

I usually access nextcloud via http (not https) so I decided to give it a go.

My server certificate is issued by CAcert. Not sure whether this is different from a self-signed certificate.

After updating the URL from http: to https: I could not connect, as can be expected. Then I installed the CAcert root certificate on the phone and everything works again.

Nextcloud 17.0.1 on Synology DSM 6.2, Joplin 1.0.310 on Android 9.

@charlesoblack you mentioned that other clients can connect without error. Can you please provide info on the ssl connection:

echo "Q" |openssl s_client -connect HOST:443 [-CAfile infile]

If you see anything other than Verify return code: 0 (ok) (close to the end) you have a problem. I guess you won’t be able to run this on Android, but please run it on desktop, just to make sure that everything is fine.

Oddly enough this doesn’t work in my (otherwise functioning) setup:

% echo Q | openssl s_client -connect cloud.squirrel.nl:443 |& grep 'Verify return'
    Verify return code: 21 (unable to verify the first certificate)
% echo Q | openssl s_client -connect cloud.squirrel.nl:443 -CAfile CAcert-Root.crt |& grep 'Verify return'
    Verify return code: 21 (unable to verify the first certificate)
% echo Q | openssl s_client -connect cloud.squirrel.nl:443 -CAfile /CAcert-Class3.crt |& grep 'Verify return'
    Verify return code: 2 (unable to get issuer certificate)
% echo Q | openssl s_client -connect cloud.squirrel.nl:443 -CAfile CAcert-Root.crt -CAfile CAcert-Class3.crt |& grep 'Verify return'
    Verify return code: 2 (unable to get issuer certificate)

This means that something in your chain is broken (most likely the server is set up incorrectly). It is really strange that your connection works.

The setting on mobile does not make it ignore TLS errors, but only allows the use of self-signed certs. These self-signed certs must be valid though, so I’m more than puzzled that any of this is working at all.
I’m sorry, I don’t know what to suggest next.

Indeed, something fishy with the server cert. I’ve renewed it and now I have verify return code 0 (ok).

Phew!

Hello,
The openssl command returns this for my nextcloud instance with self-signed cert:
Verify return code: 18 (self signed certificate)
I'm wondering if this can be fixed by application code because I can use nextcloud and carnet android clients to connect to the same nextcloud instance without any problem. Is there something different for Joplin and those other clients?