A number of people are using Nextcloud servers with self-signed certificates, and Joplin has recently added an option to desktop clients to support this (https://github.com/laurent22/joplin/issues/191).
It would be really great if the same option was also supported on mobile clients, so we could sync to a Nextcloud server with a self-signed certificate from all platforms/devices.
+1 Android. Started to use Joplin, even installed nextcloud specifically for this, but now I'm stuck at this issue.
+1
+1
I just read about Joplin and immediately fell in love with it. After installing it I also got stuck at my self-signed certificate. I'm using a Ubuntu-homeserver which I only access from outside via VPN. Therefore letsencrypt is not an option.
Apparently newer versions of Android don't even trust user-installed self-signed CA certificates, but I found a workaround if you are rooted. Here is what I did to get Joplin to talk to my Nextcloud 13 instance using my own self-signed certificate. I guess one could have done it with fewer steps, but this way I at least understood my own chain of trust.
The thing is: that is not even enough. Joplin still gets a "network error" when trying to communicate with my server. The magical thing is the Magisk Module "Move Certificate", which takes user-installed certs and puts them into the system. With that module enabled, I am able to use Joplin on a "homeserver.lan" domain.
+1
Another user imported the certificate in their phone and then it worked: https://github.com/laurent22/joplin/issues/191#issuecomment-368815685 Could you try this?
Dear @laurent22, first of all thank you very much for Joplin. It is exactly what I was searching for on my journey from Evernote over Nextcloud Notes to here. U did a great Jop (fun intended).
I have read quite a bit about CAs in Android over the last few days. The user "bufferovercat" unfortunately does not explain how exactly he installed his own CA into his device. Nor does he say which version of Android he uses.
However, I tested with two devices running Android 8.0.0 and 8.1.0. Both don't trust user-installed CAs. This article covers the problem quite well.
If you are rooted, you can move the user-installed CA to the system's keystore. This can be done with the Magisk Module "Move Certificates". Having done that I can easily use your app, but not before, since Android hadn't trusted my own CA.
+1, use of self signed certificates would be very helpful.
+1
+1
Also a shout-out of thanks!
Your desktop implementation is working great on my KDE Neon rigs!!
Thank you!
+1
Sounds like bypassing Android's own networking library and its refusal to connect HTTPS to a self-signed certificate might prove difficult.
Amusing: in the name of making things more secure by rejecting self-signed certificates, Android effectively requires me to expose my Nextcloud server to the internet, which is surely less secure than having it firewalled off.
@ziggr You know, I agree. I am going to spend some time trying to get the dns method of let's encrypt to work on a nonstandard port this week.
If anyone else is interested the guys at nextcloudpi are trying to make an automated/easy way to do this in their image.
https://github.com/nextcloud/nextcloudpi/issues/293
I was able to overcome this issue with Syncthing. I Syncthing my Desktop Synchronisation target directory to an Android defined directory. Works like a charm encrypted E2E!
Eureka!
But the problem is not fully overcome... I am trying to replicate the same solution in iOS (using the Nextcloud offline feature), but without success. I am not sure about the file path to access the Nextcloud offline directory, but I believe that I can't access it at all from Joplin...
Whatever the changes about the framework were, that were done to Joplin v. 1.0.141 (2097319) on Android - the workaround with the Magisk-powered system certificates no longer works.
I access my own server via a VPN and I do not want to expose it to the internet only for Joplin. Sadly I had to move my Joplin notes to a different location. I am very glad that E2E encryption is available.
+1 for the Android client. Nice work on Joplin in general. Thanks!
+1 we would love to use android sync for our study-circle ;-)
Thx for the nice work! Have been waiting for ages for a good note taking app which syncs with nextcloud ;-)
+1 for the Android app. Thank you!
+1 Joplin seems to cover all my needs, except this one. Great work anyway :+1:
+1 here: I have Joplin on the tablet (Android 6.0), working flawlessly with my server with self-signed certificate, whereas on my phone (Android 8.1) it does not work because of the certificate :-(
+1, support for self signed certificates would be great
+1, stuck on this issue as well.
Why don't you just create a valid cert with letsencrypt? It's really easy and takes no more than 15 minutes
@ReekyMarko Because, e.g., we might need to manage our own CA so that we can issue client certificates, which (AFAIK) you can not do with letsencrypt.
+1
Switched from Evernote to Joplin on my Linux laptops and on my Android phone, using my own WebDAV/SSL server. It works like a charm from everywhere, as long as I don't enable SSL, but fails from Android with self-signed SSL certs. It is impossible to send clear passwords with write permission serverside (WebDAV).
@ReekyMarko I chose Joplin to be independent of any service provider (Evernote in my case). I don't want to become dependent on another one (LetsEncrypt).
Here seems to be the solution : https://developer.android.com/training/articles/security-ssl#UnknownCa
+1 for the Android client. Nice work Thanks!
+1 for Android
Hi,
Following the new feature (version 1.0.252), did any of you succeed in using a self-signed certificate ?
I tried again and I still have the same error : Network request failed.
Thanks !
I have just tried it, and works as expected (for me).
Felix Rubio
"Don't believe what you're told. Double check."
Great @flixman !
Did you do anything special ?
The steps I followed:
Which version of Android do you have ?
Do we have the possibility to add debug logs to isolate this problem?
Thanks !
PS : In the Nextcloud logs :
X.XXX.X.XXX - username [16/May/2019:18:10:11 +0200] "MKCOL /remote.php/webdav/Joplin/.sync/ HTTP/1.1" 405 1544 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)"
X.XXX.X.XXX - username [16/May/2019:18:10:12 +0200] "MKCOL /remote.php/webdav/Joplin/.resource/ HTTP/1.1" 405 1544 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)"
X.XXX.X.XXX - username [16/May/2019:18:10:12 +0200] "PROPFIND /remote.php/webdav/Joplin/ HTTP/1.1" 207 3820 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)"
Nextcloud version 15.0.7
@SpeedBlack The only x509 extensions I have there are the following (for the CA and the server: I have multiple servers and I preferred a single wildcard server certificate used by all of them).
[ v3_ca ]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
nsComment = "OpenSSL Generated Certificate for CA"
[ v3_srv ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
nsComment = "OpenSSL Generated Certificate for Servers"
nsCertType = server
extendedKeyUsage = serverAuth
authorityKeyIdentifier = keyid
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = myserver.org
DNS.2 = *.myserver.org
My android version is 9, also, updated a couple of months ago.
Edit: I do not have the "Ignore TLS certificate errors" option checked in the desktop app.
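As an added example (not part of the comment above and not Joplin code): a script that builds a throwaway CA and server certificate from the extension sections posted above, with the Netscape-specific `nsComment`/`nsCertType` lines left out, and uses `openssl verify` to check which host names the result is valid for. Key size, lifetimes, subject names and file names are constructed for illustration.

```shell
# Added example. Key size, lifetimes, subject and file names are constructed.
make_certs() {  # $1 = empty working directory
    cat > "$1/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_srv ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
authorityKeyIdentifier = keyid
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = myserver.org
DNS.2 = *.myserver.org
EOF
    # Self-signed CA certificate carrying the v3_ca extensions.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/ext.cnf" \
        -extensions v3_ca -subj "/CN=Example Home CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null || return 1
    # Server key and CSR, then a certificate signed by the CA with v3_srv.
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ext.cnf" \
        -subj "/CN=myserver.org" -keyout "$1/srv.key" -out "$1/srv.csr" \
        2>/dev/null || return 1
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -extfile "$1/ext.cnf" -extensions v3_srv \
        -out "$1/srv.pem" 2>/dev/null
}

# Prints "trusted" if srv.pem chains to ca.pem AND its SAN covers host $2,
# otherwise "rejected". Always returns 0 so it is safe under `set -e`.
check_host() {
    if openssl verify -CAfile "$1/ca.pem" -verify_hostname "$2" \
        "$1/srv.pem" >/dev/null 2>&1
    then echo trusted; else echo rejected; fi
}

# Demo: a name covered by the wildcard SAN, and one that is not.
dir=$(mktemp -d) && make_certs "$dir" || exit 1
echo "cloud.myserver.org: $(check_host "$dir" cloud.myserver.org)"
echo "homeserver.lan:     $(check_host "$dir" homeserver.lan)"
```

A host name that is not listed under `[ alt_names ]` is rejected even though the chain to the CA is valid, so the SAN entries have to match the name the client actually connects to.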
Any possibility on more explanations or a how-to?
Been trying this weekend to get it working but I can't seem to get past the same error: Network request failed.
Joplin 1.0.260
Nextcloud 13
Android 7.1.2