
Comments (21)

jmattheis avatar jmattheis commented on August 16, 2024

@gjabell Thanks! I'll have a look at it in the afternoon.

from android.

jmattheis avatar jmattheis commented on August 16, 2024

@gjabell Thanks for your issue (:
Yeah it should be possible, later this week I'll have a look at it.

gjabell avatar gjabell commented on August 16, 2024

@jmattheis Sure thing! I might be able to contribute too if you want some extra help.
Looking forward to trying it out!

jmattheis avatar jmattheis commented on August 16, 2024

@gjabell That would be great (:, I myself have not much experience with self-signed certificates and android, so feel free to try it.

gjabell avatar gjabell commented on August 16, 2024

@jmattheis Looks like it isn't too hard to implement, I have some partial implementation already. Would you prefer that we disable SSL validation completely, or ask the user for their self-signed Certificate Authority certificate to use for validation?

jvandenbroek avatar jvandenbroek commented on August 16, 2024

Does it work at all with SSL? Because I've set up my already issued Letsencrypt certificate (certfile / certkey) and this works fine from the browser, but the Android client keeps returning status code 0. The server prints this log: http: TLS handshake error from 192.168.130.203:44707: remote error: tls: unknown certificate

Sorry for hijacking this thread, but it seems related ;)

gjabell avatar gjabell commented on August 16, 2024

@jvandenbroek All good! Are you connecting to your server from your phone with the IP address or hostname? Also can you list your server config file here (just put placeholders in place of the private information).

jvandenbroek avatar jvandenbroek commented on August 16, 2024

@gjabell Alright :) I'm using the hostname which works fine on the browser, so the certificate itself seems to be loaded fine.

My /etc/gotify/config.yml:

server:
  port: 8084 # the port for the http server
  ssl:
    enabled: true # if https should be enabled
    redirecttohttps: true # redirect to https if site is accessed by http
    port: 4444 # the https port
    certfile: /etc/letsencrypt/live/mydomain/cert.pem # the cert file (leave empty when using letsencrypt)
    certkey: /etc/letsencrypt/live/mydomain/privkey.pem # the cert key (leave empty when using letsencrypt)
    letsencrypt:
      enabled: false # if the certificate should be requested from letsencrypt
      accepttos: false # if you accept the tos from letsencrypt
      cache: data/certs # the directory of the cache from letsencrypt
      hosts: # the hosts for which letsencrypt should request certificates
      - mydomain.tld
      - myotherdomain.tld
database: # for database see (configure database section)
  dialect: sqlite3
  connection: data/gotify.db
defaultuser: # on database creation, gotify creates an admin user
  name: admin # the username of the default user
  pass: admin # the password of the default user
passstrength: 10 # the bcrypt password strength (higher = better but also slower)
uploadedimagesdir: data/images # the directory for storing uploaded images

Where 'mydomain' is the correct domain dir I use for all my apps. Running with root (only during testing of course ;)), so no permission issues.

Btw I also tried the default port 443, same issue.
Edit: I'm using the prebuilt arm64 binary, maybe it has something to do with that?

gjabell avatar gjabell commented on August 16, 2024

@jvandenbroek Ah, ok, I think I know the issue. Letsencrypt should give you multiple files, one is cert.pem and another is fullchain.pem. Fullchain.pem has the entire certificate chain in it, and that's the one you want to use. I just got the same error message as you when testing your config locally, but if I change the certfile line to be /etc/letsencrypt/live/mydomain/fullchain.pem it works for me :) Can you try that out?

jvandenbroek avatar jvandenbroek commented on August 16, 2024

@gjabell Great, that seems to be the culprit! Thank you, I could have tested that myself... I was a bit misled by the fact that it works with only the privkey file when accessing from desktop :)

jmattheis avatar jmattheis commented on August 16, 2024

@gjabell

@jmattheis Looks like it isn't too hard to implement, I have some partial implementation already. Would you prefer that we disable SSL validation completely, or ask the user for their self-signed Certificate Authority certificate to use for validation?

It would be great to support both, I guess adding the self-signed certificate would be more secure than just disabling it.

gjabell avatar gjabell commented on August 16, 2024

@jvandenbroek Glad to hear it :) yeah it's a bit confusing, I think in the browser the cert is enough to prove that it's from letsencrypt but I guess if you're accessing it from android you need the full chain.

@jmattheis Yeah that's a good point. I guess I can just add some options to the login screen to either disable SSL validation for the current login or select a certificate authority file from the filesystem?
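
The following Go program is an added example, not code from gotify or from anyone in this thread. It reproduces the two points made above in one place: a server configured with cert.pem alone sends only the leaf certificate, so a client that ships just the root (as the Android client does, with no fetching of missing intermediates) cannot build a chain and rejects the handshake, while fullchain.pem also carries the intermediate and verifies; and it contrasts the two client options discussed for self-signed certificates, trusting a supplied CA versus switching verification off, which accepts any certificate for any name. The CA names, the hostname gotify.example.internal and the throwaway keys are constructed for the example; Let's Encrypt's real chain is likewise root, intermediate, site certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 // distinct serial per certificate; values are arbitrary here

// mkCert issues a certificate for cn. With parent == nil it is self-signed (a root),
// otherwise it is signed by parent: an intermediate when isCA, a server leaf when not.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // the hostname the client will check (constructed)
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// handshake starts a TLS listener that presents chain (leaf first, DER) and dials it
// with clientCfg. It returns the client's handshake error, nil when verification passed.
func handshake(chain [][]byte, key *ecdsa.PrivateKey, clientCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: chain, PrivateKey: key}},
	})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		// Server side of the handshake. When the client rejects the chain it sends an
		// alert; net/http reports that as the "http: TLS handshake error" line quoted above.
		_ = c.(*tls.Conn).Handshake()
		c.Close()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// Result holds the client-side outcome of the three server/client combinations.
type Result struct {
	LeafOnly  error // server has cert.pem only, client trusts the root: fails
	FullChain error // server has fullchain.pem, client trusts the root: passes
	Insecure  error // server has cert.pem only, client verification disabled: passes
}

// IsUnknownAuthority reports whether err is the chain-building failure a client gets
// when the intermediate is missing and it trusts only the root.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// Run builds root -> intermediate -> leaf and exercises the three combinations.
func Run() Result {
	root, rootKey := mkCert("Example Root CA", true, nil, nil)
	inter, interKey := mkCert("Example Intermediate CA", true, root, rootKey)
	leaf, leafKey := mkCert("gotify.example.internal", false, inter, interKey)

	trust := x509.NewCertPool()
	trust.AddCert(root) // a client ships roots only; the intermediate must come from the server
	verifying := &tls.Config{RootCAs: trust, ServerName: "gotify.example.internal"}
	disabled := &tls.Config{InsecureSkipVerify: true} // accepts any certificate, any name

	return Result{
		LeafOnly:  handshake([][]byte{leaf.Raw}, leafKey, verifying),
		FullChain: handshake([][]byte{leaf.Raw, inter.Raw}, leafKey, verifying),
		Insecure:  handshake([][]byte{leaf.Raw}, leafKey, disabled),
	}
}

func main() {
	r := Run()
	fmt.Println("cert.pem only, client trusts root:     ", r.LeafOnly)
	fmt.Println("fullchain.pem, client trusts root:     ", r.FullChain)
	fmt.Println("cert.pem only, verification disabled:  ", r.Insecure)
}
```

Run it with go run: the first combination fails with a "certificate signed by unknown authority" error, the other two report nil. The third line is the trap of the "disable SSL validation" option: it passes for this server, but it would pass just as readily for anyone on the path who presents their own certificate, which is why supplying the self-signed CA (the trust pool in the second combination) is the option worth taking.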

gjabell avatar gjabell commented on August 16, 2024

@jmattheis Alright, just opened a merge request in #15 :) sorry there are so many changes. If you want me to explain any of the changes I made or want something done differently just let me know. I tested it using both my self-signed cert and also a LetsEncrypt cert and didn't have any issues, but if you find anything not working let me know and I'll fix it.

Leopere avatar Leopere commented on August 16, 2024

It's pretty trivial to setup a Traefik reverse proxy with automatic LetsEncrypt provisioning if you deploy via docker.

jmattheis avatar jmattheis commented on August 16, 2024

@Leopere Yup, but if Gotify is hosted inside an internal network then letsencrypt is not an option because it shouldn't be visible to the outside.

Leopere avatar Leopere commented on August 16, 2024

gjabell avatar gjabell commented on August 16, 2024

It's possible, just more work than using a self-signed CA especially if you are provisioning lots of clients. You can also run into rate-limit issues if you have many certificates to issue.

Leopere avatar Leopere commented on August 16, 2024

gjabell avatar gjabell commented on August 16, 2024

It depends on the context, obviously since I'm running all of my services for myself, using SSL/TLS for internal networks is a bit overkill (gotta get that green lock though!), but in a corporate setting it's equally as important to encrypt internal as external traffic.

Leopere avatar Leopere commented on August 16, 2024

jmattheis avatar jmattheis commented on August 16, 2024

Done in #15
