[Tracking] Connection fails with self-signed HTTPS certificate #301

Closed
overvox opened this issue Feb 11, 2021 · 13 comments
Labels
bug Something isn't working

Comments

overvox commented Feb 11, 2021

Describe the bug
When trying to connect to an HTTPS server (using a reverse proxy with nginx), the message "Could not establish connection" appears.
However, connecting via HTTP works. A similar bug occurs in the FireTV app. Browsers and the iOS app work fine, however.

To Reproduce
Can send server details in private if necessary for testing.

Expected behavior
Connection with HTTPS server can be established. Tested in Browser and iOS apps, works perfectly.

System (please complete the following information):

  • App version: 2.1+
  • Android version: Android 10
  • Device manufacturer and model: Samsung Galaxy S10 & FireTV stick 4k
  • Jellyfin server version: 10.6.4 running on ubuntu 20.04
overvox added the bug label Feb 11, 2021

ChrisG661 (Contributor) commented Feb 23, 2021

I am also having the same problem, particularly with a Let's Encrypt certificate on an older device. I do think this is a problem with the Let's Encrypt intermediate CA and not serving the full chain. It works on newer devices, but only on the first connection attempt. I haven't retrieved the logcat from my newer device, so I will update tomorrow.

ChrisG661 (Contributor) commented Feb 23, 2021

I found the issue.
If you are using Let's Encrypt, serve the full chain (fullchain.pem) or include the intermediate CA (chain.pem).
The Let's Encrypt website mentions this:

When configuring a web server, the server operator configures not only the end-entity certificate, but also a list of intermediates to help browsers verify that the end-entity certificate has a trust chain leading to a trusted root certificate. Almost all server operators will choose to serve a chain including the intermediate certificate with Subject “R3” and Issuer “DST Root CA X3.”

The wiki also mentions this, although I somehow skipped it.
If not, then take a look at this for creating a fullchain certificate.

overvox (Author) commented Feb 23, 2021

Hey @ChrisG661,

I just tested serving the fullchain.pem and it fixed the issue on my S10.
I can't believe I missed that as well.

Thanks a lot for finding the issue!

Not sure how to handle this issue then, since according to the documentation it's technically not a bug...but might confuse others in the future.

@MoneroArbo commented

Same issue, except I really don't see why I would want my cert signed by a CA other than that the app requires it. Is there any chance to get support for self-signed SSL certs in the app?

@nielsvanvelzen (Member) commented

Please test again with the beta version of the app, it might work now.

@MoneroArbo commented

I guess I was a little trigger-happy. I already deleted the container running my Jellyfin server instance in favor of trying to set up Airsonic or another alternative.

So before I set anything back up, can you clarify if the beta app should work with self-signed certs now, if there's at least a patch for it somewhere in the pipeline, or if you're just speculating that it might?

@nielsvanvelzen (Member) commented

It might; we use a brand new library under the hood for all network requests, so that might fix issues like this. Do note that self-signed certificates are not something officially supported by us because it's unsafe.

MoneroArbo commented Jun 5, 2021

Afaik, using self-signed certs is pretty standard for self-hosted stuff that only 1 or 2 people are going to connect to. Most such software supports it. As long as you compare and store the fingerprint on first connect, I don't see the issue. Maybe you'd like to elaborate?

Sorry, if it was easy to test or had been intentionally fixed, I'd be happy to test, but if the position is that it won't be supported but might incidentally work, I think I'll move on to trying some non-jellyfin solutions.

edit: The irony here is that the Jellyfin Android app supports connecting with no SSL at all, sending username and password in the clear. How that is safer than a self-signed cert is, I suppose, the real question.

nodiscc commented Jun 14, 2021

signed certificates are not something officially supported by us because it's unsafe.

Self-signed certificates are safe if you manually verify the fingerprint against a known-good fingerprint you got from an out-of-band, secure channel (TOFU).

They are also very secure if you installed the signing CA as a valid CA on your device. As far as I know there is no simple way to add your own CA cert as a trusted CA for Android apps (or is there?).

I second the need to support self-signed/custom CA-signed certificates in the Jellyfin app (a dialog to accept/reject a self-signed cert on first connection would be great).
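
The two failure modes discussed in this thread (a server that sends only its leaf certificate instead of fullchain.pem, and a self-signed or private-CA certificate that is checked by fingerprint over an out-of-band channel) can be told apart from the client side. The following diagnostic script is an added example, not code from the Jellyfin project; it uses only the Python standard library, and the OpenSSL error strings it matches on are the ones the `ssl` module surfaces in `SSLCertVerificationError`.

```python
import hashlib
import hmac
import socket
import ssl


def classify_verify_error(message: str) -> str:
    """Map an OpenSSL verification failure message to a fix-oriented diagnosis."""
    m = message.lower()
    if "unable to get local issuer certificate" in m:
        # Leaf only, no intermediate: the server should serve fullchain.pem.
        return "missing-intermediate"
    if "self-signed certificate" in m or "self signed certificate" in m:
        # Private CA or self-signed leaf: install the CA on the device, or pin the fingerprint.
        return "self-signed"
    if "certificate has expired" in m:
        return "expired"
    return "other"


def leaf_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated as OpenSSL prints it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def tofu_matches(observed: str, expected: str) -> bool:
    """Constant-time comparison of two fingerprints, ignoring case and colon separators."""
    norm = lambda s: s.replace(":", "").lower()
    return hmac.compare_digest(norm(observed), norm(expected))


def diagnose(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Attempt a verified handshake; on failure, classify it and fetch the leaf fingerprint."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                fp = leaf_fingerprint(tls.getpeercert(binary_form=True))
                return {"verified": True, "diagnosis": "ok", "fingerprint": fp}
    except ssl.SSLCertVerificationError as exc:
        diagnosis = classify_verify_error(str(exc))
    # Second, unverified connection only to read the leaf for out-of-band comparison.
    peek = ssl.create_default_context()
    peek.check_hostname = False
    peek.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with peek.wrap_socket(sock, server_hostname=host) as tls:
            fp = leaf_fingerprint(tls.getpeercert(binary_form=True))
    return {"verified": False, "diagnosis": diagnosis, "fingerprint": fp}
```

Run `diagnose("media.example.invalid")` against your own server: "missing-intermediate" means the nginx `ssl_certificate` should point at fullchain.pem, while "self-signed" is expected for a private CA and the returned fingerprint is what you compare against the one you obtained out of band.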

@nielsvanvelzen (Member) commented

Sorry, I sent that message quite quickly, and now that I read it again I phrased it wrongly. I meant that self-signed certificates can be dangerous (and unsafe) if not used correctly.
The app uses the certificate store from the operating system, so installing certificates in the OS should work fine. We do not provide support to set certificates for the app specifically to use, as I expect that to be hard to support and maintain. (But if you can prove me wrong, I'm open to pull requests!)

@Maxr1998 (Member) commented

We do not provide support to set certificates for the app specifically to use as I expect that to be hard to support and maintain. (But if you can prove me wrong I'm open for pull requests!)

Just as a "warning" beforehand: the current web app will eventually be replaced by a native app, which won't use a WebView anymore and will only connect to Jellyfin through the Kotlin SDK.
Thus, a potential contribution adding support to manually accept such certificates may become obsolete in the future. I suppose it would be better to wait for the native client before trying to implement this feature.

@CarlosOlivo (Contributor) commented

I confirm that the latest beta / current master works correctly with properly created self-signed certificates.

See #188 to learn how to create a self-signed certificate compatible with Android.

What I have noticed is that jellyfin-sdk-kotlin silently swallows any SSL error (there is no more javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found).

A suggestion to the devs, add a reason field to RecommendedServerInfo or create a custom RecommendedServerInfoScore like ERROR_SSL or whatever to display a proper message.

// Find servers and classify them into groups.
// BAD servers are collected in case we need an error message,
// GOOD are kept if there's no GREAT one.

Maxr1998 changed the title from "Android App 2.1+ (& FireTV 4k) HTTPS can't establish server connection" to "[Tracking] Connection fails with self-signed HTTPS certificate" on Jun 18, 2021
Maxr1998 pinned this issue Jun 18, 2021
nielsvanvelzen unpinned this issue Aug 11, 2021

@nielsvanvelzen (Member) commented

Closing since this issue is fixed. We will provide additional error reporting in the future (already merged in the SDK).
