allow custom CA - UNABLE_TO_VERIFY_LEAF_SIGNATURE #343

Closed
bugsyb opened this Issue Mar 28, 2018 · 8 comments


bugsyb commented Mar 28, 2018

Operating system

  • Windows
  • macOS
  • Linux
  • Android
  • iOS

Application

  • Desktop
  • Mobile
  • Terminal

This issue is linked to: #191

The problem is that for private purposes a custom CA is used and installed on the system (Linux/Windows/Android, OSX).

Joplin seems to ignore the trusted CA list and raises the error below:

Error. Please check that URL, username, password, etc. are correct and that the sync target is accessible. The reported error was:
request to https://myhost/ failed, reason: unable to verify the first certificate (Code UNABLE_TO_VERIFY_LEAF_SIGNATURE)

All other system apps work fine. Additionally, I have DLP with SSL bump signing all certs generated on the fly with the trusted CA, and all apps work fine (unless the app has cert pinning embedded). This should not be the case for Joplin and the connection should be established correctly.


snicker commented May 17, 2018

Got really excited to use Joplin and updated my ownCloud installation from 9.1 to Nextcloud 13, spent a couple of hours configuring a Let's Encrypt certificate for my server, and now I am finding that this doesn't work simply because Let's Encrypt still isn't trusted by Mozilla?


instantlinux commented Jun 17, 2018

I have a local root CA that I install on all the organization's laptops/devices. And I want to use Joplin on those devices, using a private NextCloud server signed by that same root CA. Add me to the list of users who want this feature. We don't want to send data to a cloud service like Dropbox, or purchase an SSL cert just for this application.

This is a request for multi-platform support across Mac OS, Linux, Windows, mobile.


Owner

laurent22 commented Jun 17, 2018

@instantlinux, I would expect the Android app to work if you've installed the root CA. If it does not work, please could you provide the error message? (To find the log, see https://joplin.cozic.net/debugging/ )


instantlinux commented Jun 17, 2018

@laurent22 the iPhone iOS app works thanks to built-in functionality of the cert-installation mechanism on that platform; I'm an iPhone user not an Android user but am glad to hear it works there. But I cannot use the Joplin client on Linux, Windows or Mac OS--all of which are in use here.


Owner

laurent22 commented Jun 18, 2018

@instantlinux, I wonder though, the fact that it shows this error on desktop, doesn't it mean that the cert is wrongly configured? On here they mention these steps - does it work if you try this? https://stackoverflow.com/a/22263280

It's good to know that it works on iOS anyway. On desktop, if it's really needed I could add an option to ignore SSL errors, but I'd like to be sure it cannot be fixed by installing the cert differently.


instantlinux commented Jun 18, 2018

See issue #191. I've added a trusted CA (self-generated) to, say, the local trust on my MacBook Pro (via Keychain Access) for the domain I manage. I've got at least a dozen other services/apps that are already working fine (e.g. green lock icon on the browser bar)--I'm not invoking an "ignore SSL errors" feature, I'm actually validating that the certs I've signed with the self-generated local CA are in fact valid against that CA.


instantlinux commented Jun 18, 2018

To reproduce this on an Ubuntu desktop, create a self-signed root CA cert into /usr/local/share/ca-certificates/local/ and then invoke update-ca-certificates. Use that CA to create a cert for the nextcloud service. Confirm from your browser that you can log into the nextcloud server without any SSL errors. Then try to sync Joplin against it from your Ubuntu desktop or your Macbook. Doesn't work.
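The trust-store mismatch discussed in this thread, as an added example that is not part of the original issue and is not Joplin's code: by default Node.js validates TLS peers against its bundled root list, so a CA that lives only in the OS store leads to `UNABLE_TO_VERIFY_LEAF_SIGNATURE`. The sketch assumes the desktop client sends sync requests through Node's `https` stack; the function names and the sample bundle are hypothetical.

```javascript
const tls = require('node:tls');
const https = require('node:https');

// Constructed placeholder bundle (not real certificates), shaped like a PEM CA file.
const SAMPLE_BUNDLE = [
  '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgUExBQ0VIT0xERVIgMQ==\n-----END CERTIFICATE-----',
  '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgUExBQ0VIT0xERVIgMg==\n-----END CERTIFICATE-----',
].join('\n');

const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Split a PEM bundle into individual certificates. Refuse files that carry a
// private key (a CA key must never ship to clients) or no certificate at all.
function splitPemBundle(pemText) {
  const text = String(pemText);
  if (/-----BEGIN [A-Z ]*PRIVATE KEY-----/.test(text)) {
    throw new Error('CA bundle must not contain a private key');
  }
  const certs = text.match(PEM_CERT) || [];
  if (certs.length === 0) {
    throw new Error('no certificate found in CA bundle');
  }
  return certs;
}

// Passing `ca` REPLACES Node's default roots, so the private CA is appended to
// tls.rootCertificates; public CAs stay verifiable alongside the local one.
function buildTrustedCas(extraPemText) {
  return [...tls.rootCertificates, ...splitPemBundle(extraPemText)];
}

// Agent that trusts the extra CA while chain and hostname checks stay enabled,
// unlike an "ignore SSL errors" switch (rejectUnauthorized: false).
function makeAgent(extraPemText) {
  return new https.Agent({
    ca: buildTrustedCas(extraPemText),
    rejectUnauthorized: true,
  });
}
```

With a real CA file, read it with `fs.readFileSync(path, 'utf8')` and pass the resulting agent as the `agent` option of the HTTPS request; the placeholder bundle above only exercises the parsing and merging.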

@laurent22 laurent22 closed this in aa7da78 Jun 19, 2018

laurent22 added a commit that referenced this issue Jun 20, 2018
