Can't connect to self-signed ssl-certificates #381

Open
bobblkabb opened this issue Dec 24, 2017 · 13 comments

@bobblkabb

commented Dec 24, 2017

Illustrations

  • Device: Nexus 5
  • Channel: rc
  • Build: 21

Steps to reproduce

Setting up a nextcloud account. Due to dslite complications I'm forced to use a portmapper via feste-ip.net. So my nextcloud address looks like: https://mynextcloud.feste-ip.net:43383 or http://mynextcloud.feste-ip.net:45553
Tried both addresses, with and without ssl.

Expected behavior

Ask to accept self signed certificate and connect right after.

Actual behavior

Getting error message:
Invalid host URL

@mauricioduarte01

commented Dec 25, 2017

I remember having the same issue when using "https" with self-signed certificate. But everything is working good with lets-encrypt

@ernesst

commented Dec 26, 2017

There is no feature in utouch to add/accept a self signed certificate. An option to try would be to manually add it.

However, if you connect in http (not advised) you should have the self certificate problem.
Could you please try to pull some bug:
Connect to your phone with phablet-shell,
While in the online account menu, right before creating one
Launch in the terminal,

OAU_LOGGING_LEVEL=2 OAU_DAEMON_TIMEOUT=9999 online-accounts-service

Then create the nextcloud account the terminal should spit some log.
Clean the personal data and share them with us.

@bobblkabb

Author

commented Dec 27, 2017

@ernesst
Is there an easier way to do this (just adb shell for instance)?
Don't wanna waste shit loads of time just to set up phablet-shell..
Host [localhost]:2222 not found in /root/.ssh/known_hosts ssh_exchange_identification: read: Connection reset by peer

@ernesst

commented Dec 27, 2017

Adb shell does it too.
In any case the developer mode should be enabled

@bobblkabb

Author

commented Dec 27, 2017

Failed somehow. Got those messages after the last command before I tried to connect:

root@ubuntu-phablet:/var/log# online-accounts-service
(process:9016): accounts-glib-WARNING **: Cannot create directory: /root/.config/libaccounts-glib
(process:9016): accounts-glib-WARNING **: Error opening accounts DB: unable to open database file
Manager could not be created. DB is locked
(process:9016): accounts-glib-WARNING **: Cannot create directory: /root/.config/libaccounts-glib
(process:9016): accounts-glib-WARNING **: Error opening accounts DB: unable to open database file
Manager could not be created. DB is locked
(process:9016): accounts-glib-WARNING **: Cannot create directory: /root/.config/libaccounts-glib
(process:9016): accounts-glib-WARNING **: Error opening accounts DB: unable to open database file
Manager could not be created. DB is locked
Cannot open file "/root/.cache/online-accounts-service/client_account_refs.json"
(process:9016): accounts-glib-CRITICAL **: ag_manager_list_enabled: assertion 'AG_IS_MANAGER (manager)' failed
Couldn't save state to "/root/.cache/online-accounts-service/client_account_refs.json"
(process:9016): GLib-GObject-WARNING **: invalid (NULL) pointer instance
(process:9016): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
(process:9016): GLib-GObject-WARNING **: invalid (NULL) pointer instance
(process:9016): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failef
(process:9016): GLib-GObject-WARNING **: invalid (NULL) pointer instance
(process:9016): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
(process:9016): GLib-GObject-WARNING **: invalid (NULL) pointer instance
(process:9016): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
(process:9016): GLib-GObject-CRITICAL **: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
(process:9016): GLib-GObject-WARNING **: invalid (NULL) pointer instance
(process:9016): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
(process:9016): GLib-GObject-WARNING **: invalid (NULL) pointer instance
(process:9016): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
(process:9016): GLib-GObject-WARNING **: invalid (NULL) pointer instance
(process:9016): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
(process:9016): GLib-GObject-WARNING **: invalid (NULL) pointer instance
(process:9016): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
(process:9016): GLib-GObject-CRITICAL **: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
(process:9016): GLib-GObject-WARNING **: invalid (NULL) pointer instance
(process:9016): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
(process:9016): GLib-GObject-WARNING **: invalid (NULL) pointer instance
(process:9016): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
(process:9016): GLib-GObject-WARNING **: invalid (NULL) pointer instance
(process:9016): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
(process:9016): GLib-GObject-WARNING **: invalid (NULL) pointer instance
(process:9016): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
(process:9016): GLib-GObject-CRITICAL **: g_object_unref: assertion 'G_IS_OBJECT (object)' failed

Connecting itself didn't show anything.

@ernesst

commented Dec 27, 2017

Hum, i'm currently traveling, i don't remember the correct output.
Can you join the ubport telegram group ? And look for Ern_st ? In order to provide a finer output.

Next time paste the output on paste.ubuntu and copy the link.

@jonnius

Contributor

commented Jan 8, 2018

I can confirm that you can't connect to a nextcloud instance with self signed certificate. Do we need the enhancement to make this possible (optional)? I think since using lets encrypt is pretty easy, people should use it for their nextcloud instances (or another one).

@NeoTheThird NeoTheThird added bug and removed needs confirmation labels Jan 18, 2018

@NeoTheThird NeoTheThird changed the title Can't connect to my nextcloud Can't connect to self-signed certificates Jan 18, 2018

@NeoTheThird NeoTheThird changed the title Can't connect to self-signed certificates Can't connect to self-signed ssl-certificates Jan 18, 2018

@SaltyCybernaut

commented Oct 18, 2018

This is the reason why self signed certificates are not able to be added in the user interface. I could update it but I do not know how other parts of the system would react to a self signed certificate. Alternatively the public key for the self signed certificate could be added to the system certificate store. I had to do that for my internal CA and it worked after that.

@RobertZenz

commented May 26, 2019

> Alternatively the public key for the self signed certificate could be added to the system certificate store. I had to do that for my internal CA and it worked after that.

@SaltyCybernaut Could you explain how to do this?

@SaltyCybernaut

commented May 27, 2019

@RobertZenz there are 4 main steps to add your Certificate Authority / Self-signed Certificate:
(For clarity I used the term 'public key' earlier which really means the certificate, which is composed of a public key and any other cryptographically signed information like start date, end date, domain names, etc.)

  1. The root filesystem is mounted as read-only so it will need to be re-mounted with write permissions.
  2. You need to place your certificate in a specific directory /usr/local/share/ca-certificates/ and the filename for the certificate must end in .crt.
  3. You need to execute a system script update-ca-certificates to parse the ca-certificates directory for new certificates to process.
  4. Undo your changes in step 1 and re-mount the root file system as read-only.

I use two scripts to accomplish this, the first one is a helper script to remount the root file system and the second one renames my certificates (I like to have my certs end in .crt.pem which will be ignored if it does not end in .crt) adds them to the correct directory and executes the system script.

Script 1

cat remount-rootfs.sh
#!/usr/bin/env bash
# Remount the root filesystem read-write (no argument) or back to
# read-only ("undo").

if [ -z "$1" ]; then
   echo "mounting filesystem as read-write..."
   sudo mount -o remount,rw /
   echo -e "don't forget to undo this with:\n$0 undo"
elif [ "$1" == "undo" ]; then
   echo "mounting filesystem as read-only..."
   sudo mount -o remount,ro /
else
   echo "unrecognized option '$1', only valid option is 'undo'"
   exit 1
fi

Script 2

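cat add-priv-cer-authority.sh
#!/usr/bin/env bash
# Remount / read-write, install the certificates, rebuild the system
# trust store, then remount / read-only again.
bash remount-rootfs.sh
for crt in example-ca-1.crt.pem example-ca-2.crt.pem; do
   # Strip the trailing ".pem" so the installed file name ends in .crt
   sudo cp "$crt" "/usr/local/share/ca-certificates/${crt%.*}"
done
sudo update-ca-certificates
bash remount-rootfs.sh undo

@RobertZenz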

commented May 27, 2019

Thank you, a very thorough explanation.

I've followed the steps and the certificate has been added, but Morph still doesn't trust my domain nor can I add an account through the system settings. Not sure what else I can do here.

@SaltyCybernaut

commented May 27, 2019

@RobertZenz, the problem you are having with Morph is a known issue, from what I can gather, Morph does not use the certificates trusted by the system and there is no user facing mechanism to add trusted certificates (Firefox is the same except it has a way to add certificates).

Adding your certificate to the system will allow you to add an "online account" and I can confirm that it works with the option 'Nextcloud' and 'Generic CalDav' under Settings > Accounts.

Since you are still having issues I would recommend first to double check your work then start looking at other issues possibly related to your certificate generation. From my personal experience with creating a Certificate Authority for my own use there are a multitude of options (certificates have a wide range of uses) and each browser/system can be picky about what certificate options/parameters they will accept. For example I managed to create a certificate one time that Firefox accepted and Chrome rejected.

Also collecting any and all logs will help others diagnose your issue.
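
An added example, not part of the thread and not the project's code: a pre-flight check for a certificate before it goes through the four steps above, plus a check that it verifies against a given CA bundle afterwards. It assumes the `openssl` CLI is available; the function names and the host `cloud.example.test` are hypothetical, and the sample certificate is constructed on the fly.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Function names and the host
# cloud.example.test are hypothetical; requires the openssl CLI.

# check_cert FILE HOST: print one line per problem, return 0 only if none.
check_cert() {
   local file=$1 host=$2 problems=0
   case "$file" in
      *.crt) ;;
      *) echo "name: update-ca-certificates skips files not ending in .crt"
         problems=1 ;;
   esac
   if ! openssl x509 -in "$file" -noout 2>/dev/null; then
      echo "format: not a PEM-encoded X.509 certificate"
      return 1
   fi
   # -checkend 0 exits non-zero if the certificate has already expired.
   openssl x509 -in "$file" -noout -checkend 0 >/dev/null ||
      { echo "validity: certificate has expired"; problems=1; }
   # -checkhost compares HOST with the names in the certificate.
   openssl x509 -in "$file" -noout -checkhost "$host" | grep -q 'does match' ||
      { echo "host: certificate is not valid for $host"; problems=1; }
   return "$problems"
}

# trusted_by BUNDLE FILE: 0 if FILE verifies against the CAs in BUNDLE.
# After step 3 on a Debian/Ubuntu-style system, BUNDLE would be
# /etc/ssl/certs/ca-certificates.crt (assumption: default bundle location).
trusted_by() {
   openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed sample: throwaway self-signed certificate for a made-up host.
make_sample() {
   openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=cloud.example.test" \
      -addext "subjectAltName=DNS:cloud.example.test" \
      -keyout "$1/sample.key" -out "$1/sample.crt" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample "$tmp"
check_cert "$tmp/sample.crt" cloud.example.test && echo "ok for cloud.example.test"
check_cert "$tmp/sample.crt" other.example.test || echo "rejected for other host"
trusted_by "$tmp/sample.crt" "$tmp/sample.crt" && echo "verifies against itself"
rm -rf "$tmp"
```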

@RobertZenz

commented May 27, 2019

Yes, there is a certain possibility that I screwed up the certificate as I just realized, I have to double check that. Thanks for coming back to me.
