Certificate signed by unknown authority #184

Open
Artiom-M opened this issue Feb 28, 2018 · 22 comments

@Artiom-M

On the login screen Low level error is shown (see screenshot)

I have the authority certificate for this server loaded into the phone nextcloud app and various sync apps are working without any issue.

Server configuration

Nextcloud version: 13

Android version: 6

Phone: Samsung

Nextcloud SMS app version: Latest from F-Droid

[Screenshot: screenshot_20180228-134548]

@nerzhul
Owner

nerzhul commented Mar 1, 2018

Hello,
this problem occurs when you have a self-signed certificate which doesn't include the server name in its fields. It's due to Golang's stronger and non-removable security on certificates.

@Artiom-M
Author

Artiom-M commented Mar 2, 2018

What fields should contain the server name? My certificate does contain the server name in the CN and DNS fields.

@nerzhul
Owner

nerzhul commented Mar 2, 2018

@Artiom-M then it's good... hmm, did you use a CA?

@Artiom-M
Author

Artiom-M commented Mar 2, 2018

Yes. And CA's certificate is loaded into Android and trusted.

@GraveChaos

I'm also experiencing this with a certificate signed by my own CA. The root and intermediate CA certificates are loaded into the Android trust store (as User CAs; the phone is not rooted).
I believe the certificate is OK - the server name is in both the Common Name and also as a Subject Alternate Name.
If I replace the server certificate with one from LetsEncrypt then I can sign in OK in the Nextcloud SMS App.
Perhaps the app is not trusting non-system CAs for some reason?
I'm running the latest NC-SMS app from Google Play - v2.0.4

@marskl

marskl commented May 1, 2018

Are there any plans to get it running with self signed certificates?

@cpu20

cpu20 commented Jun 21, 2018

I implemented a workaround for this problem. In this version I used a checkbox to disable SSL certificate checks. This is not the best way to do it; the best option would be to accept the self-signed certificate after inspection and do this for every new self-signed certificate. But doing this would require editing the ncsmsgo files, and since I don't know anything about the Go language, that was not an option.
I hope this is useful for some people as a temporary fix.

@swedneck

I'm using a Let's Encrypt cert and I'm encountering the same problem.

@nerzhul
Owner

nerzhul commented Sep 26, 2018

@cpu20 you are using a very old ocsms version
@swedneck you should configure your SSL chain on your nginx/apache to provide the chain to the client

@swedneck

I'm not sure what you want me to do, as I have SSL certs configured and working perfectly well for all other applications. Nextcloud SMS is the only app which complains about certificates.

@nerzhul
Owner

nerzhul commented Sep 26, 2018

@swedneck I'm using Let's Encrypt too with nginx and it works well (before, I had an Apache with it and it worked too, but if you miss the SSLCertificateChain it doesn't work, because it cannot validate)

@swedneck

My bad, turns out nginx was using cert.pem instead of fullchain.pem for some reason.

@SiteMaster1

Hello.
Doesn't work with a third-level domain
SSL Certificate from Let'sEncrypt for *.XXXXX.ru
Name for nextcloud: nc.XXXXX.ru
NextCloud 14
Android 8
Phone - Galaxy S8
Apps from playmarket. From F-Droid doesn't work either. (((

@cpu20

cpu20 commented Oct 19, 2018

@nerzhul The version I modified was pulled directly from the master branch. I don't see why I would be using an old version?

@Disciplus86

Disciplus86 commented Nov 19, 2018

@SiteMaster1 I have the same problem:
wildcard with let's encrypt with pfsense (ACME) *.XXXX.fr
Name for nextcloud: nextcloud.XXXXX.fr
NextCloud 14.03
Android 8.1 (lineageos 15.1)

No problem with the application nextcloud & nextcloud talk from F-DROID

@nerzhul wildcard let's encrypt is not supported by Nextcloud SMS (2.04)?

@nerzhul
Owner

nerzhul commented Nov 20, 2018

@Disciplus86 it's supported because it's Golang library support and I'm sure it works, else many binaries in the world would not work, but you should configure the SSLCertificateChain on your server side

@Disciplus86

Thx @nerzhul, but the reverse proxy on my firewall (pfSense) generates the wildcard Let's Encrypt certificate, not Nextcloud; Nextcloud uses an auto-generated certificate.
pfSense will replace the certificate for the client (like a man in the middle ;-) ).

@chrbayer

chrbayer commented Jan 24, 2019

Hi, it can't work with self signed certificates at the moment, it has to be allowed in the AndroidManifest.

in AndroidManifest.xml insert a new line after 37:android:allowBackup="true":
android:networkSecurityConfig="@xml/network_security_config"

and a new file res/xml/network_security_config.xml with this content:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
</network-security-config>

This gives Android the permission to use self installed certificates, too :-)
Since the app crashes in my Emulator, I can not test, please someone with a working setup, make this small change :-)

And if it is working, I will purchase the app in the Store :-)

Best regards,
Christoph

@Zombie-Ryushu

I am still having this issue.

@ghost

ghost commented Nov 17, 2019

Looks like this issue is still relevant, even after a year and a half...

nextcloud/ocsms#296 (comment)

You can see my issue/details above ^ Note that the Nextcloud/php versions are higher than they were at that time I posted.

@Disciplus86

I have found the solution (for me) with the self-signed certificate: do not use the reverse proxy (squid) with pfSense, use HAProxy on pfSense, and now: all working!!! XD (for me)

I have used this tutorial 👍 https://blog.devita.co/pfsense-to-proxy-traffic-for-websites-using-pfsense/

@ghost

ghost commented Jan 28, 2020

@Disciplus86 I'm actually not using those proxies (using Apache).

I ended up implementing @cpu20's fix at this commit of his:
https://gitlab.com/cpu20/ownCloud-SMS-App-Fork/commit/0173a12dfd6ec499e772b55dc852a75bd7dd7e04

Just cloned this project down, merged his change into it, gradle built it, and then put it on my phone. Logs me in like a charm. Thank you cpu20!

Now if I can figure out how to get it to actually sync and work like an SMS app lol.

edit: Note it just takes a little while to sync. There wasn't really any UI indication of a sync happening. Also wish it would show my messages within the app itself... But maybe I'm asking for too much ;) It seems to work though - I can see all my SMS on the server. So much happier now that I have these things backed up somewhere.
