Nextcloud with self signed certificate

App version: AntennaPod 2.5.0 & NextCloud GPodder Sync App. 3.2.0

Android version: 12.0

Device model: Google Pixel 3

Expected behaviour: Login to NextCloud GPodderSync App without any error message.

Current behaviour: My NextCloud is hosted on my home network at 192.168.0.222

First occurred: Yesterday. This was my first attempt to sync to NextCloud GPodderSync App.

Steps to reproduce:

  1. I make sure my phone is connected to my home WiFi router which is the same network that my Nextcloud Server is on, then I open AntennaPod App on my phone.
  2. Go to Settings, then Synchronization
  3. Tap on “Choose synchronization provider” then tap on “Nextcloud Gpoddersync…”
    FYI, I have the GpodderSync App enabled on my Nextcloud server.
  4. In the Hostname box I type the local ip address of my NextCloud server: https://192.168.0.222/
  5. The following ERROR message is displayed: " java.security.cert.CertPathValidatorException: Trust anchor for certification path not found."

Environment:
I have configured a self-signed security certificate on my server so that I can connect via https://
My NextCloud server was installed via the snap package from this page - Install nextcloud on Linux | Snap Store - and my server is running Ubuntu 20.04 LTS.

My Question:
How do I eliminate the Error message so that I can login securely to carry out a sync?

You can add the self-signed certificate to your device’s list of trusted certificates. AntennaPod uses that list to check validity.
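As an added illustration (not code from the thread or from AntennaPod), the script below builds a small private CA, issues a server certificate for a Nextcloud host reached by LAN IP, and then runs the same chain check a client performs; the "Trust anchor for certification path not found" error in the report is that check failing because the phone does not yet trust the CA. It assumes OpenSSL 1.1.1 or newer on PATH; the CA name, file names and directory are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Creates a private CA plus a server
# certificate whose subjectAltName carries the LAN IP, then verifies the chain.
# Assumes OpenSSL 1.1.1+; every name and path below is hypothetical.
set -eu
make_home_ca() {
  dir="$1"; ip="$2"   # output directory, LAN address (e.g. 192.168.0.222)
  mkdir -p "$dir"
  # 1. Private CA. Only this certificate is imported on the phone; the server's
  #    leaf certificate never is.
  cat >"$dir/ca.cnf" <<EOF
[req]
distinguished_name=dn
prompt=no
x509_extensions=ca_ext
[dn]
CN=Home Nextcloud CA
[ca_ext]
basicConstraints=critical,CA:TRUE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1825 -config "$dir/ca.cnf" \
    -keyout "$dir/home-ca.key" -out "$dir/home-ca.crt" 2>/dev/null
  # 2. Server key and CSR (-subj overrides the DN in ca.cnf; x509_extensions is
  #    not applied when generating a CSR).
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/ca.cnf" -subj "/CN=$ip" \
    -keyout "$dir/nextcloud.key" -out "$dir/nextcloud.csr" 2>/dev/null
  # 3. Leaf extensions: clients match the address against subjectAltName, not CN,
  #    so the IP must be listed there; CA:FALSE keeps the leaf from issuing certs.
  cat >"$dir/leaf.ext" <<EOF
basicConstraints=critical,CA:FALSE
extendedKeyUsage=serverAuth
subjectAltName=IP:$ip
EOF
  openssl x509 -req -sha256 -days 825 -in "$dir/nextcloud.csr" -CA "$dir/home-ca.crt" \
    -CAkey "$dir/home-ca.key" -CAcreateserial -extfile "$dir/leaf.ext" \
    -out "$dir/nextcloud.crt" 2>/dev/null
  # 4. DER copy of the CA certificate for Android's "Install a certificate" dialog.
  openssl x509 -in "$dir/home-ca.crt" -outform DER -out "$dir/home-ca.der"
}
# Chain check: does nextcloud.crt chain to the given anchor, and does it name the
# address the client connects to? Returns 0 only if both hold.
verify_chain() {
  dir="$1"; ip="$2"
  openssl verify -CAfile "$dir/home-ca.crt" "$dir/nextcloud.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$dir/nextcloud.crt" -noout -text | grep -q "IP Address:$ip"
}
if [ $# -eq 2 ]; then
  make_home_ca "$1" "$2" && verify_chain "$1" "$2" && echo "chain OK, import $1/home-ca.der"
fi
```

Run it as `sh script.sh ./pki 192.168.0.222`; the server certificate and key then go into whatever TLS configuration the Nextcloud installation uses, and only home-ca.der is copied to the phone.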

Thanks for the response. Can you please provide me with instructions on how to do this?

Have you considered taking the other route, of having a certificate issued with a recognized chain?

Clearly you can’t get a certificate for an RFC 1918 IPv4 address, but setting up your home internal network with DNS resolving addresses differently locally than on the global internet seems like a choice one could want to make over messing with trust roots.

I believe Android will force you down a path of pain if you wish to add your own CA.

Thanks for the reply @cos. Just FYI, I’m not a tech savvy person (have only set up my 1st Ubuntu machine 2 months ago to get NextCloud going, hence setting up certificates is all brand new to me), but I’m willing to give it a try.

From what I’ve read so far, in order to have a certificate authority issue a certificate, I need a fixed IP Address that is linked to a domain name, is that correct?

If this is the case, there lies my first road block, my Internet Service Provider doesn’t allow a home user (like myself) to have a fixed IP address.

Just FYI, the IP Address on my modem+router supplied by my Internet Company changes every 2 months or so.

Fixed IP addresses are only available to business customers and I can’t afford the increased monthly fees just to run my NextCloud server. Hence why I am searching for a way to get AntennaPod working with my NextCloud setup given my self-signed certificate.

Bottom line is this… I’m willing to go down the path of pain, but do not have the faintest idea where to start nor how to add trust roots / my own CA to Android.

If you (or anyone) can share any resources or provide some steps to follow that would be most appreciated.

I really would like to get AntennaPod working with my NextCloud, but if this is impossible, then I may have to revert back to using PodBean which would be a shame as I really like AntennaPod.

Certificates with trust chains to well-known authorities are important for system integrity and security. Google makes it hard to mess with them for good reasons. If you’re unable to find out how to do it, you probably shouldn’t.

Feeding a web search engine the query add certificate authority to android seems to return Importing private CA certificates in Android as its first result. It seems to have an easy to follow guide with screenshots.

Before following it, make sure you understand what you’re getting yourself into. Are you relying on using the same device for something else? Are you e.g. doing online banking on it? Will such apps risk blocking themselves if detecting you’ve tampered with security settings?

The way I see it, you have essentially three options for using Nextcloud on a private LAN:

  • Self-sign your TLS certificates, as you’ve detected.
  • Obtain proper TLS certificates.
  • Skip using https on your nextcloud instance.

Please consider which of these is more appropriate for you personally.

While there seem to be ways to get certificates (e.g. letsencrypt.org/t/59379, or a fixed IPv6 address), that would likely require more work and time than you seem to wish to spend.

How about simply avoiding the problem by serving your Nextcloud over plain http? I have zero experience with that software, but this thread suggests it to be possible:

I don’t think so. Adding the certificate should work.

That’s risky because someone in another WiFi could open a server on the same IP and get your password.

While small, there is a risk. My concern is that the one affected is aware of it and makes an informed decision.

Sure it’s unlikely that installing rogue CA certificates prevents apps from working, and reverting configuration is likely possible if it happens. But banks tend to have a very different perspective on fraud prevention, security and approved use of software. I hope everyone messing with trust stores only does so on devices they can be without for a week, if something breaks to the level of requiring a reset to factory defaults.

Nah. That’s a quite targeted attack, which is purely theoretical here. Even with the password, the actual network and thus the nextcloud instance, are presumably unreachable for unauthorized persons. If the OP had real threats or adversaries, I assume they would feel motivated to cough up the trivial funds required to obtain a secure certificate.
