allow custom CA - UNABLE_TO_VERIFY_LEAF_SIGNATURE #343

Closed
2 of 8 tasks
bugsyb opened this issue Mar 28, 2018 · 8 comments

Comments

@bugsyb

bugsyb commented Mar 28, 2018

Operating system

  • Windows
  • macOS
  • Linux
  • Android
  • iOS

Application

  • Desktop
  • Mobile
  • Terminal

This issue is linked to: #191

The problem is that for private purposes a custom CA is used and installed on the system (Linux/Windows/Android, OSX).

Joplin seems to ignore the Trusted CA list and raises the error below:

Error. Please check that URL, username, password, etc. are correct and that the sync target is accessible. The reported error was:
request to https://myhost/ failed, reason: unable to verify the first certificate (Code UNABLE_TO_VERIFY_LEAF_SIGNATURE)

All other system apps work fine. Additionally, I have DLP with SSL bump signing all certs generated on the fly with the trusted CA, and all apps work fine (unless an app has cert pinning embedded). This should not be the case for Joplin, and the connection should be established correctly.

@laurent22
Owner

@snicker

snicker commented May 17, 2018

Got really excited to use Joplin and updated my ownCloud installation from 9.1 to Nextcloud 13, spent a couple hours configuring a Let's Encrypt certificate for my server, and now I am finding that this doesn't work simply because Let's Encrypt still isn't trusted by Mozilla?

@instantlinux

instantlinux commented Jun 17, 2018

I have a local root CA that I install on all the organization's laptops/devices. And I want to use Joplin on those devices, using a private NextCloud server signed by that same root CA. Add me to the list of users who want this feature. We don't want to send data to a cloud service like Dropbox, or purchase an SSL cert just for this application.

This is a request for multi-platform support across Mac OS, Linux, Windows, mobile.

@laurent22
Owner

@instantlinux, I would expect the Android app to work if you've installed the root CA. If it does not work, please could you provide the error message? (To find the log, see https://joplin.cozic.net/debugging/ )

@instantlinux

@laurent22 the iPhone iOS app works thanks to built-in functionality of the cert-installation mechanism on that platform; I'm an iPhone user not an Android user but am glad to hear it works there. But I cannot use the Joplin client on Linux, Windows or Mac OS--all of which are in use here.

@laurent22
Owner

@instantlinux, I wonder though, the fact that it shows this error on desktop, doesn't it mean that the cert is wrongly configured? On here they mention these steps - does it work if you try this? https://stackoverflow.com/a/22263280

It's good to know that it works on iOS anyway. On desktop, if it's really needed I could add an option to ignore SSL errors, but I'd like to be sure it cannot be fixed by installing the cert differently.

@instantlinux

See issue #191. I've added a trusted CA (self-generated) to, say, the local trust on my MacBook Pro (via Keychain Access) for the domain I manage. I've got at least a dozen other services/apps that are already working fine (e.g. green lock icon on the browser bar)--I'm not invoking an "ignore SSL errors" feature, I'm actually validating that the certs I've signed with the self-generated local CA are in fact valid against that CA.

@instantlinux

instantlinux commented Jun 18, 2018

To reproduce this on an Ubuntu desktop, create a self-signed root CA cert into /usr/local/share/ca-certificates/local/ and then invoke update-ca-certificates. Use that CA to create a cert for the nextcloud service. Confirm from your browser that you can log into the nextcloud server without any SSL errors. Then try to sync Joplin against it from your Ubuntu desktop or your Macbook. Doesn't work.

@lock lock bot locked and limited conversation to collaborators Oct 16, 2019