Java errors for self-signed certificates

[clach04]

I love that https://github.com/9001/copyparty/ by default will accept https / TLS / SSL connections by default using a self-signed certificate. The Android app does not appear to support this

Error2: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

maybe wrong password?

This maybe an enhancement request in disguise as well as a bug report.

Option to ignore unknown certs (off by default). https://github.com/mwarning/trigger has such an option.

[9001]

Well then, guess it's time to dust off android studio again :>

Supporting self-signed certificates can make sense in some situations, so it's not a terrible idea -- although preferably it should ask you to add a permanent exception for one specific certificate that you actually trust, rather than blanket-allowing unsigned certs.

Might also add a warning if you try to trust the default certificate that comes with copyparty, since that thing isn't far away from just running plain http... Since anyone can grab the private-key from the repo and decrypt the traffic that way (or at least I think so -- not 100% on the details of TLS heh)

Not sure when I'll get around to this, so if any android wizards feels like picking this one up in the meantime, please do!

[clach04]

Alternative (well parallel) idea; document (somewhere):

1. Doc how to generate a self signed certificates for https://github.com/9001/copyparty/ (if there isn't already something)
2. Doc how to add self signed certificates to Android System (which party-up would then use)

Probably worth a spin off ticket, possibly under https://github.com/9001/copyparty/issues/ rather than party-up.

Thoughts? This is something I can help with (unlike the ignore option added to Party-Up).

[9001]

Oh nice, didn't realize android lets you add your own certificates -- yeah that is a good idea, and it's more secure too (since you know exactly what certificate you're trusting) 👌

on the other hand it's a bit more work when you're setting up the app, but hey... i'm not entirely confident i'd be able to pull off the prompt in the app to auto-trust the certificate either :-p

I've updated the warning you get when you launch copyparty with the default cert, so it now mentions the linux certificate generator -- but that leaves out the Windows users... I'll see how doable it would be to port the script to batch or powershell :> and we should mention all this in the readme too probably 👍

EDIT: and come to think of it, the obvious solution would be to let copyparty generate/manage its own certificates by invoking cfssl as necessary -- i'll see if that's doable by the next ver!

EDIT2: the more I think about that, not entirely sure it's a good idea after all... would need to specify domain / IPs to generate the cert for, and would feel very bolted-on. Let's sleep on it :>

regarding the documentation for party-up, we should probably mention that it's better to trust the CA certificate rather than the server cert, mainly since it makes maintenance easier and I think that's what Android expects at any rate... or at least I think that's the case! haven't checked yet hehe

[chocolateimage]

What is interesting is that I have a certificate from Let's Encrypt, and Firefox and Chrome (on Android on the same device) lets me view the page without any warnings (or any extra certificates). But Party UP does not seem to work. I do have HTTPS on port 3923 and not 443.

[clach04]

What is interesting is that I have a certificate from Let's Encrypt, and Firefox and Chrome (on Android on the same device) lets me view the page without any warnings (or any extra certificates). But Party UP does not seem to work. I do have HTTPS on port 3923 and not 443.

That is odd, I'm successfully using a Let's Encrypt cert without issues with Android party-up client (I gave up on self-signed immediately after realizing there was no existing support). My reverse proxy is Caddy (in front of a docker instance of CopyParty) in case that helps any.

EDIT similar to you; I'm not using 443 either, I'm using a custom port in the URL.

[chocolateimage]

What is interesting is that I have a certificate from Let's Encrypt, and Firefox and Chrome (on Android on the same device) lets me view the page without any warnings (or any extra certificates). But Party UP does not seem to work. I do have HTTPS on port 3923 and not 443.

That is odd, I'm successfully using a Let's Encrypt cert without issues with Android party-up client (I gave up on self-signed immediately after realizing there was no existing support). My reverse proxy is Caddy (in front of a docker instance of CopyParty) in case that helps any.

EDIT similar to you; I'm not using 443 either, I'm using a custom port in the URL.

After further testing around, I found out that the system certificates don't actually include mine except for Windows (for some reason). The browser seems to use their own certificates so that's why it always seems to work in browsers.

EDIT: It was my issue all along, I was using cert.pem instead of fullchain.pem