Since the last update (21062021), our own CA certificates are not trusted anymore

Hello all,

Since the last update, no application on the phone trusts our own CA anymore. In the web browser, for example, I get this default error: “Security connection unknown certificate”. The certificates are installed and visible in the system settings.

What have I already tried?

  • deleted and installed the CA again
  • manual install of CAs via the web browser
  • tested with Firefox and the built-in Chrome
  • tested with other apps, same problem, self-installed certificates are no longer trusted
  • reboots between processes
  • tested on our two Fairphones

Can anyone help me? Are the CAs to be installed differently? Has anything changed?

Thanks a lot and best regards
boospy

/e/ supports a lot of devices, and some get updates for different Android versions simultaneously, so depending on the device even with a date it might not be clear what Android version the update was for, then there are different release channels you could be on …

In short: What exactly does it say in Settings - About phone - Android version - /e/ version?

Thank you for your answer. Here is the detailed information.

Android version 10
/e/ version: 0.17-20210621120947

What exactly does it say in Settings - About phone - Android version (you can tap on this to get further) - /e/ version?

For me it currently says 0.17-q-20210529117214-dev-FP3 there, so it includes the Android version “q” for 10, the update release channel “dev” and the device “FP3”. All the necessary info in one place (yes, it would be better if they displayed this as the version everywhere consistently).

Aaaa, yes, you are right :upside_down_face: here is the number:

0.17-q-20210621120947-stable-FP3

Update: Tested on many web browsers, and I installed the certs in 2 ways: directly from the web browser and locally. Same result.
The new main problem is that we now also have deep inspection in the office and at the customers as an obligation. So this time the mobile phone is not usable online in those networks. That is definitely not fun.
So I’ve completely reset one of the Fairphones, but the problem remains.

Doesn’t anyone use e/os with their own certificate authority?

Updated to the latest version today; it didn’t do anything. Very strange.

Hello all, so now, some time later and with the latest update, the issue still exists. Since I don’t necessarily want to reset my devices here again… if someone has a test device available to test the certificate store, that would be very helpful.

I have created a test webserver for this:

https://test.osit.cc/

So if you import the CA certificate on your device, and the certificate store is working right, no certificate error message should be displayed.

Here is the CA-certificate:


OK, I reset my own phone. The CA didn’t work. So e/OS is not usable for business. I will have to recommend my company to buy Google phones again. Too bad.

You can still use a user-provided root CA, but depending on the API level an app targets, the app needs to opt in to trust user-supplied root CAs on the device.

https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html

User-added CAs

[…]. Android Nougat changes how applications interact with user- and admin-supplied CAs. By default, apps that target API level 24 will—by design—not honor such CAs unless the app explicitly opts in. […]

This is achieved with a network-security-config of the app, as in https://developer.android.com/training/articles/security-config

  • Custom trust anchors: Customize which Certificate Authorities (CA) are trusted for an app’s secure connections. For example, trusting particular self-signed certificates or restricting the set of public CAs that the app trusts.

I gave this a try, it’s a bit cumbersome but Firefox has a hidden option for this, and accepted a certificate signed by my own root-ca-cert.

Firefox added it within https://github.com/mozilla-mobile/fenix/issues/3728
(enable secret menu via logo touch incantation → secret settings → enable user trust-ca)

Bromite added this in https://github.com/bromite/bromite/pull/1110
(go to chrome://flags → search for “allow”, enable “allow-user-certificates”)

1 Like
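An added example (not from the thread or from any project's code): a Python check of how the opt-in described in the reply above resolves for a given host, from an app's targetSdkVersion and its network security config. The sample XML and the domain `intranet.example` are constructed; `debug-overrides` and pinning are ignored, and nested `domain-config` inheritance is simplified.

```python
import xml.etree.ElementTree as ET

# Constructed sample: opts in to user CAs only for one placeholder domain.
SAMPLE_CONFIG = """<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">intranet.example</domain>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </domain-config>
</network-security-config>"""


def _sources(node):
    """Return the src values of node's own <trust-anchors>, or None if it has none."""
    anchors = node.find("trust-anchors") if node is not None else None
    if anchors is None:
        return None
    return {c.get("src") for c in anchors.findall("certificates")}


def trusts_user_cas(config_xml, host, target_sdk):
    """True if a release build with this config honors user-installed CAs for host."""
    # Platform default: user CAs are trusted only when targeting API 23 or lower.
    trusted = {"system", "user"} if target_sdk <= 23 else {"system"}
    if config_xml is None:  # app ships no network security config
        return "user" in trusted
    root = ET.fromstring(config_xml)
    base = _sources(root.find("base-config"))
    if base is not None:
        trusted = base
    best, h = -1, host.lower()
    # Most specific matching <domain> wins; a domain-config without its own
    # trust-anchors is skipped (simplified inheritance, an assumption here).
    for dc in root.iter("domain-config"):
        src = _sources(dc)
        for d in dc.findall("domain"):
            name = (d.text or "").strip().lower()
            sub = d.get("includeSubdomains", "false") == "true"
            match = h == name or (sub and h.endswith("." + name))
            if match and src is not None and len(name) > best:
                best, trusted = len(name), src
    return "user" in trusted
```

To audit a real app, pass the decoded `res/xml` file that the manifest's `android:networkSecurityConfig` attribute points to, together with the app's targetSdkVersion.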

Wow! Nice! This works very well already!