DAVx5 distrusts Let's Encrypt root certificate

Hi Friends!
I’m using DAVx5 with Nextcloud for contacts and events synchronization for the sio4.org organization, which runs Debian jessie 8.5 and Certbot 0.10.2-1 (I don’t know at the moment whether it is possible to upgrade Certbot to a newer release, since “apt” does not find more recent versions).
Then, for another organization, 3x1t.org: Debian stretch 9.6 and Certbot 0.28.0-1, and again DAVx5 and Nextcloud.

My question is: on 3x1t.org, it is sufficient to accept the first certificate, and the following ones (of the same domain) are automatically accepted by DAVx5 at each renewal.

On sio4.org, instead, at every renewal, DAVx5 shows the renewed certificate signature and asks me whether to accept or reject it.

What I don’t understand is the reason for these two different behaviors: on 3x1t.org, only one request; on sio4.org, one at every (automatic) certificate renewal.

I’ve opened this question on the DAVx5 forum too, and now here, since I seem to understand that it depends to some extent on server-side issues.

Have you any suggestions?

Many many thanks!

Davide


The official instructions for Jessie are here: https://certbot.eff.org/lets-encrypt/debianjessie-other . It says to avoid using the apt version and to use certbot-auto, which will always be the current version.

You should upgrade this. 0.10.2-1 will stop functioning very soon.

I agree with you that both certificates and their chains look correctly deployed.

The only distinguishing difference I can see is that sio4.org uses a 4096-bit RSA key and 3x1t.org's is the more common 2048-bit. But that shouldn’t affect validation.

I installed DAVx5 on an Android tablet from F-Droid and I was able to establish connections to both of your domains without any certificate prompt. I used “Login with URL and user name” with the URL set to https://sio4.org/ and https://3x1t.org/. If you used a different combination of login settings, let me know and I can try it.

I did get a certificate prompt when using https://untrusted-root.badssl.com/ as the URL, which would suggest that the app does trust your servers’ certificates by default - at least on my version of Android (7.0).


Hi _az and first of all thanks for your kind help!

Is the use of Certbot different from the use of certbot-auto, except for the command name?

Then

I will ask the DAVx5 team about this and then I will update the post!

Yes, it’s different.
For sio4.org: you can try “sio4.org/owncloud/” or “cosmogonia.org/owncloud/”
For 3x1t.org: you can try “3x1t.org/cloud/”

the mystery thickens :japanese_ogre:


It’s the same, except you will need to manually set up the cron job. The linked page instructs you how to do so.

Those other URLs worked okay for me as well.

I’d be curious to know whether you can open those URLs in the standard Android browser on those particular devices, without getting a certificate prompt.

Now I will change certbot to certbot-auto, then upgrade my two phones to Android Pie (9.0), and then repeat the procedure.
For now, I will try to collect clues.
At the moment I have no other ideas :slight_smile:

Thanks a lot for your kind help!