Generate proper self-signed certificate working on iOS


#1

Hi all,

I have a problem with a self-signed certificate and root certificate generated by https://github.com/jsha/minica

I am trying to use these certs to set up my Bitwarden server: https://hub.docker.com/r/mprasil/bitwarden#enabling-https

Everything works well when I use Firefox or Chrome, but I can’t open the web server from iOS Safari or the Bitwarden mobile app.
I sent the root cert via email and installed it on my iPhone.

When accessing the server from iOS, in the logs I see: [rustls::session][WARN] Sending fatal alert DecodeError


#2

What error do you get from Mobile Safari? What URL are you using to access the server? Can you document the process you used to install the root certificate?


#3

Could you show here that public “root” cert you installed?


#4

Root installed and accepted on iOS: minica.pem https://pastebin.com/raw/4LXJTFRc
Certificate installed on my server together with the private key (as described here: https://hub.docker.com/r/mprasil/bitwarden/#enabling-https): cert.pem https://pastebin.com/raw/UWp7Emgd


#5

Not sure if this is related…
But the cert has no SAN and the CN is rather “non-compliant”:
CN = minica root ca 61b14f
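An added example, not from the thread and not minica's code, of minting a private root CA and a server certificate the way a client such as iOS expects. A root certificate normally carries no SAN, so the CN of minica.pem noted above is not by itself a problem; what matters is the leaf certificate the server presents (cert.pem in the thread): it needs the IP the server is reached at in a subjectAltName (clients do not match on the CN), an extendedKeyUsage of serverAuth, a SHA-2 signature and, for Apple platforms, a validity of at most 825 days. It also matters that the root installed on the iPhone is marked trusted under Settings > General > About > Certificate Trust Settings; installing the profile alone is not enough. The script assumes the openssl CLI is on PATH, uses the thread's 192.168.0.19 as the server IP, and the CA name and file names are made up here.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from minica): mint a private root CA
# and a server certificate with an IP subjectAltName, then check the result.
# Assumptions: the OpenSSL CLI is on PATH; 192.168.0.19 is the LAN address
# from the thread; the CA name and file names are made up for this example.
set -euo pipefail

# make_ca <dir>: self-signed root CA (RSA 2048, SHA-256, 5 years) with
# explicit CA extensions instead of whatever the system openssl.cnf adds.
make_ca() {
  local dir=$1
  openssl req -new -nodes -newkey rsa:2048 -sha256 \
    -keyout "$dir/ca.key" -out "$dir/ca.csr" \
    -subj "/CN=Home Lab Root CA" 2>/dev/null
  cat >"$dir/ca.ext" <<'EOF'
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -sha256 \
    -days 1825 -extfile "$dir/ca.ext" -out "$dir/ca.pem" 2>/dev/null
}

# make_server_cert <dir> <ip>: leaf certificate for a server reached by IP.
# The IP goes into subjectAltName; clients ignore the CN for name matching.
# Validity is capped at 825 days (the maximum Apple platforms accept for
# server certificates) and the EKU is limited to serverAuth.
make_server_cert() {
  local dir=$1 ip=$2
  openssl req -new -nodes -newkey rsa:2048 -sha256 \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "/CN=$ip" 2>/dev/null
  cat >"$dir/server.ext" <<EOF
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = IP:$ip
EOF
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -sha256 -days 825 -extfile "$dir/server.ext" \
    -out "$dir/server.pem" 2>/dev/null
}

# cert_has_ip_san <cert.pem> <ip>: succeeds only if the SAN lists that IP.
cert_has_ip_san() {
  openssl x509 -in "$1" -noout -text | grep -qF "IP Address:$2"
}

# check_server_cert <dir> <ip>: the leaf chains to the CA and the SAN matches.
check_server_cert() {
  local dir=$1 ip=$2
  openssl verify -CAfile "$dir/ca.pem" "$dir/server.pem" >/dev/null &&
    cert_has_ip_san "$dir/server.pem" "$ip"
}

# Usage: bash make_certs.sh /path/to/outdir 192.168.0.19
# Copy server.pem/server.key to the server as cert.pem/key.pem and install
# ca.pem (the certificate only, never ca.key) on the clients.
if [ $# -eq 2 ]; then
  mkdir -p "$1"
  make_ca "$1"
  make_server_cert "$1" "$2"
  check_server_cert "$1" "$2" && echo "OK: $1/server.pem verifies and has SAN IP:$2"
  openssl x509 -in "$1/server.pem" -noout -subject -dates
fi
```

If the server is later given a DNS name, change the SAN line to `subjectAltName = DNS:name,IP:192.168.0.19` and reissue the leaf; the root does not need to change.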


#6

I am accessing https://192.168.0.19 from Mobile Safari and the Bitwarden mobile app.
Mobile Safari gets me nothing but a white page.
Mobile Chrome on iOS gets me: “ERR_BAD_SSL_CLIENT_AUTH_CERT”
The Bitwarden mobile app gets me: “There is a problem connecting to the server”

Firefox and Chrome on Windows show me a “green padlock” for the server at https://192.168.0.19 after I installed the root cert on my Windows machine, and everything works great.


#7

Is Chrome up-to-date? (probably yes)
If not, try updating it.

Are you using anti-virus?
If so, check if that is blocking this cert.
Or try it while anti-virus is disabled.


#8

Which protocols and ciphers are enabled?

Can you test connection to the site with OpenSSL?


#9

Chrome is up to date and I don’t use any antivirus on iOS.


#10

How do I test the connection with OpenSSL? The site is only available on my LAN, so I can test it from another computer.


#11

You could try

openssl s_client -connect 192.168.0.19:443

You should get a lot of output about the ciphers and certificates. (You can try typing something like GET / HTTP/1.0 after the connection is established in order to confirm that you’re also talking to the web server you intended.)


#12

And please post the output.

You can press “ctrl-c” to exit openssl.


#13

https://pastebin.com/raw/Z4DC06y6


#14

This is “interesting”…
Server Temp Key: X25519, 253 bits

Not entirely sure about its significance, nor exactly how to test for other curves with openssl (yet).
But I will research it some more and get back to you on that either way.


#15

Related discussion:

Why is this issue even on this forum? Let’s Encrypt isn’t even being used.


#16

Please show output of:
openssl s_client -connect 192.168.0.19:443 -curves secp384r1
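The probes from #11, #12 and #16 as one script, added here and not taken from the thread. parse_handshake pulls out the fields the posts compare by eye (Protocol, Cipher, Server Temp Key, Verify return code) plus any TLS alert or socket error; probe_curves repeats the handshake with one key-exchange group forced at a time, which is the manual -curves test above; http_status sends the GET / HTTP/1.0 that #11 suggests and prints the status line. It assumes the openssl CLI is on the machine doing the testing and uses the thread's 192.168.0.19:443 as the target. Two points worth knowing when reading the output: without -CAfile minica.pem the verify line will always report an error for a privately issued chain, so pass the root to learn whether the chain itself is good; and a server that refuses a forced group answers with a handshake-failure alert instead of a Server Temp Key line.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): scripted version of the s_client checks.
# Assumes the OpenSSL CLI is on PATH; 192.168.0.19:443 is the thread's server.

# parse_handshake: read `openssl s_client` output (stdout and stderr merged)
# on stdin and emit key=value lines for the fields worth comparing between
# clients: negotiated protocol and cipher, the server's ephemeral key group,
# the chain verification result, and any TLS alert or socket error.
parse_handshake() {
  awk '
    /^ *Protocol *:/           { sub(/^ *Protocol *: */, "");         print "protocol=" $0; next }
    /^ *Cipher *:/             { sub(/^ *Cipher *: */, "");           print "cipher=" $0;   next }
    /^Server Temp Key:/        { sub(/^Server Temp Key: */, "");      print "temp_key=" $0; next }
    /^ *Verify return code:/   { sub(/^ *Verify return code: */, ""); print "verify=" $0;   next }
    /alert/ && /(fatal|error)/ { print "alert=" $0; next }
    /errno=/                   { print "error=" $0 }
  '
}

# probe_tls <host:port> [s_client options...]: one handshake, parsed.
# Pass "-CAfile minica.pem" so the verify= line reflects trust in your own
# root; without it a private chain always reports a verify error.
probe_tls() {
  local target=$1; shift
  openssl s_client -connect "$target" "$@" </dev/null 2>&1 | parse_handshake
}

# probe_curves <host:port> [s_client options...]: force one key-exchange
# group at a time to see which groups the server will negotiate.
# -curves is the pre-3.0 option name; OpenSSL 3 accepts it as an alias of -groups.
probe_curves() {
  local target=$1; shift
  local curve
  for curve in X25519 prime256v1 secp384r1 secp521r1; do
    printf '%-12s ' "$curve"
    probe_tls "$target" -curves "$curve" "$@" | grep -E '^(temp_key|alert|error)=' | tr '\n' ' '
    echo
  done
}

# http_status <host:port>: confirm the TLS endpoint is the web server you
# meant by sending a minimal HTTP/1.0 request and printing the status line.
# -quiet implies -ign_eof, so s_client waits for the server to close.
http_status() {
  local target=$1
  printf 'GET / HTTP/1.0\r\nHost: %s\r\n\r\n' "${target%%:*}" |
    openssl s_client -connect "$target" -quiet 2>/dev/null | head -n 1
}

# Usage: bash tls_probe.sh 192.168.0.19:443 [-CAfile minica.pem]
if [ $# -ge 1 ]; then
  probe_tls "$@"
  probe_curves "$@"
  http_status "$1"
fi
```

Run it once from a Windows or Linux machine that works and once with `-tls1_2` or a forced curve that fails, and diff the key=value lines; the field that changes between the working and failing run is the one to chase.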


#17

https://pastebin.com/raw/ts49JHi0


#18

OK this is better:
Server Temp Key: ECDH, P-384, 384 bits

Can you set the supported curves (or their order)?
[I see no mention of which web server you are using]


#19

I don’t think I can set any curves.
I am using this image https://github.com/dani-garcia/bitwarden_rs and the only thing I can do is to set cert.pem and key.pem during container creation.

Please remember that the problem with the connection occurs only on iOS.
Windows and Linux work OK. I think the problem is with the files generated by minica, not the server settings.


#20

I understand; but I must look where I think the problem may be… :slight_smile:
And rule out any of the doubts in my mind.
To be clear: if I could help in your direction I would. But I don’t know any more than you know about the problem (and I’m far away from it).