Generate proper self-signed certificate working on iOS

Hi all,

I have a problem with a self-signed certificate and root certificate generated by https://github.com/jsha/minica

I am trying to use these certs to set up my Bitwarden server: https://hub.docker.com/r/mprasil/bitwarden#enabling-https

Everything works well when I use Firefox or Chrome, but I can't open the web server from iOS Safari or the Bitwarden mobile app.
I sent the root cert via email and installed it on my iPhone.

When accessing the server from iOS, in the logs I see: [rustls::session][WARN] Sending fatal alert DecodeError

What error do you get from Mobile Safari? What URL are you using to access the server? Can you document the process you used to install the root certificate?

Could you show here that public "root" cert you installed?

Root installed and accepted on iOS: minica.pem https://pastebin.com/raw/4LXJTFRc
Certificate installed on my server together with the private key (as described here: https://hub.docker.com/r/mprasil/bitwarden/#enabling-https): cert.pem https://pastebin.com/raw/UWp7Emgd

Not sure if this is related…
But the cert has no SAN and the CN is rather “non-compliant”:
CN = minica root ca 61b14f
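
As an added example (this is not the poster's minica output, nor code from minica or bitwarden_rs), the Go program below builds a throwaway root CA and a server certificate for the LAN address used in this thread, once with the IP placed in subjectAltName and once with it only in the CN, and then checks each the way a strict client does: Go's verifier, like Apple's, matches the server address against subjectAltName and ignores the CN. The CA name, the use of P-256 keys, and the validity periods are assumptions chosen for the example; the 825-day cap in the comment is Apple's published limit for TLS server certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// GenerateCAAndLeaf builds a throwaway root CA and a server certificate for
// serverIP signed by that CA (constructed test material, not the poster's
// certs). withSAN controls whether the IP goes into subjectAltName; with it
// false the IP appears only in the CN, the shape this thread suspects iOS
// rejects. Both certs are returned as PEM.
func GenerateCAAndLeaf(serverIP string, withSAN bool) (caPEM, leafPEM []byte, err error) {
	ip := net.ParseIP(serverIP)
	if ip == nil {
		return nil, nil, fmt.Errorf("bad IP %q", serverIP)
	}
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // assumed key type
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example test root ca"}, // assumed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER) // parsed so the leaf gets a proper AuthorityKeyId
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: serverIP},
		NotBefore:    now.Add(-time.Hour),
		// Apple rejects TLS server certs valid for more than 825 days; stay well under.
		NotAfter:    now.Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN {
		leafTmpl.IPAddresses = []net.IP{ip} // the subjectAltName iOS actually checks
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	leafPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
	return caPEM, leafPEM, nil
}

// CheckLeafForIP parses a PEM server cert, reports whether serverIP is in its
// subjectAltName, and verifies it against caPEM for that IP as a strict
// client would (an IP literal in DNSName is matched only against IP SANs).
func CheckLeafForIP(leafPEM, caPEM []byte, serverIP string) (hasSAN bool, verifyErr error) {
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return false, fmt.Errorf("no PEM block in leaf")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	want := net.ParseIP(serverIP)
	for _, addr := range leaf.IPAddresses {
		if addr.Equal(want) {
			hasSAN = true
		}
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return hasSAN, fmt.Errorf("no usable root in caPEM")
	}
	_, verifyErr = leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   serverIP,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return hasSAN, verifyErr
}

func main() {
	for _, withSAN := range []bool{true, false} {
		ca, leaf, err := GenerateCAAndLeaf("192.168.0.19", withSAN)
		if err != nil {
			panic(err)
		}
		hasSAN, verr := CheckLeafForIP(leaf, ca, "192.168.0.19")
		fmt.Printf("withSAN=%v hasSAN=%v verify=%v\n", withSAN, hasSAN, verr)
	}
}
```

Running it shows the CN-only certificate failing hostname verification even though it chains cleanly to the root, which is the same distinction to look for in cert.pem: check for an "IP Address:" entry under X509v3 Subject Alternative Name rather than relying on the CN.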

I am accessing https://192.168.0.19 from Mobile Safari and Bitwarden Mobile app.
Mobile Safari gets me nothing but a white page.
Mobile Chrome on iOS gets me: "ERR_BAD_SSL_CLIENT_AUTH_CERT"
Bitwarden Mobile app gets me: “There is a problem connecting to the server”

Firefox and Chrome on Windows show me a “green padlock” for the server on https://192.168.0.19 after I installed the root cert on my Windows machine, and everything works great.

Is Chrome up-to-date? (probably yes)
If not, try updating it.

Are you using anti-virus?
If so, check if that is blocking this cert.
Or try it while anti-virus is disabled.

Which protocols and ciphers are enabled?

Can you test connection to the site with OpenSSL?

Chrome is up-to-date and I don't use any antivirus on iOS.

How do I test the connection with OpenSSL? The site is only available on my LAN, so I can test it from another computer.

You could try

openssl s_client -connect 192.168.0.19:443

You should get a lot of output about the ciphers and certificates. (You can try typing something like GET / HTTP/1.0 after the connection is established in order to confirm that you’re also talking to the web server you intended.)

And please post the output.

You can press “ctrl-c” to exit openssl.


https://pastebin.com/raw/Z4DC06y6

This is “interesting”…
Server Temp Key: X25519, 253 bits

Not entirely sure about its significance, nor exactly how to test for other curves with openssl (yet).
But I will research it some more and get back to you on that either way.

Why is this issue even on this forum? Let’s Encrypt isn’t even being used.


Please show output of:
openssl s_client -connect 192.168.0.19:443 -curves secp384r1

https://pastebin.com/raw/ts49JHi0

OK this is better:
Server Temp Key: ECDH, P-384, 384 bits

Can you set the supported curves (or their order)?
[I see no mention of which web server you are using]

I don’t think I can set any curves.
I am using this image https://github.com/dani-garcia/bitwarden_rs (https://github.com/dani-garcia/bitwarden_rs) and the only thing I can do is to set cert.pem and key.pem during container creation.

Please remember that the problem with the connection occurs only on iOS.
Windows and Linux work OK. I think the problem is with the generated files from minica, not the server settings.

I understand; but I must look where I think the problem may be... :)
And rule out any of the doubts in my mind.
To be clear: if I could help in your direction I would. But I don't know any more than you know about the problem (and I'm far away from it).