Ubuntu Android problem

I use certbot on the server.
Flutter app does not have any special files, it just connects over HTTPS automatically.

2 Likes

That's literally IMPOSSIBLE.

Were there any instructions?

Like: "do this" and then it just works automatically.

3 Likes

No. Why impossible? When you open an https link with your web browser, you don't set up configuration files for each new site. It just opens. The app connects automatically just like that. What am I missing here?

2 Likes

It has to use a certificate to encrypt.
Automatic HTTPS (without giving it any cert files) is IMPOSSIBLE.
So which files does it use to encrypt with?

3 Likes

Again, when a user opens any HTTPS page in a web browser, he does not manually provide certificate files; it works automatically for him.

And I did not provide certificate files for the mobile app to connect.

2 Likes

OMG!
Flutter is a CLIENT app - NOT a SERVER app.

Well that explains it!

4 Likes

Yes, the server runs on Ubuntu; the client is a Flutter app on Android.

2 Likes

@bazar
Let's focus on the server for now.
Can you manage it?

3 Likes

Yes, I manage both the server and the client app.

2 Likes

Good.
Please show the vhost config file that covers api.simlr.net:443
[/etc/nginx/sites-enabled/api.simlr.net-le-ssl.conf ?]

3 Likes

@rg305

server {
    server_tokens off;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name api.interesting.casa api.simlr.net;
    client_max_body_size 16k;

    location / {
        ... rate limit and proxy params here ...
    }

    # listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/interesting.casa/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/interesting.casa/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
2 Likes

openssl s_client -connect api.interesting.casa:443 -servername api.interesting.casa
139938880242112:error:2008F002:BIO routines:BIO_lookup_ex:system lib:../crypto/bio/b_addr.c:704:Name or service not known
connect:errno=2
root@ul18ipv46:/var/tmp/trash# openssl s_client -connect api.simlr.net:443 -servername api.simlr.net
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = api.simlr.net
verify return:1
---
Certificate chain
 0 s:CN = api.simlr.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

Although that is the default trust path chain, it might not be the best one for your use case.
I would try using the alternate trust path chain.
You can do that quickly by manually editing the fullchain file and removing the last cert from it.
/etc/letsencrypt/live/interesting.casa/fullchain.pem

3 Likes

@rg305 @bazar

I am not sure whether this is the perfect solution or not, but I fixed it in 2 parts.

Part 1. Set the server to use the short chain, as in the valid example by Let's Encrypt ("https://valid-isrgrootx1.letsencrypt.org")

1.1. update certbot to the latest version from Certbot - Ubuntufocal Nginx
1.2. renew or set up certbot with
sudo certbot -d your domain --preferred-chain "ISRG Root X1"
1.3. check the result with

openssl s_client -connect valid-isrgrootx1.letsencrypt.org:443

the result should be like:

Certificate chain
 0 s:CN = valid-isrgrootx1.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1

Part 2. Set flutter to know ISRG Root X1 by

import 'dart:io';
import 'package:flutter/services.dart';
ByteData data = await rootBundle.load('assets/ca/isrgrootx1.pem');
SecurityContext.defaultContext.setTrustedCertificatesBytes(data.buffer.asUint8List());

Put this code in main or in the first part of the app to load

isrgrootx1.pem is the ISRG Root X1 PEM file
link: https://letsencrypt.org/certs/isrgrootx1.pem

For part 2, I think it is because Flutter or Dart does not load the .pem file as it should from here:

5 Likes
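
The check rg305 ran above and the expected listing in step 1.3 both compare the openssl s_client "Certificate chain" section by eye. The following is an added Python example, not code from this thread, from Certbot or from Flutter: it parses that listing, verifies that each certificate's issuer matches the next certificate's subject, and reports whether the served path is the longer cross-signed one ending in DST Root CA X3 or the short ISRG Root X1 one. The two sample transcripts are constructed from the outputs quoted in this thread, and the function names are my own.

```python
import re

# Constructed sample, copied from the openssl s_client output for api.simlr.net quoted above (the default, longer path ending in DST Root CA X3).
LONG_CHAIN_OUTPUT = """\
Certificate chain
 0 s:CN = api.simlr.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
"""

# Constructed sample: the short chain step 1.3 expects after --preferred-chain "ISRG Root X1".
SHORT_CHAIN_OUTPUT = """\
Certificate chain
 0 s:CN = valid-isrgrootx1.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
"""

def parse_chain(s_client_output: str) -> list[tuple[str, str]]:
    """Return [(subject, issuer), ...] in served order from an openssl s_client transcript."""
    lines = s_client_output.splitlines()
    pairs, subject = [], None
    for line in lines[lines.index("Certificate chain") + 1:]:   # ValueError if section missing
        m = re.match(r"^\s*(?:\d+\s+)?([si]):(.*)$", line)       # " N s:..." or "   i:..."
        if not m:
            break                                               # '---' ends the listing
        kind, name = m.group(1), m.group(2).strip()
        if kind == "s":
            subject = name
        elif subject is not None:                               # 'i:' completes the pair
            pairs.append((subject, name))
            subject = None
    return pairs

def classify_chain(pairs: list[tuple[str, str]]) -> str:
    """Check issuer/subject linkage, then report which Let's Encrypt trust path is served."""
    for (_, issuer), (next_subject, _) in zip(pairs, pairs[1:]):
        if issuer != next_subject:
            raise ValueError(f"chain does not link: {issuer!r} -> {next_subject!r}")
    m = re.search(r"CN = ([^,]+)", pairs[-1][1])   # issuer CN of the last certificate served
    top = m.group(1).strip() if m else pairs[-1][1]
    if top == "DST Root CA X3":
        return "long"                              # cross-signed path, as in rg305's check above
    if top == "ISRG Root X1":
        return "short"                             # the chain step 1.3 expects
    return "unknown"
```

To check a live server, pipe the output of the same `openssl s_client -connect host:443 -servername host` command from the thread into `parse_chain`.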

Hi @sornrak-kp welcome to the LE community forum 🙂
and thanks for your detailed solution which is a big step forward for anyone with this situation.

3 Likes

It did not help - I got another error: "unable to get local issuer certificate".

I solved the issue thanks to @sornrak-kp's solution.
Did not change anything on the server, just added lets-encrypt-r3.pem as a trusted certificate to the Flutter app.

Thanks everyone for participation!

4 Likes

It's not recommended to "pin" intermediate certificates: Let's Encrypt could change to the backup certificate in case of an incident without any notice. Also, intermediates can change even without an incident, but usually you'd get a notice through the API Announcements - Let's Encrypt Community Support category on this Community, so you're recommended to subscribe to it!

6 Likes

It is difficult to say, from here, exactly what doing "add as a trusted certificate to Flutter app" does.
Windows has a "trusted intermediates" in their store.
As long as it is just an addition to whatever else is there, and NOT replacing all other certs, I don't see much harm in doing that.
But it makes me wonder "WHY?".
Why does this add fix anything?
Unless there is no "ISRG Root X1" anywhere in the "Flutter app", this add should make no difference.

5 Likes

I found that with certbot, using the defaults was all 99.9% of users needed.
My site certificate is refreshed automatically; the new X3 was transparent.

1 Like