Ubuntu Android problem

I use certbot on the server.
Flutter app does not have any special files, it just connects over HTTPS automatically.

2 Likes

That's literally IMPOSSIBLE.

Where there any instructions?

Like: "do this" and then it just works automatically.

2 Likes

No. Why impossible? When you open an https link with your web browser, you don't set up configuration files for each new site. It just opens. The app connects automatically just like that. What am I missing here?

2 Likes

It has to use a certificate to encrypt.
Automatic HTTPS (without giving it any cert files) is IMPOSSIBLE.
So which files does it use to encrypt with?

2 Likes

Again, when user opens any HTTPS page in a web browser, he does not manually provide certificate files, it works automatically for him.

And I did not provide certificate files for the mobile app to connect.

2 Likes

OMG!
Flutter is a CLIENT app - NOT a SERVER app.

Well that explains it!

3 Likes

Yes, the server runs on Ubuntu; the client is a Flutter app on Android.

2 Likes

@bazar
Lets focus on the server for now.
Can you manage it?

2 Likes

Yes, I manage both the server and the client app.

2 Likes

Good.
Please show the vhost config file that covers api.simlr.net:443
[/etc/nginx/sites-enabled/api.simlr.net-le-ssl.conf ?]

2 Likes

@rg305

server {
    server_tokens off;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name api.interesting.casa api.simlr.net;
    client_max_body_size 16k;

    location / {
        ... rate limit and proxy params here ...
    }

    # listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/interesting.casa/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/interesting.casa/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
2 Likes
openssl s_client -connect api.interesting.casa:443 -servername api.interesting.casa
139938880242112:error:2008F002:BIO routines:BIO_lookup_ex:system lib:../crypto/bio/b_addr.c:704:Name or service not known
connect:errno=2
root@ul18ipv46:/var/tmp/trash# openssl s_client -connect api.simlr.net:443 -servername api.simlr.net
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = api.simlr.net
verify return:1
---
Certificate chain
 0 s:CN = api.simlr.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

Although that is the default trust path chain, it might not be the best one for your use case.
I would try using the alternate trust path chain.
You can do that quickly by manually editing the fullchain file and removing the last cert from it.
/etc/letsencrypt/live/interesting.casa/fullchain.pem

2 Likes

@rg305 @bazar

I am not sure this is the perfect solution or not but I fixed it by 2 parts.

Part 1. Set the server to use short chain as the valid example by let's encrypt ("https://valid-isrgrootx1.letsencrypt.org")

1.1. update certbot to latest version from Certbot - Ubuntufocal Nginx
1.2. renew or set certbot with
sudo certbot -d your domain --preferred-chain "ISRG Root X1"
1.3 check result by

openssl s_client -connect valid-isrgrootx1.letsencrypt.org:443

the result should be like:

Certificate chain
 0 s:CN = valid-isrgrootx1.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1

Part 2. Set flutter to know ISRG Root X1 by

 ByteData data = await rootBundle.load('assets/ca/isrgrootx1.pem');
  SecurityContext.defaultContext.setTrustedCertificatesBytes(data.buffer.asUint8List());

Put these code in main or first loading app part

isrgrootx1.pem is ISRG Root X1 pem file
link: https://letsencrypt.org/certs/isrgrootx1.pem

For part 2 I think because flutter or dart does not load .pem file as it should from here:

5 Likes

Hi @sornrak-kp welcome to the LE community forum :slight_smile:
and thanks for your detailed solution which is a big step forward for anyone with this situation.

2 Likes

It did not help - I got another error: "unable to get local issuer certificate".

I solved the issue thanks to @sornrak-kp solution.
Did not change anything on the server, just added lets-encrypt-r3.pem as a trusted certificate to the Flutter app.

Thanks everyone for participation!

3 Likes

It's not recommended to "pin" intermediate certificates: Let's Encrypt could change to the backup certificate in case of an incident without any notice. Also, intermediates can change even without an incident, but usually you'd get a notice through the API Announcements - Let's Encrypt Community Support category on this Community, so you're recommended to subscribe to it!

3 Likes

It is difficult to say, from here, exactly what doing "add as a trusted certificate to Flutter app" does.
Windows has a "trusted intermediates" in their store.
As long as it is just an addition to whatever else is there, and NOT replacing all other certs, I don't see much harm in doing that.
But it makes me wonder "WHY?".
Why does this add fix anything?
Unless there is no "ISRG Root X1" anywhere in the "Flutter app", this add should make no difference.

2 Likes

I found with certbot using the defaults were all 99.9% of users needed
My site certificate is refreshed automatically the new X3 was transparent

1 Like