
App ignores installed root CA certificate on device and connection fails #130

Closed
FlorentBrianFoxcorner opened this issue Feb 24, 2024 · 8 comments

Comments

@FlorentBrianFoxcorner

FlorentBrianFoxcorner commented Feb 24, 2024

What is wrong?

  • Latest version from Play Store, 1.2.4.1
  • Trying to set Library root URL to https://<ourPhotoPrismHost>:2342 leads to error:
  • Library is not accessible: SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
  • Our home PhotoPrism instance runs with a self-signed TLS certificate.
  • The root CA certificate was installed on our Android devices.
  • Tried with Android 14, latest PixelOS (several different devices) and a Samsung A53 on the current OTA Samsung version.
  • Connection to the PhotoPrism instance via browser works with the self-signed certificate and the installed root certificate. It works without setting up a browser exception rule for the self-signed TLS certificate.

To Reproduce
Steps to reproduce the behavior:

  1. Set up a local PhotoPrism with a self-signed TLS certificate and your own root CA certificate
  2. Make sure your own root CA certificate is installed on the device
  3. Verify TLS works in browsers without a manual certificate rule in the browser, with the installed root CA only
  4. Try to connect PP Gallery to the PP instance

Expected behavior
PP Gallery takes the installed root CA into account and accepts the self-signed certificate.

Screenshots
[screenshot share_8508605572797421237, not reproduced here]

Device (please complete the following information):

  • Model: Xiaomi M21016G, PixelOS, Android 14, security update 5th January
  • Model: Samsung A53, Android 14 current OTA
  • Model: Xiaomi Redmi Note 8T, PixelOS, Android 14

Additional context
Add any other context about the problem here.

@FlorentBrianFoxcorner FlorentBrianFoxcorner added the bug Something isn't working label Feb 24, 2024
@FlorentBrianFoxcorner
Author

X-check: Works fine without TLS after setting PP instance's PHOTOPRISM_DISABLE_TLS: "true".
Thank you, cool app!

@Radiokot
Owner

Radiokot commented Feb 24, 2024

Hi Florian.
Thank you for the detailed report. However, I can't reproduce the issue – if the certificate chain is set up correctly and the CA certificate is installed on the device, both the gallery and the browser connect to the library without any warnings.

Please, check the following:

  1. You've installed the correct CA certificate on your phone;
  2. Your server certificate is actually signed by this CA;
  3. Your server certificate has both Common Name and Subject Alternative Name (SAN) pointing to the IP/hostname you are going to access your library at. Although SAN can have many values, at least the one from Common Name must be there;
  4. PhotoPrism actually uses your certificate: follow the custom certificate guide, but disable PHOTOPRISM_DEFAULT_TLS. Restart your instance, go to the browser and check if the certificate is actually yours and not issued by PhotoPrism Berlin.

In case you are confused by a bunch of openssl guides, try following the one written by me: https://gist.github.com/Radiokot/092dfa1bc480ae8209cb6f48dabe1904
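The checklist above can be run offline before touching the phone. The script below is an added example, not code from the PP Gallery project or from the linked gist: it builds a throwaway private CA with openssl (assumed to be on PATH), issues server certificates the way a home PhotoPrism setup would, and then runs checks 2 and 3 from the list: is the server certificate signed by the installed CA, and do its Common Name and SAN both name the host? The hostname photoprism.home.lan and all key material are constructed for the demonstration; it also shows the case from this thread, a certificate with a correct SAN but a typo in the CN.

```shell
#!/bin/sh
# Added example, not part of the PP Gallery project or the issue thread.
# Assumes openssl on PATH. Hostname and keys are constructed, throwaway values.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="photoprism.home.lan"

# The private root CA that gets installed on the Android devices.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Home Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Issue a server certificate signed by that CA.
# $1 = file basename, $2 = Common Name, $3 = hostname to put in the SAN.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$3" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" >/dev/null 2>&1
}

# A self-signed certificate that no installed CA vouches for, which is what a
# client sees when the server keeps serving its own default certificate.
make_stray_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$HOST" \
    -keyout "$WORK/stray.key" -out "$WORK/stray.crt" >/dev/null 2>&1
}

# Check 2 of the list: does the certificate chain up to our CA?
chain_ok() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Check 3 of the list: the host must appear in the CN and in the SAN.
# Modern browsers match the hostname against the SAN only, which is why a CN
# typo goes unnoticed in the browser but can still fail elsewhere.
name_ok() {
  openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 | grep -qF "CN=$2" &&
  openssl x509 -in "$WORK/$1.crt" -noout -text | grep -qF "DNS:$2"
}

report() {
  if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi
}

make_ca
issue_cert good "$HOST" "$HOST"                # correct CN and SAN
issue_cert typo "photoprsim.home.lan" "$HOST"  # CN typo, SAN correct
make_stray_cert

report chain_ok good            # PASS
report name_ok good "$HOST"     # PASS
report chain_ok typo            # PASS: signed by the CA, the typo is in the name only
report name_ok typo "$HOST"     # FAIL: the reporter's situation in this thread
report chain_ok stray           # FAIL: not issued by the installed CA
```

Run it as `sh check-cert.sh`; to check a real deployment, point `chain_ok` at the CA file you installed on the phone and at the certificate PhotoPrism actually serves (for example saved from the browser), and pass the exact hostname or IP from the Library root URL to `name_ok`.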

@Radiokot Radiokot removed the bug Something isn't working label Feb 24, 2024
@FlorentBrianFoxcorner
Author

Thank you very much Oleg, my subject's Common Name indeed had a typo!
Lesson learned: Even if browsers do not complain, the TLS certificate may be wrong.

@djk314

djk314 commented Dec 3, 2024

2FA with Cloudflare has a problem too; I can't log in with it. When I use a Google account, it says it's not secure....

@Radiokot
Owner

Radiokot commented Dec 3, 2024

@djk314 try getting a proper certificate, like through LetsEncrypt

@djk314

djk314 commented Dec 3, 2024

Cloudflare Access has a proper certificate, but the app uses a browser to log in that does not use HTTPS; when you try to log in with Google credentials it generates a security problem. I personally use a 2FA code with Cloudflare Access (I own my server) sent via mail to log in, but each time I'm disconnected from Cloudflare Access.

@Radiokot
Owner

Radiokot commented Dec 3, 2024

The app uses the provided root URL and then follows redirects in the browser. Check your configuration. You can also email me your public URL so I can identify the problem myself: [email protected]

@djk314

djk314 commented Dec 3, 2024

I will send you a screenshot of where it causes this specific problem when I'm rejected from the app, but for now I use a code each time I'm rejected from my Cloudflare Access. I think it's a Google auth problem, not Cloudflare. But it's very specific; not all people use Google 2FA + Cloudflare Access + Cloudflare Tunnel. Yeah, I know I'm security paranoid ;p but there is some personal data on my personal OMV/Docker/KVM server. Thanks for the reply, the app is cool.
