I wanted to try out the Android app for tt-rss which is hosted on a free cloud server. I do not have any domain names for the server, I just use the IP address. Previously, as I was setting up the server, I followed the instructions here so that I could use encrypted communications between my web browser (Firefox) and the server running tt-rss.
I knew next to nothing about all the options related to certificates. When I tried to load the self-signed certificate generated by the commands in the link above into my Android phone, I could not get the app to connect to tt-rss; I was getting certificate errors. After a lot of trial and error, I could get the app to talk to the server. I believe the key options that made the difference in certificate creation were 1) specifying the subject alt name (thanks to the hint from JustAMacUser), and 2) making sure the certificate has CA:TRUE set. I am sharing the settings that I used below; they could be useful to others who run into a similar issue.
This is the command I used to create the certificate on the server:
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -config trial.cnf -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
Here are the contents of the trial.cnf configuration file; you should modify the parts highlighted with <...>:
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
countryName = <FILL>
stateOrProvinceName = <FILL>
localityName = <FILL>
organizationName = <FILL>
organizationalUnitName = <FILL>
commonName = <PUT IP HERE, e.g., 1.1.1.1>
emailAddress = <FILL>
# req_ext is used for a CSR (req_extensions), v3_req for the self-signed cert (x509_extensions); both are the same here
[req_ext]
basicConstraints = CA:TRUE
subjectAltName = @alt_names
[v3_req]
basicConstraints = CA:TRUE
subjectAltName = @alt_names
# the IP must also appear here as a SAN entry, not only in commonName
[alt_names]
IP.1 = <PUT IP HERE, e.g., 1.1.1.1>
After creating the new certificate, restart Apache (if you are using a different web server, the command will differ):
sudo service apache2 restart
I then downloaded the certificate to my local computer by visiting the tt-rss server in Firefox, adding a security exception, clicking the security icon to the left of the server address, clicking More Information, then View Certificate, and finally clicking Download PEM (chain).
The certificate now needs to be converted into a format that Android understands. The following command does the conversion.
openssl x509 -inform PEM -outform DER -in <DOWNLOADED_FILENAME>.pem -out self_signed.crt
Finally, copy the certificate to your Android phone. I used adb, but any other way would be fine.
adb push self_signed.crt /storage/self/primary/Download/self_signed.crt
Now, going to Security settings, selecting Install from SD Card, and choosing self_signed.crt installs the certificate on Android (you need to have a lock screen password enabled, I believe). You can check that you have the CA certificate by going to Trusted Credentials (under Security settings) and verifying that the certificate shows up under the User tab.
Lastly, I had to grant API access to the app to get it to connect to the server.
There are probably better ways to get the self-signed certificate to work with Android; I have very little experience with such settings. There might be serious security issues with the implementation above; if so, please let me know.
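The following is an added example, not code from the post above or from the tt-rss project. It shows the variant a security engineer would usually prefer over installing the web server's own CA:TRUE certificate on the phone: a tiny private CA whose key stays off the web server, and a leaf server certificate with CA:FALSE and the IP address in the SAN. Android only needs the CA certificate (ca.der) under Trusted Credentials, so the key that actually lives on the web server (server.key) cannot be used to mint certificates for other sites if it is ever stolen. The IP 203.0.113.10 (a documentation address) and the file names are assumptions; everything else uses only openssl req/x509/verify with config files, the same tools the post uses.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl is installed.
# SERVER_IP is an assumed placeholder; override it with the real address.
SERVER_IP="${SERVER_IP:-203.0.113.10}"

# make_certs DIR: creates ca.key/ca.crt (private CA, CA:TRUE) and
# server.key/server.crt (leaf, CA:FALSE, IP SAN) in DIR, plus ca.der for Android.
make_certs() {
    dir="$1"
    mkdir -p "$dir"

    # 1) Private CA. ca.key must never be copied to the web server.
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
commonName = tt-rss local CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # 2) Server key and CSR. The IP goes into the SAN; that is what clients match on.
    cat > "$dir/server.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
commonName = $SERVER_IP
[v3_req]
subjectAltName = IP:$SERVER_IP
EOF
    openssl req -nodes -newkey rsa:2048 -config "$dir/server.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null

    # 3) Leaf certificate signed by the CA. CA:FALSE: this key can only serve TLS.
    cat > "$dir/leaf.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$SERVER_IP
EOF
    openssl x509 -req -days 825 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/leaf.ext" -out "$dir/server.crt" 2>/dev/null

    # 4) DER copy of the CA cert only; this is the file to push to the phone.
    openssl x509 -inform PEM -outform DER -in "$dir/ca.crt" -out "$dir/ca.der"
}

# verify_chain DIR: returns 0 if server.crt chains to ca.crt, carries the IP SAN
# and is not itself a CA; otherwise returns 1.
verify_chain() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    leaf_text=$(openssl x509 -in "$dir/server.crt" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$leaf_text" | grep -q "IP Address:$SERVER_IP" || return 1
    # the server certificate must not be able to issue certificates
    ! printf '%s\n' "$leaf_text" | grep -q "CA:TRUE"
}

# Usage: sh thisfile.sh run   (writes into ./tt-rss-pki and checks the chain)
if [ "${1:-}" = "run" ]; then
    make_certs ./tt-rss-pki
    verify_chain ./tt-rss-pki && echo "chain OK: push tt-rss-pki/ca.der to the phone"
fi
```

With this layout, Apache gets server.crt and server.key (the SSLCertificateFile and SSLCertificateKeyFile), and the phone gets only ca.der via the same "Install from SD Card" path the post describes. Rotating or replacing the server certificate later means issuing a new leaf from the same CA; the phone does not need to be touched again.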