Rocket.chat on Android with self-signed CA

Time:11-11

I'm working on getting Rocket.chat deployed on a ship, and it's very likely production will be done with a self-signed CA. I've been having a (big) fight trying to get this working on my Android phone, haven't had a chance to try iOS yet.

Here is the script I'm using to generate my CA and certs.

######################
# Become a Certificate Authority
######################
# Generate private key (-des3 encrypts it: you are prompted for a passphrase here and again at every signing step)
openssl genrsa -des3 -out myCA.key 2048
# Generate root certificate. No -config/-extensions are given, so the root's
# X.509v3 extensions are whatever the default openssl.cnf applies to a self-signed cert.
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 825 -out myCA.pem

######################
# Create CA-signed certs
######################
NAME=rocketchat # Use your own domain name
# Generate a private key
openssl genrsa -out $NAME.key 2048
# Create a certificate-signing request
openssl req -new -key $NAME.key -out $NAME.csr
# Create a config file for the extensions.
# Be sure to include the domain name in subjectAltName: Common Name by itself is not commonly honoured.
cat >$NAME.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $NAME
EOF
# Create the signed certificate
openssl x509 -req -in $NAME.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out $NAME.crt -days 825 -sha256 -extfile $NAME.ext

nginx config has the following lines:

   ssl_certificate /etc/nginx/certs/rocketchat.crt;
   ssl_certificate_key /etc/nginx/certs/rocketchat.key;

I installed myCA.pem as a trusted authority on my dev machine and it's happy with the security.


I converted the PEM to DER

openssl x509 -inform PEM -outform DER -in myCA.pem -out CA.crt

and installed CA.crt as a trusted authority on my phone (Android), but Chrome on the phone throws

NET::ERR_CERT_AUTHORITY_INVALID 

and the Rocket.Chat app throws

java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

What I'm really trying to find out is whether someone has deployed and used the Rocket.Chat app with a fully self-signed CA and cert on Android, and what process they used to generate the CA, because I've tried many, many permutations of things that I've found on Google, and none seem to be doing the job. SSL for Android is well outside of my experience.

Thank you for your time.

CodePudding user response:

Got there eventually using a CA I generated following these guys: http://ampledata.org/custom_ca_android.html

It's possible the difference was in this

# custom_ca.pk.pem is the CA private key, created in an earlier step.
# <(...) is bash process substitution; the heredoc must be closed by an unindented EOF line.
$ openssl req -x509 -new -sha384 -days 30 -nodes \
    -key custom_ca.pk.pem -out custom_ca.cert.pem \
    -subj "/O=Custom CA" \
    -extensions ext \
    -config <(cat <<EOF
[req]
distinguished_name=dn
[dn]
[ext]
basicConstraints=CA:TRUE,pathlen:0
EOF
)

But last time I tried basicConstraints=CA:True it broke on both Android and Windows/Chrome.

Now I just need to figure out what tweaks to make iOS accept it...
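The following is an added example that combines the question's CA-plus-server-cert script with the answer's fix; it is not the original poster's script and not code from Rocket.Chat or the linked guide. It spells out the root's X.509v3 extensions explicitly (basicConstraints CA:TRUE, keyCertSign) instead of relying on the default openssl.cnf, signs a leaf with a subjectAltName, writes the DER copy of the root for import on the phone, and then checks the result the way a client would before trusting it. The organisation name "Ship LAN", the hostname rocketchat, the file names and the PKI_OUT/PKI_NAME variables are assumptions.

```shell
#!/bin/sh
# Added example (not the poster's or Rocket.Chat's code): private CA with
# explicit CA extensions, a SAN-bearing leaf cert, and a client-style check.
# Names (O=Ship LAN, hostname rocketchat, file names) are assumptions.
set -eu

# build_pki DIR NAME
#   writes DIR/ca.key, DIR/ca.pem, DIR/ca.der (root, DER form for Android import),
#   DIR/NAME.key and DIR/NAME.crt (what nginx's ssl_certificate_key/ssl_certificate point at)
build_pki() {
  dir=$1
  name=$2
  mkdir -p "$dir"

  # Root CA config. The [v3_ca] section is what the question's script left to
  # the default openssl.cnf; here it is explicit so the root is unambiguously
  # a CA certificate wherever it is imported.
  cat >"$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -sha256 -days 825 \
    -key "$dir/ca.key" -out "$dir/ca.pem" \
    -subj "/O=Ship LAN/CN=Ship LAN Root CA" \
    -config "$dir/ca.cnf" -extensions v3_ca
  # DER copy of the root: the form the phone's certificate installer takes
  openssl x509 -inform PEM -in "$dir/ca.pem" -outform DER -out "$dir/ca.der"

  # Leaf (server) certificate: CSR, then sign with the CA and attach the SAN.
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
    -subj "/O=Ship LAN/CN=$name"
  cat >"$dir/$name.ext" <<EOF
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$name
EOF
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$dir/$name.ext" \
    -out "$dir/$name.crt" 2>/dev/null
}

# check_pki DIR NAME: succeed only if the root says CA:TRUE, the DER copy parses,
# the leaf carries the expected SAN, and the chain verifies for that hostname
# (the same checks a browser or app performs before accepting the server).
check_pki() {
  dir=$1
  name=$2
  openssl x509 -in "$dir/ca.pem" -noout -text | grep -q 'CA:TRUE' &&
  openssl x509 -inform DER -in "$dir/ca.der" -noout -subject >/dev/null 2>&1 &&
  openssl x509 -in "$dir/$name.crt" -noout -text | grep -q "DNS:$name" &&
  openssl verify -CAfile "$dir/ca.pem" -verify_hostname "$name" \
    "$dir/$name.crt" >/dev/null 2>&1
}

# Stand-alone use: PKI_OUT=./pki PKI_NAME=rocketchat sh make_pki.sh
if [ -n "${PKI_OUT:-}" ]; then
  build_pki "$PKI_OUT" "${PKI_NAME:-rocketchat}"
  check_pki "$PKI_OUT" "${PKI_NAME:-rocketchat}" && echo "chain OK for ${PKI_NAME:-rocketchat}"
fi
```

Two caveats for the Android side. Android's certificate installer only accepts a root that actually asserts basicConstraints CA:TRUE, which is why spelling the extension out (as the answer does) matters more there than on a desktop. And from Android 7 onward an app only trusts user-installed CAs if its own network security configuration opts in, so a root that Chrome on the phone accepts can still be rejected by an app with "Trust anchor for certification path not found"; that check happens in the app, not in the CA you generate.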
