[GH-ISSUE #87] Recognize imported ca certs in android #72

Closed
opened 2026-05-07 00:19:31 +02:00 by BreizhHardware · 7 comments

Originally created by @ki9us on GitHub (Jan 6, 2022).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/87

Feature request for the android app. I'm self hosting my ntfy instance and want to use my self-signed cert. The custom CA cert is imported in my Android OS... some apps recognize it and some don't. I request that ntfy trusts these user-imported CAs. I imagine they are easily accessible from the android SDK and/or your HTTP request library.


@ki9us commented on GitHub (Jan 6, 2022):

The errors I get with my server are like this:

```
java.security.cert.CertPathValidatorExecption: Trust anchor for certificate path not found.
```

@ki9us commented on GitHub (Jan 6, 2022):

I looked into it...

> By default, secure connections (using protocols like TLS and HTTPS) from all apps trust the pre-installed system CAs, and apps targeting Android 6.0 (API level 23) and lower also trust the user-added CA store by default.

https://developer.android.com/training/articles/security-config#CustomTrust

So I guess user-added CA certs are not trusted by default anymore. Seems like you can re-trust them by creating this `network_security_config.xml` file and referencing it in your manifest.

```xml
<?xml version="1.0" encoding="UTF-8" ?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="user"/>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>
</network-security-config>
```

According to https://stackoverflow.com/a/60102517/3006854

I'd be happy to test this fix on my custom CA certs but I don't have all the android build tools and don't want to install them (I know it's a heavy environment). However, if you send me an `.apk` I will test it for you.

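The config above trusts user-installed CAs for every host the app talks to. As an added example (not ntfy's code, and the config and host names in it are constructed), the helper below parses a network security config and reports which trust-anchor sources Android would apply to a given host, so you can confirm that a user CA is scoped to the self-hosted server through a `domain-config` and that it is not sitting only in `debug-overrides`, where release builds ignore it.

```python
import xml.etree.ElementTree as ET

# Constructed config (not ntfy's): base-config keeps the platform default
# (system CAs only), one domain-config trusts user-installed CAs just for the
# self-hosted server, and debug-overrides only apply to debuggable builds.
NSC_XML = """<?xml version="1.0" encoding="UTF-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">ntfy.example.internal</domain>
    <trust-anchors>
      <certificates src="user"/>
      <certificates src="system"/>
    </trust-anchors>
  </domain-config>
  <debug-overrides>
    <trust-anchors><certificates src="user"/></trust-anchors>
  </debug-overrides>
</network-security-config>"""

def _matches(host, dom):
    name = dom.text.strip().lower()
    return host == name or (dom.get("includeSubdomains") == "true"
                            and host.endswith("." + name))

def _anchors(cfg):
    if cfg is None:
        return set()
    return {c.get("src") for c in cfg.findall("trust-anchors/certificates")}

def trust_for_host(xml_text, host, debuggable=False):
    """Trust-anchor sources for host: most specific matching domain-config
    wins, one without trust-anchors inherits base-config, none at all means
    the API 24+ default (system CAs only). debug-overrides count only for
    debuggable builds, so a user CA placed only there is ignored in release."""
    root = ET.fromstring(xml_text)
    host = host.lower()
    best, best_len = None, -1
    for dc in root.findall("domain-config"):
        for dom in dc.findall("domain"):
            if _matches(host, dom) and len(dom.text.strip()) > best_len:
                best, best_len = dc, len(dom.text.strip())
    anchors = _anchors(best) or _anchors(root.find("base-config")) or {"system"}
    if debuggable:
        for dbg in root.findall("debug-overrides"):
            anchors |= _anchors(dbg)
    return anchors
```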

@binwiederhier commented on GitHub (Jan 6, 2022):

Tested with a self-signed CA and certs in the emulator: github.com/binwiederhier/ntfy-android@54dd90d415

It was quite difficult to generate all of those, but it works. The one thing to note is that it didn't work with an internal IP address. It had to be a hostname. I used 10.0.2.2.nip.io which resolves to 10.0.2.2 for testing, but in your setup, you probably should have a real DNS server.

I'm closing this. It'll be in the next release, which will be a week or so I think. Until then you can probably use HTTP :-D

Thank you for reporting this and thanks for pointing me in the right direction!!


@ki9us commented on GitHub (Jan 6, 2022):

You mean... you couldn't get the cert to work with an ip, even if you set it in the server certificate's Subject Alternative Names? Something like:

```
...
[SAN]
subjectAltName=DNS:mydomain.tld,IP:10.0.2.2
```

In the CSR should allow a self-signed cert to work for both `https://mydomain.tld` and `https://10.0.2.2`. I have domain-/hostnames so it doesn't affect me, but I feel like it _should_ work.

If the android sdk doesn't support it, however, what can you do? 🤷


@binwiederhier commented on GitHub (Jan 6, 2022):

Ohhhh there is an IP: field. Yeah i didn't do that. I mean it should work. If you want I can build you an APK and you can try it.


@ki9us commented on GitHub (Jan 6, 2022):

Nah. If `DNS:` works, `IP:` should also work. Or else it's android's fault anyway.


@ki9us commented on GitHub (Jan 23, 2022):

Working in v1.6.0
