Seedvault Backup + WebDAV share + self-signed certificate: SSLHandshakeException

mushix99

Hi,
was happy to see, Seedvault Backup has an option to do backups on a remote WebDAV backup location (labeled beta).
But pointing it to a WebDAV server with self-signed HTTPS certificate - like Nextcloud - lead to

WebDavHandler: java.net.ssl.SSLHandshakeException:
java.security.cert.CertPathValidatorException: Trust anchor for certfication path not found.

Is this error caused by GrapheneOS/Android security system - or specifically Seedvault Backup app, which is unable to do provide a confirm dialog for trusting self-signed certificates?

And assuming, threat model permits sef-signed certificates: is there any workaround to allow this connection - or do I need to bite the bullet and create a local CA and import it in an Android Trust manager (not confident about it yet, just what I've read)

Thanks for any infos.

n3t_admin

mushix99 Maybe I'm confused, but what is your current setup? Meaning, how did you create the self signed cert and what did you do on your GrapheneOS device with it?

TrustExecutor

mushix99 You will probably need to create your own CA and import root and intermediate certs into Android's Trust Store.

There is a neat application called step-ca that can generate short lived certificates for your local services. If you use step-ca and install it on Alpine linux from the community repositoriy then you can store the keys on a yubikey.

Or you can just use a Let's encrypt certificate.

secrec

mushix99 And assuming, threat model permits sef-signed certificates: is there any workaround to allow this connection - or do I need to bite the bullet and create a local CA and import it in an Android Trust manager (not confident about it yet, just what I've read)

A local CA imported into Android is certainly a viable solution currently. An alternative workaround also exists, which is to use a proper signed certificate, which CAN be applied to only locally accessible addresses without the need to have a public facing http server. What you need for this is a domain name. You can get a free domain name from various places like freenom. Then get yourself a wildcard certificate from letsencrypt to apply to your local server. Finally, set up your local DNS to catch that domain name and direct it to your local IP address.

mushix99

n3t_admin mushix99 Maybe I'm confused, but what is your current setup? Meaning, how did you create the self signed cert and what did you do on your GrapheneOS device with it?

Current setup is a bare HTTPS server accessible on LAN only + pre-generated certificates, as provided by solutions like Apache or Caddy. I don't intend to use a public domain for this server - just sleeping well with added layer of encryption, so credentials don't travel in plaintext over the wire.

TrustExecutor mushix99 You will probably need to create your own CA and import root and intermediate certs into Android's Trust Store.

Thanks for your answer (also for the tipp with step-ca), this is what I suspected.

Am I correct, that the inability to use self-signed certificates is rather related to Seedvault Backup app than GrapheneOS and should be reported in former issue tracker? Thinking about it, I already had apps on GOS, which needed a confirmation popup for self-signed certificates, but then worked well.

GrapheneOS

Android apps on modern Android ignore non-system roots by default. The next release of the OS will likely include a Seedvault update which added support for non-system roots, although we're uneasy about that being expanded to more components.

mushix99

GrapheneOS Thank you very much for this info and your work, good to know!

mushix99

GrapheneOS So if I understood you, a self-signed certificate won't work right now due to inability to import CAs on non-rooted devices.

Good news is, that DAVx5 or Nextcloud backup locations can be used as workaround (requires third-party app for now; native WebDAV mount would be awesome).

apormakiso

FWIW I have a self-signed cert working (trusted) by self-hosted Vaultwarden (Bitwarden) instance, after importing my root CA directly into the device (after all the warnings).

bumbum1212

So I'm having a similar issue. Here's my WebDav setup

GraphenOS >> TailScale IP >> NAS with Authenticated WebDav Enabled on Single Folder

It's my server that's NOT publicly facing, I can only get to it remotely through TailScale so I have absolutely no need for a public domain/proper cert. I got around the handshake exception but adding my self-signed cert to GrapheneOS but now I'm getting an SSLPeerUnverifiedException (likely cause the cert is self-signed). Happy to use an SMB Share as well.

Some of us self-hosting folks would prefer to go this route than deal with a paid app or third party.

bumbum1212

secrec Installing a local CA did not work for me, I went from receiving an SSLHandshakeException to SSLPeerUnverifiedException. I do like your work around with using a proper free domain and certificate. I'll try it when I have time and follow-up.

bumbum1212

@secrec Your recommendations worked. My setup is also kind of weird because I'm experimented with the best ways to do this. I have a NAS I access through TailScale, it's in another location. To write a backup directly to my I have a WebDav server pointing to a mapped drive on the NAS used only for backups.

Phone >> WebDav on Windows11 >> Mapped NAS Drive (TailScale)

Here's what I did

Took a domain I already have and used LetsEncrypt to generate a certificate
Setup a webdav server using wsgidav in Python (couldn't get Caddy to work on Windows with a WebDav module)
WebDav server is NOT authenticated (auth kept breaking, and this is local anyway and will be run sporadically so who cares)
Created a DNS entry on my local router domainname.com >> 10.x.x.x

This got passed any SSL errors and now I'm able to backup GrapheOS to my NAS