Private Certificates Not Working Android 7.0 Nougat

  • developer

    @Bernd said in Private Certificates Not Working Android 7.0 Nougat:

    Ok, I’ve been using Davdroid with a self signed certificate that was imported by CADroid. Everything worked well up to the upgrade to Nougat.

    I see. According to Android 7.0: Network Security Configuration, user-installed CAs are not trusted anymore by default.

    Davdroid shows a screen that the certificate was issued by an unknown CA if it starts to sync. In the window (that covers ca. 3/4 of the screen) it shows the certificate details. Davdroid asks if it should trust the certificate. It gives the options “cancel”, “once” or “always”. Answering “always” makes it vanish.

    Did this screen show up before Android 7, too? As far as I understand it, it should not have appeared before, if you have installed the CA system-wide.

    It always shows up twice, I suppose for calendar and contacts. I have one calendar and one addressbook to sync with a Baikal server.

    (A known problem, which is going to be fixed soon.)

    Android’s account settings show that there are synchronisation problems in the davdroid account. Last sync is from the day when I upgraded.

    Can you refresh the collection list in DAVdroid? When the popup shows up, it should work then.

    I don’t have the problem with my phone that runs Marshmallow. So I also think it comes from Android’s new policy of handling certificates.

    I guess it’s a combination of MemorizingTrustManager problems plus the Android 7 changes, but I’d like to verify that.

    Can you try to

    1. terminate DAVdroid in the task manager,
    2. launch DAVdroid, go into an account, “Refresh CalDAV/CardDAV collections”
    3. if a popup appears, “always accept”
    4. terminate DAVdroid again
    5. launch it again, go into this account, synchronize?

  • It hasn’t shown up with Android 6.

    But your 5 steps helped. It syncs again 🙂

    I’ll keep an eye on it …

  • The app MUST be updated

    To allow use of user certificate authorities (a CA certificate not from Verisign or such) the app must allow in its security settings that user CAs can be used, and there are lots of settings around that.

    The link that I posted in the initial OP provides an overview of what needs to be done.

    No DAVDroid to date has those settings, so for Android 7.0 only trusted certificates can be used, i.e. letsencrypt.

    Please, compile it in already. It can be tested in the AVD emulator.
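The opt-in described in the post above is declared in the app's Network Security Configuration. The file below is an added example, not part of the thread and not DAVdroid's own configuration; the file name and the host `dav.example.org` are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (file name is an assumption).
     Referenced from AndroidManifest.xml with:
       <application android:networkSecurityConfig="@xml/network_security_config" ...>
-->
<network-security-config>
    <!-- Applies to every connection the app makes. For apps targeting
         API 24 and later the default is system CAs only; listing
         src="user" restores trust in CAs the user installed through
         the Android security settings. -->
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>

    <!-- Narrower alternative for an app that talks to one known host:
         keep base-config at src="system" only and scope the user CA
         opt-in to that host. dav.example.org is a constructed name.

    <domain-config>
        <domain includeSubdomains="false">dav.example.org</domain>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </domain-config>
    -->
</network-security-config>
```

A client whose server address is entered by the user cannot list its hosts in advance, so it has to place the opt-in in `base-config`, which extends user-CA trust to every connection the app makes.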

  • So if your DAV server (nginx or such) has a self-signed CA certificate, certificate and private key produced in your dorm room with easy-rsa or openssl

    and the CA certificate is added to Android settings, security, install from storage

    it appears in Android settings, user credentials

    The alternative:
    a trusted certificate you get from someone like letsencrypt, and it works based on the domain name in it and that it is signed by a trusted authority appearing in Android settings, security, trusted credentials, system. Because the certificate is presented by the IP the domain resolves to, there is a chain of trust.

    Because Google wants trusted credentials that are less hackable, the app needs to explicitly allow dorm room CA certificates. Man-in-the-middle attacks on corporate services apps like Gmail are now much harder. The user can no longer by stupidity ignore certificate warnings and connect to impersonation sites. If the app provider says only trusted, that’s the way it’s gonna be.

  • The popup to connect to an untrusted CA certificate site still appears and you can say ignore

    However, an exception is thrown when DAVDroid actually tries to connect: Trust anchor for certification path not found.

  • Article about the problem

    A root user certificate can see all traffic, replace ads on your https pages and the like

  • developer

    Could you please check with DAVdroid 1.3? Both problems (user-installed CAs not trusted by default and the non-working process of accepting custom certificates) should have been solved.

  • I’ve got the app from F-Droid, there is no update yet.

  • developer

    @Bernd Please check as soon as they have compiled it.

  • F-Droid claimed they build every 24 h. Since that did not happen, there seems to be some manual action required on their part.

    1.3 was published 160902 at 10:22Z, some 37 hours ago.

  • DAVDroid 1.3-ose is now available from and it works for Android 7.0 Nougat

  • Still got synchronization errors after the upgrade. I recreated the account and everything works now.
    Thanks for the support!
