DAVdroid fails every time letsencrypt refreshes the certificate



  • My scenario is a nextcloud 10.0.1 with an SSL certificate created by https://letsencrypt.org.
    DAVdroid happily connects to it and syncs contacts and calendar.
    But every time the SSL certificate is refreshed (every ~30 days) it stops syncing without an error message. My current workaround is to delete the DAVdroid sync-account and recreate it.


  • admin

    We can only help you when you can provide debug info and debug logs. You can create them from the DAVdroid settings menu.



  • I would, but that file contains information like URL, user name, email address etc. that I do not want to post publicly. Is the logfile still any help if I anonymize it?



  • Here it is (anonymized). I can privately provide the domain if there is a way to do so.

    2017-06-20 21:37:55 0 [cert4android.CustomCertManager$1] Connected to service
    2017-06-20 21:37:55 1 [syncadapter.SyncAdapterService$SyncAdapter] at.bitfire.davdroid.addressbooks sync of Account {name=dummy@email.com, type=bitfire.at.davdroid} has been initiated.
    PARAMETER #1 = ignore_settings
    PARAMETER #2 = force
    PARAMETER #3 = expedited
    PARAMETER #4 = ignore_backoff
    2017-06-20 21:37:55 1 [AccountSettings] Account dummy@email.com has version 6, current version: 6
    2017-06-20 21:37:55 1 [syncadapter.AddressBooksSyncAdapterService$AddressBooksSyncAdapter] Running sync for address book
    PARAMETER #1 = Account {name=Contacts (dummy@email.com kQ), type=at.bitfire.davdroid.address_book}
    2017-06-20 21:37:55 1 [syncadapter.AddressBooksSyncAdapterService$AddressBooksSyncAdapter] Address book sync complete
    2017-06-20 21:37:55 1 [syncadapter.SyncAdapterService$SyncAdapter] Sync for at.bitfire.davdroid.addressbooks complete
    2017-06-20 21:37:55 2 [syncadapter.SyncAdapterService$SyncAdapter] com.android.contacts sync of Account {name=Contacts (dummy@email.com kQ), type=at.bitfire.davdroid.address_book} has been initiated.
    PARAMETER #1 = ignore_settings
    PARAMETER #2 = force
    PARAMETER #3 = expedited
    PARAMETER #4 = ignore_backoff
    2017-06-20 21:37:55 2 [AccountSettings] Account dummy@email.com has version 6, current version: 6
    2017-06-20 21:37:55 2 [syncadapter.ContactsSyncAdapterService$ContactsSyncAdapter] Synchronizing address book: https://nextcloud10.mydomain.com/remote.php/dav/addressbooks/users/dummy.user/contacts/
    2017-06-20 21:37:55 2 [syncadapter.ContactsSyncAdapterService$ContactsSyncAdapter] Taking settings from: Account {name=dummy@email.com, type=bitfire.at.davdroid}
    2017-06-20 21:37:55 2 [syncadapter.SyncManager] Preparing synchronization
    2017-06-20 21:37:56 2 [syncadapter.SyncManager] Querying capabilities
    2017-06-20 21:37:56 2 [HttpClient$1] --> PROPFIND https://nextcloud10.mydomain.com/remote.php/dav/addressbooks/users/dummy.user/contacts/ http/1.1
    2017-06-20 21:37:56 2 [HttpClient$1] Content-Type: application/xml; charset=utf-8
    2017-06-20 21:37:56 2 [HttpClient$1] Content-Length: 258
    2017-06-20 21:37:56 2 [HttpClient$1] Depth: 0
    2017-06-20 21:37:56 2 [HttpClient$1]
    2017-06-20 21:37:56 2 [HttpClient$1] <?xml version='1.0' encoding='UTF-8' ?><propfind xmlns="DAV:" xmlns:CAL="urn:ietf:params:xml:ns:caldav" xmlns:CARD="urn:ietf:params:xml:ns:carddav"><prop><CARD:supported-address-data /><n0:getctag xmlns:n0="http://calendarserver.org/ns/" /></prop></propfind>
    2017-06-20 21:37:56 2 [HttpClient$1] --> END PROPFIND (258-byte body)
    2017-06-20 21:37:56 3 [syncadapter.SyncAdapterService$SyncAdapter] com.android.calendar sync of Account {name=dummy@email.com, type=bitfire.at.davdroid} has been initiated.
    PARAMETER #1 = ignore_settings
    PARAMETER #2 = force
    PARAMETER #3 = expedited
    PARAMETER #4 = ignore_backoff
    2017-06-20 21:37:56 3 [AccountSettings] Account dummy@email.com has version 6, current version: 6
    2017-06-20 21:37:56 3 [syncadapter.CalendarsSyncAdapterService$SyncAdapter] Updating local calendar https://nextcloud10.mydomain.com/remote.php/dav/calendars/dummy.user/defaultcalendar_shared_by_another.user/ with CollectionInfo(id=22, serviceID=6, type=null, url=https://nextcloud10.mydomain.com/remote.php/dav/calendars/dummy.user/defaultcalendar_shared_by_another.user/, readOnly=false, displayName=AnotherUser(another.user), description=AnotherUser, color=-1146130, timeZone=null, supportsVEVENT=true, supportsVTODO=true, selected=true, confirmed=false)
    2017-06-20 21:37:56 2 [cert4android.CustomCertManager] Certificate not trusted by system
    2017-06-20 21:37:56 2 [cert4android.CustomCertManager] Querying custom certificate trustworthiness
    2017-06-20 21:37:56 3 [syncadapter.CalendarsSyncAdapterService$SyncAdapter] Updating local calendar https://nextcloud10.mydomain.com/remote.php/dav/calendars/dummy.user/privat/ with CollectionInfo(id=24, serviceID=6, type=null, url=https://nextcloud10.mydomain.com/remote.php/dav/calendars/dummy.user/privat/, readOnly=false, displayName=MyUserName, description=MyUserName, color=-6306073, timeZone=null, supportsVEVENT=true, supportsVTODO=true, selected=true, confirmed=false)
    2017-06-20 21:37:56 3 [syncadapter.CalendarsSyncAdapterService$SyncAdapter] Synchronizing calendar #4, URL: https://nextcloud10.mydomain.com/remote.php/dav/calendars/dummy.user/defaultcalendar_shared_by_another.user/
    2017-06-20 21:37:56 3 [syncadapter.SyncManager] Preparing synchronization
    2017-06-20 21:37:56 3 [syncadapter.SyncManager] Querying capabilities
    2017-06-20 21:37:56 3 [HttpClient$1] --> PROPFIND https://nextcloud10.mydomain.com/remote.php/dav/calendars/dummy.user/defaultcalendar_shared_by_another.user/ http/1.1
    2017-06-20 21:37:56 3 [HttpClient$1] Content-Type: application/xml; charset=utf-8
    2017-06-20 21:37:56 3 [HttpClient$1] Content-Length: 227
    2017-06-20 21:37:56 3 [HttpClient$1] Depth: 0
    2017-06-20 21:37:56 3 [HttpClient$1]
    2017-06-20 21:37:56 3 [HttpClient$1] <?xml version='1.0' encoding='UTF-8' ?><propfind xmlns="DAV:" xmlns:CAL="urn:ietf:params:xml:ns:caldav" xmlns:CARD="urn:ietf:params:xml:ns:carddav"><prop><n0:getctag xmlns:n0="http://calendarserver.org/ns/" /></prop></propfind>
    2017-06-20 21:37:56 3 [HttpClient$1] --> END PROPFIND (227-byte body)
    2017-06-20 21:37:56 3 [cert4android.CustomCertManager] Certificate not trusted by system
    2017-06-20 21:37:56 3 [cert4android.CustomCertManager] Querying custom certificate trustworthiness
    2017-06-20 21:44:55 3 [HttpClient$1] <-- HTTP FAILED: javax.net.ssl.SSLHandshakeException: Timeout when waiting for certificate trustworthiness decision
    2017-06-20 21:44:55 3 [syncadapter.SyncManager] I/O exception during sync, trying again later
    EXCEPTION javax.net.ssl.SSLHandshakeException: Timeout when waiting for certificate trustworthiness decision
    at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357)
    at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:281)
    at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:251)
    at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:151)
    at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:192)
    at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:121)
    at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:100)
    at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:120)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.java:211)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:185)
    at okhttp3.RealCall.execute(RealCall.java:69)
    at at.bitfire.dav4android.DavResource.propfind(DavResource.kt:264)
    at at.bitfire.davdroid.syncadapter.CalendarSyncManager.queryCapabilities(CalendarSyncManager.java:90)
    at at.bitfire.davdroid.syncadapter.SyncManager.performSync(SyncManager.java:141)
    at at.bitfire.davdroid.syncadapter.CalendarsSyncAdapterService$SyncAdapter.sync(CalendarsSyncAdapterService.java:68)
    at at.bitfire.davdroid.syncadapter.SyncAdapterService$SyncAdapter.onPerformSync(SyncAdapterService.java:85)
    at android.content.AbstractThreadedSyncAdapter$SyncThread.run(AbstractThreadedSyncAdapter.java:272)
    Caused by: java.security.cert.CertificateException: Timeout when waiting for certificate trustworthiness decision
    at at.bitfire.cert4android.CustomCertManager.checkCustomTrusted$cert4android_release(CustomCertManager.kt:222)
    at at.bitfire.cert4android.CustomCertManager.checkServerTrusted(CustomCertManager.kt:163)
    at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:117)
    at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:643)
    at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
    at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:353)
    ... 28 more

    2017-06-20 21:44:55 3 [syncadapter.CalendarsSyncAdapterService$SyncAdapter] Synchronizing calendar #5, URL: https://nextcloud10.mydomain.com/remote.php/dav/calendars/dummy.user/privat/
    2017-06-20 21:44:55 3 [syncadapter.SyncManager] Preparing synchronization
    2017-06-20 21:44:55 3 [syncadapter.SyncManager] Querying capabilities
    2017-06-20 21:44:55 3 [HttpClient$1] --> PROPFIND https://nextcloud10.mydomain.com/remote.php/dav/calendars/dummy.user/privat/ http/1.1
    2017-06-20 21:44:55 3 [HttpClient$1] Content-Type: application/xml; charset=utf-8
    2017-06-20 21:44:55 3 [HttpClient$1] Content-Length: 227
    2017-06-20 21:44:55 3 [HttpClient$1] Depth: 0
    2017-06-20 21:44:55 3 [HttpClient$1]
    2017-06-20 21:44:55 3 [HttpClient$1] <?xml version='1.0' encoding='UTF-8' ?><propfind xmlns="DAV:" xmlns:CAL="urn:ietf:params:xml:ns:caldav" xmlns:CARD="urn:ietf:params:xml:ns:carddav"><prop><n0:getctag xmlns:n0="http://calendarserver.org/ns/" /></prop></propfind>
    2017-06-20 21:44:55 3 [HttpClient$1] --> END PROPFIND (227-byte body)
    2017-06-20 21:44:55 3 [cert4android.CustomCertManager] Certificate not trusted by system
    2017-06-20 21:44:55 3 [cert4android.CustomCertManager] Querying custom certificate trustworthiness
    2017-06-20 21:44:56 2 [HttpClient$1] <-- HTTP FAILED: javax.net.ssl.SSLHandshakeException: Timeout when waiting for certificate trustworthiness decision
    2017-06-20 21:44:56 2 [syncadapter.SyncManager] I/O exception during sync, trying again later
    EXCEPTION javax.net.ssl.SSLHandshakeException: Timeout when waiting for certificate trustworthiness decision
    at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357)
    at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:281)
    at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:251)
    at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:151)
    at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:192)
    at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:121)
    at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:100)
    at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:120)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.java:211)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:185)
    at okhttp3.RealCall.execute(RealCall.java:69)
    at at.bitfire.dav4android.DavResource.propfind(DavResource.kt:264)
    at at.bitfire.davdroid.syncadapter.ContactsSyncManager.queryCapabilities(ContactsSyncManager.java:172)
    at at.bitfire.davdroid.syncadapter.SyncManager.performSync(SyncManager.java:141)
    at at.bitfire.davdroid.syncadapter.ContactsSyncAdapterService$ContactsSyncAdapter.sync(ContactsSyncAdapterService.java:68)
    at at.bitfire.davdroid.syncadapter.SyncAdapterService$SyncAdapter.onPerformSync(SyncAdapterService.java:85)
    at android.content.AbstractThreadedSyncAdapter$SyncThread.run(AbstractThreadedSyncAdapter.java:272)
    Caused by: java.security.cert.CertificateException: Timeout when waiting for certificate trustworthiness decision
    at at.bitfire.cert4android.CustomCertManager.checkCustomTrusted$cert4android_release(CustomCertManager.kt:222)
    at at.bitfire.cert4android.CustomCertManager.checkServerTrusted(CustomCertManager.kt:163)
    at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:117)
    at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:643)
    at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
    at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:353)
    ... 28 more

    2017-06-20 21:44:56 2 [syncadapter.ContactsSyncAdapterService$ContactsSyncAdapter] Contacts sync complete
    2017-06-20 21:44:56 2 [syncadapter.SyncAdapterService$SyncAdapter] Sync for com.android.contacts complete
    2017-06-20 21:46:30 4 [syncadapter.SyncAdapterService$SyncAdapter] com.android.contacts sync of Account {name=Contacts (dummy@email.com kQ), type=at.bitfire.davdroid.address_book} has been initiated.
    2017-06-20 21:46:30 4 [AccountSettings] Account dummy@email.com has version 6, current version: 6
    2017-06-20 21:46:30 4 [syncadapter.ContactsSyncAdapterService$ContactsSyncAdapter] Synchronizing address book: https://nextcloud10.mydomain.com/remote.php/dav/addressbooks/users/dummy.user/contacts/
    2017-06-20 21:46:30 4 [syncadapter.ContactsSyncAdapterService$ContactsSyncAdapter] Taking settings from: Account {name=dummy@email.com, type=bitfire.at.davdroid}
    2017-06-20 21:46:30 4 [syncadapter.SyncManager] Preparing synchronization
    2017-06-20 21:46:30 4 [syncadapter.SyncManager] Querying capabilities
    2017-06-20 21:46:30 4 [HttpClient$1] --> PROPFIND https://nextcloud10.mydomain.com/remote.php/dav/addressbooks/users/dummy.user/contacts/ http/1.1
    2017-06-20 21:46:30 4 [HttpClient$1] Content-Type: application/xml; charset=utf-8
    2017-06-20 21:46:30 4 [HttpClient$1] Content-Length: 258
    2017-06-20 21:46:30 4 [HttpClient$1] Depth: 0
    2017-06-20 21:46:30 4 [HttpClient$1]
    2017-06-20 21:46:30 4 [HttpClient$1] <?xml version='1.0' encoding='UTF-8' ?><propfind xmlns="DAV:" xmlns:CAL="urn:ietf:params:xml:ns:caldav" xmlns:CARD="urn:ietf:params:xml:ns:carddav"><prop><CARD:supported-address-data /><n0:getctag xmlns:n0="http://calendarserver.org/ns/" /></prop></propfind>
    2017-06-20 21:46:30 4 [HttpClient$1] --> END PROPFIND (258-byte body)
    2017-06-20 21:46:30 4 [cert4android.CustomCertManager] Certificate not trusted by system
    2017-06-20 21:46:30 4 [cert4android.CustomCertManager] Querying custom certificate trustworthiness


  • developer

    Did you disable notifications for DAVdroid? cert4android/DAVdroid should show a notification that allows you to accept the certificate (works here, I use a LetsEncrypted-secured host too).



  • BTW, I run DAVdroid 1.6.1.1-gplay

    "Did you disable notifications for DAVdroid?" No, at least not purposely. I wouldn't know how to do that. I found a setting to "reset notifications" which didn't change anything.

    Also I found a setting to reset trusted certificates. Pressing that instantly leads to the described problem of a not working synchronization.

    You are right, when creating the account, I accepted the certificate once. But when letsencrypt refreshes the certificate, DAVdroid does not ask me again, but just keeps trying ... obviously with timeouts.

    I think there should be two action items:

    1. Please show an error message when an error (or timeout) occurs.
    2. Either ask for another certificate confirmation when letsencrypt changed it, or (even better) just accept letsencrypt certificates without user confirmation.

  • developer

    @konline said in DAVdroid fails every time letsencrypt refreshes the certificate:

    I think there should be two action items:

    1. Please show an error message when an error (or timeout) occurs.

    This is the opposite requirement to not showing error messages for temporary error conditions, as often requested. The notification should be shown, and if it's not answered within time, sync will be deferred for some time.

    2. Either ask for another certificate confirmation when letsencrypt changed it, or (even better) just accept letsencrypt certificates without user confirmation.

    LetsEncrypt certs are automatically accepted when

    • you trust system certificates in DAVdroid settings, and
    • your server is set up correctly. Do you send the correct intermediate certificates?


  • Thank you rfc2822.
    Now, I configured the webserver that runs nextcloud to also send the certificate chain file of letsencrypt. Now, DAVdroid is happy - so am I :)
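
A triage sketch for logs like the one posted earlier in this thread, added here as an example (it is not DAVdroid or cert4android code): it pairs each "Certificate not trusted by system" line with the later handshake timeout on the same sync and reports how long that sync stalled. It assumes the number after the timestamp identifies the sync run, and it uses a trimmed excerpt of the log above as sample input.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Trimmed excerpt in the format of the log posted above (hostname already anonymized there).
SAMPLE_LOG = """\
2017-06-20 21:37:56 3 [HttpClient$1] --> PROPFIND https://nextcloud10.mydomain.com/remote.php/dav/calendars/dummy.user/privat/ http/1.1
2017-06-20 21:37:56 3 [cert4android.CustomCertManager] Certificate not trusted by system
2017-06-20 21:37:56 3 [cert4android.CustomCertManager] Querying custom certificate trustworthiness
2017-06-20 21:44:55 3 [HttpClient$1] <-- HTTP FAILED: javax.net.ssl.SSLHandshakeException: Timeout when waiting for certificate trustworthiness decision
EXCEPTION javax.net.ssl.SSLHandshakeException: Timeout when waiting for certificate trustworthiness decision
2017-06-20 21:46:30 4 [HttpClient$1] --> PROPFIND https://nextcloud10.mydomain.com/remote.php/dav/addressbooks/users/dummy.user/contacts/ http/1.1
2017-06-20 21:46:30 4 [cert4android.CustomCertManager] Certificate not trusted by system
"""

# "<timestamp> <sync id> [<source>] <message>"; the sync-id meaning is an assumption.
LINE = re.compile(r"^\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+) \[([^\]]+)\] ?(.*)$")
REQUEST = re.compile(r"^--> [A-Z]+ (https://\S+)")
UNTRUSTED = "Certificate not trusted by system"
TIMEOUT = "Timeout when waiting for certificate trustworthiness decision"


def find_trust_stalls(log_text):
    """Return one dict per handshake that fell back to the custom trust prompt."""
    open_checks = {}  # sync id -> finding still waiting for an outcome
    last_host = {}    # sync id -> host of the most recent request
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # PARAMETER lines, EXCEPTION lines, stack frames, blanks
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        sync_id, source, msg = m.group(2), m.group(3), m.group(4)
        req = REQUEST.match(msg)
        if req:
            last_host[sync_id] = urlsplit(req.group(1)).hostname
        elif source.endswith("CustomCertManager") and msg == UNTRUSTED:
            finding = {"sync": sync_id, "host": last_host.get(sync_id),
                       "since": ts, "waited_s": None, "outcome": "pending"}
            open_checks[sync_id] = finding
            findings.append(finding)
        elif "HTTP FAILED" in msg and TIMEOUT in msg and sync_id in open_checks:
            finding = open_checks.pop(sync_id)
            finding["waited_s"] = int((ts - finding["since"]).total_seconds())
            finding["outcome"] = "timeout"
    return findings


if __name__ == "__main__":
    for f in find_trust_stalls(SAMPLE_LOG):
        print(f["sync"], f["host"], f["outcome"], f["waited_s"])
```

Any finding for a host with a publicly issued certificate points at the two conditions named in the developer's reply: system certificates trusted in DAVdroid settings, and the server sending the correct intermediate certificates.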

