Backend doesn't use android system ca store #121

Open
fyra opened this issue May 20, 2022 · 2 comments
Labels
bug Something isn't working

fyra commented May 20, 2022

My Piwigo instance is only accessible locally, so initially I tried setting up the server with a self-signed cert. After that didn't work (can only add CA certificates as trusted in Android), I set up a private CA and added it to the system CA store. Now my Piwigo instance works over SSL in browsers on the Android device, but the piwigo-ng app throws this error:

```
Login Fail
HandshakeException: Handshake error in client (OS error: CERTIFICATE_VERIFY_FAILED: self signed certificate in certificate chain(handshake.cc:393))
```

I even made an intermediate CA to test:

```
$ openssl s_client -connect elec.fyra:8443 -CAfile root.ca.fyra.crt
CONNECTED(00000003)
depth=2 CN = root.ca.fyra
verify return:1
depth=1 CN = intermediate.ca.fyra
verify return:1
depth=0 CN = server.fyra
verify return:1
---
Certificate chain
 0 s:CN = server.fyra
   i:CN = intermediate.ca.fyra
 1 s:CN = intermediate.ca.fyra
   i:CN = root.ca.fyra
 2 s:CN = root.ca.fyra
   i:CN = root.ca.fyra

[...]

    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
```


After a bit of searching, the underlying issue I've found is that Flutter/Dart doesn't use the Android system CA store: flutter/flutter#41781

remi-martin added the bug label May 23, 2022

remi-martin (Collaborator) commented

Hi, thanks for your workaround.
This might be related to #74.
We know there are several issues with self hosted Piwigos.

fyra commented May 23, 2022

> Hi, thanks for your workaround. This might be related to #74. We know there are several issues with self hosted Piwigos.

To be clear, my attempt at working around the issue did not pan out. At the moment I haven't been able to test the app beyond the login screen.

(Plain HTTP support would be great for local-only self-hosted instances, but I gather Android is clamping down on that, making things complicated.)

It'll spit out essentially the same error with an in-house CA as with a plain old self-signed cert.
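
One client-side way to handle the behaviour reported in this thread, shown as an added example (not piwigo-ng's own code): a Dart `HttpClient` whose `SecurityContext` trusts a private root CA in addition to the default roots, with certificate verification left on. The function name `clientTrustingPrivateCa` and the command-line arguments are assumptions; the PEM file would be the reporter's `root.ca.fyra.crt` or an equivalent root certificate.

```dart
// Added example, not piwigo-ng code. Assumes the private root CA is
// available as a PEM file and that the caller supplies its path.
import 'dart:io';

/// Returns an HttpClient that trusts Dart's default roots plus one extra
/// root CA given as PEM bytes. Chain and hostname checks stay enabled.
HttpClient clientTrustingPrivateCa(List<int> rootCaPem) {
  final context = SecurityContext(withTrustedRoots: true);
  // Only the root is added; the server still has to present a chain
  // (leaf + intermediate) that verifies up to it.
  context.setTrustedCertificatesBytes(rootCaPem);
  // Deliberately not set: badCertificateCallback returning true, which
  // would accept any certificate and remove the protection TLS provides.
  return HttpClient(context: context);
}

Future<void> main(List<String> args) async {
  if (args.length != 2) {
    stderr.writeln('usage: dart run probe.dart <root-ca.pem> <https-url>');
    exit(64);
  }
  final client = clientTrustingPrivateCa(File(args[0]).readAsBytesSync());
  try {
    final request = await client.getUrl(Uri.parse(args[1]));
    final response = await request.close();
    await response.drain<void>();
    final cert = response.certificate;
    stdout.writeln('HTTP ${response.statusCode}');
    stdout.writeln('subject: ${cert?.subject}');
    stdout.writeln('issuer:  ${cert?.issuer}');
  } on HandshakeException catch (e) {
    // Same exception class as in the report above: the chain did not
    // verify against the default roots or the supplied CA.
    stderr.writeln('TLS verification failed: $e');
    exitCode = 1;
  } finally {
    client.close(force: true);
  }
}
```

Run against the same host with and without the correct root file to confirm that the handshake succeeds only when the presented chain verifies up to the supplied CA.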
