Certificate not valid in setting up mobile access - vr. 3.4+ of Moodle

by Ken Task -

For x reference:

https://moodle.org/mod/forum/discuss.php?d=362175#p1460558

Repeated (some) below:

Server hosts multiple versions of Moodle including a 3.2 and a 3.3 (highest).

Those implementations are in subdirectories ... not virtual apaches with different fully qualified domain names.   So all sites are under the same SSL config/cert.

No errors reported in those versions (3.2,3.3) when setting up/allowing mobile access.

The error is present in setting up mobile access to the 3.4 site.

Attempting that, begets:

"It seems that the HTTPS certificate is self-signed or not trusted. The mobile app will only work with trusted sites."

not self-signed ... so that leaves 'not trusted'.

Checked server config and certs with CA (Comodo) provider's tool as well as with https://ssllabs.com/ no glaring errors ... ssllabs does show 'trusted' - and provides a letter grade of 'A'.

So what does the mobile app setup consider 'trusted'? Cert is a global certificate for the domain.

Thanks, in advance, for any advice or test I could perform on server.

Ken

In reply to Ken Task

Re: Certificate not valid in setting up mobile access - vr. 3.4+ of Moodle

by Walter Byrd -


I am having the same issue. Also using Moodle 3.4. I have not tried other versions of Moodle.

I am using an old version of Android - 3.x I think.

Comodo is widely used, and should be accepted by Moodle.

In reply to Walter Byrd

Re: Certificate not valid in setting up mobile access - vr. 3.4+ of Moodle

by Ken Task -

Thanks for the 'me too'!   Nice to know am not alone! ;)

Not at all sure that it's an issue with Comodo CA specific (although this is a global certificate for a domain AND their process isn't like others ... say that of Entrust) but rather how/what the moodle check is doing/using.   I assume some sort of curl call.

Heck, I don't mind looking at code ... if I just knew where to find that check.

Debug to the hilt shows nothing. :\   Even raw server logs don't show any error.

'spirit of sharing', Ken


In reply to Walter Byrd

Re: Certificate not valid in setting up mobile access - vr. 3.4+ of Moodle

by Matteo Scaramuccia -

Hello Everyone,
I'd say to go for the path described in https://moodle.org/mod/forum/discuss.php?d=361822#p1459168.

The issue here is not in Moodle but in the OS not having updated its own Trusted Root Certificates: the only thing that Moodle could do is to trust some Root Certificates "on behalf of the OS" but this would be the very first time someone would fix an OS issue by means of code for a production environment - on the contrary, in a dev/test env it's (was) pretty common to accept untrusted certificates, at least before the Let's Encrypt era.

My suggestion is to fix the OS issue by creating the right chain of certificates within the "certificate" published in your Virtual Host, in order to let the OS trust the current Comodo Root Certificate: I'm guessing Comodo will help you for sure in creating the right chain for your web server.

HTH,
Matteo

In reply to Matteo Scaramuccia

Re: Certificate not valid in setting up mobile access - vr. 3.4+ of Moodle

by Ken Task -

While I agree it has to do with the cert chains and probably specific to Comodo, the fact still remains that the other Moodle versions on that same server ... 3.1, 3.2, 3.3 do not report that issue when setting up mobile access.   So there has been a change to 3.4 setup of mobile.  I can't come to any other conclusion.

(not that I'm arguing with ya ... more like venting!)

The OS is kept up to date (CentOS 7) ... am pretty religious about not waiting for updates to build up and normally acquire them very soon after announcements are made by CentOS.  While I had been keeping an eye on openssl updates I hadn't been keeping up with ciphers ... that's correct now.  I don't recall ever seeing any update to ca chains/certs.

Did find this:

https://access.redhat.com/solutions/1549003

How to reset trusted CA's in CentOS 6 and 7 - for anyone else seeing the same thing with a CentOS 7.

and have stepped through it all ... no change to the 3.4 notice.

Wish I could talk directly to Comodo, but don't think they'll cooperate as I don't work for the organization and therefore can't speak for them nor to the global cert setup.   Organization, BTW, uses the same global cert for their web site ... WordPress.  

Running SSLLabs test on entity's web site shows no issues just like the server where the moodles are hosted.   Have run Comodo's analyser on host where moodles are hosted ... no issues reported.   That one shows 'trusted by Microsoft' and 'trusted by Mozilla'.  But not trusted by Moodle 3.4?

The chances of finding someone in these forums running Comodo with a global cert are probably pretty slim (to none) - definitely not the same domain.

Not an abnormal situation for me ... so I'll continue to investigate.    If/when I arrive at a solution am thinking about keeping it a dark secret! ;)

And a comment ... if past environment checks means future for Moodle ... the https check.  Am wondering if that will become a requirement.  Am not against that ... just curious ... not that anyone from Moodle HQ will respond to that.

'spirit of sharing', Ken

In reply to Ken Task

Re: Certificate not valid in setting up mobile access - vr. 3.4+ of Moodle

by Matteo Scaramuccia -

Hi Ken,
try to browse Moodle with a browser in that OS to see if the browser complains about the certificate: if no, that's a good point to start investigating from HQ but if each of the browsers in that OS is complaining about the security of the web site, you need to second my proposal ;).

As I wrote in the link I posted if you go to your site and check for the chain in the server certificate, you'll get a response (just noticed that it is different from the one got the first time I tried) - done on a CentOS 7 fully updated even for CAs:

$ openssl s_client -connect sos.tcea.org:443
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = EssentialSSL Wildcard, CN = *.tcea.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = EssentialSSL Wildcard, CN = *.tcea.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.tcea.org
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
...

Comodo gives you two pointers (found w/ Google):

  1. https://support.comodo.com/index.php?/Knowledgebase/Article/View/637/37/certificate-installation-apache--mod_ssl. You should have received a zip file w/ both the crt and the CAs in the bundle for creating the chain. If not, you should contact their support to ask for the missing CAs for the supposed bundle. More from the net: https://stackoverflow.com/questions/11340298/certificate-is-trusted-by-pc-but-not-by-android#32841338
  2. https://support.comodo.com/index.php?/Knowledgebase/Article/View/1145/1/how-do-i-make-my-own-bundle-file-from-crt-files describes how to create a CAs bundle on your own

Could you share the steps you used to configure the Comodo certificate in your Apache 2.x? Just to understand if we're missing something in those steps.

Separate question: why not use Let's Encrypt instead of Comodo?

HTH,
Matteo
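
Added example (not part of the post above and not Moodle's own check): a Python sketch that reads `openssl s_client` output like the one quoted in this post and reports whether the server sent only the leaf certificate without its intermediate. `BROKEN` is abridged from the post; `FIXED`, its root name, and the function names are constructed for illustration.

```python
import re

# Abridged from the s_client output quoted in the post above.
BROKEN = """\
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.tcea.org
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
"""
# Constructed sample: same leaf with the intermediate also sent (root name is made up).
FIXED = """\
Certificate chain
 0 s:/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.tcea.org
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/CN=Constructed Root CA
"""
ERR = re.compile(r"^verify error:num=(\d+):")
ENTRY = re.compile(r"^\s*(?:(\d+) s:|i:)(.*)$")

def parse(text):
    # Returns (verify error codes, [[subject, issuer], ...]) in the order sent.
    codes, chain, in_chain = [], [], False
    for line in text.splitlines():
        if m := ERR.match(line):
            codes.append(int(m.group(1)))
        elif line.startswith("Certificate chain"):
            in_chain = True
        elif line.startswith("---"):
            in_chain = False
        elif in_chain and (m := ENTRY.match(line)):
            if m.group(1) is not None:
                chain.append([m.group(2).strip(), None])  # "N s:" starts an entry
            elif chain:
                chain[-1][1] = m.group(2).strip()         # "i:" is that entry's issuer
    return codes, chain

def diagnose(text):
    codes, chain = parse(text)
    # A lone leaf whose issuer differs from its subject means no intermediate was sent.
    leaf_only = len(chain) == 1 and chain[0][0] != chain[0][1]
    linked = all(c[1] == n[0] for c, n in zip(chain, chain[1:]))
    return {"sent": len(chain), "linked": linked, "leaf_only": leaf_only,
            "needs_issuer": chain[-1][1] if chain else None,
            "incomplete": leaf_only and bool({20, 21} & set(codes))}
```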

In reply to Matteo Scaramuccia

Re: Certificate not valid in setting up mobile access - vr. 3.4+ of Moodle

by Ken Task -

Thanks, Matteo.   Been tinkering with it today this AM but then got side tracked with a Web Conference call that lasted a lot longer than expected and has side tracked me until just a few minutes ago.  

Comodo docs/links you've provided and that I found earlier did have links for acquiring the chain file bundle.  I have, supposedly, the domain chain bundle file and had that in ssl.conf.   There's also a setting in ssl.conf for 'depth'.

So the reason still messed up is really me!   Only so many hours in a day!   Only affects mobile access as far as I can tell.

Ken

In reply to Ken Task

Re: Certificate not valid in setting up mobile access - vr. 3.4+ of Moodle

by Juan Leyva -

Hi Ken,

in 3.4 we introduced some checks to avoid typical problems when enabling the Mobile service. These are mostly warnings because some devices may work even if your certificate's chain is not correct.

In any case, does the Mobile app work for your 3.4 site? If it works as expected, you can ignore the warning.

PS: Read the Mobile FAQ: https://docs.moodle.org/en/Mobile_Moodle_FAQ there are a couple of sites for checking your SSL certificate

Juan

In reply to Juan Leyva

Re: Certificate not valid in setting up mobile access - vr. 3.4+ of Moodle

by Ken Task -

Thanks for response, Juan.   Yep the Geotrust ssl checker confirmed (much more easily to spot/see) the same thing ssllabs or CLI check on server does ... CA chain is the culprit.

Yes, Matteo, I have believed you all along and you did tell me that was the issue. ;)

Chrome from an Android does work; the app, however, doesn't.    But that's ok for now ... it's a 'sandbox' site.

'spirit of sharing', Ken

In reply to Ken Task

Re: Certificate not valid in setting up mobile access - vr. 3.4+ of Moodle

by Ken Task -

Follow up ... yep, was missing a chain file and had to acquire it from Comodo.  Geotrust checks out now ... follows the chain, but in config/setup of mobile services same error.   Will ignore and download the latest/greatest app to see what that looks like now.

Ken

In reply to Ken Task

Re: Certificate not valid in setting up mobile access - vr. 3.4+ of Moodle

by udagawa mitsuru -

I have the same trouble and I found the solution. This problem is caused by the "PHP curl module" and "libcurl". If you can't ignore this warning message, compile "libcurl" and the "PHP curl module".