Comments for Jethro Carr

Comment on Mozilla Sync Server RPMs by Jethro Carr

Jethro Carr — Sat, 18 May 2013 16:13:38 +0000

I haven’t sorry – I’m planning to spend some time in the next week or two building the latest release and QA testing the RPMs before releasing, so will include the captcha stuff in my tests to see if a) it works and b) if not, how to fix it. :-)

Comment on Mozilla Sync Server RPMs by Patrick Smears

Patrick Smears — Sat, 18 May 2013 10:47:03 +0000

Thanks for this – saved me a huge amount of work :-)

Did you look at getting the captcha facility to work? When I enabled it I got an unhelpful error on the front end (basically “crash id” plus an md5 hash) when trying to set up sync. After some debugging I think the mako templating system is trying to store its “compiled” templates in somewhere that’s not writable. (For now I’ve just turned captcha back off, but I’d be interested to know whether you’d had more success than me :-) )

Comment on Custom CA certificates & Android by Jethro Carr

Jethro Carr — Fri, 17 May 2013 10:30:23 +0000

I suspect the issue is that your CA certificate is missing some attribute that Android is expecting, such as the X509v3 extension, so it believe it’s a user certificate.

Note that PKCS#12 files can have two different passwords – the password for the key inside the file and the password for an encrypted PKCS#12 file itself… it may be that Android is asking for one and you’re giving the password for another.

But PKCS#12 is definitely not the right format for a CA, you would never be importing a private key for a CA. :-)

Comment on Custom CA certificates & Android by Jethro Carr

Jethro Carr — Fri, 17 May 2013 10:25:54 +0000

“Android supports DER-encoded X.509 certificates, saved in files with a .crt file extension (if your certificate file has a .cer, .der, or other extension, you must change it to .crt or you won’t be able to install it).”

So that’s exactly what my instructions do – creates a DER format certificate with a .crt file extension.

I think the confusion around DER certificates is that they state you can’t import a .der file extension – the file can be in DER format, but must end with .crt. But that’s just their code only looking for certain extensions, the filename has no bearing on the format of the contents.

Comment on Custom CA certificates & Android by Andrew

Andrew — Fri, 17 May 2013 02:03:52 +0000

When I would pull my DER format cert in, I got the same dialogs as you but no mention of a CA. Just “package contains: one user cert”. Reading up on line seemed to suggest that this was a result of using the DER format and to get it to be treated as a CA you had to use PKCS#12. PKCS#12 usually expects there to be a private key somewhere in the file, and while you can produce files without such, it usually causes certain software to misbehave. Android will endlessly prompt for the password to the file even if you give the correct password, for instance.

Comment on Custom CA certificates & Android by Andrew

Andrew — Fri, 17 May 2013 02:01:13 +0000

I'm willing to bet the bit about X509v3 may be my particular issue (which, if so, thanks!), but this, from Google themselves, sure seems to suggest that PKCS#12 is required, and that sentiment seems -- if nothing else, implied, by various posts, e.g. on StackOverflow. Misleading documentation and subtle bugs seem to be Android's thing, sometimes.

Comment on Custom CA certificates & Android by Jethro Carr

Jethro Carr — Thu, 16 May 2013 13:10:41 +0000

I’ve added some notes for anyone wanting to use Firefox Mobile with a custom CA:
http://www.jethrocarr.com/2013/05/17/firefox-mobile-for-android-cas/

Essentially download a PEM format CA certificate using the browser and it will prompt with an install option. Easy as! :-)

Comment on Custom CA certificates & Android by Jethro Carr

Jethro Carr — Thu, 16 May 2013 12:40:23 +0000

Actually the stock browser might still have an old cert from previously as I think it has it’s own (hidden) CA store… but the other apps verify it regardless.

Comment on Custom CA certificates & Android by Jethro Carr

Jethro Carr — Thu, 16 May 2013 12:37:38 +0000

I can’t comment on what the Android documentation says, but this works for me. I even just re-tested in a moment of paranoia that it’s no longer valid on the newer Android versions by deleting and re-importing my keys using the above method. I’ve updated the post with screenshot. :-)

I have a number of apps that validate the CA correctly (aNag, WordPress and the stock Android browser). Note that additional addon browsers (eg Firefox) may not work, it seems they don’t read the Android certificate store and can’t validate the CA cert.

Be careful with terminology, these instructions are to import a certification authority. Anything else like self-signed standalone certs, user certs, keys, CA keys (!!) I have no idea about.

Also note that it’s possible that Android doesn’t accept CAs if generated the “wrong” way. My certs all include the X509v3 extension “X509v3 Basic Constraints: CA:TRUE”, the absence of which has sometimes caused problems in the past with certain systems (glares at Solaris).

Comment on Custom CA certificates & Android by Andrew

Andrew — Wed, 15 May 2013 22:32:21 +0000

Have you actually followed these directions? Because pretty much everywhere you look, including Android’s own help documents, it says DER format won’t import CA certificates (or private keys), only client certs, which is not what most people are looking for (most people are seeking to avoid self-sign warnings, and that’s what your directions imply).

To add certification authorities you have to use PKCS#12 format. That leads to other frustrating Android bugs (expecting a password even if one isn’t there, and even at that, the output of OpenSSL seems to not have a valid password no matter what).

If you have actually gotten apps to use your self-signed web server certs, I’d love to hear about it. Because what you are saying — that you have imported CA certificates by DER — is by all accounts not technically possible in Android.