Adding system-wide trust to a self-signed certificate

  • Hi,

    since I use my own Nextcloud instance running on a local network at home, I do not have a trusted certificate for it.

    Without it calendar refuses to sync events, while Nextcloud account iself can be added.

    I managed to get it working by adding my self-signed cert as a trusted (system wide). But I'm not sure, if its ideal solution, since it might conflict with a base image.

    Will it get overwritten by future updates ? Is there any nice solution ? Thanks.

    adb push cert.pem /home/phablet/cert.pem
    # you need to switch system to RW mode (eg. using UT tweak tool)
    adb shell
    # switch to root
    sudo -i
    # copy certs to trusted
    cp /home/phablet/cert.pem /usr/share/ca-certificates/
    # I'm not sure if it's necessary, but i renamed file to cert.crt, since on my first try I couldn't find it in a list while running the next command
    # You need to reconfigure trusted certs like this:
    dpkg-reconfigure ca-certificates
    # when asked pick "ask" option. You will be presented with a list of all certs. Find yours and select it too and then finish the process.
    # And voila, it works :-)

  • Maybe could be an option for you. They offer free certificates and are a trusted certificate authority.

  • @ingo said in Adding system-wide trust to a self-signed certificate:

    Maybe could be an option for you. They offer free certificates and are a trusted certificate authority.

    That is an option, if you have public static IP address, but I run Nextcloud on my local home network (on IP, so letsencrypt can't verify, that I own that address. They offer similar solutions (as I did) for localhost etc.

    Anyway, can anybody tell, if my change will prevail some OTA update ? Thank you.

  • Ah, ok, you only access your nextcloud in your home network and not from outside via some dynamic DNS service. Yeah, then letsencrypt won't work.

    From what I understand, changes to the root file system don't survive an OTA update.

  • Just adding a +1 to this issue as I too run a nextcloud on my private network that I access through a VPN so I can't use let's encrypt.

  • Just to let you all know (a year later) no OTA update so far broke my changes to ca-certificates. But it might be a case, that this part of file system simply wasn't updated either and it might get overwritten eventually with the next OTA.

Log in to reply