Connecting confluence mobile app with client SSL/TLS certificate

Michal Kevicky November 20, 2018

I wanted to connect to our Confluence using the Android app with an SSL/TLS client certificate. The Android internet browser is capable of connecting to the web version of Confluence, but the Android Confluence app is not. Is there any way of doing so? Will it be supported in any future release/update of the app?

Regards,

Michal

 

1 answer

0 votes
Shannon S
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
November 21, 2018

Hi Michal,

According to our documentation on Confluence Mobile, SSL certificates are supported. I tried searching to see if there were any reported cases of the Android Confluence app not working with SSL/TLS, but I wasn't able to find any.

Here are the requirements for the SSL:

HTTPS and certificate requirements

In the latest version of the iOS and Android apps, you can connect to the app using either HTTP or HTTPS.

If you're using HTTPS your proxy must allow TLS 1.2 traffic. This is an iOS requirement that we've chosen to implement for both the iOS and Android apps to prevent confusion (for example where one device can log in, and another cannot).

Ideally, your certificate should be from a trusted Certificate Authority. If you have a certificate that is self-signed, or from an unknown Certificate Authority (for example, you are your own CA), users may still be able to use the app by manually installing your certificate on their device. See our Knowledge base article for more information on how to do this.

Can you let me know what error message you're getting when you try to connect? If you're meeting all the requirements, have a look at the knowledge base article above for help connecting.

Let me know if you have any questions!

Regards,

Shannon

Michal Kevicky November 21, 2018

Hi Shannon,

I use my own certification authority (not literally self-signed). I have

  • my own CA only for issuing client certificates,
  • imported the CA's public key certificate to my mobile,
  • imported the client certificate to my mobile,
  • tested the connection using the mobile's web browser (Chrome) - succeeded.

The connection supports and works with TLS 1.0, 1.1, 1.2. It's published using a valid Let's Encrypt certificate.

I launched the Confluence mobile app, entered the URL, hit the NEXT button, and got

Can't connect to your site
This could be because the URL is wrong, you need to use a VPN, or Confluence is unavailable.

LEARN MORE , TRY AGAIN

That's pretty much it.

Regards,

Michal

Shannon S
Atlassian Team
November 27, 2018

Hi Michal,

Could you check the article Unable to connect to SSL services as well just to be sure that the proper certs are copied over? I know this helps most often when a valid cert isn't working as expected.

Failing this, I'll dig a bit more into it and see what else could cause this, but I haven't seen very many examples of this yet, unfortunately.

Regards,

Shannon

Michal Kevicky April 15, 2019

Hi Shannon,

Meanwhile I have tried multiple times and updated Confluence several times, actually running

  • Confluence v. 6.14.1 and 6.14.2
  • Confluence Server mobile app v. 0.2.21 installed from Google Play

Tested using

  • Google Pixel running Android 9
  • OnePlus 5 running Android 9

CA Certificate is installed in Trusted Credentials
Client certificates are installed in User Credentials with access mode set to "VPN and apps"

The reverse proxy (nginx, running TLS 1.2) has not logged any attempt to create an SSL handshake with SSL/TLS client certificates, just got 403 for the unsuccessful attempt, while hitting /server-info.action

Regards,
Michal

Shannon S
Atlassian Team
April 16, 2019

Michal,

Thank you for providing such thorough details of your setup and tests thus far.

While you do have a valid Let's Encrypt certificate, the mobile app requires a trusted certificate authority (e.g. DigiCert, GoDaddy, etc.) and the Let's Encrypt certificate may not be compatible.

I would recommend reviewing the resolution on the below article to help get Java to trust the certificate:

Let me know how that goes!

Regards,

Shannon

Michal Kevicky April 16, 2019

Is there any plan for Confluence Server to support the new Let's Encrypt X4 CA, launching on July 8, as a trusted CA?

https://confluence.atlassian.com/doc/running-confluence-behind-nginx-with-ssl-858772080.html

If your team plans to use the Confluence Server mobile app, you'll need a certificate issued by a trusted Certificate Authority. You can't use the app with a self-signed certificate, or one from an untrusted or private CA.

  • Server certificate HAS TO be from the trusted store
  • but Client certificate CAN BE signed by a private CA

Am I right?

Thanks

Shannon S
Atlassian Team
April 17, 2019

Hello Michal,

The reason that we do not support Let's Encrypt is that it uses a different structure entirely in order to obtain your certificate. The service is a free one and thus not on the list of Trusted Root Certificate Authorities. There is nothing here that would be used to prove your identity; as it's free, anyone can obtain such a certificate.

Therefore, since Let's Encrypt is not considered a Trusted CA Authority, the Confluence Server app is not able to support it. Unless, of course, you make the manual changes I mentioned earlier. Keep in mind that this would defeat the purpose of Let's Encrypt, since it's made to renew without you having to interfere with it.

Have a look here for more information on Trusted Authorities: What is a Certificate Authority?

We had a feature request in the past to support their structure, but it is not something we will be pursuing in the near future:

For more information on which Authorities are considered trusted:

Let me know if you have any questions about that.

Regards,

Shannon

Michal Kevicky April 17, 2019

Okay,

and what about private certification authority?

Regards,
Michal

Michal Kevicky April 17, 2019

+ if you could be so kind, just to clarify, what is the difference in security model between

  • using Confluence through a web browser with client certificates (which works with Let's Encrypt)
  • using Confluence through the Confluence Server Mobile App with client certificates (which does not work with LE)

This is neither blame nor hate; I really want to understand the motivation.

Warm regards,
Michal

Shannon S
Atlassian Team
April 18, 2019

Hi Michal,

A private certification authority is fine too, but we recommend the certified authority because it doesn't require additional configuration like Let's Encrypt does.

It's not to say that Let's Encrypt won't totally work, it's just that it can require further configuration.

To answer your question about comparing the web browser vs the server mobile app, they're not necessarily equal. One thing that works in a mobile browser might not work the same way in the app, if you have Multi Factor Authentication, for example.

That said, if you have all the certs setup properly and it's still not working, then we may need to raise a bug, keeping in mind that the Confluence Server Mobile app is still currently in beta.

Could you provide examples of the messages you're seeing on the mobile app, such as screenshots of the error or prompts on the mobile device?

Regards,

Shannon

Michal Kevicky April 19, 2019

Hi Shannon,

Here is the screenshot of the error message. I got the same whether I use Let's Encrypt or my own CA, properly registered in the Android system.

As written above, the client certificate is registered for use with "VPN and apps".

Regards,
Michal

confluence-proton.jpg

Shannon S
Atlassian Team
April 24, 2019

Hello Michal,

Thank you for providing those details. It is starting to look a bit more like a configuration issue.

I've run across the following article:

The causes and resolutions are as follows:

Cause

This error appears when the mobile app can't reach the Confluence site at all.  This may be because:

  • the Confluence site URL entered in the login screen is incorrect 
  • you've entered the URL with HTTPS, but the site is HTTP (or vice versa)
  • HTTPS is enabled, but the Confluence base URL is set to HTTP
  • the Confluence site is only accessible when connected to a virtual private network (VPN)
  • the Confluence site is currently down or unavailable, for example for scheduled maintenance or upgrade
  • your network configuration may be preventing unauthenticated requests to your server

Resolution

To resolve this issue:

  • check that the Confluence site URL has been entered correctly, including the context path if you have one, for example, mycompany.com/confluence
  • try entering the URL without http:// or https:// (we'll try both HTTPS and HTTP for you). 
  • check whether you can connect to Confluence using the browser on your device. 
  • make sure you are connected to your organisation's virtual private network (VPN) if your Confluence site is not accessible on the public internet.
  • if you only get this error on Android, but you see a compatibility error on iOS, follow this article instead: 'Can't connect to your site' error in the Confluence Server mobile app

In addition, I would recommend testing from an iOS device and see if you are getting the same error there, or if you only get a compatibility error.

Thank you and best regards,

Shannon

Michal Kevicky April 24, 2019

Shannon,

As I have written before:

The reverse proxy (nginx, running TLS 1.2) has not logged any attempt to create an SSL handshake with SSL/TLS client certificates, just got 403 for the unsuccessful attempt, while hitting /server-info.action

This means

  • the site is publicly available
  • HTTPS is enabled and the site is published only via HTTPS
  • the URL was exactly the same as the one used in the web browser, tested with and without the https:// prefix
  • yes, the mobile browser has successfully connected to the web version of Confluence
  • VPN is not required to connect (I have configured everything starting from the virtual machine, through network, firewalls and reverse proxy)

And I have not logged any attempt from mobile to negotiate SSL/TLS handshake with reverse proxy terminating SSL/TLS using client certificate.

Regards,
Michal
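
Added example, not part of the thread and not Atlassian's or the posters' code: one way to triage the reverse-proxy log for what Michal describes above, the app's probe of /server-info.action being rejected without any client certificate being presented. The log_format (which records nginx's $ssl_client_verify variable) and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed nginx log_format (an assumption, not taken from the thread):
#   '$remote_addr [$time_local] "$request" $status $ssl_protocol $ssl_client_verify'
LINE_RE = re.compile(
    r'(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<proto>\S+) (?P<verify>.+)$'
)

# Constructed sample lines; addresses come from the documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 [15/Apr/2019:10:02:11 +0000] "GET /server-info.action HTTP/1.1" 403 TLSv1.2 NONE
203.0.113.7 [15/Apr/2019:10:03:40 +0000] "GET /dashboard.action HTTP/1.1" 200 TLSv1.2 SUCCESS
203.0.113.7 [15/Apr/2019:10:05:02 +0000] "GET /server-info.action HTTP/1.1" 403 TLSv1.2 NONE
198.51.100.9 [15/Apr/2019:10:06:30 +0000] "GET /server-info.action HTTP/1.1" 400 TLSv1.2 FAILED:unable to verify the first certificate
198.51.100.9 [15/Apr/2019:10:07:00 +0000] "GET /server-info.action?x=1 HTTP/1.1" 200 TLSv1.2 SUCCESS
"""

PROBE_PATH = "/server-info.action"  # endpoint named in the thread


def classify(line):
    """Label one log line; None if it is not a probe of PROBE_PATH."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m["path"].split("?", 1)[0] != PROBE_PATH:
        return None
    status, verify = int(m["status"]), m["verify"]
    if status == 200:
        return "probe_ok"
    if verify == "NONE":
        # No certificate was sent: the client never took part in mutual TLS.
        return "rejected_no_client_cert"
    if verify.startswith("FAILED"):
        return "rejected_bad_client_cert"
    # Certificate verified but the request was still refused (ACL, error page, ...).
    return "rejected_after_valid_cert"


def summarize(log_text):
    """Count probe outcomes across a whole log."""
    results = (classify(line) for line in log_text.splitlines())
    return Counter(r for r in results if r)


if __name__ == "__main__":
    for label, count in summarize(SAMPLE_LOG).items():
        print(f"{label}: {count}")
```

A high count of `rejected_no_client_cert` alongside successful browser sessions from the same address points at the client not offering a certificate rather than at the CA chain.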

Shannon S
Atlassian Team
April 25, 2019

Thank you, Michal, for confirming. 

I am creating a support ticket for you right now so please check your email for that.

It will help if you can reply to that ticket with a copy of your support zip.

Thank you so much. We will have our support team continue to investigate this for you. Please feel free to reply here once you are able to resolve it with them, with the cause of the error.

Regards,

Shannon

Jörn Holpart September 10, 2019

Did you ever solve this? I'm facing a pretty similar situation. Connecting via an SSL-terminating nginx reverse proxy doesn't work, connecting via the HTTP-only internal address works...

#EDIT: nvm. Found it. Custom error pages were blocking <baseurl>/server-info

Shannon S
Atlassian Team
September 11, 2019

Thank you for confirming you were able to solve it @Jörn Holpart!

I checked @Michal Kevicky's thread but it appears that it timed out, so I don't think we ever ended up finding out what was the issue with the SSL. 

Michal - were you ever able to solve this on your end?

Regards,

Shannon 
