Connecting confluence mobile app with client SSL/TLS certificate

I wanted to connect to our Confluence using the Android app with an SSL/TLS client certificate. The Android internet browser is capable of connecting to the web version of Confluence, but the Android Confluence app is not. Is there any way of doing so? Will it be supported in any future release/update of the app?

Regards,

Michal

 

1 answer

0 votes

Hi Michal,

According to our documentation on Confluence Mobile, SSL certificates are supported. I tried searching to see if there were any reported cases of the Android Confluence app not working with SSL/TLS, but I wasn't able to find any.

Here are the requirements for the SSL:

HTTPS and certificate requirements

In the latest version of the iOS and Android apps, you can connect to the app using either HTTP or HTTPS.

If you're using HTTPS your proxy must allow TLS 1.2 traffic. This is an iOS requirement that we've chosen to implement for both the iOS and Android apps to prevent confusion (for example where one device can log in, and another cannot).

Ideally, your certificate should be from a trusted Certificate Authority. If you have a certificate that is self-signed, or from an unknown Certificate Authority (for example, you are your own CA), users may still be able to use the app by manually installing your certificate on their device. See our Knowledge base article for more information on how to do this.

Can you let me know what error message you're getting when you try to connect? If you're meeting all the requirements, have a look at the knowledge base article above for help connecting.

Let me know if you have any questions!

Regards,

Shannon

Hi Shannon,

I use my own certification authority (not literally self-signed). I have

  • my own CA only for issuing client certificates,
  • imported CA's public key certificate to my mobile,
  • imported client certificate to my mobile,
  • tested connection using mobile's web browser (Chrome) - succeeded.

Connection supports and works with TLS 1.0, 1.1, 1.2. It's published using a valid Let's Encrypt certificate.

I have launched the Confluence mobile app, entered the URL, hit the NEXT button, and got

Can't connect to your site
This could be because the URL is wrong, you need to use a VPN, or Confluence is unavailable.

LEARN MORE , TRY AGAIN

That's pretty much it.

Regards,

Michal

Hi Michal,

Could you check the article Unable to connect to SSL services as well just to be sure that the proper certs are copied over? I know this helps most often when a valid cert isn't working as expected.

Failing this, I'll dig a bit more into it and see what else could cause this, but I haven't seen very many examples of this yet, unfortunately.

Regards,

Shannon

Hi Shannon,

Meanwhile I tried multiple times, updated Confluence several times, actually running

  • Confluence v. 6.14.1 and 6.14.2
  • Confluence Server mobile app v. 0.2.21 installed from Google Play

Tested using

  • Google Pixel running Android 9
  • OnePlus 5 running Android 9

CA Certificate is installed in Trusted Credentials
Client certificates are installed in User Credentials with access mode set to "VPN and apps"

Reverse proxy (nginx, running TLS 1.2) has not logged any attempt to create an SSL handshake with SSL/TLS client certificates, just got 403 for a non-successful attempt, while hitting /server-info.action

Regards,
Michal

Michal,

Thank you for providing such thorough details of your setup and tests thus far.

While you do have a valid Let's Encrypt certificate, the mobile app requires a trusted certificate authority (e.g. DigiCert, GoDaddy, etc.) and the Let's Encrypt certificate may not be compatible.

I would recommend reviewing the resolution on the below article to help get Java to trust the certificate:

Let me know how that goes!

Regards,

Shannon

Is there any plan that Confluence Server will support the new Let's Encrypt X4 CA launching on July 8 as a trusted CA?

https://confluence.atlassian.com/doc/running-confluence-behind-nginx-with-ssl-858772080.html

If your team plans to use the Confluence Server mobile app, you'll need a certificate issued by a trusted Certificate Authority.  You can't use the app with a self-signed certificate, or one from an untrusted or private CA.

  • Server certificate HAS TO be from a trusted store
  • but Client certificate CAN BE signed by a private CA

Am I right?

Thanks

Hello Michal,

The reason that we do not support Let's Encrypt is that it uses a different structure entirely in order to obtain your certificate. The service is a free one and thus not on the list of Trusted Root Certificate Authorities. There is nothing here that would be used to prove your identity; as it's free, anyone can obtain such a certificate.

Therefore, since Let's Encrypt is not considered a Trusted CA Authority, the Confluence Server app is not able to support it. Unless, of course, you make the manual changes I mentioned earlier. Keep in mind that this would defeat the purpose of Let's Encrypt, since it's made to renew without you having to interfere with it.

Have a look here for more information on Trusted Authorities: What is a Certificate Authority?

We had a feature request in the past to support their structure, but it is not something we will be pursuing in the near future:

For more information on which Authorities are considered trusted:

Let me know if you have any questions about that.

Regards,

Shannon

Okay,

and what about private certification authority?

Regards,
Michal

+ if you could be so kind, just to clarify, what is the difference in security model between

  • using Confluence through Web Browser with client certificates (which works with Let's Encrypt)
  • using Confluence through Confluence Server Mobile App with client certificates (which does not work with LE)

This is neither blame nor hate, I really want to understand the motivation.

Warm regards,
Michal

Hi Michal,

A private certification authority is fine too, but we recommend the certified authority because it doesn't require additional configuration like Let's Encrypt does.

It's not to say that Let's Encrypt won't totally work, it's just that it can require further configuration.

To answer your question about comparing the web browser vs the server mobile app, they're not necessarily equal. One thing that works in a mobile browser might not work the same way in the app, if you have Multi Factor Authentication, for example.

That said, if you have all the certs setup properly and it's still not working, then we may need to raise a bug, keeping in mind that the Confluence Server Mobile app is still currently in beta.

Could you provide examples of the messages you're seeing on the mobile app, such as screenshots of the error or prompts on the mobile device?

Regards,

Shannon

Hi Shannon,

Here is the screenshot of the error message. I got the same whether I use Let's Encrypt or my own CA, properly registered in the Android system.

As written above, the client certificate is registered for use with "VPN and apps".

Regards,
Michal

confluence-proton.jpg

Hello Michal,

Thank you for providing those details. It is starting to look a bit more like a configuration issue.

I've run across the following article:

The causes and resolutions are as follows:

Cause

This error appears when the mobile app can't reach the Confluence site at all.  This may be because:

  • the Confluence site URL entered in the login screen is incorrect 
  • you've entered the URL with HTTPS, but the site is HTTP (or vice versa)
  • HTTPS is enabled, but the Confluence base URL is set to HTTP
  • the Confluence site is only accessible when connected to a virtual private network (VPN)
  • the Confluence site is currently down or unavailable, for example for scheduled maintenance or upgrade
  • your network configuration may be preventing unauthenticated requests to your server

Resolution

To resolve this issue:

  • check that the Confluence site URL has been entered correctly, including the context path if you have one, for example, mycompany.com/confluence
  • try entering the URL without http:// or https:// (we'll try both HTTPS and HTTP for you). 
  • check whether you can connect to Confluence using the browser on your device. 
  • make sure you are connected to your organisation's virtual private network (VPN) if your Confluence site is not accessible on the public internet.
  • if you only get this error on Android, but you see a compatibility error on iOS, follow this article instead: 'Can't connect to your site' error in the Confluence Server mobile app

In addition, I would recommend testing from an iOS device and see if you are getting the same error there, or if you only get a compatibility error.

Thank you and best regards,

Shannon

Shannon,

as I have written before

Reverse proxy (nginx, running TLS 1.2) has not logged any attempt to create an SSL handshake with SSL/TLS client certificates, just got 403 for a non-successful attempt, while hitting /server-info.action

This means

  • site is publicly available
  • HTTPS is enabled and site is published only via HTTPS
  • URL was exactly the same as the one used in web browser, tested with and without https:// prefix
  • yes, the mobile browser has successfully connected to web version of Confluence
  • VPN is not required to connect (I have configured everything starting from virtual machine, through network, firewalls and reverse proxy)

And I have not logged any attempt from mobile to negotiate SSL/TLS handshake with reverse proxy terminating SSL/TLS using client certificate.

Regards,
Michal

Thank you, Michal, for confirming. 

I am creating a support ticket for you right now so please check your email for that.

It will help if you can reply to that ticket with a copy of your support zip.

Thank you so much. We will have our support team continue to investigate this for you. Please feel free to reply here with the cause of the error once you are able to resolve it with them.

Regards,

Shannon

Did you ever solve this? I'm facing a pretty similar situation. Connecting via an SSL-terminating nginx reverse proxy doesn't work, connecting via the HTTP-only internal address works...

 

#EDIT: nvm. found it. custom error pages were blocking <baseurl>/server-info


Thank you for confirming you were able to solve it @Jörn Holpart!

I checked @Michal Kevicky's thread but it appears that it timed out, so I don't think we ever ended up finding out what was the issue with the SSL. 

Michal - were you ever able to solve this on your end?

Regards,

Shannon 
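
Added example (not part of the thread, and not Atlassian's or any poster's code): a small triage of reverse-proxy access-log lines for the app's `/server-info` request, separating the 403-without-client-certificate case Michal describes from a request that is blocked after the TLS handshake, as in Jörn's edit. The log format, the `mtls` format name and the sample lines are assumptions constructed for illustration; `$ssl_protocol` and `$ssl_client_verify` are standard nginx variables.

```python
import re
from collections import Counter

# Assumed nginx access-log format (hypothetical name "mtls", not from the thread):
#   log_format mtls '$remote_addr "$request" $status $ssl_protocol $ssl_client_verify';
LINE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<proto>\S+) (?P<verify>\S+)$'
)
PROBE = "/server-info"  # endpoint both posters saw the app request first
NO_PROBE = "no probe seen: the request never reached the proxy"

def classify(line):
    """Return (ip, verdict) for a probe request, or None for any other line."""
    m = LINE.match(line.strip())
    if not m or PROBE not in m["path"]:
        return None
    status, verify = int(m["status"]), m["verify"]
    if status < 400:
        verdict = "answered"
    elif verify == "NONE":
        # Handshake completed, but the client sent no certificate.
        verdict = "rejected: no client certificate presented"
    elif verify.startswith("FAILED"):
        verdict = "rejected: client certificate not trusted by proxy"
    else:
        # Certificate accepted, yet the probe still failed.
        verdict = "blocked after TLS: check error pages and location rules"
    return m["ip"], verdict

def triage(lines):
    """Count verdicts for all probe requests found in the log lines."""
    hits = [hit for hit in map(classify, lines) if hit]
    if not hits:
        # Nothing logged: wrong URL, DNS, firewall, or a failed handshake.
        return Counter({NO_PROBE: 1})
    return Counter(verdict for _, verdict in hits)

# Constructed sample lines (documentation IP ranges), not real log data.
SAMPLE = [
    '203.0.113.7 "GET /server-info.action HTTP/1.1" 403 TLSv1.2 NONE',
    '203.0.113.7 "GET /dashboard.action HTTP/1.1" 200 TLSv1.2 SUCCESS',
    '203.0.113.9 "GET /server-info.action HTTP/1.1" 200 TLSv1.2 SUCCESS',
    '198.51.100.4 "GET /confluence/server-info.action HTTP/1.1" 404 TLSv1.2 SUCCESS',
]

if __name__ == "__main__":
    for verdict, count in triage(SAMPLE).items():
        print(count, verdict)
```
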
