I wanted to connect to our Confluence using the Android app with an SSL/TLS client certificate. The Android internet browser is capable of connecting to the web version of Confluence, but the Android Confluence app is not. Is there any way of doing so? Will it be supported in any future release/update of the app?
Regards,
Michal
Hi Michal,
According to our documentation on Confluence Mobile, SSL certificates are supported. I tried searching to see if there were any reported cases of the Android Confluence app not working with SSL/TLS, but I wasn't able to find any.
Here are the requirements for the SSL:
HTTPS and certificate requirements
In the latest version of the iOS and Android apps, you can connect to the app using either HTTP or HTTPS.
If you're using HTTPS your proxy must allow TLS 1.2 traffic. This is an iOS requirement that we've chosen to implement for both the iOS and Android apps to prevent confusion (for example where one device can log in, and another cannot).
Ideally, your certificate should be from a trusted Certificate Authority. If you have a certificate that is self-signed, or from an unknown Certificate Authority (for example, you are your own CA), users may still be able to use the app by manually installing your certificate on their device. See our Knowledge base article for more information on how to do this.
Can you let me know what error message you're getting when you try to connect? If you're meeting all the requirements, have a look at the knowledge base article above for help connecting.
Let me know if you have any questions!
Regards,
Shannon
Hi Shannon,
I use own certification authority (not literally self signed). I have
Connection supports and works with TLS 1.0, 1.1, 1.2. It's published using valid Let's Encrypt certificate.
I have launched confluence mobile app, entered URL, hit NEXT button, got
Can't connect to your site
This could be because the URL is wrong, you need to use a VPN, or Confluence is unavailable. LEARN MORE, TRY AGAIN
That's pretty much it.
Regards,
Michal
Hi Michal,
Could you check the article Unable to connect to SSL services as well just to be sure that the proper certs are copied over? I know this helps most often when a valid cert isn't working as expected.
Failing this, I'll dig a bit more into it and see what else could cause this, but I haven't seen very many examples of this yet, unfortunately.
Regards,
Shannon
Hi Shannon,
meanwhile I tried multiple times, updated Confluence several times, actually running
Tested using
CA Certificate is installed in Trusted Credentials
Client certificates are installed in User Credentials with access mode set to "VPN and apps"
Reverse proxy (nginx, running TLS 1.2) has not logged any attempt to create an SSL handshake with SSL/TLS client certificates, just got 403 for the non-successful attempt, while hitting /server-info.action
Regards,
Michal
Michal,
Thank you for providing such thorough details of your setup and tests thus far.
While you do have a valid Let's Encrypt certificate, the mobile app requires a trusted certificate authority (e.g. DigiCert, GoDaddy, etc.) and the Let's Encrypt certificate may not be compatible.
I would recommend reviewing the resolution on the below article to help get Java to trust the certificate:
Let me know how that goes!
Regards,
Shannon
Is there any plan that Confluence Server will support the new Let's Encrypt X4 CA, launching on July 8, as a trusted CA?
https://confluence.atlassian.com/doc/running-confluence-behind-nginx-with-ssl-858772080.html
If your team plans to use the Confluence Server mobile app, you'll need a certificate issued by a trusted Certificate Authority. You can't use the app with a self-signed certificate, or one from an untrusted or private CA.
Am I right?
Thanks
Hello Michal,
The reason that we do not support Let's Encrypt is that it uses a different structure entirely in order to obtain your certificate. The service is a free one and thus not on the list of Trusted Root Certificate Authorities. There is nothing here that would be used to prove your identity; as it's free, anyone can obtain such a certificate.
Therefore, since Let's Encrypt is not considered a Trusted CA Authority, the Confluence Server app is not able to support it. Unless, of course, you make the manual changes I mentioned earlier. Keep in mind that this would defeat the purpose of Let's Encrypt, since it's made to renew without you having to interfere with it.
Have a look here for more information on Trusted Authorities: What is a Certificate Authority?
We had a feature request in the past to support their structure, but it is not something we will be pursuing in the near future:
For more information on which Authorities are considered trusted:
Let me know if you have any questions about that.
Regards,
Shannon
Okay,
and what about private certification authority?
Regards,
Michal
+ if you could be so kind, just to clarify, what is the difference in security model between
This is not blame or hate, I really want to understand the motivation.
Warm regards,
Michal
Hi Michal,
A private certification authority is fine too, but we recommend the certified authority because it doesn't require additional configuration like Let's Encrypt does.
It's not to say that Let's Encrypt won't totally work, it's just that it can require further configuration.
To answer your question about comparing the web browser vs the server mobile app, they're not necessarily equal. One thing that works in a mobile browser might not work the same way in the app, if you have Multi Factor Authentication, for example.
That said, if you have all the certs setup properly and it's still not working, then we may need to raise a bug, keeping in mind that the Confluence Server Mobile app is still currently in beta.
Could you provide examples of the messages you're seeing on the mobile app, such as screenshots of the error or prompts on the mobile device?
Regards,
Shannon
Hi Shannon,
here is the screenshot of the error message. I got the same whether I use Let's Encrypt or my own CA, properly registered in the Android system.
As written above, the client certificate is registered for use with "VPN and apps".
Regards,
Michal
Hello Michal,
Thank you for providing those details. It is starting to look a bit more like a configuration issue.
I've run across the following article:
The causes and resolutions are as follows:
Cause
This error appears when the mobile app can't reach the Confluence site at all. This may be because:
- the Confluence site URL entered in the login screen is incorrect
- you've entered the URL with HTTPS, but the site is HTTP (or vice versa)
- HTTPS is enabled, but the Confluence base URL is set to HTTP
- the Confluence site is only accessible when connected to a virtual private network (VPN)
- the Confluence site is currently down or unavailable, for example for scheduled maintenance or upgrade
- your network configuration may be preventing unauthenticated requests to your server
Resolution
To resolve this issue:
- check that the Confluence site URL has been entered correctly, including the context path if you have one, for example, mycompany.com/confluence
- try entering the URL without http:// or https:// (we'll try both HTTPS and HTTP for you).
- check whether you can connect to Confluence using the browser on your device.
- make sure you are connected to your organisation's virtual private network (VPN) if your Confluence site is not accessible on the public internet.
- if you only get this error on Android, but you see a compatibility error on iOS, follow this article instead: 'Can't connect to your site' error in the Confluence Server mobile app
In addition, I would recommend testing from an iOS device and see if you are getting the same error there, or if you only get a compatibility error.
Thank you and best regards,
Shannon
Shannon,
as I have written before
Reverse proxy (nginx, running TLS 1.2) has not logged any attempt to create an SSL handshake with SSL/TLS client certificates, just got 403 for the non-successful attempt, while hitting /server-info.action
This means
And I have not logged any attempt from mobile to negotiate SSL/TLS handshake with reverse proxy terminating SSL/TLS using client certificate.
Regards,
Michal
Thank you, Michal, for confirming.
I am creating a support ticket for you right now so please check your email for that.
It will help if you can reply to that ticket with a copy of your support zip.
Thank you so much. We will have our support team continue to investigate this for you. Please feel free to reply here with the cause of the error once you are able to resolve it with them.
Regards,
Shannon
Did you ever solve this? I'm facing a pretty similar situation. Connecting via the SSL-terminating nginx reverse proxy doesn't work, connecting via the HTTP-only internal address works...
#EDIT: nvm. found it. custom error pages were blocking <baseurl>/server-info
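Both reports in this thread come down to the app's request for /server-info.action being refused at the nginx proxy (a 403 with no client certificate in one case, custom error pages in the other). The following is an added example, not part of the original posts or Atlassian's tooling: it classifies such requests from an nginx access log. The log format, the verdict labels and the sample lines are assumptions; `$ssl_protocol` and `$ssl_client_verify` are standard nginx variables.

```python
import re

# Assumed nginx log_format (not from the thread):
#   '$remote_addr "$request" $status $ssl_protocol $ssl_client_verify'
LINE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<proto>\S+) (?P<verify>.+)$'
)
# The endpoint named in the thread, with or without a context path.
PROBE = re.compile(r'/server-info(\.action)?(\?|$)')

def classify(line):
    """Return (path, verdict) for a server-info request, else None."""
    m = LINE.match(line.strip())
    if not m or not PROBE.search(m["path"]):
        return None
    status, verify = int(m["status"]), m["verify"]
    if status == 200:
        verdict = "probe-ok"
    elif verify in ("NONE", "-"):
        # Request arrived, but no client certificate was presented.
        verdict = "no-client-cert"
    elif verify.startswith("FAILED"):
        # A certificate was sent and nginx could not verify it.
        verdict = "client-cert-rejected"
    else:
        # Certificate accepted; an error page or access rule answered.
        verdict = "blocked-after-auth"
    return m["path"], verdict

def diagnose(lines):
    """Classify every server-info request in an iterable of log lines."""
    return [r for r in map(classify, lines) if r]

# Constructed sample log lines (documentation IP addresses).
SAMPLE = [
    '203.0.113.7 "GET /server-info.action HTTP/1.1" 403 TLSv1.2 NONE',
    '203.0.113.7 "GET /dashboard.action HTTP/1.1" 200 TLSv1.2 SUCCESS',
    '203.0.113.9 "GET /server-info.action HTTP/1.1" 404 TLSv1.2 SUCCESS',
    '203.0.113.9 "GET /server-info.action HTTP/1.1" 200 TLSv1.2 SUCCESS',
]

if __name__ == "__main__":
    for path, verdict in diagnose(SAMPLE):
        print(path, verdict)
```
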
Thank you for confirming you were able to solve it @Jörn Holpart!
I checked @Michal Kevicky's thread but it appears that it timed out, so I don't think we ever ended up finding out what was the issue with the SSL.
Michal - were you ever able to solve this on your end?
Regards,
Shannon