X509 certificate verification - cert4android

NethServer Version: NS8

Since updating to NS8, I have noticed that I am getting many more requests “cert4android has encountered an unknown certificate. Do you want to trust it?”

This rarely happened with NS7.9. So I am wondering what might be going on.

The X509 certificate details show all the correct issued domains but with a [2] in front of the FQDN.

I’d like to do the manual check of the certificate details but can’t find where this would be listed in the console. Does this need to be checked from the command line or is there somewhere in the GUI that it can be done?

Thanks in advance.

BTW, I’ve tried to delete one certificate that I no longer need as I created a new FQDN for webmail. Each time I try to delete that certificate from the GUI, it processes and then gives an error.

Task module/traefik1/delete-certificate failed

module/traefik1/delete-certificate

<3>Timeout after about 30 seconds. Certificate not obtained for
… full list of FQDNs

You can check the used certificates using openssl on CLI:

openssl s_client -connect sub.domain.tld:443 < /dev/null

Maybe the certificate is already deleted and the browser needs to be refreshed?

Please also check the logs to hopefully get more detailed error information.

Maybe related:

Hi @mrmarkuz
I checked, deleted the /home/traefik1/.config/actions/delete-certificate/validate-output.json and re-ran the delete certificate.

I opened the certificate in the console admin using another browser so I didn’t need to worry about the cache perhaps keeping the old view. The old certificate is still there and when I try to delete, it still gives the same error. :frowning:

Task module/traefik1/delete-certificate failed. I think this just isn’t deleting from the admin GUI or is still in a list somewhere that is used for the display. Perhaps I have to manually edit something?

Interestingly, the other certificates aren’t exactly correct either. When I run openssl s_client -connect sub.domain.tld:443 < /dev/null for my HTML websites and webmail, nextcloud, collabora, it shows CN=webmail.domain.tld. If I am not mistaken, in NS7.9 the CN was the main domain or domain.tld. In any case, the CN should be one of the subdomains, correct?

In NS7 there was one cert with alternative names for the other names.

To check the alternative names of a cert:

openssl s_client -connect domain.tld:443 | openssl x509 -noout -text | grep DNS

With NS8 the apps using letsencrypt just have their FQDN in the cert. Only the custom letsencrypt certificates use CN and alternative names like it was in NS7, see also Certificate overview in Core 3.6.0 - #4 by davidep

Let’s check if there are manual or failed certs:

root@home:~# api-cli run module/traefik1/get-facts
Warning: using user "cluster" credentials from the environment
{"custom_path_routes": 0, "custom_host_routes": 0, "custom_certificates": 0, "acme_manual_certificates": 4, "acme_auto_certificates": 8, "acme_failed_certificates": 0}

Hi @mrmarkuz ,

It’s been a few weeks and I apologize for the delay.

Today I had another “cert4android has encountered an unknown certificate. Do you want to trust it?” As far as I can tell, there was no update of certificates since the validity period is Mar 28, 2025 to Jun 26, 2025, so I’m not sure why I’m getting this question.

But, I was able to figure out how to confirm the certificate using the following command:

openssl s_client -connect sub.domain.tld:443 -showcerts < /dev/null 2>/dev/null | openssl x509 -in /dev/stdin -noout -fingerprint -sha256

It provided the SHA256 certificate so I could confirm that it is correct. I have to remember this command as I’m sure I’ll get it again in the next few weeks.

Now back to the certificate that doesn’t want to delete.

When I ran the command above, everything is OK. There are no failed_certificates.

I also ran

$ api-cli run module/traefik1/get-facts
Warning: using user "cluster" credentials from the environment
{"custom_path_routes": 0, "custom_host_routes": 0, "custom_certificates": 0, "acme_manual_certificates": 12, "acme_auto_certificates": 4, "acme_failed_certificates": 0}

with no failed certificates.

So I’m not sure why I can’t delete the certificate. I guess it isn’t causing any issues but it would be nice to clean it up.
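The fingerprint and SAN commands used in this thread, wrapped into an added shell example so the value shown in the cert4android prompt can be compared against what the server actually serves (this is added example code, not from the thread or the NethServer project). It assumes openssl 1.1.1 or newer; only fetch_leaf_cert needs network access, the other functions work on a saved PEM file.

```shell
#!/bin/sh
# Added example: check which certificate a NS8/Traefik host serves for a name.
# Assumes openssl >= 1.1.1 on the PATH.

# Fetch only the leaf (server) certificate from host:port into a PEM file.
# -servername sends SNI, so a proxy serving many hosts (such as Traefik)
# returns the certificate for this name rather than its default certificate.
# $1 = host, $2 = port, $3 = output PEM file
fetch_leaf_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$3"
}

# SHA-256 fingerprint (colon-separated hex) of a PEM certificate,
# the same value cert4android shows in its trust prompt.
# $1 = PEM file
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# DNS Subject Alternative Names of a PEM certificate, one per line.
# $1 = PEM file
cert_sans() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Compare the certificate's fingerprint with the one shown in the prompt.
# Colons, spaces and letter case are ignored. Returns 0 on match, 1 otherwise.
# $1 = PEM file, $2 = expected fingerprint
verify_fingerprint() {
    _have=$(cert_sha256 "$1" | tr -d ': ' | tr 'a-f' 'A-F')
    _want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    [ -n "$_have" ] && [ "$_have" = "$_want" ]
}

# Usage: ./certcheck.sh webmail.domain.tld [port] [fingerprint-from-prompt]
if [ -n "$1" ]; then
    tmp=$(mktemp)
    fetch_leaf_cert "$1" "${2:-443}" "$tmp"
    echo "SHA256: $(cert_sha256 "$tmp")"
    echo "SANs:"
    cert_sans "$tmp"
    if [ -n "$3" ]; then
        if verify_fingerprint "$tmp" "$3"; then echo "fingerprint matches"; else echo "MISMATCH"; fi
    fi
    rm -f "$tmp"
fi
```

If the fingerprint matches but the prompt keeps appearing, the SAN list tells you whether the name the client connects to is actually covered by the certificate it received.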

What’s the result when deleting the certificate on CLI? Adapt “mail.domain.tld” to the domain name of the cert you want to delete.

api-cli run module/traefik1/delete-certificate --data '{"fqdn":"mail.domain.tld","type":"internal"}'

Please check if the domain name of the certificate is listed in the default certs:

runagent -m traefik1 cat configs/_default_cert.yml

Hi @mrmarkuz
When I run from the cli

# api-cli run module/traefik1/delete-certificate --data '{"fqdn":"delete.domain.tld","type":"internal"}'
Warning: using user "cluster" credentials from the environment
<3>Timeout after about 30 seconds. Certificate not obtained for [...'**list of many different subdomains but not the one I wanted to delete**' ].
<3>
false

When I ran the above command, a window popped up in the cluster admin GUI that said

module/traefik1/delete-certificate

Task cluster/delete-certificate failed
cluster/delete-certificate
Task ID: lots of numbers

<3>Timeout after about 30 seconds. Certificate not obtained for [... subdomain list excluding the one I'm trying to delete ...]
<3>

Strange the certificate wasn’t in the list but shows up in the GUI list.

Running

runagent -m traefik1 cat configs/_default_cert.yml

and the delete.domain.tld is found in the list of certificates.

It’s in the list but won’t delete.

This sounds odd: I see two possible reasons for the timeout.

  1. Let’s Encrypt servers cannot reach your NS8 node on port 443, or 80 (if you installed Traefik before version 3, released during milestone 8.4)
  2. Loki is down. Check if the System Logs page is working correctly.