Enpass Discussion Forum

WebDAV Sync Error with new Letsencrypt R3 Intermediate


hummels151

Hi,

Since Friday my Enpass is not synchronizing with my WebDAV on a QNAP NAS anymore. I have not changed anything. The Enpass version is still the same and the QNAP NAS still runs on the same firmware with the same settings. The only thing that has changed is the renewed letsencrypt certificate which is issued by the new R3 intermediate with ISRG Root X1 authority. I checked if it is a certificate problem by changing the synchronization settings to "ignore SSL certificate verification". Using this setting, the sync was successful. Without this setting it fails with error code "904060". A crosscheck with my browsers on Windows 10, Ubuntu 20.04 and Android shows that every other device is trusting this root CA and verifies the certificate successfully.

The obvious reason would be that Enpass is not trusting the ISRG Root X1 Authority. So please fix that, otherwise everyone using letsencrypt certificates will not be able to sync anymore sooner or later. https://letsencrypt.org/certificates/

I know there is a possibility to switch letsencrypt to use an alternative Root CA which probably would work. But since this would be a temporary solution only (Letsencrypt says they support the cross signature of IdenTrust until March 17, 2021 https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html) I do not want to change that.

Obviously, I also do not want to disable the certificate validation for synchronizing my passwords. So please add the new Letsencrypt Root CA.


Hi @hummels151,

Welcome to the forums!

Please revert to us with the answer to the following queries, and we will get it sorted out for you:

  • On which devices and OS versions (mention all) are you using Enpass?
  • Which Enpass version are you using on each device?
  • On which device are you facing this issue?
  • Also, let us know if opening up the same WebDAV in the browser shows any warnings or not (while using HTTPS, of course)?

Thanks for your co-operation.


I am using Enpass on the following devices:

  • Android 10 QKQ1.190825.002, Enpass 6.6.1.449 (sync only working when SSL verification ignored)
  • Ubuntu 20.04, Enpass 6.5.1 (723) (sync only working when SSL verification ignored)
  • Win10 Pro 10.0.19042, Enpass 6.5.2 (724) (just checked it again and surprisingly the sync was working with SSL verification)

So currently it looks like the Linux-based devices are facing the issue. When configuring without verification, I got the following:


On Android I even got the error code 904060. When I check "ignore verification of SSL certificate", it works like a charm:


The WebDAV in the browser is working certificate-wise, but there is a known problem with the QNAP NAS WebDAV, that opening it in a browser will result in "Forbidden".


When I test it in my Nautilus with davs://.... it works very well, as you can see here:


I hope the information is helpful and you can figure out what is happening here.

BRs,

hummels151


Hi @hummels151,

Thanks for sharing the details.

We only use a system certificate store, so anything supported by your OS should work with Enpass seamlessly (at least in theory). It would be helpful if you could confirm compatibility across browsers on all platforms you're using Enpass on, e.g., Firefox/Chrome/Safari with Linux/Windows/OSX/iOS/Android.

We also noticed this line from the recent LetsEncrypt blog - "Meanwhile, we issued our root certificate ("ISRG Root X1") and applied for it to be trusted by the major software platforms."

Maybe the mentioned platforms are missing this certificate in their root cert store? Upon looking into some forum threads, we found that some browsers are temporarily using a workaround to get past it. Rest assured, we'll be testing this scenario and will keep you updated.

Thanks for your co-operation.


Hi @Pratyush Sharma,

Thanks for your hint that Enpass is just using the system-wide root certificate store. It seems like all browsers on all my "not working" devices have their own CAs built in so it just works.

I then tried to figure it out using a connect of openssl on my Ubuntu 20.04 machine and discovered that my server was sending the wrong (old) intermediate certificate. So the browsers seem to "know" the intermediates already and trust them while the root devices obviously do not.

After changing my QNAP NAS to use the correct new intermediate, it works like a charm again.

Thank you!

BRs,

hummels151

  • Thanks 1
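
An added example, not part of the thread: a small Python check for the misconfiguration found above, where the leaf certificate names R3 as its issuer but the server still sends an older intermediate. It parses the "Certificate chain" section of `openssl s_client -showcerts` output; the sample output, the hostname `nas.example.org` and the older intermediate's name are constructed for illustration.

```python
import re
import sys

# Constructed sample of the "Certificate chain" section printed by
# `openssl s_client -showcerts`; the hostname is a placeholder.
SAMPLE_BROKEN = """\
---
Certificate chain
 0 s:CN = nas.example.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""
# Same output after the server is reconfigured to send the R3 intermediate.
SAMPLE_FIXED = SAMPLE_BROKEN.replace("CN = Let's Encrypt Authority X3", "CN = R3")

_LINE = re.compile(r"^\s*(?:\d+ )?([si]):(.*)$")


def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    section = s_client_output.split("Certificate chain", 1)[-1].split("\n---", 1)[0]
    chain, subject = [], None
    for line in section.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # skips the extra a:/v: lines newer OpenSSL prints
        if m.group(1) == "s":
            subject = m.group(2).strip()
        elif subject is not None:
            chain.append((subject, m.group(2).strip()))
            subject = None
    return chain


def chain_breaks(chain):
    """Positions where a cert's issuer is not the subject of the next cert sent.

    This is a name comparison only, not signature verification."""
    return [(i, chain[i][1], chain[i + 1][0])
            for i in range(len(chain) - 1) if chain[i][1] != chain[i + 1][0]]


if __name__ == "__main__":
    text = SAMPLE_BROKEN if sys.stdin.isatty() else sys.stdin.read()
    for idx, issuer, sent in chain_breaks(parse_chain(text)):
        print(f"cert {idx} names issuer {issuer!r}, but the next cert sent is {sent!r}")
```

To check a live server, pipe the output of `openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null` into the script. Clients that rely only on the system root store need the server to send the matching intermediate, which is why a break reported here can fail in one client while browsers still succeed.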