
Warning after importing certificates for Let's Encrypt and CAcert

exclamation mark on the top left and no option to get rid of it found in settings or the dialogue.
can be removed temporarily but not permanently, shows up again after reboot.

Could you explain a bit more about your problem? I have no idea what you are talking about to be honest.

to live up to the use case, get a copy of root certs e.g. by cacert via cacert.org; the pem-files.

  1. go to https://www.cacert.org/index.php?id=3
  2. open the pem-files and you will be asked to add them for (chrome: either wifi or vpn and apps; in fact you will rather need them for websites); so used mozilla (choice: websites or email or software)
  3. activate websites and maybe email if you use s/mime and maybe apps if you know any dev that uses cacert for that purpose - I don’t

view via system settings

  1. Settings -> Security -> Trusted credentials -> User
  2. imported certs are shown there, no option given even to remove or deactivate the warning for a cert the user gives trust; system ones you can deactivate and in fact should for a number of them (e.g. TÜRKTRUST to name just a single one).

after reboot: Warning says

“Network monitoring: Third parties can monitor your network activity, including emails, apps and secure websites.
This is made possible by trusted credentials installed on your device.”

That warning is easily misunderstood by users for a security concern instead of “that's the way you should do it” that it is.

There is a link to check on those certs underneath… where you can remove them and most users will try to get rid of those certs when there is such a warning. And after that they go to the support of their company or service and ask why they cannot enter the service. I hope the problem is clear.

Hi @wolf,

this is not related to Fairphone OS, but a feature in Android itself. I think it was implemented in Android 4.4 (KitKat).

There is plenty of information about this notification and how to get rid of it on the web. One way to circumvent this is to move the certificate to the system truststore (requires root). You could also build Fairphone Open Source OS by yourself and add the certificates before compiling.

jnsp

ok, I still hope the upcoming Fairphone OS will include a solution; why making another distribution if not changing things :wink: … ah, for the name on it, of course.

Why do you think you need to add those certificates? Letsencrypt certificates work out of the box without any warnings. Is there another reason?

are you serious? why would I not add e.g. cacert? maybe you like warnings all over the things you use. I do not and it is clearly nothing that helps average users. but proper certs do.

there are also certs of companies e.g. in insurances … there are self signed certs as of “myself” … that was just an example you can easily make use of yourself. it is about any certs of trustworthy origin are a better way than having no certs or preinstalled ones.

Yes, I’m serious: I am genuinely interested in your reason to install those certificates; especially the reason for installing the letsencrypt certificate.

I don’t get warnings all over the things I use so this is not an issue for me. But apparently your reason for importing the CAcert certificates is that you frequently communicate with parties that use certificates signed by CAcert. Thus it shouldn’t cause any warnings “all over the things” for you either.

But, again, my question: Why do you import the certificate from Letsencrypt? It works out of the box because it is cross-signed by certificates installed in all browsers and operating systems.

may be not the best answer but given already

that was just an example you can easily make use of yourself

why would you trust a cross signature over your own choice? just because it works … meh

Hm I’d like to understand that as well.

So do you delete all pre-installed certificates or all the cross signatures (if the latter is possible)? If you don’t, then you are still trusting the cross signatures, aren’t you? Because if your own added certificate gets deleted without your knowledge (by accident or whatever - not very likely but possible), you will nevertheless not get a warning. So if you only want to trust certificates you chose, you’d need to delete the pre-installed ones, needn’t you?

I do not need to. I just want to get rid of the warnings for certs that I clearly stated that I trust them. And that should not need to hack the whole thing.

I get invalid cert errors for my let’s encrypt cert, which I use for jabber, email, davdroid and nextcloud.
About one minute after reboot, the cert is accepted again. Strange thing!