Does Traccar Manager support HTTPS protocol?

Krzysztof5 years ago

Traccar Manager app does seem to have issues while connecting to server via https

What is the problem and quick description

I'm having problems connecting my Traccar Manager app to my Traccar Server.
I've used the app with success when I was accessing server trough http protocol but for security reason I've switched to https (with self-signed certificate) and I can not access it.

My server setup

My server is in local network with local IP and accessed from outside via NAT and port forwarding.
Server is lintening for https at port 443 and http at port 8082 on local IP.
Https is port-forwarded for port 50000 to outside world and port 8082 is for local access only (ie not forwarded for security reasons).
Web interface is accessible at https://PUBLIC_IP_ADDR:50000 and works flawlessly.
Tracecar trackers ports are also forwarded on my router to different public ip ports for security reasons and they work fine.
In this setup Traccar has almost no changes in configuration except for adding https support.

My app setup

I try to connect to server via WAN and HTTPS using https://PUBLIC_IP_ADDR:50000 and got error:

Server connection failed.

with no more explanation.

I also tried connecting via LAN and HTTPS to https://LOCAL_IP_ADDR and https://LOCAL_IP_ADDR:443 ald also got the same error.

I tried to connect to server via LAN and HTTP at http://LOCAL_IP_ADDR:8082 and it worked fine.

Conclusion

From what I can see it looks like Traccar Manager has no support for https protocol. I'd prefer not to open port for http traffic just to connect this app to server so i'm forced to use mobile web browser (which looks similar but is slightly less responsive than the app).
If I'm wrong and missing something please let me know.

Anton Tananaev5 years ago

Can you provide URL?

Krzysztof5 years ago

You can look into it on https://nerdrack.ddns.net:50000

Anton Tananaev5 years ago

You are using invalid certificate:

NET::ERR_CERT_AUTHORITY_INVALID
Krzysztof5 years ago

Yes, as I've written before I'm using self signed certificate - default one generated by system.
Did you get that error in browser or is that from logs from traccar manager app?
While in browser this can be bypassed:

   In firefox: by clicking 'Advanced' and 'Accpet risk, continue'.
    In Chrome: by clicking 'Advanced' and 'Open website XXXXX (insecure)'

This is only due to fact that this is self signed certificate - untrusted but valid.

I've created my own CA and signed certificate that this server is using. So basically my phone with traccar manager trusts this website - it has green lock on url bar when i visit it via browser. Not it's the same as if i were to use SSL certificate that I'd bought for this domain (at least for me and for everyone who would install this CA).

After adding this CA I've tried all steps from above and still i get the same error.

If You are willing to try further help me I'd gladly send over my CA via email or other more personal than forum means of communication, so You can try it in VM or android emulator (not to install my CA in your devices since You don't know me and I understand if You had some safety concerns regarding installing unknown CA ;) ).

I doubt it's certificate problem basing on what I've tried but I still may be wrong.

Anton Tananaev5 years ago

Your browser trusts it or your phone trusts it? I'm almost certain that it's a certificate issue. Just get a valid trusted certificate. I don't see any good reason not to.

Krzysztof5 years ago

Since I installed ca on phone directly under trusted root ca whole android should trust this ca.
I'm fiddling with server and my networking setup as well as with my domain name (thats why it ddns for now) so I thought I'd go with self-signed certs for now.
I hope to get 'proper' certificate as soon as I can then.

Thank You very much for help

Kublach4 years ago

Hi :)

First of all, thank you for this application.

I have exact the same problem as @Krzysztof...
I use HTTPS proxy as described here using Let's encrypt certificates.
When I try to set up Traccar Manager it says "Server connection failed", but when I try the same link in my browser it works (and connection is secured.)
It also work when I try locally with port 8082.

Can you please check it? What information do you need?

Anton Tananaev4 years ago

Link?

Kublach4 years ago
Anton Tananaev4 years ago

Interesting. Unclear why it's failing. I would recommend checking Android logs to see if there are any errors.

Kublach4 years ago
11-16 19:16:31.839 23793 23956 E CONSCRYPT: ------------------Untrusted chain: ----------------------
11-16 19:16:31.839 23793 23956 E CONSCRYPT: == Chain0 ==
11-16 19:16:31.839 23793 23956 E CONSCRYPT:  Version:   3
11-16 19:16:31.839 23793 23956 E CONSCRYPT:  AuthorityKeyIdentifier:   41830168014a84a6a63047dddbae6d139b7a64565eff3a8eca1
11-16 19:16:31.839 23793 23956 E CONSCRYPT:  SubjectKeyIdentifier:   416041441be1a5fee05b1d04942f935707de55a16061efe
11-16 19:16:31.839 23793 23956 E CONSCRYPT:  Serial Number:   38d100f1c36f8b59cd17391fd17071ad41a
11-16 19:16:31.840 23793 23956 E CONSCRYPT:  SubjectDN:   CN=kublach.duckdns.org
11-16 19:16:31.840 23793 23956 E CONSCRYPT:  IssuerDN:   CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
11-16 19:16:31.840 23793 23956 E CONSCRYPT:  Get not before:   Mon Nov 16 17:07:59 GMT+01:00 2020
11-16 19:16:31.841 23793 23956 E CONSCRYPT:  Get not after:   Sun Feb 14 17:07:59 GMT+01:00 2021
11-16 19:16:31.841 23793 23956 E CONSCRYPT:  Sig ALG name:   SHA256withRSA
11-16 19:16:31.841 23793 23956 E CONSCRYPT:  Signature:   5a4b339f68624b2c253b996e2f7ad72d1d7205152cb545bbcdf264fe9dbc046fc01d48b758281e45e3eb38ea8cf9c12a1a923869d9b845c16d8432b5174308345c17975c6c79bc6606d471da029c5149c7a77fde162fc52bfa8836e12fc0263fdc04676024797c103130d82145b2d005e3c7c7da534724871c99074a75b91d691b06fe8b6c3272488f8952f1a8888ed09abc776d08772de852b6dc1e514f93596aaeb70bc2cdc2dc4b2df44a6bb72964764dd19d50031ec6a248e8f8cd9cbcd05c063313d7dff77be905f05aa1d68642bc63e2990dd67880716d176c96e51f6fdaf4dfb03a1d70f4d71ed61e2a83ef76eca6fbcb6b7a96bd3cf72c595e6e0383
11-16 19:16:31.844 23793 23956 E CONSCRYPT:  Public key:
11-16 19:16:31.844 23793 23956 E CONSCRYPT:
11-16 19:16:31.844 23793 23956 E CONSCRYPT:  30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03
11-16 19:16:31.844 23793 23956 E CONSCRYPT:  82 01 0f 00 30 82 01 0a 02 82 01 01 00 a8 9a 81 2b b3 05 1f
11-16 19:16:31.844 23793 23956 E CONSCRYPT:  75 a3 1b fc 12 8d 57 f5 6c ae 35 07 c9 c7 1f 8d fc 93 b4 17
11-16 19:16:31.844 23793 23956 E CONSCRYPT:  d3 a1 60 31 f8 b7 85 34 8b c6 98 4d ec 48 64 19 20 d3 7c a5
11-16 19:16:31.844 23793 23956 E CONSCRYPT:  34 60 f3 e8 5d 32 02 a2 4f f2 a8 8c 44 0b 24 99 ce a9 e1 c1
11-16 19:16:31.844 23793 23956 E CONSCRYPT:  22 da 3b 6b 30 5c 04 36 37 78 ba 89 4a 91 c3 45 36 3c b9 5e
11-16 19:16:31.844 23793 23956 E CONSCRYPT:  68 d1 93 ed a5 27 4e 06 1b b0 f8 7f ce 71 a1 93 b2 22 61 55
11-16 19:16:31.844 23793 23956 E CONSCRYPT:  a4 e8 9e 83 4f 80 c9 56 c7 09 c9 44 7c 91 4a c6 71 ed 47 8a
11-16 19:16:31.844 23793 23956 E CONSCRYPT:  5a 7a 8b cb b6 f5 10 4b f3 e8 42 bd ac 61 b8 ab ce 81 c5 18
11-16 19:16:31.844 23793 23956 E CONSCRYPT:  af b8 58 21 3f 9f b9 78 15 08 33 be 61 fd 6b 8a b9 1a cd e2
11-16 19:16:31.844 23793 23956 E CONSCRYPT:  62 c9 98 27 4f 50 38 9e bc 3f 37 49 de cb 95 5d 59 9c ac d1
11-16 19:16:31.844 23793 23956 E CONSCRYPT:  36 cd e5 7a 3d 6a fb bf b6 93 a3 50 95 79 06 73 66 5c 74 85
11-16 19:16:31.844 23793 23956 E CONSCRYPT:  6c 30 2c 0a 3f 45 a7 79 61 d2 a9 f7 01 dc 9a 0e cd ea 52 88
11-16 19:16:31.844 23793 23956 E CONSCRYPT:  01 16 33 4e a1 02 c2 0d fc 79 75 01 dc cd 37 7c 42 08 ad 01
11-16 19:16:31.844 23793 23956 E CONSCRYPT:  2d cf 99 8d c7 c5 10 92 5f 02 03 01 00 01
11-16 19:16:31.845 18539 22510 I adbd    : USB event: FUNCTIONFS_SUSPEND
11-16 19:16:31.847 23793 23956 W StartFragment:
*11-16 19:16:31.847 23793 23956 W StartFragment: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.*
11-16 19:16:31.847 23793 23956 W StartFragment:         at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:239)
11-16 19:16:31.847 23793 23956 W StartFragment:         at com.android.okhttp.internal.io.RealConnection.connectTls(RealConnection.java:1471)
11-16 19:16:31.847 23793 23956 W StartFragment:         at com.android.okhttp.internal.io.RealConnection.connectSocket(RealConnection.java:1415)
11-16 19:16:31.847 23793 23956 W StartFragment:         at com.android.okhttp.internal.io.RealConnection.connect(RealConnection.java:1359)
11-16 19:16:31.847 23793 23956 W StartFragment:         at com.android.okhttp.internal.http.StreamAllocation.findConnection(StreamAllocation.java:221)
11-16 19:16:31.847 23793 23956 W StartFragment:         at com.android.okhttp.internal.http.StreamAllocation.findHealthyConnection(StreamAllocation.java:144)
11-16 19:16:31.847 23793 23956 W StartFragment:         at com.android.okhttp.internal.http.StreamAllocation.newStream(StreamAllocation.java:106)
11-16 19:16:31.847 23793 23956 W StartFragment:         at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:400)
11-16 19:16:31.847 23793 23956 W StartFragment:         at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:333)
11-16 19:16:31.847 23793 23956 W StartFragment:         at com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:483)
11-16 19:16:31.847 23793 23956 W StartFragment:         at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getResponse(HttpURLConnectionImpl.java:429)
11-16 19:16:31.847 23793 23956 W StartFragment:         at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getResponseCode(HttpURLConnectionImpl.java:560)
11-16 19:16:31.847 23793 23956 W StartFragment:         at com.android.okhttp.internal.huc.DelegatingHttpsURLConnection.getResponseCode(DelegatingHttpsURLConnection.java:106)
11-16 19:16:31.847 23793 23956 W StartFragment:         at com.android.okhttp.internal.huc.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:30)
11-16 19:16:31.847 23793 23956 W StartFragment:         at org.traccar.manager.StartFragment$1.doInBackground(StartFragment.java:80)
11-16 19:16:31.847 23793 23956 W StartFragment:         at org.traccar.manager.StartFragment$1.doInBackground(StartFragment.java:65)
11-16 19:16:31.847 23793 23956 W StartFragment:         at android.os.AsyncTask$3.call(AsyncTask.java:378)
11-16 19:16:31.847 23793 23956 W StartFragment:         at java.util.concurrent.FutureTask.run(FutureTask.java:266)
11-16 19:16:31.847 23793 23956 W StartFragment:         at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:289)
11-16 19:16:31.847 23793 23956 W StartFragment:         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
11-16 19:16:31.847 23793 23956 W StartFragment:         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
11-16 19:16:31.847 23793 23956 W StartFragment:         at java.lang.Thread.run(Thread.java:919)
11-16 19:16:31.847 23793 23956 W StartFragment: Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
11-16 19:16:31.847 23793 23956 W StartFragment:         at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:668)
11-16 19:16:31.847 23793 23956 W StartFragment:         at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:513)
11-16 19:16:31.847 23793 23956 W StartFragment:         at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:432)
11-16 19:16:31.847 23793 23956 W StartFragment:         at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:360)
11-16 19:16:31.847 23793 23956 W StartFragment:         at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
11-16 19:16:31.847 23793 23956 W StartFragment:         at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:89)
11-16 19:16:31.847 23793 23956 W StartFragment:         at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:224)
11-16 19:16:31.847 23793 23956 W StartFragment:         at com.android.org.conscrypt.ConscryptFileDescriptorSocket.verifyCertificateChain(ConscryptFileDescriptorSocket.java:430)
11-16 19:16:31.847 23793 23956 W StartFragment:         at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
11-16 19:16:31.847 23793 23956 W StartFragment:         at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:387)
11-16 19:16:31.847 23793 23956 W StartFragment:         at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:234)
11-16 19:16:31.847 23793 23956 W StartFragment:         ... 21 more
11-16 19:16:31.847 23793 23956 W StartFragment: Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
11-16 19:16:31.847 23793 23956 W StartFragment:         ... 32 more

Is this a problem?
11-16 19:16:31.847 23793 23956 W StartFragment: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

Anton Tananaev4 years ago

Looks like it. Most likely the issue is with your server and you are missing one of the certificates in the chain.

Kublach4 years ago

Thank you for help... I found problem... Apache needed:

            SSLCertificateChainFile /path/to/my.domain/ca.cer

In config file...

markus4 years ago

Hi Anton!

I have the same problem using https with TraccarManager-App on iOS Devices with a self-signed certificate.
The ReverseProxy on apache2 for using https is active and working.
Everything is fine when using a browser, either internal or external doesn't matter if using http or https with the browser version every situation is working as expected.

Internal or via VPN using http (without httpS) I have no problem using TraccarManager-App. Using the TraccarManager-App from external using https leads into an error message "Error Server connection failed".
At the same time checking the tracker-server.log with debug-mode ALL there is no entry that shows any connection request. Therefore the communication via https and the TraccarManager-App does not reach the server.

I'm sure the issue has to do with the TraccarServer iOS-App that maybe does not consider the iOS certificate storage of the device.
I can confirm that, my self-signed certificate is registered properly within iOS according that german link [https://support.apple.com/de-at/HT204477 ]. Translated it says sending the *.cer file via mail to the iOS device, klick on cer File and install it via Settings / Profile loaded and then activate it via Settings / General / Info / Certificate.
I also tested the successful storage of the self-signed certificate within the iOS device because after registering my certificate in the way I described before also the browser version of traccar does no longer ask the "unsafe self-signed certificate" question any more.

I'd like to add that the https access via the old TraccarManger+ App is working properly due to the App itself asks for accepting the self signed certificate. I found out, that also this app does not look after the within the iOS device stored certificates.

Do you have any idea how to solve that or could you check the TraccarManager app please?

Unfortunately the debuging possibilities for iOS users are limited therefore I can't send you more evidence.
But you can try by yourself using my server link:

[https://mxdream.mywire.org:9097 ]

Thank you and by the way I wish you a good and healthy new year 2021!
Markus