Add possibility to Ignore self-signed certificate warning

[kda-jt]

Hi!
First off, thanks for the great work you're doing!
I have a local instance of Photoprism, running with a self-signed certificate.

The app fails to connect to my instance because of a SSLHandshakeException.
Would it be possible to add an "Accept self-signed SSL certificates" option?

Cheers

[ippocratis]

The app does not trust unknown CA's and self signed certs, but it will if you install your CA to the android cert store (android settings > security > encryption and credentials > install a certificate)
Taken from an on older Oleg's answer

#9 (comment)

[Radiokot]

@ippocratis is right, you have to add your CA through the Android settings. I have a complete guide on how to create keys for mTLS, you follow it:
https://gist.github.com/Radiokot/092dfa1bc480ae8209cb6f48dabe1904

[kda-jt]

@Radiokot @ippocratis
Thanks for your answers.
I've read the docs, yet my suggestion still stands.

Prior to posting, I had tried installing my self-signed cert device-wide, and that was not possible on my device. It just does not allow for self-signed certs.

Any opinions?
(Note: I'm not asking for help debugging my device, I've already done that)

[ippocratis]

Wait,
Android Settings -> Security -> Encryption & Credentials -> Install a Certificate -> Select CA Certificate option -> install anyway , doesn't let you install you cert?

Also:
What's your usecase for this cert? Using it on your reverse proxy?using it for mutual TLS?

I have signed and used certs for mutual TLS with openssl for android 10,11,12,13.

For reverse proxy I use caddy. Caddy signs certs with letsencrypt.

[Radiokot]

@kda-jt if for some reason your device doesn't let you installing custom authorities and certificates, I suggest issuing a valid cert with Let's Encrypt and using it either directly with PhotoPrism through PHOTOPRISM_TLS_* config options or through a reverse proxy.
I definitely don't want to add the ability to simply skip the certificate check. It not only complicates the connection screen, but also opens a security breach.

[kda-jt]

I definitely don't want to add the ability to simply skip the certificate check. It not only complicates the connection screen, but also opens a security breach.

Okay, that's fair enough.
Thank you for your answer & your work!