Fail to fetch to CouchDB server using self-signed certificate from physical Android - Ionic

I’m developing an app that requests documents from a CouchDB server. When running the same code using ionic serve from a computer, it works; when running it inside Android (on my physical cellphone), I get a fail to fetch.

My CouchDB server is running using a self-signed certificate.
My server has CORS enabled:

    pnpm install -g add-cors-to-couchdb
    add-cors-to-couchdb http://192.168.1.27:5984 -u admin -p xxxx

My code uses PouchDB

    this.rdb = new PouchDB('https://192.168.1.2:6984/employees',
    {
      auth: {
        username: "xxxx",
        password: "xxxx",
      },
    });

Inspecting the calls from the Android app I get this error message:

When I open the same url (https://192.168.1.2:6984) inside a browser using my cellphone, it works.

My App has many settings:
AndroidManifest.xml

    <manifest xmlns:android="http://schemas.android.com/apk/res/android" xmlns:tools="http://schemas.android.com/tools" android:networkSecurityConfig="@xml/network_security_config" >

        <application
            android:usesCleartextTraffic="true"
            tools:ignore="GoogleAppIndexingWarning">
            <uses-library
                android:name="org.apache.http.legacy"
                android:required="false" />
        ...
        </application>
        <uses-permission android:name="android.permission.INTERNET" />
        <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    </manifest>

network_security_config.xml

    <?xml version="1.0" encoding="utf-8"?>
    <network-security-config>
        <domain-config cleartextTrafficPermitted="true">
            <domain includeSubdomains="true">localhost</domain>
            <domain includeSubdomains="true">192.168.1.27</domain>
        </domain-config>
        <base-config cleartextTrafficPermitted="true">
            <trust-anchors>
                <certificates src="system" />
                <certificates src="user" />
            </trust-anchors>
        </base-config>
        <debug-overrides>
            <trust-anchors>
                <certificates src="@raw/couchdb"/>
            </trust-anchors>
        </debug-overrides>
    </network-security-config>

I renamed and copied my certificate from couchdb.pem to:
android/app/src/main/res/raw/couchdb.crt
and to:
android/app/src/main/assets/couchdb.crt

capacitor.config.ts

    ...
      server: {
        androidScheme: 'https',
        allowNavigation: ['https://192.168.1.27:6984/employees']
      }
    ...

CouchDB Server settings

local.ini

    [ssl]
    enable = true
    cert_file = /etc/couchdb/cert/couchdb.pem
    key_file = /etc/couchdb/cert/privkey.pem

I generated my certificate using:

    openssl req -newkey rsa:2048 -nodes -x509 -keyout privkey.pem -out couchdb.pem -days 1095 -addext "subjectAltName = IP.1:192.168.1.27"

I’m running CouchDB inside Docker. The log prints a "certificate unknown" error, but I can access the server using https if I run my app using ionic serve on my computer:

    Attaching to couch_couchserver_1
    couchserver_1  | [info] 2024-03-31T03:02:46.560859Z nonode@nohost <0.248.0> -------- Preflight check: Checking For Monsters
    couchserver_1  |
    couchserver_1  | [info] 2024-03-31T03:02:46.561748Z nonode@nohost <0.248.0> -------- Preflight check: Asserting Admin Account
    couchserver_1  |
    couchserver_1  | [info] 2024-03-31T03:02:46.563687Z nonode@nohost <0.248.0> -------- Apache CouchDB 3.3.3 is starting.
    couchserver_1  |
    couchserver_1  | [info] 2024-03-31T03:02:46.563729Z nonode@nohost <0.249.0> -------- Starting couch_sup
    couchserver_1  | [notice] 2024-03-31T03:02:46.569034Z nonode@nohost <0.103.0> -------- config: [admins] admin set to '****' for reason nil
    couchserver_1  | [info] 2024-03-31T03:02:46.623235Z nonode@nohost <0.248.0> -------- Apache CouchDB has started. Time to relax.
    couchserver_1  |
    couchserver_1  | [notice] 2024-03-31T03:02:46.628526Z nonode@nohost <0.345.0> -------- rexi_server : started servers
    couchserver_1  | [notice] 2024-03-31T03:02:46.629507Z nonode@nohost <0.349.0> -------- rexi_buffer : started servers
    couchserver_1  | [notice] 2024-03-31T03:02:46.667987Z nonode@nohost <0.380.0> -------- mem3_reshard_dbdoc start init()
    couchserver_1  | [notice] 2024-03-31T03:02:46.670659Z nonode@nohost <0.382.0> -------- mem3_reshard start init()
    couchserver_1  | [notice] 2024-03-31T03:02:46.670694Z nonode@nohost <0.383.0> -------- mem3_reshard db monitor <0.383.0> starting
    couchserver_1  | [notice] 2024-03-31T03:02:46.672077Z nonode@nohost <0.382.0> -------- mem3_reshard starting reloading jobs
    couchserver_1  | [notice] 2024-03-31T03:02:46.672122Z nonode@nohost <0.382.0> -------- mem3_reshard finished reloading jobs
    couchserver_1  | [info] 2024-03-31T03:02:46.678058Z nonode@nohost <0.389.0> -------- Apache CouchDB has started. Time to relax.
    couchserver_1  |
    couchserver_1  | [info] 2024-03-31T03:02:46.678114Z nonode@nohost <0.389.0> -------- Apache CouchDB has started on http://any:5984/
    couchserver_1  | [info] 2024-03-31T03:02:46.678128Z nonode@nohost <0.389.0> -------- Apache CouchDB has started on https://any:6984/
    couchserver_1  | [notice] 2024-03-31T03:02:46.721316Z nonode@nohost <0.476.0> -------- All system databases exist.
    couchserver_1  | [notice] 2024-03-31T03:02:51.694422Z nonode@nohost <0.438.0> -------- couch_replicator_clustering : cluster stable
    couchserver_1  | [notice] 2024-03-31T03:02:51.698330Z nonode@nohost <0.460.0> -------- Started replicator db changes listener <0.577.0>
    couchserver_1  | [info] 2024-03-31T03:02:51.698548Z nonode@nohost <0.579.0> -------- open_result error {not_found,no_db_file} for _replicator
    couchserver_1  | [notice] 2024-03-31T03:03:01.629532Z nonode@nohost <0.345.0> -------- rexi_server : cluster stable
    couchserver_1  | [notice] 2024-03-31T03:03:01.629615Z nonode@nohost <0.349.0> -------- rexi_buffer : cluster stable
    couchserver_1  | [error] 2024-03-31T03:03:53.646933Z nonode@nohost <0.1095.0> -------- application: mochiweb, "Accept failed error", "{error,\n    {tls_alert,\n        {certificate_unknown,\n            \"TLS server: In state wait_finished received CLIENT ALERT: Fatal - Certificate Unknown\\n\"}}}"
    couchserver_1  | [error] 2024-03-31T03:03:53.646967Z nonode@nohost <0.1095.0> -------- application: mochiweb, "Accept failed error", "{error,\n    {tls_alert,\n        {certificate_unknown,\n            \"TLS server: In state wait_finished received CLIENT ALERT: Fatal - Certificate Unknown\\n\"}}}"
    couchserver_1  | [error] 2024-03-31T03:03:53.646989Z nonode@nohost <0.1096.0> -------- application: mochiweb, "Accept failed error", "{error,\n    {tls_alert,\n        {certificate_unknown,\n            \"TLS server: In state wait_finished received CLIENT ALERT: Fatal - Certificate Unknown\\n\"}}}"
    couchserver_1  | [error] 2024-03-31T03:03:53.647012Z nonode@nohost <0.1096.0> -------- application: mochiweb, "Accept failed error", "{error,\n    {tls_alert,\n        {certificate_unknown,\n            \"TLS server: In state wait_finished received CLIENT ALERT: Fatal - Certificate Unknown\\n\"}}}"

Assuming you’ve looked at the Network tab in DevTools as well? What about LogCat in Android Studio?

The sample app code: GitHub - danilobatistaqueiroz/ionic-pouchdb-sqlite: ionic 7 OffLineFirst, using pouchdb backed by sqlite when android platform and indexeddb when on the web

LogCat doesn’t show anything.
To improve my tests, I created a very simple page in an Apache2 server on 192.168.1.2 using SSL (self-signed certificate) and CORS enabled.
In the App I called:

    this.http.get('https://192.168.1.2').subscribe({
      next: (response) => { console.log(response); },
      error: (error) => { console.error(error); },
      complete: () => console.log('completed!!!!')
    });

Using ionic serve on another computer with another IP (192.168.1.27), my app works.
Using my app on an Android physical device I get this error:

If I open a browser using my Android cellphone, I can navigate to https://192.168.1.2

The problem is on Ionic.
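
An added example, not code from the thread or from Ionic: a Python check that resolves which trust anchors Android's Network Security Config would apply to a given host, run over constructed copies of the AndroidManifest.xml and network_security_config.xml posted above. It assumes API 24+ defaults and does not handle nested domain-config; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
ANDROID = "{http://schemas.android.com/apk/res/android}"

# Added example: helper names are hypothetical. Both inputs are constructed
# copies of the manifest and network_security_config.xml shown in the post.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    android:networkSecurityConfig="@xml/network_security_config">
  <application android:usesCleartextTraffic="true"/>
</manifest>"""

NSC = """<network-security-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">localhost</domain>
    <domain includeSubdomains="true">192.168.1.27</domain>
  </domain-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors><certificates src="system"/><certificates src="user"/></trust-anchors>
  </base-config>
  <debug-overrides>
    <trust-anchors><certificates src="@raw/couchdb"/></trust-anchors>
  </debug-overrides>
</network-security-config>"""

def anchors(node):
    """Certificate sources directly under node's <trust-anchors>, or None if unset."""
    ta = node.find("trust-anchors") if node is not None else None
    return None if ta is None else [c.get("src") for c in ta.findall("certificates")]

def manifest_applies_config(manifest_xml):
    """android:networkSecurityConfig is an attribute of <application>, not <manifest>."""
    app = ET.fromstring(manifest_xml).find("application")
    return app is not None and app.get(ANDROID + "networkSecurityConfig") is not None

def effective_anchors(nsc_xml, host, debuggable):
    """Anchors for host: matching domain-config, else base-config, else the
    assumed API 24+ default (system store); debug-overrides add on top."""
    root = ET.fromstring(nsc_xml)
    result = None
    for dc in root.findall("domain-config"):
        for d in dc.findall("domain"):
            name, sub = d.text.strip(), d.get("includeSubdomains") == "true"
            if host == name or (sub and host.endswith("." + name)):
                result = anchors(dc)  # None means "inherit from base-config"
    if result is None:
        result = anchors(root.find("base-config"))
    if result is None:
        result = ["system"]
    if debuggable:  # debug-overrides apply only when android:debuggable="true"
        result = result + (anchors(root.find("debug-overrides")) or [])
    return result
```

For the posted files, `manifest_applies_config(MANIFEST)` is false because the attribute sits on `<manifest>`, and `@raw/couchdb` appears in the effective anchors only when `debuggable` is true.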