[Feature Request] Allow user-supplied root certificates (weaken security)

Within the enterprise environment, occasionally some hosts are served with a corporate internal CA. And these root certificates are registered in each device's user store.

But Obsidian (Android) looks like it only trusts certificates in the system store.

So, retrieving web content or accessing a server with some plugins (e.g., ReadItLater, Auto Link Title, or Self-hosted LiveSync) fails.

I know it's disabled by default since API level 24.
But if you add "user" to the certificate src, it would be very useful.

Could you possibly consider it?

Edited: Moved into Mobile Category

5 Likes

I renamed this thread to clarify its intent. For anyone who stumbles upon this thread in the future, allowing this will let whoever provided you the root certificate (state or corporate) spy on you (perform a man-in-the-middle attack).

Something like this:

You are right to be concerned. That's right: if an untrusted root certificate has been installed, MITM may work.

On the other hand, it’s also true that some people want to access the endpoint that is non-secure or signed by a local CA.

For example, in a corporate environment, it may be used for various reasons, and the same is true for local testing.

Of course, it is safe to prohibit access to all addresses, but is it possible to add a feature to register addresses that may be accessed as an “allowlist” and not prohibit access to those addresses?

This would be very helpful.

2 Likes
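For readers wanting to see what "adding user to the certificate src" (first post) and an address allowlist (post above) look like in Android's network security config, here is an added example; it is not from the original thread or from the Obsidian project. The domain name `notes.internal.example` is a placeholder. The point from a risk standpoint is that user-installed CAs are trusted only for the listed domains, while everything else keeps the API 24+ default of system CAs only, which limits what a rogue user-store root could intercept.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example, not Obsidian's actual config) -->
<network-security-config>

    <!-- Default for every host not matched below: the Android API 24+ behaviour,
         i.e. only the system trust store. A CA installed via Settings is ignored here. -->
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Allowlist: only for these hosts (placeholder domain) are user-installed
         CAs accepted in addition to the system store. A corporate or home-lab
         root therefore cannot be used to intercept traffic to any other host. -->
    <domain-config>
        <domain includeSubdomains="true">notes.internal.example</domain>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </domain-config>

</network-security-config>
```

The file is referenced from the manifest with `android:networkSecurityConfig="@xml/network_security_config"` on the `<application>` element. Putting `src="user"` under `<base-config>` instead would re-enable user CAs globally, which is the broad trust the thread rename warns about; the per-domain form is the narrower option.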

2nd this.

I am in need of this feature as well. I am using the remotely-sync plugin to sync to a local webdav server that I’ve secured with my own CA that I run at home. I’ve installed the root cert on my wife’s Android phone, and it seems to be working fine for other apps, but obsidian does not allow the plugin to connect over https, so I can’t sync files with her. I’m able to connect & sync using the same configuration on my iPhone. Would love for this to be supported, otherwise I’ll have to create an http webdav option for this use case, which would be less secure than https + self-signed cert.

1 Like

Update: I switched to using a public domain + cert and then restricting it to local only access as a workaround.

1 Like

I also support this one.
Today I was really shocked when I found out that Obsidian cannot tolerate self-signed certificates even if I have my CA certificate installed on the Android device.

So far, Obsidian is the only app I had this problem with on my phone. All other programs accept self-signed certificates just fine.

I second this too. I agree there is a valid security concern, but forbidding the self-signed certificate is also affecting other valid scenarios too. I set up Nextcloud in my local network using my generated certificate. I can connect to it using the Nextcloud client on iPhone. There is a warning the first time when I connect to it. I think this may be a better experience in Obsidian too. Let the user decide whether to trust the certificate or not. The certificates banned by the browsers are different. They are not self-signed certificates and they were assigned by a trusted organization. The browsers don't ban self-signed certificates at all. There are warnings before I accept the certificate.

Banning the self-signed certificates in Obsidian is worse, because I have to either not use Obsidian or use http, which is worse. I've been using an http endpoint in my local network to use remotely sync. It seems like it stopped working in a recent Obsidian update. It seems to me there is no way to sync now.