[Freedombox-discuss] Can't get android phone to connect to radicale.

A. F. Cano afc at shibaya.lonestar.org
Wed Feb 8 04:34:09 UTC 2017

On Tue, Feb 07, 2017 at 12:41:54PM -0500, Daniel Gnoutcheff wrote:
> On 02/06/2017 11:15 PM, A. F. Cano wrote:
> >   Failed to obtain certificate for domain <domain>.freedombox.rocks: Failed
> >   authorization procedure. <domain>.freedombox.rocks (http-01):
> >   urn:acme:error:connection :: The server could not connect to the client
> >   to verify the domain :: Could not connect to <domain>.freedombox.rocks
> From this, it sounds like the HTTP server on <domain>.freedombox.rocks
> is not reachable from the public Internet.  It needs to be in order for
> the "http-01" validation method to work [1].
> What happens if you try to visit http://<domain>.freedombox.rocks/ in a
> browser, preferably from a public Wifi network or some other independent
> network?

Trying this from a real outside network will have to wait until
saturday, but trying it from an inside machine it seems that DNS does
its job and sends the packets to the right place.  I get:

  Your connection is not secure

  The owner of <domain>.freedombox.rocks has configured their website
  improperly. To protect your information from being stolen, Firefox has
  not connected to this website.

  This site uses HTTP Strict Transport Security (HSTS) to specify that
  Firefox only connect to it securely. As a result, it is not possible to
  add an exception for this certificate.

> What happens when you run
>   getent ahosts <domain>.freedombox.rocks

>From the same internal machine I get:  STREAM <domain>.freedombox.rocks  DGRAM  RAW

This address is the same one that ifconfig reports on the freedombox for
the ppp0 interface, which is the outside interface.  So it seems to be

> from a Linux workstation?
> Is the freedombox behind another router?  If so, have we verified port

No.  The ppp connection is the outside interface, via a CDMA phone.

> forwarding for tcp ports 80 and 443?
> > Stopping orbot and disabling the firewall seem to not fix the issue.
> Right.  I think we *also* need to fix certificate issue.

I'll keep digging into the iptables rules.  I have a lot to learn in
this area so it might take a while.

> > I don't see any packets going to/from the phone with wireshark,
> Are you running wireshark on the freedombox itself?  If not, I'm not
> sure I'd trust that packet dump.  Capturing unicast traffic that doesn't

I'm running wireshark on the machine that has the wifi interface to
which the android phone connects (wlan0) and capturing the packets of
that interface.  This android phone is not the same one I use to connect
to the internet via ppp.

I'm also learning the many options of wireshark and I'm quite
overwhelmed by the amount of packets wireshark is displaying.  I've
tried to restrict what gets displayed to what comes/goes from/to the
android phone (static IP address), but I'm still getting flooded with
MDNS packets.

> involve the capturing host is tricky business [2].  Maybe try tcpdump on
> the freedombox (via ssh)?
> [1] https://tools.ietf.org/html/draft-ietf-acme-acme-05#section-7.2
> [2] https://wiki.wireshark.org/CaptureSetup/WLAN

Thanks.  I'll check this next but I wanted to send out what I can


More information about the Freedombox-discuss mailing list