"Untrusted Root Server" error on Bonjour sync


santra
2009-12-19, 02:08 PM
Came home today, went to sync, and got the following message:

"The server certificate for "https://[mycomputername].local:[a number]/OmniFocus.ofocus/" is signed by an untrusted root server. This site may not be trustworthy. Would you like to synchronize anyway?"

This is after a whole bunch of problems syncing this morning, even after completely erasing the iPhone OF database.

I sync using Bonjour over an Airport Extreme router wi-fi network.

Has anyone ever seen this error? I couldn't find any postings in the forum on it.

Versions:

Leopard 10.5.8
iPhone OS version 3.1.2
OmniFocus on my Mac: 1.7.5 (v77.41.6 r1210331)
OmniFocus on my iPhone: 1.5.3

vegaz
2010-02-10, 11:46 AM
Same problem here today, after upgrading to 1.6.1

vinyl_warrior
2010-02-11, 10:50 AM
I emailed support about this and received this response:

I'm terribly sorry for the confusion here. In 1.6.1, Apple asked us to make some changes in regards to handling server certificates. That warning is normal - feel free to select the "Trust always" option.

If you have any other questions or suggestions, please don't hesitate to contact me. We really appreciate your support!

Sincerely,

Jameson Brown
Support Ninja
Omni Group

curiousstranger
2010-02-11, 08:16 PM
As a guy who does security for a living, and is having this same problem, that warning may be "normal" but it certainly isn't a good idea. Teaching customers to click "Trust always" without giving them any way to verify that the certificate is, actually, something they should trust is bad practice. Trusted root certificates are one way to do that, but at the very least, they should display a fingerprint on the server and client side that can be compared.

IntlOrange
2010-02-14, 09:10 AM
+1

This seems like a big deal, as it will display (and unnerve?) everyone who syncs OF iPhone to anything else. I think we could use more explanation and clarification from Omni as to why OF has to show this error message and no other iPhone-syncing apps do.

whpalmer4
2010-02-14, 10:00 AM
I think it only happens with the Bonjour sync, not the MobileMe (my guess for the most-used variety, based on no data whatsoever) sync. Agreed that it would be worrisome to encounter, and I don't understand what Apple wanted to accomplish here, but "everyone who syncs OF iPhone to anything else" is overstating things quite a bit.

Of course, who knows if anyone else is bothering to use encryption in their syncing methods? None of this trusted certificate stuff comes into play if not, right?

IntlOrange
2010-02-14, 10:54 AM
Well, OK good points. Sorry for the overstatement.

I inquired about encryption on OF iPhone syncing and was told it always uses encryption, so I assumed it would affect everyone.

whpalmer4
2010-02-14, 12:21 PM
Sync on the iPhone does do encryption (unless you've configured it otherwise with a plain http: URL in the WebDAV settings), but I think the issue here is where those certificates come from. If you're running Bonjour syncing, you probably don't have an identity certificate for your Mac issued by a recognized certificate authority, right? Whereas Apple's MobileMe servers will have certificates that can be traced back to a certificate authority by the security code to establish that the server is who it purports to be. When I try to sync to MobileMe from a network where there's a redirector to intercept web requests and force you to log in, I get a warning that the certificate looks a little fishy in some way, presumably because addresses don't match. But now I've reached the limits of my knowledge, so maybe this is a good place for me to stop, before I'm forced to go learn more about this stuff :)

curiousstranger
2010-02-15, 05:28 PM
> If you're running Bonjour syncing, you probably don't have an identity certificate for your Mac issued by a recognized certificate authority, right?

It only needs to be "recognized" by the application. Presumably, Omnifocus installed a certificate on their local sync server that was recognized by their iPhone app. Now, for whatever reason, it is no longer recognized by their iPhone app, at the request of Apple. Not being clear on what the issue was that Apple was concerned about or on the details of the local iPhone certificate-store, it's hard to say what the problem was, but the "solution" here is awful. I've had an "Omnifocus security audit" item sitting in Omnifocus for a while now - it might be time to dig into it.

curiousstranger
2010-02-15, 05:30 PM
It'd be nice to get some more detail on what Apple's concern was. Do they not like the use of self-signed CA's? If that's the case, is there a plan to get a cert signed by a recognized CA?

sefbro
2010-02-15, 10:52 PM
Same thing happened to me. Only now I am unable to sync via Bonjour. It simply won't sync. No error message; nothing.

I deleted the app from my iPhone and reinstalled. I select "Set Up Sync", select my shared Bonjour selection from my Mac, it goes into "Preparing to Synchronize" for about a second or two, then back to the "Sync with Mac" page. Nothing I do seems to work.

jbrown
2010-02-16, 12:32 PM
Apple asked us to switch to their public API for approving untrusted certificates in 1.6.1. The warning you're seeing is a normal part of the API, and once you select "Trust always", shouldn't ask you to approve again (unless you turn off Bonjour sync, then turn it back on, since you're effectively generating a new self-signed certificate). Hope this clears things up!

Sefbro, it sounds like something else may be going on in your case; if you email omnifocus@omnigroup.com, or call us at 800.315.6664, we can help. Thanks!

curiousstranger
2010-02-16, 05:57 PM
> Apple asked us to switch to their public API for approving untrusted certificates in 1.6.1. The warning you're seeing is a normal part of the API, and once you select "Trust always", shouldn't ask you to approve again (unless you turn off Bonjour sync, then turn it back on, since you're effectively generating a new self-signed certificate). Hope this clears things up!

Not providing some way of identifying whether the certificate in question is one you should trust is a problem. Displaying a certificate fingerprint in both the mac and iPhone client would solve this. If this isn't supported as a consequence of the Apple API, they need some beating on to understand that.
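
The fingerprint comparison proposed in this thread, sketched as an added example (not OmniFocus code and not Apple's API): the client pins a self-signed certificate only after the user confirms the SHA-256 fingerprint displayed on the server side, and a regenerated certificate is flagged rather than silently accepted. `PinStore`, the host name and the certificate bytes are constructed for illustration.

```python
import hashlib
import hmac
import string
from typing import Optional


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as colon-separated hex for display."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fp: str) -> str:
    # Ignore colons, spaces and case so a hand-compared or typed value still matches.
    return "".join(c for c in fp if c in string.hexdigits).lower()


class PinStore:
    """Hypothetical client-side store: host -> fingerprint the user has verified."""

    def __init__(self) -> None:
        self._pins = {}

    def check(self, host: str, der_cert: bytes, confirmed_fp: Optional[str] = None) -> str:
        presented = _normalize(fingerprint(der_cert))
        pinned = self._pins.get(host)
        if pinned is not None:
            # Known host: a different certificate is never accepted silently.
            return "trusted" if hmac.compare_digest(presented, pinned) else "mismatch"
        # Unknown host: pin only if the user confirmed the value shown on the server.
        if confirmed_fp and hmac.compare_digest(presented, _normalize(confirmed_fp)):
            self._pins[host] = presented
            return "pinned"
        return "needs-confirmation"

    def forget(self, host: str) -> None:
        # Called when the user re-pairs, e.g. after the server generated a new certificate.
        self._pins.pop(host, None)


# Constructed stand-ins for DER certificate bytes (not real certificates).
CERT_ORIGINAL = b"constructed-self-signed-cert-1"
CERT_REGENERATED = b"constructed-self-signed-cert-2"
HOST = "mymac.local"  # constructed host name

if __name__ == "__main__":
    store = PinStore()
    print(fingerprint(CERT_ORIGINAL))
    print(store.check(HOST, CERT_ORIGINAL, fingerprint(CERT_ORIGINAL)))
    print(store.check(HOST, CERT_REGENERATED))
```

With a real certificate, the DER bytes would come from the TLS handshake on the client and from the generated certificate on the server, so both sides display the same string.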

cmclark
2010-02-17, 08:51 AM
Here's the response I received via email from Jameson Brown, a support ninja:

Sorry for the trouble! Here are a few troubleshooting steps you should try for Bonjour sync:

- First, recycle the power on your wireless router, then try synching again. As basic as it sounds, this has been the #1 culprit with Bonjour synching issues.

- Reset synching on the desktop by going into the Sync pane of the Preferences menu, setting the sync method to "Nothing", then set it back to Bonjour.

- If you're running Tiger, try turning off the firewall, then sync OmniFocus. If that worked, I'll send you detailed instructions on how to sync with the firewall on; for now, we just want to get you up and running.

- If you're running Leopard, go into System Preferences>Security>Firewall, and make sure it's either set to allow all incoming connections, or add OmniFocus to the list of applications allowed access.

- On your desktop's network settings, make sure there aren't any proxy servers set up.

- Turn your iPhone off and back on.

- Offices typically have firewalls installed on their wireless networks that will block the iPhone's attempt to connect with your Mac for synching. You may need to contact your IT department so they can open up a port for you to sync with.

You also have the option of setting up an ad-hoc network, which is a network that's broadcast directly from the wireless card on your Mac, which your iPhone can connect to in order to sync:

http://www.thinkmac.net/tutorials/2009/7/27/create-wireless-ad-hoc-network-mac-tips-daily-387.html

I tried the things he suggested, along with some suggestions from the FAQ, and finally got things to sync properly.

curiousstranger
2010-02-17, 08:18 PM
> I tried the things he suggested, along with some suggestions from the FAQ, and finally got things to sync properly.

To clarify, this didn't solve an "Untrusted Root Server" error, did it? Is this the right thread?

Ken Case
2010-03-11, 10:33 AM
> "The server certificate for "https://[mycomputername].local:[a number]/OmniFocus.ofocus/" is signed by an untrusted root server. This site may not be trustworthy. Would you like to synchronize anyway?"

Whoops! Sorry, that prompt is a bug: OmniFocus isn't supposed to display an "Untrusted Root Server" error when doing a Bonjour sync.

> As a guy who does security for a living, and is having this same problem, that warning may be "normal" but it certainly isn't a good idea. Teaching customers to click "Trust always" without giving them any way to verify that the certificate is, actually, something they should trust is bad practice.

Absolutely agreed!

Sorry for the internal confusion on this, our support ninjas thought our OmniFocus engineers knew about this change in behavior and that we were accepting it as a limitation of the new security API—when really it's just a bug in our new code, not something imposed by the API at all. We'll fix it.

(Sorry also for the delay in noticing and responding to this! We've been working around the clock towards getting our first round of iPad apps ready.)

curiousstranger
2010-03-12, 07:17 PM
Good to hear, even if it took a few weeks ;)

mohammed rafiq
2010-11-16, 01:49 AM
Hi,
I have the project in dotnet. But I have to do that in ipa and have to synchronize the data from the server of the project which is in dot net.
In the first page I need a login page, which has to run when the login id and pswd are typed correctly, which have been given in the dotnet project. And in the next page, after clicking the synchronize button, the data in the server must be synchronized. Can anyone help me?
smrafiqsmd@gmail.com



Thank u

Brian
2010-11-16, 03:31 PM
Mohammed, it would probably be best if you give us a call at 800.315.6664 or email our support ninjas (omnifocus@omnigroup.com) so they can help.