The Omni Group
"Untrusted Root Server" error on Bonjour sync
Came home today, went to sync, and got the following message:

"The server certificate for "https://[mycomputername].local:[a number]/OmniFocus.ofocus/" is signed by an untrusted root server. This site may not be trustworthy. Would you like to synchronize anyway?"

This is after a whole bunch of problems syncing this morning, even after completely erasing the iPhone OF database.

I sync using Bonjour over an Airport Extreme router wi-fi network.

Has anyone ever seen this error? I couldn't find any postings in the forum on it.

Versions:

Leopard 10.5.8
iPhone OS version 3.1.2
OmniFocus on my Mac: 1.7.5 (v77.41.6 r1210331)
OmniFocus on my iPhone: 1.5.3
 
Same problem here today, after upgrading to 1.6.1
 
I emailed support about this and received this response:

Quote:
I'm terribly sorry for the confusion here. In 1.6.1, Apple asked us to make some changes in regards to handling server certificates. That warning is normal - feel free to select the "Trust always" option.

If you have any other questions or suggestions, please don't hesitate to contact me. We really appreciate your support!

Sincerely,

Jameson Brown
Support Ninja
Omni Group
 
As a guy who does security for a living, and is having this same problem, that warning may be "normal" but it certainly isn't a good idea. Teaching customers to click "Trust always" without giving them any way to verify that the certificate is, actually, something they should trust is bad practice. Trusted root certificates are one way to do that, but at the very least, they should display a fingerprint on the server and client side that can be compared.
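The fingerprint comparison suggested in the post above, as an added example that is not part of the thread and is not OmniFocus code: the client computes a SHA-256 fingerprint of the certificate it was presented and pins it only if it matches the fingerprint the user reads off the server's screen. `PinStore` and the function names are hypothetical, and the sample certificates are constructed stand-in bytes.

```python
import hashlib
import hmac
import ssl

# Constructed stand-in bytes, not real certificates: the fingerprint is a hash
# over the DER encoding, so any byte string exercises the comparison logic.
MAC_PEM = ssl.DER_cert_to_PEM_cert(b"constructed stand-in: sync server cert")
OTHER_PEM = ssl.DER_cert_to_PEM_cert(b"constructed stand-in: some other cert")


def fingerprint(pem_cert: str) -> str:
    """SHA-256 of the DER encoding as colon-separated hex, for display."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> bytes:
    """Accept a fingerprint typed with or without colons/spaces, any case."""
    return "".join(fp.split()).replace(":", "").upper().encode("utf-8")


def fetch_presented_pem(host: str, port: int) -> str:
    """Client side: the certificate the server presents, fetched unvalidated."""
    return ssl.get_server_certificate((host, port))


class PinStore:
    """Hypothetical 'Trust always' that pins only a user-confirmed fingerprint."""

    def __init__(self):
        self._pins = {}  # host -> normalized pinned fingerprint

    def pin(self, host: str, presented_pem: str, shown_on_server: str) -> bool:
        presented = normalize(fingerprint(presented_pem))
        if not hmac.compare_digest(presented, normalize(shown_on_server)):
            return False  # mismatch: do not trust, do not store anything
        self._pins[host] = presented
        return True

    def is_trusted(self, host: str, presented_pem: str) -> bool:
        pinned = self._pins.get(host)
        if pinned is None:
            return False  # never confirmed, so the warning should be shown
        return hmac.compare_digest(pinned, normalize(fingerprint(presented_pem)))
```

On later syncs only `is_trusted` is consulted, so a changed certificate brings the warning back instead of being accepted silently.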
 
+1

This seems like a big deal, as it will display (and unnerve?) everyone who syncs OF iPhone to anything else. I think we could use more explanation and clarification from Omni as to why OF has to show this error message and no other iPhone-syncing apps do.
 
I think it only happens with the Bonjour sync, not the MobileMe (my guess for the most-used variety, based on no data whatsoever) sync. Agreed that it would be worrisome to encounter, and I don't understand what Apple wanted to accomplish here, but "everyone who syncs OF iPhone to anything else" is overstating things quite a bit.

Of course, who knows if anyone else is bothering to use encryption in their syncing methods? None of this trusted certificate stuff comes into play if not, right?
 
Well, OK good points. Sorry for the overstatement.

I inquired about encryption on OF iPhone syncing and was told it always uses encryption, so I assumed it would affect everyone.
 
Sync on the iPhone does do encryption (unless you've configured it otherwise with a plain http: URL in the WebDAV settings), but I think the issue here is where those certificates come from. If you're running Bonjour syncing, you probably don't have an identity certificate for your Mac issued by a recognized certificate authority, right? Whereas Apple's MobileMe servers will have certificates that can be traced back to a certificate authority by the security code to establish that the server is who it purports to be. When I try to sync to MobileMe from a network where there's a redirector to intercept web requests and force you to log in, I get a warning that the certificate looks a little fishy in some way, presumably because addresses don't match. But now I've reached the limits of my knowledge, so maybe this is a good place for me to stop, before I'm forced to go learn more about this stuff :)
 
Quote:
Originally Posted by whpalmer4
If you're running Bonjour syncing, you probably don't have an identity certificate for your Mac issued by a recognized certificate authority, right?
It only needs to be "recognized" by the application. Presumably, OmniFocus installed a certificate on their local sync server that was recognized by their iPhone app. Now, for whatever reason, it is no longer recognized by their iPhone app, at the request of Apple. Not being clear on what the issue was that Apple was concerned about or on the details of the local iPhone certificate-store, it's hard to say what the problem was, but the "solution" here is awful. I've had an "OmniFocus security audit" item sitting in OmniFocus for a while now - it might be time to dig into it.
 
It'd be nice to get some more detail on what Apple's concern was. Do they not like the use of self-signed CAs? If that's the case, is there a plan to get a cert signed by a recognized CA?
 
 

