Error on Sync Issue in Android Application

I was able to reproduce this 3 times today.

I installed Firefox nightly from Play store and logged in to a local server. Synced successfully.

I killed Firefox on the phone and relaunched it. When I tried to sync, I get the same errors as @chesterosoronyas.

From a clean session, Firefox will give you an option of accepting the self-signed certificate. When you close it and relaunch, you do not get that option. If you look at the Network logs, you’ll see that requests will fail with a security error.

An error occurred:: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

I’ve attached some screenshots
Clean session

After relaunching firefox

@derick - you’re a testing rock star! Thanks for reproducing that - it really helps. To close the loop, if you install the *.my.local-ip.co valid cert, and then use https://192-168-1-195.my.local-ip.co - does the problem go away? Ensuring this is specifically an issue around self-signed certs (it really seems that way!) will be great.

@mrjones my session expires on exit so I have to log back in every time.

@derick - well, that’s no good! Is there data loss as well as an expired session or just an expired session? I’m interested in translating any of these scenarios into bug tickets that the Product Team can actionably fix. I think the first scenario (self-signed cert results in MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT) is already fixed (use valid cert), but this second scenario is possibly troubling. This is effectively a PWA on desktop or mobile (a supported scenario!) that logs you out.

I think (I hope!) this is because you’re running the default version in medic-os which is 3.9.0. Can you confirm this? If yes, can you upgrade to at least 3.10.4 (where we fixed this) and report back if you’re still logged out?

Thanks again!

@mrjones there’s no data loss but the logout also happens with 3.10.5 and 3.11.2 (takes a couple of seconds longer than 3.10 for the session to expire)

I thought it was linked to enabling ‘Enhanced Tracking Protection’ but disabling that did not help.

@derick - really nice find! Thanks for testing all that. I was able to reproduce as well. I’ve filed a ticket to track this issue.

For those having data loss - we encourage you to install a valid TLS certificate. To read more on this see this forum post and the docs on the topic.

For those getting logged out, now that you have a valid TLS certificate, either build a branded version of the CHT Android app for your deployment, or use the unbranded app with a custom URL. Either solution will reliably keep you logged in until the progressive web app (PWA) issue is resolved.

Oh yes! In case folks aren’t familiar with them, *.my.local-ip.co certificates are for development only. This is because the private key for the certificate is publicly available and should not be considered secure.

Hi @ojwangantony, @andrineM and @chesterosoronyas,
Please proceed to install a valid TLS certificate, retest the syncing issue and let us know if the syncing is working well as expected.

Thanks, @antony. Our team will test out the recommendations and provide feedback.

Asante

Does this mean that we have to use Pi-hole?

@ojwangantony - While you won’t need a Pi-hole per se, yes, you will need a DNS server given you’re trying to deploy in an entirely offline environment and you need to match a domain name to the name (CN) on the TLS certificate. A Pi-hole is one way to solve this. See our offline documentation and my prototyping posts for more information.
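
The name-matching requirement described in the post above, as an added example that is not part of the original thread or of CHT's code: a simplified version of the host name check a TLS client performs, applied to the development wildcard name and the URL form mentioned in this thread. The function names and every sample URL except the one quoted earlier in the thread are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def is_ip_literal(host):
    """True when the URL host is an IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def dns_name_matches(cert_name, host):
    """Simplified RFC 6125 match of one certificate DNS name against a host."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if is_ip_literal(host) or len(cert_labels) != len(host_labels):
        return False  # IPs never match DNS names; label counts must agree
    if cert_labels[0] == "*":
        # A wildcard stands for exactly one non-empty left-most label.
        return (len(cert_labels) >= 3 and bool(host_labels[0])
                and cert_labels[1:] == host_labels[1:])
    return cert_labels == host_labels

def check_url(cert_names, url):
    """Return (ok, reason): do the certificate's names cover this URL's host?"""
    host = urlsplit(url).hostname or ""
    if is_ip_literal(host):
        return False, "IP literal: needs a DNS name that resolves to this address"
    if any(dns_name_matches(name, host) for name in cert_names):
        return True, "host name is covered by the certificate"
    return False, "host name is not covered by the certificate"

# Constructed sample: the development wildcard name from this thread.
CERT_NAMES = ["*.my.local-ip.co"]
SAMPLE_URLS = [
    "https://192-168-1-195.my.local-ip.co",      # URL form quoted in the thread
    "https://192.168.1.195",                     # raw LAN address (constructed)
    "https://cht.192-168-1-195.my.local-ip.co",  # extra label (constructed)
    "https://my.local-ip.co",                    # bare parent domain (constructed)
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        ok, reason = check_url(CERT_NAMES, url)
        print(f"{'OK  ' if ok else 'FAIL'} {url}: {reason}")
```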

We are currently doing further internal tests of the offline prototype with a planned facility site setup of the same on 26th Oct. We shall give feedback.

@andrineM - great, please keep us posted! We’re happy to help however we can.

I am happy to report that our team deployed the solution in one of our supported health facilities and it worked well. The facility is now able to use the android app as well as the browser.

We will continue monitoring the facility for at least a week before we can recommend scale up to other sites. Kindly allow us to provide more feedback next week and as appropriate.

Thanks @ojwangantony for the updates.

@andrineM - That’s really great news! Thanks so much for coming back and giving us all an update here on the forums.

If you have learned any lessons or discovered new best practices that would be helpful for others to know, I would be grateful if you could report them back here. Thank you!

Thanks so much to the CHT community for the enormous support in resolving our deployment issues. I am happy to report that the pilots were very successful and our implementing partners are planning for scale up of CHT in their supported health facilities.

For our offline deployments, we registered a new domain and got SSL certificates for use in deploying Afyastat. The local.ip option was really short term and expired in less than a week into our pilot, and getting the renewed ones took time thereby affecting the application use. We also learnt that the local.ip certs expired after 3 months with no guarantee on renewals.
We are happy to be part of the community and we’ll continue to provide feedback as we have many users use the application.

Thanks @ojwangantony for sharing the progress updates.

@mrjones Allow me to thank you and the CHT team for the support accorded to Palladium Kenya (KeHMIS 3 Project) as we run the prototype for the deployment of CHT on both online and offline environments. Below please see the progress that we have made.

Under the leadership of @ojwangantony from our development team, enockrugut has managed to further automate the process of setting up and configuring both pihole and CHT. This has made deployment a seamless process and we are now ready to carry out a mass rollout in our facilities.

Lavatsaleo has also worked closely with AbdulhakimRajab in testing out the scripts and giving feedback from our pilot facilities.

We look forward to further collaborations with the community. We shall continuously offer feedback and support. Thank you

@andrineM - thank you!

I’m linking our other, similar discussion here for those that would like to follow along.