
Conversation

@acendrou

This PR allows the use of a custom certificate for a self-hosted NewsBlur server with an HTTPS connection and enables the use of an HTTP connection to a NewsBlur server. (Fixes #1924)

@samuelclay
Owner

You know, honestly, we need to figure out how to do HTTPS for self-hosted servers. My development environment is a self-hosted server, and I have to type thisisunsafe all the time to access it in Edge. The Chrome/Edge flags that used to allow localhost on HTTPS are gone now, so I'd love to learn what devs are doing about this. But I'm speaking about the larger case.

Does this look good @sictiru?

Also, @claude, no need to review the code or write any code, but what do developers do to have https with self-signed certs to run NewsBlur in development (which is no different than self-hosting and figuring out tailscale/dns). Notice that we self-sign a cert (see make cert) but it's annoying and the mobile apps don't support it.

@claude

claude bot commented Dec 1, 2025

Claude finished @samuelclay's task

HTTPS Solutions for Local Development

Here are the modern approaches developers use for HTTPS in local development, especially when mobile apps are involved:

1. mkcert (Most Popular for Local Development)

mkcert is the de facto standard for local HTTPS. It creates locally-trusted certificates and installs a local CA:

# Install mkcert
brew install mkcert  # macOS
# or use other package managers

# Install local CA
mkcert -install

# Create cert for your domain
mkcert localhost 127.0.0.1 ::1 newsblur.local

Mobile App Support:

  • Export the CA certificate: mkcert -CAROOT shows the CA location
  • Install the CA on mobile devices:
    • iOS: AirDrop the rootCA.pem file, install it, then trust it in Settings → General → About → Certificate Trust Settings
    • Android: Settings → Security → Install from storage, then select the rootCA.pem file

Pros: Works seamlessly across all browsers and mobile apps once CA is trusted
Cons: Requires manual CA installation on each mobile device

2. Tailscale with HTTPS Certificates

Tailscale now offers HTTPS certificates for your tailnet:

# Enable HTTPS in your tailnet
tailscale cert your-machine.your-tailnet.ts.net

How it works:

  • Tailscale issues real Let's Encrypt certificates for your .ts.net domain
  • Certificates are trusted by all devices (no CA installation needed)
  • Works automatically on any device connected to your tailnet
  • Certificates auto-renew

Pros:

  • Real, publicly-trusted certificates
  • No manual trust setup needed
  • Works across all devices on your tailnet
  • Perfect for self-hosted scenarios

Cons:

  • Requires Tailscale network
  • Slightly more complex initial setup

3. Caddy Server (Automatic HTTPS)

Caddy can automatically provision certificates, even for local development:

# Caddyfile
localhost {
    reverse_proxy localhost:8000
    tls internal
}

For self-hosted with real domains:

newsblur.yourdomain.com {
    reverse_proxy localhost:8000
}

Caddy will automatically get Let's Encrypt certificates if you have a real domain pointing to your server.

Pros: Zero-config HTTPS with real domains
Cons: Requires domain name and port 80/443 access for Let's Encrypt

4. Let's Encrypt with DNS Challenge (For Self-Hosted)

For self-hosted servers behind NAT/firewall:

# Using certbot with DNS challenge
certbot certonly --manual --preferred-challenges dns -d newsblur.yourdomain.com

You can use services like:

  • Duck DNS: Free dynamic DNS with API for automated renewals
  • Cloudflare: Free DNS with API support
  • acme.sh: Automated cert management with DNS provider integration

Pros: Real certificates, works behind firewalls
Cons: Requires domain name and DNS provider with API

5. Local DNS + Real Certificates (Hybrid Approach)

Combine local DNS resolution with real certificates:

  1. Use /etc/hosts or dnsmasq for local DNS: newsblur.local → 127.0.0.1
  2. Use mkcert for the custom domain
  3. Mobile devices use the same DNS + trusted CA

Recommendation for NewsBlur Development

Based on your requirements, I'd recommend a two-tier approach:

For Pure Local Development (your current use case):

  • Use mkcert - It's the industry standard and solves the "thisisunsafe" problem
  • One-time setup per developer machine
  • Document CA export/import for mobile testing
  • Update your make cert to use mkcert instead of raw openssl

For Self-Hosted Production:

  • Use Tailscale HTTPS if users are comfortable with Tailscale (many self-hosters already use it)
  • Or use Caddy as a reverse proxy with Let's Encrypt
  • Or use DNS-01 challenge with certbot for fully private servers

Practical Implementation for NewsBlur

To solve your immediate problem:

  1. Replace the current make cert command with mkcert
  2. Add documentation for mobile developers on CA trust setup
  3. Consider adding Caddy as an optional reverse proxy for both dev and self-hosted
  4. The Android changes in this PR become a fallback for users who can't/won't set up proper certificates

Would you like me to create an updated make cert command that uses mkcert, or draft documentation for the CA trust setup process?


@samuelclay samuelclay changed the title Add support for HTTPS & HTTP for self hosted server Android: Add support for HTTPS & HTTP for self hosted server Dec 1, 2025
@samuelclay
Owner

samuelclay commented Dec 1, 2025

Ok, from claude above my takeaway is that you should be using tailscale and I should switch to mkcert, which may work in your case but requires the installation of a root CA. I think that was the rec from #1924. I'm not sure if acceptsUserCertificates is a pre-req to accomplish that though.

make user installed certificates on android phone/tablet used for HTTPS connection to a newsblur server (self-hosted for example)

cf: https://developer.android.com/privacy-and-security/security-config
@acendrou
Author

acendrou commented Dec 4, 2025

Thanks for your response. I removed some useless code, which is why I force pushed to my branch.

I generated the X.509 certificates using OpenSSL (although other software, such as mkcert, could have been used), as well as the following private keys:

  • root CA
  • intermediate CA
  • certificate and private key corresponding to my domain name hosting newsblur.

I installed the NewsBlur server using the intermediate CA, certificate and private key.
I installed the root CA on my Android phone as a trusted CA for the user. This is a keystore that is separate from those managed by Android (system).
Currently, the NewsBlur Android app is configured by default to only access the CA managed by Android. My pull request simply allows the NewsBlur app to access the two Android keystores: user and system.
This way, it can trust my own root CA.

My NewsBlur server, along with other servers, is on a private LAN. I access it via the internet using a StrongSwan IPSEC VPN, which gives me control over both ends. Therefore, I do not use Tailscale.
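The two Android keystores acendrou describes (system and user), the acceptsUserCertificates question above, and the HTTP fallback all map onto the app's network security configuration file. What follows is an added example of such a file for reference; it is not code from this PR or from the NewsBlur repository, and the file name, manifest wiring and the domain name newsblur.example.lan are assumptions used as placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (assumed path). Referenced from
     AndroidManifest.xml via android:networkSecurityConfig="@xml/network_security_config"
     on the <application> element. Added example, not NewsBlur's own config. -->
<network-security-config>

    <!-- Baseline for every host the app contacts. Since API 24 the platform
         default is "system" anchors only, and since API 28 cleartext is off
         by default; restating both keeps the baseline explicit and auditable. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- A self-hosted server the app should reach over a private CA or plain
         HTTP. "newsblur.example.lan" is a placeholder. A domain-config can only
         name hosts known at build time; a server address typed in at runtime
         cannot be scoped this way, which is the trade-off noted below. -->
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">newsblur.example.lan</domain>
        <trust-anchors>
            <!-- src="user": CAs the device owner installed under Settings
                 (the separate "user" keystore). This is what lets the app
                 accept a private root CA such as acendrou's. -->
            <certificates src="user" />
            <!-- Keep the system store as well, otherwise publicly trusted
                 certificates for this domain would stop validating. -->
            <certificates src="system" />
        </trust-anchors>
    </domain-config>

    <!-- Honoured only when android:debuggable="true" (development builds),
         so trusting user CAs here never reaches release users. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

For a self-hosted server whose address is entered at runtime, the behaviour acendrou describes corresponds to moving `<certificates src="user" />` (and, for HTTP, `cleartextTrafficPermitted="true"`) from the domain-config into the base-config. The cost of doing so is that every host the app talks to, not just the user's own server, then honours user-installed CAs and may be contacted over plain HTTP, which is why keeping the scoped form wherever the host is known, and the debug-overrides form for development, is the safer default.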
