Nginx w/ client certificate & DAVx5 (Android client)

ℹ️ Support
1

Hello,

I have set up Nextcloud 18 successfully. It is accessible behind Nginx which requires a client certificate (issued by a self signed CA). Access from a webbrowser works without a problem (client certificate to connect to Nginx, then username/password for Nextcloud).

Now, I would like to access my contacts and calendar from my smartphone (Android 10) and so I installed DAVx5 and put a client certificate on the smartphone. I tried “connect with URL and client certificate” but always get the result that access to CalDAV or CardDAV service is not possible. I tried with 2 different URLs and of course am using the client certificate:

  1. https://nextcloud.example.com/remote.php/dav
  2. https://USER:PASSWORD@nextcloud.example.com/remote.php/dav

Here the log from Nginx:

172.28.64.83 - - [17/Feb/2020:18:54:37 +0100] "PROPFIND /remote.php/dav HTTP/1.1" 401 569 "-" "DAVx5/2.6.3.1-gplay (2020/01/14; dav4jvm; okhttp/3.12.6) Android/10"
172.28.64.83 - - [17/Feb/2020:18:54:37 +0100] "PROPFIND /.well-known/carddav HTTP/1.1" 301 185 "-" "DAVx5/2.6.3.1-gplay (2020/01/14; dav4jvm; okhttp/3.12.6) Android/10"
172.28.64.83 - - [17/Feb/2020:18:54:37 +0100] "PROPFIND /remote.php/dav HTTP/1.1" 401 569 "-" "DAVx5/2.6.3.1-gplay (2020/01/14; dav4jvm; okhttp/3.12.6) Android/10"
172.28.64.83 - - [17/Feb/2020:18:54:37 +0100] "PROPFIND /.well-known/carddav HTTP/1.1" 301 185 "-" "DAVx5/2.6.3.1-gplay (2020/01/14; dav4jvm; okhttp/3.12.6) Android/10"
172.28.64.83 - - [17/Feb/2020:18:54:37 +0100] "PROPFIND /remote.php/dav HTTP/1.1" 401 569 "-" "DAVx5/2.6.3.1-gplay (2020/01/14; dav4jvm; okhttp/3.12.6) Android/10"
172.28.64.83 - - [17/Feb/2020:18:54:37 +0100] "PROPFIND / HTTP/1.1" 405 5 "-" "DAVx5/2.6.3.1-gplay (2020/01/14; dav4jvm; okhttp/3.12.6) Android/10"
172.28.64.83 - - [17/Feb/2020:18:54:38 +0100] "PROPFIND /remote.php/dav HTTP/1.1" 401 569 "-" "DAVx5/2.6.3.1-gplay (2020/01/14; dav4jvm; okhttp/3.12.6) Android/10"
172.28.64.83 - - [17/Feb/2020:18:54:38 +0100] "PROPFIND /.well-known/caldav HTTP/1.1" 301 185 "-" "DAVx5/2.6.3.1-gplay (2020/01/14; dav4jvm; okhttp/3.12.6) Android/10"
172.28.64.83 - - [17/Feb/2020:18:54:38 +0100] "PROPFIND /remote.php/dav HTTP/1.1" 401 569 "-" "DAVx5/2.6.3.1-gplay (2020/01/14; dav4jvm; okhttp/3.12.6) Android/10"
172.28.64.83 - - [17/Feb/2020:18:54:38 +0100] "PROPFIND /.well-known/caldav HTTP/1.1" 301 185 "-" "DAVx5/2.6.3.1-gplay (2020/01/14; dav4jvm; okhttp/3.12.6) Android/10"
172.28.64.83 - - [17/Feb/2020:18:54:38 +0100] "PROPFIND /remote.php/dav HTTP/1.1" 401 569 "-" "DAVx5/2.6.3.1-gplay (2020/01/14; dav4jvm; okhttp/3.12.6) Android/10"
172.28.64.83 - - [17/Feb/2020:18:54:38 +0100] "PROPFIND / HTTP/1.1" 405 5 "-" "DAVx5/2.6.3.1-gplay (2020/01/14; dav4jvm; okhttp/3.12.6) Android/10"

Now, am I doing something wrong or is it normal that it fails?
Is there a better way to do it, knowing that I would like to keep it mandatory for the client to present a valid certificate?

Or is this not a Nextcloud problem after all, but a client (DAVx5) problem?

Nextcloud version: 18
Operating system: Devuan (Beowulf/Ceres, amd64)
Nginx: 1.14.2-2+deb10u1
PHP version: 7.3.11-1~deb10u1

Thank you in advance for your feedback and best regards
Tom