github-starred/actual
2
0
Fork 0
mirror of https://github.com/actualbudget/actual.git synced 2026-03-10 20:23:07 -05:00
Code Issues 250 Packages Projects Releases 53 Wiki Activity

[Bug]: missing icon in Safari and PWA on iOS #1895

New Issue
Closed
opened 2026-02-28 19:57:33 -06:00 by GiteaMirror · 29 comments
GiteaMirror commented 2026-02-28 19:57:33 -06:00
Owner
Copy Link

Originally created by @felixguilherme on GitHub (Feb 25, 2025).

Verified issue does not already exist?

  • I have searched and found no existing issue

What happened?

The Actual favicon is missing in the Safari browser and therefore in PWA installs on iOS 18.3.1. It works as expected on macOS 15.3.1 with Safari 18.3.

Actual version: app: v25.1.0, server: v25.1.0

iOS:

Image

Image

Image

macOS:

Image

How can we reproduce the issue?

  1. Install Actual with this docker compose file
  2. Activate HTTPS using a self-signed certificate
  3. Open Actual in Safari
  4. Add Actual to the home screen

Where are you hosting Actual?

Docker

What browsers are you seeing the problem on?

Safari

Operating System

Mobile Device

Originally created by @felixguilherme on GitHub (Feb 25, 2025). ### Verified issue does not already exist? - [x] I have searched and found no existing issue ### What happened? The Actual favicon is missing in the Safari browser and therefore in PWA installs on iOS 18.3.1. It works as expected on macOS 15.3.1 with Safari 18.3. Actual version: app: v25.1.0, server: v25.1.0 iOS: ![Image](https://github.com/user-attachments/assets/bc0cd6cf-107b-4434-90f2-bf1e79f3db81) ![Image](https://github.com/user-attachments/assets/e1534176-2ddf-4650-af2b-146d702380b6) ![Image](https://github.com/user-attachments/assets/cb65f90a-cae7-4428-b968-d02757d0613c) macOS: ![Image](https://github.com/user-attachments/assets/d5b8ac78-7c03-4b80-bff6-75890b5a7e0e) ### How can we reproduce the issue? 1. Install Actual with [this docker compose file](https://github.com/actualbudget/actual/blob/master/packages/sync-server/docker-compose.yml) 2. Activate HTTPS using a self-signed certificate 3. Open Actual in Safari 4. Add Actual to the home screen ### Where are you hosting Actual? Docker ### What browsers are you seeing the problem on? Safari ### Operating System Mobile Device
GiteaMirror added the good first issuebug labels 2026-02-28 19:57:33 -06:00
GiteaMirror commented 2026-02-28 19:57:34 -06:00
Author
Owner
Copy Link

@Ctrl-Alb commented on GitHub (Feb 27, 2025):

Before seeing your post I was going to open an issue because I encountered the same problem

@Ctrl-Alb commented on GitHub (Feb 27, 2025): Before seeing your post I was going to open an issue because I encountered the same problem
GiteaMirror commented 2026-02-28 19:57:34 -06:00
Author
Owner
Copy Link

@alecbakholdin commented on GitHub (Mar 15, 2025):

I attempted this on iOS 18.2 on Safari and it seems to be working. Are you still experiencing this issue?

@alecbakholdin commented on GitHub (Mar 15, 2025): I attempted this on iOS 18.2 on Safari and it seems to be working. Are you still experiencing this issue?
GiteaMirror commented 2026-02-28 19:57:35 -06:00
Author
Owner
Copy Link

@Ctrl-Alb commented on GitHub (Mar 15, 2025):

Hi @alecbakholdin, unfortunately, I'm still experiencing the issue.
I'm running the latest Actual Budget server version and the latest iOS version (18.3.2).
The issue is well described by @felixguilherme, I'll add one thing about my use case that hopefully could help in figuring out the problem.
The icon is always missing, except when I open the share sheet in Safari while on the Actual server page, where the icon is displayed correctly (see the image).

Image

@Ctrl-Alb commented on GitHub (Mar 15, 2025): Hi @alecbakholdin, unfortunately, I'm still experiencing the issue. I'm running the latest Actual Budget server version and the latest iOS version (18.3.2). The issue is well described by @felixguilherme, I'll add one thing about my use case that hopefully could help in figuring out the problem. The icon is always missing, except when I open the share sheet in Safari while on the Actual server page, where the icon is displayed correctly (see the image). ![Image](https://github.com/user-attachments/assets/4d9c4abd-20c2-43b9-8a1c-a965d6eab603)
GiteaMirror commented 2026-02-28 19:57:35 -06:00
Author
Owner
Copy Link

@alecbakholdin commented on GitHub (Mar 18, 2025):

@CTRL-panino see below Stack Overflow post which explains your problem. It has to do with the fact that you're using a self-signed certificate. There's unfortunately not much we can do about this issue, I think, though there appear to be some steps you can take to register your certificate with iOS: https://stackoverflow.com/questions/6807349/why-wont-this-apple-touch-icon-work

@alecbakholdin commented on GitHub (Mar 18, 2025): @CTRL-panino see below Stack Overflow post which explains your problem. It has to do with the fact that you're using a self-signed certificate. There's unfortunately not much we can do about this issue, I think, though there appear to be some steps you can take to register your certificate with iOS: https://stackoverflow.com/questions/6807349/why-wont-this-apple-touch-icon-work
GiteaMirror commented 2026-02-28 19:57:35 -06:00
Author
Owner
Copy Link

@Ctrl-Alb commented on GitHub (Mar 19, 2025):

Thank you for your help. I tried downloading and installing the certificate, but it doesn't seem to be working. Here are the steps I followed:

  1. I deleted the Actual Budget web-app
  2. I cleared Safari history and data
  3. I downloaded the selfhost.crt file from my Actual Budget server
  4. I installed it from Settings -> General -> VPN & device management
  5. However, it doesn't appear in Settings -> General -> Info -> Certificate Trust Settings

After these steps, when I try to re-create the Actual Budget web-app, the missing icon bug is still present. Am I doing something wrong?

@Ctrl-Alb commented on GitHub (Mar 19, 2025): Thank you for your help. I tried downloading and installing the certificate, but it doesn't seem to be working. Here are the steps I followed: 1. I deleted the Actual Budget web-app 2. I cleared Safari history and data 3. I downloaded the `selfhost.crt` file from my Actual Budget server 4. I installed it from Settings -> General -> VPN & device management 5. However, it doesn't appear in Settings -> General -> Info -> Certificate Trust Settings After these steps, when I try to re-create the Actual Budget web-app, the missing icon bug is still present. Am I doing something wrong?
GiteaMirror commented 2026-02-28 19:57:36 -06:00
Author
Owner
Copy Link

@alecbakholdin commented on GitHub (Mar 21, 2025):

I was able to install the certificate by just clicking on the file. After downloading the file to my iPhone, I clicked on the file in Downloads:

Image

It prompted me to install it:

Image

I go to settings, and I see this:

Image

Then I click on install in the top right:

Image

After these steps, I do see the profile in VPN & Device Management:

Image

Let me know if this helps! I wasn't able to get my docker-compose to work with the self-signed certs, so this is the most I can help with right now, I'm sorry!

@alecbakholdin commented on GitHub (Mar 21, 2025): I was able to install the certificate by just clicking on the file. After downloading the file to my iPhone, I clicked on the file in Downloads: <img width="399" alt="Image" src="https://github.com/user-attachments/assets/25fe17e9-6ece-4e3e-bf95-ea2f2ce2aeb4" /> It prompted me to install it: <img width="348" alt="Image" src="https://github.com/user-attachments/assets/63404a76-e851-4656-8b8a-8ace56fc1c53" /> I go to settings, and I see this: <img width="361" alt="Image" src="https://github.com/user-attachments/assets/8efde1b5-e0e1-4460-84e8-59749870ebcc" /> Then I click on install in the top right: <img width="375" alt="Image" src="https://github.com/user-attachments/assets/5f116724-f597-4c11-8c6c-2896bc96dfd6" /> After these steps, I do see the profile in VPN & Device Management: <img width="382" alt="Image" src="https://github.com/user-attachments/assets/11444735-bbcb-4f05-9e38-35336b263b29" /> Let me know if this helps! I wasn't able to get my docker-compose to work with the self-signed certs, so this is the most I can help with right now, I'm sorry!
GiteaMirror commented 2026-02-28 19:57:36 -06:00
Author
Owner
Copy Link

@Ctrl-Alb commented on GitHub (Mar 21, 2025):

Thank you very much, I really appreciate your help.
The only differences between what I did previously and your new comment are:

Your certificate is called localhost, while I created mine following this guide, and it was named selfhost.crt. Did I choose the right one?

I do see the profile in VPN & Device Management

I see it there, too. However, according to the link you sent in your previous comment, I should also see it in Settings -> General -> Info -> Certificate Trust Settings, but it doesn't appear there

@Ctrl-Alb commented on GitHub (Mar 21, 2025): Thank you very much, I really appreciate your help. The only differences between what I did previously and your new comment are: 1. Your certificate is called `localhost`, while I created mine following [this guide](https://actualbudget.org/docs/config/https), and it was named `selfhost.crt`. Did I choose the right one? 2. > I do see the profile in VPN & Device Management I see it there, too. However, according to the [link you sent in your previous comment](https://stackoverflow.com/questions/6807349/why-wont-this-apple-touch-icon-work), I should also see it in `Settings -> General -> Info -> Certificate Trust Settings`, but it doesn't appear there
GiteaMirror commented 2026-02-28 19:57:37 -06:00
Author
Owner
Copy Link

@ngocphamm commented on GitHub (Apr 1, 2025):

I think this is happening to me too, even when I have Actual Budget behind Cloudflare Access tunnel, which is indeed under HTTPS. Favicon shows the Actual logo properly, but the Add to Home Screen logo is still the generic A letter.

@ngocphamm commented on GitHub (Apr 1, 2025): I think this is happening to me too, even when I have Actual Budget behind Cloudflare Access tunnel, which is indeed under HTTPS. Favicon shows the Actual logo properly, but the `Add to Home Screen` logo is still the generic A letter.
GiteaMirror commented 2026-02-28 19:57:37 -06:00
Author
Owner
Copy Link

@ngocphamm commented on GitHub (May 2, 2025):

Update: The problem I have is with Cloudflare Access, and not Actual. Because there is authentication with Cloudflare required before I can access Actual, when creating the home screen shortcut/bookmark, iOS cannot access the icon file. Creating a bypass rule like /*.png helps. I see the proper icon now!

@ngocphamm commented on GitHub (May 2, 2025): Update: The problem I have is with Cloudflare Access, and not Actual. Because there is authentication with Cloudflare required before I can access Actual, when creating the home screen shortcut/bookmark, iOS cannot access the icon file. Creating a bypass rule like `/*.png` helps. I see the proper icon now!
GiteaMirror commented 2026-02-28 19:57:38 -06:00
Author
Owner
Copy Link

@alecbakholdin commented on GitHub (May 2, 2025):

Glad you figured it out!

@alecbakholdin commented on GitHub (May 2, 2025): Glad you figured it out!
GiteaMirror commented 2026-02-28 19:57:38 -06:00
Author
Owner
Copy Link

@Ctrl-Alb commented on GitHub (Jun 5, 2025):

Hi @matt-fidd ,
I’d like to point out that unfortunately the problem hasn’t been solved.
Maybe the Cloudflare-related bug has been solved but the one described by me and by the author of the issue has not

@Ctrl-Alb commented on GitHub (Jun 5, 2025): Hi @matt-fidd , I’d like to point out that unfortunately the problem hasn’t been solved. Maybe the Cloudflare-related bug has been solved but the one described by me and by the author of the issue has not
GiteaMirror commented 2026-02-28 19:57:39 -06:00
Author
Owner
Copy Link

@james4141 commented on GitHub (Dec 1, 2025):

Spent a bit of time troubleshooting this as I have this issue as well, and can confirm this is a certificate trust issue, and not an issue with Actual itself. However, I am interested in identifying and documenting a process that works, rather than just closing this out by stating it's an iOS issue .

TLDR: Issue is cause by a self-signed certificate that is not trusted by iOS. The documented OpenSSL commands provided result in a certificate that's not fully compatible with iOS, plus additional steps are required in iOS to enable Full Trust.

This Apple KB article shows how to enable Full Trust. The OpenSSL commands provided at Activating HTTPS creates a self-signed server cert and key that is not signed by a separate Root certificate. This is why @CTRL-panino and others aren't seeing the option shown in the Apple KB - there needs to be a certificate chain for iOS to follow.

To verify this, I created my own Root certificate, used it to sign a server cert for Actual, used AirDrop to copy/install the Root cert to the iOS device, then enable Full Trust. I can confirm it works - the are no certificate warnings, and the correct app icon appears.

I am unsure what to recommend here and open to suggestions. OpenSSL can be used to create a compatible cert chain, but there's a fair amount of complexity over the single command we've currently got. And then, you've still got to get the cert onto the iOS device (probably via AirDrop or Mail), then go into Settings to install it, then to another location in Settings to enable Full Trust. None of this is extremely difficult.. it's just more steps.

I'm also not sure how frequently this process needs to be completed. There is a new(ish) limit to how long certificates can be valid, but it only applies to certificates issues to one of the Root CA's preinstalled with iOS - meaning it does not apply to something you created with OpenSSL. This guy determined the maximum validity for certificates issued by a private CA is 825 days, or about 2 years plus a few months - just long enough to completely forget everything you had to do in order to get it working, when it expires 2 years later.

Because there is a dependency on functioning SSL for core features of Actual to work, like Bank Sync and usage of iOS devices, it might be helpful if Actual could generate the necessary certs on startup, if there is no valid cert already defined/installed.

Also - there have also been a number of Discord users reporting an iOS client that randomly disconnects from the server and can only be fixed by deleting the PWA, clearing Safari, browsing to Actual again, clicking through the certificate warning, and reinstalling the PWA. I suspect clicking "visit this website" in Safari creates a temporary exception, and once that timer runs out, everything breaks - resolving this trust issue may fix this as well.

@james4141 commented on GitHub (Dec 1, 2025): Spent a bit of time troubleshooting this as I have this issue as well, and can confirm this is a certificate trust issue, and not an issue with Actual itself. However, I am interested in identifying and documenting a process that works, rather than just closing this out by stating it's an iOS issue . **TLDR:** Issue is cause by a self-signed certificate that is not trusted by iOS. The documented OpenSSL commands provided result in a certificate that's not fully compatible with iOS, plus additional steps are required in iOS to enable Full Trust. This Apple [KB article](https://support.apple.com/en-us/102390) shows how to enable Full Trust. The OpenSSL commands provided at [Activating HTTPS](https://actualbudget.org/docs/config/https/) creates a self-signed server cert and key that is not signed by a separate Root certificate. This is why @CTRL-panino and others aren't seeing the option shown in the Apple KB - there needs to be a certificate chain for iOS to follow. To verify this, I created my own Root certificate, used it to sign a server cert for Actual, used AirDrop to copy/install the Root cert to the iOS device, then enable Full Trust. I can confirm it works - the are no certificate warnings, and the correct app icon appears. I am unsure what to recommend here and open to suggestions. OpenSSL can be used to create a compatible cert chain, but there's a fair amount of complexity over the single command we've currently got. And then, you've still got to get the cert onto the iOS device (probably via AirDrop or Mail), then go into Settings to install it, then to another location in Settings to enable Full Trust. None of this is extremely difficult.. it's just more steps. I'm also not sure how frequently this process needs to be completed. There is a new(ish) [limit](https://support.apple.com/en-us/102028) to how long certificates can be valid, but it only applies to certificates issues to one of the Root CA's preinstalled with iOS - meaning it does not apply to something you created with OpenSSL. [This guy](https://www.michalspacek.com/validity-period-of-https-certificates-issued-from-a-user-added-ca-is-essentially-2-years) determined the maximum validity for certificates issued by a private CA is 825 days, or about 2 years plus a few months - just long enough to completely forget everything you had to do in order to get it working, when it expires 2 years later. Because there is a dependency on functioning SSL for core features of Actual to work, like Bank Sync and usage of iOS devices, it might be helpful if Actual could generate the necessary certs on startup, if there is no valid cert already defined/installed. Also - there have also been a number of Discord users reporting an iOS client that randomly disconnects from the server and can only be fixed by deleting the PWA, clearing Safari, browsing to Actual again, clicking through the certificate warning, and reinstalling the PWA. I suspect clicking "visit this website" in Safari creates a temporary exception, and once that timer runs out, everything breaks - resolving this trust issue may fix this as well.
GiteaMirror commented 2026-02-28 19:57:39 -06:00
Author
Owner
Copy Link

@Ctrl-Alb commented on GitHub (Dec 3, 2025):

Hi @james4141, thank you for the in-depth explanation.

To verify this, I created my own Root certificate, used it to sign a server cert for Actual, used AirDrop to copy/install the Root cert to the iOS device, then enable Full Trust

Could you please share a step-by-step list so I can replicate your setup?

@Ctrl-Alb commented on GitHub (Dec 3, 2025): Hi @james4141, thank you for the in-depth explanation. > To verify this, I created my own Root certificate, used it to sign a server cert for Actual, used AirDrop to copy/install the Root cert to the iOS device, then enable Full Trust Could you please share a step-by-step list so I can replicate your setup?
GiteaMirror commented 2026-02-28 19:57:39 -06:00
Author
Owner
Copy Link

@james4141 commented on GitHub (Dec 3, 2025):

Sure, give this a try and let us know if it worked for you. I had to go back and re-create steps so I may have missed something. You didn't specify which device you're using to create certs, so I'll assume Mac, but these commands will work on Linux as well. If you're on Windows, I can try to help walk you through it.

Open up a terminal and run these commands to create a new directory, change into it, and create a new file:

mkdir actual-cert
cd actual-cert
nano server.ext

Paste this block of text into the nano editor. Change DNS.1 and IP.1 to the correct server name and IP you'll be using to access. This needs to exactly match what you type on your iPhone browser, excluding 'https://' and ':5006'. If you don't use a DNS hostname at all, you can delete this line.

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = actual.example.com
IP.1  = 192.168.1.10

Press Ctrl-X to exit, then 'y' and Enter to save.

Run these commands to generate a root key and certificate, then a server key and certificate signed by the root certificate. You'll be prompted twice for certificate details (CN, Org, Country, etc). Enter what you want, these aren't terribly important. Common Name (CN) should be your server name or IP. If you're prompted to 'extra' attributes, leave those blank and press Enter.

openssl genrsa -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.pem

openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr

openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key \
  -CAcreateserial -out server.crt -days 825 -sha256 \
  -extfile server.ext

You should now have a directory named actual-cert with about 7 files in it. The 3 files you'll need are:

  • server.key - private key
  • server.crt - server certificate
  • rootCA.pem - root certificate

Install the server.key and server.crt in your Actual instance. I use Docker so created a config.json file like this:

{
  "https": {
    "key": "/data/server.key",
    "cert": "/data/server.crt"
  }
}

Now we need to get the root certificate installed on your phone. You should be able to email the file to yourself, but I chose to use AirDrop. Open the actual-cert directory in Finder then drag and hold the rootCA.pem over the AirDrop icon on the left. Your phone should appear in the main window - if it doesn't, wake up your phone and try again.

You'll be prompted on your phone where to install the certificate - tap iPhone. Tap Close. Go to Settings > Profile Downloaded. Tap Install, enter your passcode, then tap Install 2 times.

Next, go to Settings > General > About > Certificate Trust Settings. Enable Full Trust for the RootCA you just created.

@james4141 commented on GitHub (Dec 3, 2025): Sure, give this a try and let us know if it worked for you. I had to go back and re-create steps so I may have missed something. You didn't specify which device you're using to create certs, so I'll assume Mac, but these commands will work on Linux as well. If you're on Windows, I can try to help walk you through it. Open up a terminal and run these commands to create a new directory, change into it, and create a new file: ``` mkdir actual-cert cd actual-cert nano server.ext ``` Paste this block of text into the nano editor. Change DNS.1 and IP.1 to the correct server name and IP you'll be using to access. This needs to exactly match what you type on your iPhone browser, excluding 'https://' and ':5006'. If you don't use a DNS hostname at all, you can delete this line. ``` authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, keyEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1 = actual.example.com IP.1 = 192.168.1.10 ``` Press Ctrl-X to exit, then 'y' and Enter to save. Run these commands to generate a root key and certificate, then a server key and certificate signed by the root certificate. You'll be prompted twice for certificate details (CN, Org, Country, etc). Enter what you want, these aren't terribly important. Common Name (CN) should be your server name or IP. If you're prompted to 'extra' attributes, leave those blank and press Enter. ``` openssl genrsa -out rootCA.key 4096 openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.pem openssl genrsa -out server.key 2048 openssl req -new -key server.key -out server.csr openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key \ -CAcreateserial -out server.crt -days 825 -sha256 \ -extfile server.ext ``` You should now have a directory named actual-cert with about 7 files in it. The 3 files you'll need are: - server.key - private key - server.crt - server certificate - rootCA.pem - root certificate Install the server.key and server.crt in your Actual instance. I use Docker so created a config.json file like this: ``` { "https": { "key": "/data/server.key", "cert": "/data/server.crt" } } ``` Now we need to get the root certificate installed on your phone. You should be able to email the file to yourself, but I chose to use AirDrop. Open the actual-cert directory in Finder then drag and hold the rootCA.pem over the AirDrop icon on the left. Your phone should appear in the main window - if it doesn't, wake up your phone and try again. You'll be prompted on your phone where to install the certificate - tap iPhone. Tap Close. Go to Settings > Profile Downloaded. Tap Install, enter your passcode, then tap Install 2 times. Next, go to Settings > General > About > Certificate Trust Settings. Enable Full Trust for the RootCA you just created.
GiteaMirror commented 2026-02-28 19:57:40 -06:00
Author
Owner
Copy Link

@Ctrl-Alb commented on GitHub (Dec 3, 2025):

Thank you very much, you've been super helpful! I'll test this when I come back home and I'll let you know.

You didn't specify which device you're using to create certs

I am using Debian (and Docker) for the Actual server and iOS and macOS as clients. So, I assume the steps you described will be perfectly fine for my setup as well

@Ctrl-Alb commented on GitHub (Dec 3, 2025): Thank you very much, you've been super helpful! I'll test this when I come back home and I'll let you know. > You didn't specify which device you're using to create certs I am using Debian (and Docker) for the Actual server and iOS and macOS as clients. So, I assume the steps you described will be perfectly fine for my setup as well
GiteaMirror commented 2026-02-28 19:57:40 -06:00
Author
Owner
Copy Link

@Ctrl-Alb commented on GitHub (Dec 3, 2025):

I'm encountering an error while trying to follow the steps you described. Here's what I've done so far:

  1. I created the server.ext file in the actual-cert folder. This file contains the following lines:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
IP.1  = 192.168.1.28
# I deleted the DNS.1 line because I don't use a DNS hostname
  1. While in the actual-cert folder, I ran the commands:
openssl genrsa -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.pem

I entered IT as the Country Name and 192.168.1.28 as the Common Name, leaving the other fields blank.

  1. I ran the command:
openssl genrsa -out server.key 2048
  1. I then ran the command:
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key \
  -CAcreateserial -out server.crt -days 825 -sha256 \
  -extfile server.ext

This command returns the following error message:

Can't open "server.csr" for reading, No such file or directory
40B0BEB27F000000:error:80000002:system library:BIO_new_file:No such file or directory:../crypto/bio/bss_file.c:67:calling fopen(server.csr, r)
40B0BEB27F000000:error:10000080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:75:
Unable to load certificate request input
@Ctrl-Alb commented on GitHub (Dec 3, 2025): I'm encountering an error while trying to follow the steps you described. Here's what I've done so far: 1. I created the `server.ext` file in the `actual-cert` folder. This file contains the following lines: ``` authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, keyEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] IP.1 = 192.168.1.28 # I deleted the DNS.1 line because I don't use a DNS hostname ``` 2. While in the `actual-cert` folder, I ran the commands: ``` openssl genrsa -out rootCA.key 4096 openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.pem ``` I entered `IT` as the Country Name and `192.168.1.28` as the Common Name, leaving the other fields blank. 3. I ran the command: ``` openssl genrsa -out server.key 2048 ``` 4. I then ran the command: ``` openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key \ -CAcreateserial -out server.crt -days 825 -sha256 \ -extfile server.ext ``` This command returns the following error message: ``` Can't open "server.csr" for reading, No such file or directory 40B0BEB27F000000:error:80000002:system library:BIO_new_file:No such file or directory:../crypto/bio/bss_file.c:67:calling fopen(server.csr, r) 40B0BEB27F000000:error:10000080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:75: Unable to load certificate request input ```
GiteaMirror commented 2026-02-28 19:57:41 -06:00
Author
Owner
Copy Link

@james4141 commented on GitHub (Dec 3, 2025):

Looks like I forgot a line - give this a try then pick up where you left off:
openssl req -new -key server.key -out server.csr

Edited my comment above to include this as well.

@james4141 commented on GitHub (Dec 3, 2025): Looks like I forgot a line - give this a try then pick up where you left off: `openssl req -new -key server.key -out server.csr` Edited my comment above to include this as well.
GiteaMirror commented 2026-02-28 19:57:41 -06:00
Author
Owner
Copy Link

@Ctrl-Alb commented on GitHub (Dec 3, 2025):

I have followed the steps you described, but now I can't have access to the Actual server.
I tried restarting my Debian machine and even reinstalled Actual Budget (and copying config.json, server.key and server.crt in the /data folder), but now I can't access it either via HTTP or HTTPS.
It’s not a big issue since I didn’t have any personal data in this Actual instance.
Do you have any suggestions to fix it?

@Ctrl-Alb commented on GitHub (Dec 3, 2025): I have followed the steps you described, but now I can't have access to the Actual server. I tried restarting my Debian machine and even reinstalled Actual Budget (and copying `config.json`, `server.key` and `server.crt` in the `/data` folder), but now I can't access it either via HTTP or HTTPS. It’s not a big issue since I didn’t have any personal data in this Actual instance. Do you have any suggestions to fix it?
GiteaMirror commented 2026-02-28 19:57:42 -06:00
Author
Owner
Copy Link

@james4141 commented on GitHub (Dec 3, 2025):

Just to confirm - your file is named config.json and not .jsonc? Are there any container logs? I run mine on Unraid so I'm not certain on the command for that, but this may help

@james4141 commented on GitHub (Dec 3, 2025): Just to confirm - your file is named config.json and not .jsonc? Are there any container logs? I run mine on Unraid so I'm not certain on the command for that, but [this](https://docs.docker.com/reference/cli/docker/container/logs/) may help
GiteaMirror commented 2026-02-28 19:57:42 -06:00
Author
Owner
Copy Link

@Ctrl-Alb commented on GitHub (Dec 3, 2025):

You're right, I mistyped, I meant config.json (I updated previous my comment)

@Ctrl-Alb commented on GitHub (Dec 3, 2025): You're right, I mistyped, I meant `config.json` (I updated previous my comment)
GiteaMirror commented 2026-02-28 19:57:43 -06:00
Author
Owner
Copy Link

@james4141 commented on GitHub (Dec 3, 2025):

Is the container running or does it fail and stop? Logs would be helpful if you are able to retrieve anything

@james4141 commented on GitHub (Dec 3, 2025): Is the container running or does it fail and stop? Logs would be helpful if you are able to retrieve anything
GiteaMirror commented 2026-02-28 19:57:43 -06:00
Author
Owner
Copy Link

@Ctrl-Alb commented on GitHub (Dec 3, 2025):

I figured out the problem: in the config.json file I had written selfhost.key (the file name I used before) instead of server.key (the file name in your guide).
After correcting the issue, not only does the Actual Budget work correctly, it also shows the icon on the home screen!
This means that the steps described in your comment worked perfectly.
Great, thank you very much!

Image

@Ctrl-Alb commented on GitHub (Dec 3, 2025): I figured out the problem: in the `config.json` file I had written `selfhost.key` (the file name I used before) instead of `server.key` (the file name in your guide). After correcting the issue, not only does the Actual Budget work correctly, it also shows the icon on the home screen! This means that the steps described in [your comment](https://github.com/actualbudget/actual/issues/4451#issuecomment-3608289466) worked perfectly. Great, thank you very much! ![Image](https://github.com/user-attachments/assets/c6b0ac94-105e-4fc0-bd93-be0dda13e91d)
GiteaMirror commented 2026-02-28 19:57:44 -06:00
Author
Owner
Copy Link

@james4141 commented on GitHub (Dec 3, 2025):

Glad to hear. So you are aware, the certificate you created for Actual is valid for 825 days - that's supposedly the maximum validity period that iOS will accept for a certificate issued by private CA. Before that runs out, you'd need to run the last 2 commands to generate a new certificate using the same key (or use the last 3 commands to also generate a new key). Then copy the certificate to your server. You wouldn't need to repeat the root CA process on your iPhone since that's valid for 10 years, though I'm not sure if this carries over when upgrading phones.

@james4141 commented on GitHub (Dec 3, 2025): Glad to hear. So you are aware, the certificate you created for Actual is valid for 825 days - that's supposedly the maximum validity period that iOS will accept for a certificate issued by private CA. Before that runs out, you'd need to run the last 2 commands to generate a new certificate using the same key (or use the last 3 commands to also generate a new key). Then copy the certificate to your server. You wouldn't need to repeat the root CA process on your iPhone since that's valid for 10 years, though I'm not sure if this carries over when upgrading phones.
GiteaMirror commented 2026-02-28 19:57:44 -06:00
Author
Owner
Copy Link

@Ctrl-Alb commented on GitHub (Dec 3, 2025):

Thank you for the explanation, I'll keep it in mind.
One last question: in order to make things work not only on my iOS client but also on my macOS client, what should I do?
Should I simply import the rootCA.pem file on my Mac?

@Ctrl-Alb commented on GitHub (Dec 3, 2025): Thank you for the explanation, I'll keep it in mind. One last question: in order to make things work not only on my iOS client but also on my macOS client, what should I do? Should I simply import the `rootCA.pem` file on my Mac?
GiteaMirror commented 2026-02-28 19:57:44 -06:00
Author
Owner
Copy Link

@james4141 commented on GitHub (Dec 3, 2025):

Open Keychain Access, select System keychain, and drop the RootCA.pem there. You may need to search/filter to find it, open that up and select Always Trust.

If you use Firefox on Mac you may need to add it there as well, I think Firefox uses its own cert store.

Image
@james4141 commented on GitHub (Dec 3, 2025): Open Keychain Access, select System keychain, and drop the RootCA.pem there. You may need to search/filter to find it, open that up and select Always Trust. If you use Firefox on Mac you may need to add it there as well, I think Firefox uses its own cert store. <img width="869" height="590" alt="Image" src="https://github.com/user-attachments/assets/e9c8d6f3-7260-4f58-b745-5d2ff6d514a2" />
GiteaMirror commented 2026-02-28 19:57:44 -06:00
Author
Owner
Copy Link

@Ctrl-Alb commented on GitHub (Dec 3, 2025):

Perfect, thank you very much :)
You’ve been super helpful

@Ctrl-Alb commented on GitHub (Dec 3, 2025): Perfect, thank you very much :) You’ve been super helpful
GiteaMirror commented 2026-02-28 19:57:45 -06:00
Author
Owner
Copy Link

@james4141 commented on GitHub (Dec 3, 2025):

Thanks. Just wanted to get to the bottom of this as it gets asked on Discord quite often.

Tagging @youngcw because we need an adult 😬 I posted a potential workound for the iOS SSL/certificate issues when using a self-signed cert. I believe this may also fix issues where iOS clients randomly disconnect from the server. Also, I've found that using https://app.actualbudget.org won't work on iOS devices when the server is using an Untrusted certificate.

Do you think the best resolution here is to update the HTTPS documentation?

@james4141 commented on GitHub (Dec 3, 2025): Thanks. Just wanted to get to the bottom of this as it gets asked on Discord quite often. Tagging @youngcw because we need an adult 😬 I posted a potential [workound](https://github.com/actualbudget/actual/issues/4451#issuecomment-3608289466) for the iOS SSL/certificate issues when using a self-signed cert. I believe this may also fix issues where iOS clients randomly disconnect from the server. Also, I've found that using [https://app.actualbudget.org](https://app.actualbudget.org) won't work on iOS devices when the server is using an Untrusted certificate. Do you think the best resolution here is to update the HTTPS documentation?
GiteaMirror commented 2026-02-28 19:57:45 -06:00
Author
Owner
Copy Link

@james4141 commented on GitHub (Jan 12, 2026):

@Ctrl-Alb Just wanted to follow up and see if this is still working for you - have you had any problems where your iOS client stopped working after getting these certs up and running?

@james4141 commented on GitHub (Jan 12, 2026): @Ctrl-Alb Just wanted to follow up and see if this is still working for you - have you had any problems where your iOS client stopped working after getting these certs up and running?
GiteaMirror commented 2026-02-28 19:57:46 -06:00
Author
Owner
Copy Link

@Ctrl-Alb commented on GitHub (Jan 12, 2026):

Hi @james4141, since I followed your suggestion, the icon is displayed correctly and, as far as I know, I haven’t encountered any problems with the certificates.
So, it seems that everything’s working fine :)

@Ctrl-Alb commented on GitHub (Jan 12, 2026): Hi @james4141, since I followed your suggestion, the icon is displayed correctly and, as far as I know, I haven’t encountered any problems with the certificates. So, it seems that everything’s working fine :)
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
AI generated
API
bank sync
budgeting
bug
can’t replicate
dependencies
docker
documentation
electron
experimental feature
feature
feedback
goal templates
good first issue
help wanted
importers
maintenance
needs info
needs testing
needs triage
needs votes
openid
payees
pull-request
Mirrored from GitHub Pull Request
 regression
reports
responsive
rules
schedules
server
merged
split transactions
tech debt
theme
transaction import
transaction reconciliation
transactions
translations
upstream
user interface
approved
wontfix
No Label bug good first issue
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/actual#1895
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?