16

I've implemented the onReceivedSslError method in my WebViewClient to properly handle invalid HTTPS certificates in a WebView:

        @Override
        public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
            final AlertDialog.Builder builder = new AlertDialog.Builder(WebActivity.this);
            String message = "SSL Certificate error.";
            switch (error.getPrimaryError()) {
                case SslError.SSL_UNTRUSTED:
                    message = "The certificate authority is not trusted.";
                    break;
                case SslError.SSL_EXPIRED:
                    message = "The certificate has expired.";
                    break;
                case SslError.SSL_IDMISMATCH:
                    message = "The certificate Hostname mismatch.";
                    break;
                case SslError.SSL_NOTYETVALID:
                    message = "The certificate is not yet valid.";
                    break;
            }
            message += " Do you want to continue anyway?";

            builder.setTitle("SSL Certificate Error");
            builder.setMessage(message);
            builder.setPositiveButton("continue", (dialog, which) -> handler.proceed());
            builder.setNegativeButton("cancel", (dialog, which) -> handler.cancel());
            final AlertDialog dialog = builder.create();
            dialog.show();
        }

When the WebView loads my webpage, the SslError.SSL_UNTRUSTED error is detected. However, if I open the exact same URL in Chrome (both desktop and mobile), the certificate is considered valid and trusted:

Google Chrome certificate popup

Why is this happening?

Alexander Dyagilev
andreaciri
  • 2
    Java doesn't use Chrome's truststore. It has its own. Your message should read 'the *certificate* is not trusted.' – user207421 May 27 '18 at 01:01
  • 3
    I am having the same problem... On Chrome or any other browser the URL opens (PC and mobile), however in the WebView in my app it gives me primary error 3: untrusted certificate. Any luck with this one? You can use onReceivedSslError, but in production the Google Play Store will not let you publish your app... I read that Android stopped OAuth2 login (my URL has a verification username and password confirmation)!! Did you solve it?! – R.F Aug 21 '18 at 10:32
  • 3
    Have you found the solution? – hornet2319 May 28 '19 at 12:51

2 Answers

12

For me this was an issue with the server I was trying to reach. It had a broken intermediate certificate chain. It was the redirect server that had a broken chain. When there is a broken chain the webview has no way to resolve because it does not know where to look for the correct cert.

Use this tool to check for common misconfigurations. Be sure to check any redirects as well.

Android does not support Authority Information Access

And therefore there is no AIA Fetching

But?!.. it works in browsers

Yes, it works in browsers because all browsers carry around a list of intermediates to fall back on when the cert has a broken chain.

Solution: Fix certificate chain on server.

Community
doubleA
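
The broken-chain failure described in the answer above can be reproduced offline with openssl. This is an added example, not part of the original answer; the three-tier PKI, the certificate names and the helper functions new_csr, build_pki and verify_as_sent are constructed for illustration.

```shell
#!/bin/sh
# Constructed PKI: root -> intermediate -> leaf. All names are made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# CA certificates need basicConstraints CA:TRUE to be accepted as issuers.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:app.example.test\n' > "$WORK/leaf.ext"

new_csr() {   # new_csr <name> <subject>: fresh key plus signing request
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

build_pki() {
    new_csr root "/CN=Constructed Root CA"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -days 2 -out "$WORK/root.pem" 2>/dev/null
    new_csr inter "/CN=Constructed Intermediate CA"
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/ca.ext" -days 2 -out "$WORK/inter.pem" 2>/dev/null
    new_csr leaf "/CN=app.example.test"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" \
        -CAkey "$WORK/inter.key" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -days 2 -out "$WORK/leaf.pem" 2>/dev/null
}

# verify_as_sent [intermediate.pem]
# Validates the leaf against the trusted root using only what the "server"
# sent: nothing extra is fetched, as in a client without AIA fetching.
verify_as_sent() {
    if [ $# -gt 0 ]; then
        openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" \
            "$WORK/leaf.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
    fi
}

build_pki
verify_as_sent && echo "leaf only: trusted" \
    || echo "leaf only: untrusted (issuer of the leaf cannot be found)"
verify_as_sent "$WORK/inter.pem" && echo "leaf + intermediate: trusted" \
    || echo "leaf + intermediate: untrusted"
```

For a live server, `openssl s_client -connect <host>:443 -showcerts` lists the certificates it actually sends; repeat the check for each host in a redirect chain.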
4

Even for me it was giving SSL_UNTRUSTED when the cert was throwing invalid CN (SSL_IDMISMATCH) on Android Chrome. Added network-security-config and all seemed to work fine. For me, I installed a user-ca which wasn't being picked up by the WebView.

Added this snippet of code, which allowed me to use user-ca installed in user credentials.

<network-security-config>
    <base-config>
        <trust-anchors>
            <!-- Trust preinstalled CAs -->
            <certificates src="system" />
            <!-- Additionally trust user added CAs -->
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
Adam Johns
Gr8Warrior