3

I have an Android project and it works well at my test environment with test environment certificate. And now, I must connect this app to client's UAT environment instead of test environment. From client's web site, I downloaded public certificate and added it to Android application with replacing test environment certiface. When I tested application, I took below error.

What does this error mean? Is the error about server side config? Should I add this certificate to trusted certificates of Android OS?

EDIT: The downloaded certiface from the client's web site is CA certificate. Not a self signed certificate.

W/System.err: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
W/System.err:     at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:236)
W/System.err:     at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:367)
W/System.err:     at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:325)
W/System.err:     at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:197)
W/System.err:     at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:249)
W/System.err:     at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:108)
W/System.err:     at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:76)
W/System.err:     at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:245)
W/System.err:     at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
W/System.err:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:100)
W/System.err:     at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:96)
W/System.err:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:100)
W/System.err:     at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
W/System.err:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:100)
W/System.err:     at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
W/System.err:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:100)
W/System.err:     at xbnvqqyqoxeynry.dxdxdd.intercept(Unknown Source:29)
W/System.err:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:100)
W/System.err:     at xbnvqqyqoxeynry.xxxxdx.intercept(Unknown Source:4)
W/System.err:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:100)
W/System.err:     at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:197)
W/System.err:     at okhttp3.internal.connection.RealCall$AsyncCall.run(RealCall.kt:502)
W/System.err:     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
W/System.err:     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
W/System.err:     at java.lang.Thread.run(Thread.java:764)
W/System.err: Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
W/System.err:     at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:654)
W/System.err:     at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:499)
W/System.err:     at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:422)
W/System.err:     at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:343)
W/System.err:     at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
W/System.err:     at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:88)
W/System.err:     at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:208)
W/System.err:     at com.android.org.conscrypt.ConscryptFileDescriptorSocket.verifyCertificateChain(ConscryptFileDescriptorSocket.java:426)
W/System.err:     at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
W/System.err:     at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:383)
W/System.err:     at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:231)
W/System.err:   ... 24 more
W/System.err: Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
W/System.err:   ... 35 more
İlkay Gunel
  • 712
  • 2
  • 11
  • 24

1 Answers1

8

I think you need to create a network_security_config.xml in res/xml and also you need to configure it. For example:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config>
    <trust-anchors>
        <certificates src="@raw/certificate_name"/>
        <certificates src="system"/>
    </trust-anchors>
  </base-config>

After this, you should add the network_security_config to AndroidManifest

<?xml version="1.0" encoding="utf-8"?>
<manifest ... >
    <application android:networkSecurityConfig="@xml/network_security_config"
                ... >
    ...
</application>

For more information: https://developer.android.com/training/articles/security-config.html

Mücahid Kambur
  • 1,610
  • 13
  • 10
  • ok, so I need certificate named `certificate_name` inside folder `raw` or `certificate_name.pem` inside `raw` folder? – sosnus Nov 21 '22 at 01:58
  • @sosnus as stated in the link provided in the answer, `Add the self-signed or non-public CA certificate, in PEM or DER format, to res/raw/certificate_name.` – Yonatan Dec 04 '22 at 09:10