Xamarin: expired Let's Encrypt certificate and HttpClient

Question

Recently my Xamarin app stopped working because method GetAsync of HttpClient started throwing exception “The SSL connection could not be established”. Inner exception is “Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED”.

The site I am requesting uses ISRG Root X1 certificate. Android 11 on my device is up to date and all browsers open the requested URI successfully. Site https://expired-r3-test.scotthelme.co.uk/ also says that everything is OK.

Why is HttpClient throwing an exception now? Is there way to fix this problem on my device?

Whilst I don't recommend it, you could disable HttpClient certificate checking in your app as a work around. — Neil, Oct 06 '21 at 09:28
Postman has the same issue and they fixed recently https://github.com/postmanlabs/postman-app-support/issues/10338 — dante, Oct 07 '21 at 03:17

Andrey Rodin · Answer 1 · 2021-10-27T10:22:48.357

I made some investigations. First of all, I installed ISRG Root X1 certificate from official site. It did not help.

Then I added my own HttpClientHandler.ServerCertificateCustomValidationCallback. In Windows 7, where HttpClient.GetAsync call works, the certificate chain passed through parameter is correct: globusenergo.ru -> R3 -> ISRG Root X1.

In Android chain contains obsolete DST Root CA X3 certificate: globusenergo.ru -> R3 -> ISRG Root X1 -> DST Root CA X3.

In addition, I tried different combinations of HttpClient and SSL/TLS implementations as described here. Did not help.

Most likely, this is Xamarin Mono issue. As far as I know, BoringSsl uses own certificate store.

So, if you are owner of site, you should update certificate. It must contain correct chain without reference to expired DST Root CA X3. If you are developing an application and trust the site, you can avoid certificate validation with the following code:

httpClientHandler.ServerCertificateCustomValidationCallback +=
    (sender, cert, chain, sslPolicyErrors) => true;

Update The problem is with HttpClientHandler class, not Xamarin Mono. I specified an instance of this class as a parameter in HttpClient constructor. If you use native AndroidClientHandler, the problem goes away.

score 0 · Answer 2 · answered Sep 19 '22 at 11:25

All info about correct setup about HttpClient on Android project (i.e. Xamarin.Android or Uno Platform Droid) can be found here: HttpClient Stack and SSL/TLS Implementation Selector for Android.

Inside a Uno Platform Droid I tried both solutions (changing setup on Droid project property and implementing AndroidClientHandler) and both are correctly working to me.

Xamarin: expired Let's Encrypt certificate and HttpClient

2 Answers2