6

I have an Android project and it works well in my test environment with the test environment certificate. Now I must connect this app to the client's UAT environment instead of the test environment. From the client's web site, I downloaded the public certificate and added it to the Android application, replacing the test environment certificate. When I tested the application, I got the error below.

What does this error mean? Is the error about server side config? Should I add this certificate to trusted certificates of Android OS?

EDIT: The certificate downloaded from the client's web site is a CA certificate, not a self-signed certificate.

W/System.err: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
W/System.err:     at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:236)
W/System.err:     at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:367)
W/System.err:     at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:325)
W/System.err:     at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:197)
W/System.err:     at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:249)
W/System.err:     at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:108)
W/System.err:     at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:76)
W/System.err:     at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:245)
W/System.err:     at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
W/System.err:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:100)
W/System.err:     at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:96)
W/System.err:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:100)
W/System.err:     at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
W/System.err:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:100)
W/System.err:     at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
W/System.err:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:100)
W/System.err:     at xbnvqqyqoxeynry.dxdxdd.intercept(Unknown Source:29)
W/System.err:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:100)
W/System.err:     at xbnvqqyqoxeynry.xxxxdx.intercept(Unknown Source:4)
W/System.err:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:100)
W/System.err:     at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:197)
W/System.err:     at okhttp3.internal.connection.RealCall$AsyncCall.run(RealCall.kt:502)
W/System.err:     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
W/System.err:     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
W/System.err:     at java.lang.Thread.run(Thread.java:764)
W/System.err: Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
W/System.err:     at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:654)
W/System.err:     at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:499)
W/System.err:     at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:422)
W/System.err:     at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:343)
W/System.err:     at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
W/System.err:     at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:88)
W/System.err:     at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:208)
W/System.err:     at com.android.org.conscrypt.ConscryptFileDescriptorSocket.verifyCertificateChain(ConscryptFileDescriptorSocket.java:426)
W/System.err:     at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
W/System.err:     at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:383)
W/System.err:     at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:231)
W/System.err:   ... 24 more
W/System.err: Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
W/System.err:   ... 35 more

1 Answer

11

I think you need to create a network_security_config.xml in res/xml and also you need to configure it. For example:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <!-- CA certificate bundled with the app in res/raw -->
            <certificates src="@raw/certificate_name"/>
            <!-- CA certificates pre-installed on the device -->
            <certificates src="system"/>
        </trust-anchors>
    </base-config>
</network-security-config>

After this, you should add the network_security_config to AndroidManifest:

<?xml version="1.0" encoding="utf-8"?>
<manifest ... >
    <application android:networkSecurityConfig="@xml/network_security_config"
                 ... >
        ...
    </application>
</manifest>

For more information: https://developer.android.com/training/articles/security-config.html


2 Comments

OK, so I need a certificate named certificate_name inside the raw folder, or certificate_name.pem inside the raw folder?
@sosnus As stated in the link provided in the answer: add the self-signed or non-public CA certificate, in PEM or DER format, to res/raw/certificate_name.
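
A domain-scoped variant of the configuration in the answer above, as an added example that is not part of the original answer or comments: the bundled CA is trusted only for the UAT host, while every other connection keeps the system trust store. `uat.example.com` is a placeholder host name; `certificate_name` is the res/raw resource name used in the answer.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml -->
<network-security-config>
    <!-- Default for every host not matched below: device CA store only. -->
    <base-config>
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>

    <!-- Only the UAT host also accepts chains that end at the bundled CA. -->
    <domain-config>
        <!-- Placeholder host name; replace with the client's UAT host. -->
        <domain includeSubdomains="false">uat.example.com</domain>
        <trust-anchors>
            <!-- res/raw/certificate_name, PEM or DER -->
            <certificates src="@raw/certificate_name"/>
            <certificates src="system"/>
        </trust-anchors>
    </domain-config>
</network-security-config>
```

The certificate in res/raw has to be one that the chain presented by the server actually leads to; if the chain does not end at any listed anchor, the handshake fails with the same CertPathValidatorException.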
