
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

Open MajaTrzebiatowska opened this issue 6 years ago • 3 comments

javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
  at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:328)
  at okhttp3.internal.connection.RealConnection.connectTls(SourceFile:336)
  at okhttp3.internal.connection.RealConnection.establishProtocol(SourceFile:300)
  at okhttp3.internal.connection.RealConnection.connect(SourceFile:185)
  at okhttp3.internal.connection.ExchangeFinder.findConnection(SourceFile:224)
  at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(SourceFile:107)
  at okhttp3.internal.connection.ExchangeFinder.find(SourceFile:87)
  at okhttp3.internal.connection.Transmitter.newExchange(SourceFile:169)
  at okhttp3.internal.connection.ConnectInterceptor.intercept(SourceFile:41)
  at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:142)
  at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:117)
  at okhttp3.internal.cache.CacheInterceptor.intercept(SourceFile:94)
  at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:142)
  at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:117)
  at okhttp3.internal.http.BridgeInterceptor.intercept(SourceFile:93)
  at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:142)
  at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(SourceFile:88)
  at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:142)
  at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:117)
  at com.myapp.sdk.shared.c.a.g.intercept(SourceFile:287)
  at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:142)
  at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:117)
  at com.commonsware.cwac.netsecurity.OkHttp3Integrator$X509Interceptor.intercept(SourceFile:66)
  at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:142)
  at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:117)
  at com.myapp.sdk.services.b.a.a.d.intercept(SourceFile:122)
  at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:142)
  at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:117)
  at com.myapp.sdk.services.b.a.a.a.intercept(SourceFile:49)
  at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:142)
  at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:117)
  at okhttp3.RealCall.getResponseWithInterceptorChain(SourceFile:221)
  at okhttp3.RealCall.execute(SourceFile:81)
  at com.google.firebase.perf.network.FirebasePerfOkHttpClient.execute(Unknown Source)
  at c.i.a(SourceFile:180)
  at com.myapp.sdk.shared.c.a.c.a_(SourceFile:46)
  at io.b.m.a(SourceFile:12267)
  at io.b.f.e.e.ap.a(SourceFile:35)
  at io.b.t.b(SourceFile:3603)
  at io.b.f.e.f.f.a(SourceFile:35)
  at io.b.t.b(SourceFile:3603)
  at io.b.f.e.f.d.a(SourceFile:35)
  at io.b.t.b(SourceFile:3603)
  at io.b.f.e.f.q.a(SourceFile:37)
  at io.b.h.a(SourceFile:14827)
  at io.b.h.b(SourceFile:14774)
  at io.b.f.e.b.o$b.a(SourceFile:100)
  at io.b.f.e.b.g$b.a(SourceFile:282)
  at io.b.f.e.b.g$a.a(SourceFile:663)
  at io.b.f.e.b.t$a.run(SourceFile:76)
  at io.b.f.g.l.a(SourceFile:38)
  at io.b.f.g.l.call(SourceFile:26)
  at java.util.concurrent.FutureTask.run(FutureTask.java:237)
  at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:269)
  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1113)
  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:588)
  at java.lang.Thread.run(Thread.java:818)
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
  at com.commonsware.cwac.netsecurity.conscrypt.TrustManagerImpl.checkTrustedRecursive(SourceFile:611)
  at com.commonsware.cwac.netsecurity.conscrypt.TrustManagerImpl.checkTrusted(SourceFile:463)
  at com.commonsware.cwac.netsecurity.conscrypt.TrustManagerImpl.checkServerTrusted(SourceFile:319)
  at com.commonsware.cwac.netsecurity.config.NetworkSecurityTrustManager.checkServerTrusted(SourceFile:114)
  at com.commonsware.cwac.netsecurity.config.RootTrustManager.checkServerTrusted(SourceFile:161)
  at java.lang.reflect.Method.invoke(Native Method)
  at com.commonsware.cwac.netsecurity.X509ExtensionsWrapper.checkServerTrusted(SourceFile:78)
  at com.commonsware.cwac.netsecurity.CompositeTrustManager.checkServerTrusted(SourceFile:252)
  at com.commonsware.cwac.netsecurity.CompositeTrustManager.checkServerTrusted(SourceFile:232)
  at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:117)
  at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:556)
  at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
  at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:324)
  ... 56 more
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
  ... 69 more

We use cwac-netsecurity v0.4.5 and okhttp v3.14.1.

Our implementation:

<manifest xmlns:android="http://schemas.android.com/apk/res/android"
         package="com.myapp.sdk">

   <!-- Using https://github.com/commonsguy/cwac-netsecurity to make networkSecurityConfig backward-compatible -->
   <application
       android:label="@string/app_name"
       android:networkSecurityConfig="@xml/network_security_config"
       android:supportsRtl="true">

       <meta-data
           android:name="android.security.net.config"
           android:resource="@xml/network_security_config"/>

   </application>

</manifest>

and network_security_config:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">mysubdomain.com</domain>
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>

        <!-- Certificate needs to be updated in 2019 -->
        <pin-set expiration="{date}">
            <pin digest="SHA-256">{digest}</pin>
        </pin-set>

    </domain-config>
</network-security-config>

As far as we can see in the logs, it happened for device: Nexus 5X (bullhead) (Nexus 5X), OS version: 6.0.1

MajaTrzebiatowska avatar Jul 04 '19 10:07 MajaTrzebiatowska

I have no means of helping you with this, as I have no means of reproducing your problem. Perhaps your pin expired, since it is set to expire sometime this year according to the comment.

Otherwise, I need a complete project that can reproduce the problem, so that I can run it here and try to figure out what is going on.

commonsguy avatar Jul 04 '19 11:07 commonsguy

@commonsguy Hi Mark, thanks for the fast reply. Is it possible that if my pin expired it would still work on the majority of devices and fail on others? Or could it be a rooted device / proxy-enabled problem?

MajaTrzebiatowska avatar Jul 04 '19 11:07 MajaTrzebiatowska

Is it possible that if my pin expired it would still work on majority of devices and fail on others?

The pin-checking algorithm uses the device time, so if the device time is set to the future, the pin will appear to expire early. Otherwise, it should affect all devices around the same time.

Though it dawns on me now that the network security configuration pin checking is set to fail open, so after the expiration date, the pin is ignored. So, a pin expiration should not be the problem.

could it be a rooted device

Presumably there is something that one could do on a rooted device that would result in that error, though nothing comes to mind right now.

maybe a proxy enabled problem

If the user is the victim of a MITM attack and is not connecting to your server, you would get a failed certificate error, if the pin is being checked.

commonsguy avatar Jul 04 '19 11:07 commonsguy
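To make the ordering in the reply above concrete (the chain is validated against the domain's trust anchors first; pins are consulted only while the pin-set is unexpired by the device clock and are ignored afterwards), here is an added Python model of those rules. It is not Android's or cwac-netsecurity's code, and the pin digests, dates and scenario inputs are constructed placeholders.

```python
from datetime import datetime, timezone
from typing import Optional, Set

# Constructed model (not Android's or cwac-netsecurity's code) of the check order
# applied by a network-security-config trust manager:
#   1. validate the chain against the <trust-anchors> of the matching <domain-config>;
#      failure is the "Trust anchor for certification path not found" seen in this issue
#   2. if <pin-set expiration="..."> is in the past *by the device clock*, skip pinning
#      entirely (fail open)
#   3. otherwise require one SPKI digest in the chain to match a <pin>

TRUST_ANCHOR_ERROR = "Trust anchor for certification path not found."
PIN_ERROR = "Pin verification failed"


def parse_expiration(value: str) -> datetime:
    """<pin-set expiration="yyyy-MM-dd"> carries a plain calendar date."""
    return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def pins_enforced(expiration: Optional[datetime], device_now: datetime) -> bool:
    """Pins apply only while the device clock says the set has not expired."""
    return expiration is None or device_now <= expiration


def check_server_trusted(chain_pins: Set[str], pinned: Set[str], anchor_trusted: bool,
                         expiration: Optional[datetime], device_now: datetime) -> str:
    """Outcome of one handshake under the modelled check order."""
    if not anchor_trusted:
        return TRUST_ANCHOR_ERROR   # this issue's error; pins are never consulted
    if pins_enforced(expiration, device_now) and not (chain_pins & pinned):
        return PIN_ERROR            # what a pin mismatch reports instead
    return "OK"


# Constructed sample data: SPKI pin of the genuine server vs. an interception proxy's CA
SERVER_PIN = "server-spki-sha256-base64"   # placeholder, not a real digest
PROXY_PIN = "proxy-ca-spki-sha256-base64"  # placeholder, not a real digest
PINNED = {SERVER_PIN}
EXPIRY = parse_expiration("2019-12-31")    # placeholder for the issue's {date}


def scenarios() -> dict:
    normal = datetime(2019, 7, 4, tzinfo=timezone.utc)
    future = datetime(2021, 1, 1, tzinfo=timezone.utc)  # device clock set far ahead
    return {
        "genuine": check_server_trusted({SERVER_PIN}, PINNED, True, EXPIRY, normal),
        # clock ahead of the expiry: even a wrong pin is ignored (fail open)
        "future_clock_wrong_pin": check_server_trusted({PROXY_PIN}, PINNED, True, EXPIRY, future),
        # proxy CA installed as a user cert (src="user" is an anchor): the pin catches it
        "proxy_ca_installed": check_server_trusted({PROXY_PIN}, PINNED, True, EXPIRY, normal),
        # proxy CA not trusted at all: chain building fails before pins are reached
        "proxy_ca_not_trusted": check_server_trusted({PROXY_PIN}, PINNED, False, EXPIRY, normal),
    }
```

The last two scenarios show why the reported error points at chain building against the configured anchors rather than at the pin: a pin mismatch surfaces as a different message.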