OneBusAway / onebusaway-android

The official Android app for OneBusAway
http://www.onebusaway.org/

HTTPS custom OBA API server does not work #741

Closed sdjacobs closed 7 years ago

sdjacobs commented 7 years ago

Summary:

The app does not seem to be able to retrieve data from a custom OBA API server on HTTPS.

Steps to reproduce:

  1. Go to Settings -> Advanced -> OneBusAway API Server
  2. Put in a URL with HTTPS, i.e. "https://oba-api-staging.soundtransit.org"
  3. Go back to the map view.

Expected behavior:

I should be able to get data on where stops are, click on stops, etc.

Observed behavior:

I got a Toast: "Unable to get stops". (Note that everything worked properly without https, i.e. "http://oba-api-staging.soundtransit.org")

Device and Android version:

Nexus 5X running Android 7.1.1 (stock from manufacturer).

Screenshots: two screenshots attached (screenshot_20170112-164651, screenshot_20170112-164710)

barbeau commented 7 years ago

Thanks @sdjacobs, I'll take a look. That should definitely work.

barbeau commented 7 years ago

Looks like this is the error showing up in LogCat on a LG G5 with Android 7.0:

E/RequestBase: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

barbeau commented 7 years ago

The URL looks correctly formed - here's an example for Puget Sound when panning the map (with the API key changed and UUID of my device removed, but otherwise the same as what the app is generating):

https://oba-api-staging.soundtransit.org/api/where/stops-for-location.json?lat=47.12249361101949&lon=-121.81812420487405&latSpan=10.165774244613665&lonSpan=10.381018258631244&app_ver=72&key=TEST

If you click on the above, you get a valid response in Chrome, so everything seems ok there.

So it looks like it's a problem with Android verifying the server certificate - see the following URL for the top 3 common problems that produce this error: https://developer.android.com/training/articles/security-ssl.html#CommonProblems

@sdjacobs I'm assuming maybe you're using a self-signed cert. for the testing environment? Could you test with a well known CA? See http://android.stackexchange.com/a/26504/22751 for how to check the list of trusted CAs on a device.

sdjacobs commented 7 years ago

The cert isn't self-signed, the CA is DigiCert. I'd think that would work.

barbeau commented 7 years ago

Hmmm...let me dig in a bit further. Do you have any other servers set up with HTTPS with a different CA we could test against?

sdjacobs commented 7 years ago

Yes, https://buseta.wmata.com/onebusaway-api-webapp is verified with GeoTrust and it works!

I also did a little more digging and it looks like there's some server misconfiguration. The DigiCert help tool says "The server is not sending the required intermediate certificate." I wonder why it works in my browser.

We'll try to get the server issue addressed - I'll keep this open until we can confirm that it's working in the app, if that's alright.

barbeau commented 7 years ago

@sdjacobs Awesome, yes, please keep this open until the issue is resolved server-side so we can make sure everything functions correctly. Thanks for looking into the server-side issue! And please share whatever it takes to fix it, as I'm sure this won't be the last time this happens to someone setting up an OBA server with HTTPS.

sdjacobs commented 7 years ago

Ok, server is updated and it now works in the app.

Unfortunately, the issue was internal to Sound Transit's network so I don't know details on how it was addressed. I think it's possible that an internal proxy or load balancer wasn't forwarding the intermediate certificate. FWIW the DigiCert help tool said this:

In most cases, solving this problem in Apache is as simple as adding "SSLCertificateChainFile /path/to/DigiCertCA.crt" to your apache configuration file after/near your SSLCertificateFile line.
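A small diagnostic, added here as an example and not part of onebusaway-android, that reproduces what the app's trust manager sees: it connects using the platform trust store, records the chain the server actually presented, and reports whether that chain ends at a trusted root (the condition that fails with "Trust anchor for certification path not found" when an intermediate is omitted). The default host is the one from this issue; the class and helper names (ChainProbe, RecordingTrustManager, chainReachesTrustAnchor) are my own.

```java
import javax.net.ssl.*;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

public class ChainProbe {
    // Records the chain the server presents, then hands it unchanged to the platform trust
    // manager, so validation still fails exactly as it does inside the app.
    static final class RecordingTrustManager implements X509TrustManager {
        final X509TrustManager delegate;
        X509Certificate[] served = new X509Certificate[0];
        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }
        public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkClientTrusted(c, a); }
        public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
            served = c.clone();   // copy before validation can throw
            delegate.checkServerTrusted(c, a);
        }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    static X509TrustManager platformTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // null = the platform's default trust store (system CAs on Android)
        return (X509TrustManager) tmf.getTrustManagers()[0];
    }

    // True when the last certificate the server sent is issued by a root in the trust store,
    // i.e. the presented chain reaches a trust anchor with no intermediate missing.
    static boolean chainReachesTrustAnchor(X509Certificate[] served, X509TrustManager tm) {
        if (served.length == 0) return false;
        X509Certificate last = served[served.length - 1];
        for (X509Certificate anchor : tm.getAcceptedIssuers())
            if (anchor.getSubjectX500Principal().equals(last.getIssuerX500Principal())) return true;
        return false;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "oba-api-staging.soundtransit.org";  // host from the issue
        RecordingTrustManager recorder = new RecordingTrustManager(platformTrustManager());
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        // createSocket(host, port) sets SNI from the host name, so a virtual host answers with its own cert.
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            s.startHandshake(); System.out.println("Handshake OK");
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake failed: " + e.getMessage());
        }
        System.out.println("Server presented " + recorder.served.length + " certificate(s)");
        for (X509Certificate c : recorder.served)
            System.out.println("  subject=" + c.getSubjectX500Principal() + "  issuer=" + c.getIssuerX500Principal());
        if (!chainReachesTrustAnchor(recorder.served, recorder.delegate))
            System.out.println("Chain does not end at a trusted root: the server is probably omitting an intermediate certificate.");
    }
}
```

Run it from a plain JVM with `java ChainProbe <host>`; a desktop browser often succeeds against the same misconfigured server because it fetches the missing intermediate via the certificate's AIA URL or already has it cached, which Android's verifier does not do.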

barbeau commented 7 years ago

Awesome, thanks @sdjacobs! I'll close this out then.