apache / cordova-plugin-inappbrowser

Apache Cordova InAppBrowser Plugin
https://cordova.apache.org/
Apache License 2.0

"The certificate authority is not trusted" - Trying to open my server page #1060

Open markarupert opened 2 weeks ago

markarupert commented 2 weeks ago

Bug Report

Problem

I am getting "The certificate authority is not trusted" - Trying to open my server page

What is expected to happen?

The page should open

What does actually happen?

I get the error "The certificate authority is not trusted"

Information

When I open the same page in a Windows browser and view the certificate, it says that it is valid and trusted.

The certificate was created with win-acme.

Command or Code

Environment, Platform, Device

Android

Version information

cordova-plugin-inappbrowser 6.0.0
Cordova CLI (on Windows) - 12.0.0 (cordova-lib@12.0.1)

cordova-plugin-android-permissions 1.1.5 "Permissions"
cordova-plugin-device 2.1.0 "Device"
cordova-plugin-dialogs 2.0.2 "Notification"
cordova-plugin-file 8.0.0 "File"
cordova-plugin-inappbrowser 6.0.0 "InAppBrowser"
cordova-plugin-network-information 3.0.0 "Network Information"
cordova-plugin-splashscreen 6.0.1 "Splashscreen"
cordova-plugin-x-toast 2.7.3 "Toast"
cordova.plugins.diagnostic 7.1.2 "Diagnostic"

Checklist

breautek commented 2 weeks ago

Does your web server host the full certificate chain?

Sometimes a certificate excludes the intermediate chain, a certificate that sits in between the Root CA and your application certificate, usually as an optimisation since most clients would already have the intermediate chains via their OS updates.

The Android OS however does provide intermediate certificate chains. They just have the Root CAs. But the browser will download them and cache intermediate chains found via fullchain certificates.

So if the browser is missing a chain and visits a site that uses that CA but doesn't provide the fullchain, it will fail. If the browser visits another site that uses the same CA and provides a fullchain certificate, it will work. If the browser returns to the first site that is missing the chain, it will now work since it will have the intermediate chain cached from the second web page visit. So in other words, the browser tends to collect intermediate chains as part of using the browser and will make sites that are configured not to use the fullchain still "work", provided that the browser got the intermediate chain cached from elsewhere.

Webviews, however, do not use the same cache as the browser app. They have isolated caches. That means the webview will not have access to any intermediate chains that the browser has found. Unlike the browser, you also tend to not have broad web page browsing inside webviews. So if you intend to connect to your web server via a webview, it makes having the fullchain much more important.

If you're unsure that your certificate has the fullchain, then you'll need to ask your certificate provider.

Some providers don't provide the full chain, but may provide your certificate and the chain separately, in which case you'll need to use a tool to combine them.

If you DO have the fullchain configured on the web server, then I'd make sure that the Android device is completely up-to-date with all updates available to ensure they have the Root CAs. This also includes the webview updates for different TLS support. If that fails, then SSL Labs might be able to point to other SSL configuration issues that might make it incompatible with Android (and other OS/browsers).
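
The behaviour described in the comment above, reproduced offline with the openssl CLI as an added example (not part of the thread or the plugin's code): a client that trusts only the root CA rejects a server that sends just its own certificate and accepts one that sends the full chain. The throwaway PKI, its names, and the `make_pki`, `issue` and `chain_validates` helpers are constructed for illustration.

```shell
#!/bin/sh
# Constructed throwaway PKI (all names are made up): root -> intermediate -> leaf.
make_pki() {
    cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
EOF
    # Self-signed root: the only certificate the client will trust.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/pki.cnf" \
        -extensions ca -subj "/CN=Example Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" >/dev/null 2>&1
    # Intermediate signed by the root, then leaf signed by the intermediate.
    issue "$1" int  "Example Intermediate CA" root ca   2
    issue "$1" leaf "app.example.test"        int  leaf 3
    # Full chain as a server should send it: leaf first, then the intermediate.
    cat "$1/leaf.pem" "$1/int.pem" > "$1/fullchain.pem"
}

# issue DIR NAME CN ISSUER EXT_SECTION SERIAL
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
        -set_serial "$6" -days 2 -extfile "$1/pki.cnf" -extensions "$5" \
        -out "$1/$2.pem" >/dev/null 2>&1
}

# Succeeds if a client trusting only the roots in $1 can validate what the
# server sends in $2 (leaf first; any further certs are used as intermediates).
chain_validates() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" 2>&1 | grep -q ': OK$'
}

d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT
make_pki "$d"
for served in leaf.pem fullchain.pem; do
    if chain_validates "$d/root.pem" "$d/$served"; then echo "$served: trusted"
    else echo "$served: certificate authority is not trusted"; fi
done
```

Against a real server, `openssl s_client -connect host:443 -showcerts` lists the certificates it actually sends, which shows whether the intermediate is included.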