dreautall / waterfly-iii

Unofficial Android App for Firefly III, a free and open source personal finance manager.
MIT License
329 stars, 25 forks

Certificate error ERR_CERT_AUTHORITY_INVALID #388

Closed depahk closed 3 months ago

depahk commented 3 months ago

Hi, I started using the Waterfly app some months ago and it has been working very well. Unfortunately, since some weeks ago I can't use the app anymore because of the error below: [screenshot: Screenshot_20240524_221933]

What can have happened? Since it worked before, my doubt is whether something could have happened to the app. I rechecked the custom CA certificate imported into the system and it works; I deleted the app's data and reimported the server certificate and the personal token.

I use a Samsung updated to the latest version of everything available. FF v6.1.12

dreautall commented 3 months ago

thank you for the report, looks like I missed that case when upgrading to the new http library - I'll implement a fix shortly!

dreautall commented 3 months ago

It seems that (at least right now), custom user certificates are not supported by Cronet (which the app uses since recently).

Could you try adding the CA certificate you are using for the custom certificate into Android directly, to see whether this works? Thank you!

depahk commented 3 months ago

I have already added the CA Certificate into Android system because I use it also for other local services so, unfortunately, the error is the same as above :(

j1mbl3s commented 3 months ago

Chiming in with an additional data point:

I also have a self-signed CA which I have imported and trusted on my Android device. The site works fine in browsers on the device.

The signing chain is: Root CA -> Intermediate CA -> Server

Without adding a custom cert to the app, I get "Invalid SSL Certificate" error. When adding a custom certificate to the app, I get the same "Invalid SSL Certificate" error when the PEM is any of the root CA certificate, the server certificate, or the full certificate chain.

Interestingly, I get the same error as OP when I try to add the intermediate CA certificate to the app.

It would be ideal to only have to add a single certificate from anywhere in the chain, like the root certificate in a 3-tier PKI, such that short-lived server certificates would not need to be copy+pasted so often.

dreautall commented 3 months ago

Thanks for the report - it's really strange, I switched to a different http library specifically to support the android root cert store... unfortunately that one doesn't support a custom certificate.

No idea why it doesn't work properly. I might just switch back for the next release, sorry.

dreautall commented 3 months ago

Will work again in v1.0.4, which I will release later today or tomorrow. Sorry for the inconvenience - that's what you get for switching to a supposedly cool new, better-integrated library 😞

j1mbl3s commented 3 months ago

Hi @dreautall thank you for the quick response on this.

Sorry to comment on the closed issue, and please let me know if I should open a new one. I was looking over the change made for v1.0.4 and noticed it was previously using the CronetClient.defaultCronetEngine(). I was then looking over the CronetClient class and found CronetClient.fromCronetEngine(CronetEngine, {bool}). It looks like supplying this with a CronetEngine built with enablePublicKeyPinningBypassForLocalTrustAnchors = true might do the trick in allowing the device's trust store. I'm not sure if it's enabled or disabled in the default engine.

Hope this helps! I might try building the app with those changes to see if that resolves it for my situation, but I have no experience with Dart. 🙃

dreautall commented 3 months ago

Hey! I also looked at this briefly. I haven't looked at the actual Android Source Code, but from the description ("Disabling the bypass for local trust anchors is highly discouraged") and a very old comment ("The bypass is enabled by default") I assumed this was true by default, and still not properly working... but I honestly also didn't set up my device for testing properly (adding a root cert etc) to try it out more in-depth.

j1mbl3s commented 3 months ago

I gave building the app a shot and it seems you are correct in that Cronet is not working with the local trust store, at least with a minimum effort attempt in doing so.

I was also debugging through the badCertificateCallback using IOClient and found it to be called with the certificate chain (i.e. my intermediate CA certificate) and not the server certificate. That was interesting as, going by the documentation, I was expecting the server certificate! Not sure how one would attempt a legitimate X509 verification with that, since the host won't match to anything in the X509Certificate...

Anyway, this solution seems to work for me, for now. Thanks again!

dreautall commented 3 months ago

Okay, I figured it out - you need to add custom options to AndroidManifest.xml for it to accept user certificates, not only system ones.

However, I also now found a post by the Author of the cronet implementation in dart that custom SSL certificates will never work.

I've reopened #77, maybe we can continue the discussion there!
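For readers wondering what the "custom options to AndroidManifest.xml" mentioned above look like: the following is an added illustration, not code from the waterfly-iii project, showing the standard Android Network Security Configuration that extends an app's trust anchors from the system store to also include user-installed CA certificates. The resource file name `network_security_config.xml` is an assumed choice; any name under `res/xml/` works as long as the manifest attribute points at it.

```xml
<!-- Added example (not from the project). -->
<!-- File 1 (assumed path): app/src/main/AndroidManifest.xml -->
<!-- Only the <application> element is shown; the networkSecurityConfig
     attribute points Android at the config resource below. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
    <application
        android:networkSecurityConfig="@xml/network_security_config">
        <!-- activities, services, ... unchanged -->
    </application>
</manifest>

<!-- File 2 (assumed path): app/src/main/res/xml/network_security_config.xml -->
<!-- By default, apps targeting API 24+ trust only the "system" store,
     so a CA the user installed via Settings is ignored and TLS fails
     with an untrusted-authority error. Listing "user" as a second
     trust anchor source is what makes a user-installed root or
     intermediate CA acceptable to the app's HTTP stack. -->
<network-security-config>
    <!-- cleartextTrafficPermitted="false" keeps plain http:// blocked;
         only the trust anchors are widened, not the transport policy. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <!-- Pre-installed platform CAs (the default). -->
            <certificates src="system" />
            <!-- CAs the device owner installed through Settings
                 (the "custom CA" the users in this thread describe). -->
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
```

Scoping note: trusting the user store in `<base-config>` applies to every host the app talks to. If the self-hosted instance is the only host that needs it, a `<domain-config>` block listing that domain with the same `<trust-anchors>` limits the widened trust to that host while leaving connections to everything else on the system store alone.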