kittoku / Open-SSTP-Client

Open SSTP Client for Android
MIT License
402 stars 104 forks

Trust anchor for certification path not found #125

Closed falciloid closed 3 months ago

falciloid commented 10 months ago

Found on opensstp version 1.6.5.1 from the Play Market. Trying to connect to a personal SSTP server with a Let's Encrypt certificate on the server side.

At the SSL layer I just set it to verify the hostname and set the SSL version to TLS 1.2.

Logs below:

[2024-01-30 22:29:06.978] Establish VPN connection
[2024-01-30 22:29:07.251] OSC: ERR_UNEXPECTED
java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
    at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:656)
    at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:505)
    at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:425)
    at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:368)
    at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:102)
    at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:106)
    at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:260)
    at com.android.org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1638)
    at com.android.org.conscrypt.NativeCrypto.ENGINE_SSL_force_read(Native Method)
    at com.android.org.conscrypt.NativeSsl.forceRead(NativeSsl.java:588)
    at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:911)
    at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:747)
    at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:712)
    at com.android.org.conscrypt.Java8EngineWrapper.unwrap(Java8EngineWrapper.java:237)
    at kittoku.osc.terminal.SSLTerminal.receive$app_release(SSLTerminal.kt:284)
    at kittoku.osc.terminal.SSLTerminal.startHandshake(SSLTerminal.kt:151)
    at kittoku.osc.terminal.SSLTerminal.access$startHandshake(SSLTerminal.kt:37)
    at kittoku.osc.terminal.SSLTerminal$startHandshake$1.invokeSuspend(Unknown Source:14)
    at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
    at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:106)
    at kotlinx.coroutines.internal.LimitedDispatcher.run(LimitedDispatcher.kt:42)
    at kotlinx.coroutines.scheduling.TaskImpl.run(Tasks.kt:95)
    at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:570)
    at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:749)
    at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:677)
    at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:664)
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
    ... 26 more

[2024-01-30 22:29:07.267] Terminate VPN connection

NazZaR commented 8 months ago

Same here, trying to connect to a Microsoft RRAS SSTP server, getting the same error. The same connection works using SSTP Max.

ikitaez commented 8 months ago

This error means that you use a certificate which is not trusted by Android/the app. To fix it, go to the app settings and uncheck Verify Hostname, then enable Specify Trusted Certificates and put your certificate in any specified directory.

I didn't check it in the Google Play version, but this works with the latest 1.7.1 and a MikroTik self-signed certificate.

mhtvsSFrpHdE commented 7 months ago

Update: My fault, I typed the wrong port number. The server has two ports: one is CA-trusted, one is self-signed. The CA-trusted one works.

This is more like a bug than a wrong user configuration. The same server can be connected to directly using the Windows 10 and 11 built-in SSTP client without placing cert files manually.

Copying the cert manually does indeed work temporarily; however, the cert is updated every few weeks.

Similar exception: https://github.com/axios/axios/issues/5271

mhtvsSFrpHdE commented 7 months ago

I hope that when the app discovers the server's cert is not trusted, it shows a dialog that says "could not verify server's cert" and prints server cert information like issued to, issued by, and valid from; this can help better identify problems.

The current notification OSC: ERR_UNEXPECTED provides too little information.