Certificate validation failed with user's installed trusted CA certificates

Issue Type

  • Bug Report
  • Feature Request
  • Support Question

Description

I manually installed a CA certificate on the device, and the browser works as expected with no warning about the SSL certificate. But that does not happen in my Cordova app. I got an exception about failed certificate validation when an ajax request is executed.

Should app work with manually installed roots?

Information

Command or Code

Environment, Platform, Device

All Android devices. We tried Android 7 and 9.

It worked on iOS with manually installed profiles, but starting with 13.4 (or previous) it stopped working too with new iOS updates.

Version information

	"cordova-android": "^9.0.0",
	"cordova-custom-config": "^5.1.0",
	"cordova-plugin-auth-dialog": "^0.1.6",
	"cordova-plugin-camera": "^4.1.0",
	"cordova-plugin-compat": "^1.2.0",
	"cordova-plugin-device": "^2.0.3",
	"cordova-plugin-emm-app-config": "^1.0.2",
	"cordova-plugin-file": "^6.0.2",
	"cordova-plugin-file-transfer": "^1.7.1",
	"cordova-plugin-infineatab": "https://479448df5207086fa68a60b812db8a61af4b955e@github.com/Korber-Supply-Chain-Product-Development/cordova-plugin-infineatab.git",
	"cordova-plugin-inappbrowser": "^3.2.0",
	"cordova-plugin-network-information": "^2.0.2",
	"cordova-plugin-statusbar": "^2.4.3",
	"cordova-plugin-whitelist": "^1.3.4",
	"cordova-plugin-zeep": "0.0.4"

Checklist

  • I searched for already existing GitHub issues about this
  • I updated all Cordova tooling to their most recent version
  • I included all the necessary information above

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 7 (2 by maintainers)

Top GitHub Comments

2 reactions
faugusztin commented, Oct 28, 2020

Certificates for your application need to be configured using the network config file; documentation is at https://developer.android.com/training/articles/security-config

For your use case, you want to add a network_security_config.xml file to the res/xml folder:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <!-- Trust preinstalled CAs -->
            <certificates src="system" />
            <!-- Additionally trust user added CAs -->
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>

By default, apps trust only preinstalled CAs exclusively.

The change was introduced in API 24: https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html

Apps that target API Level 24 and above no longer trust user or admin-added CAs for secure connections, by default.

1 reaction
dpogue commented, Dec 20, 2021

That looks like what I want to do. Can I get the Cordova build to do this for me?

Yes. Create a network_security_config.xml file somewhere, and add it to your config.xml as a resource-file to be copied into the Android platform, and then use edit-config to point the AndroidManifest to it:

<!-- in your config.xml file -->
<platform name="android">
  <resource-file src="path/to/network_security_config.xml" target="app/src/main/res/xml/network_security_config.xml" />

  <edit-config file="app/src/main/AndroidManifest.xml" mode="merge" target="/manifest/application">
    <application android:networkSecurityConfig="@xml/network_security_config" />
  </edit-config>
</platform>
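
Added example (not part of the GitHub thread or of Cordova): a Python check, suitable for running before the build copies the file into the platform, that reports where a network_security_config.xml trusts user-added CAs. The base-config from the first comment applies to every host in release builds, while domain-config and debug-overrides narrow that scope. The second sample config and the host intranet.example.com are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Config from the first comment: user-added CAs trusted for every connection.
PAGE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config>
    <trust-anchors>
      <certificates src="system" />
      <certificates src="user" />
    </trust-anchors>
  </base-config>
</network-security-config>"""

# Constructed sample: user CAs limited to one hypothetical host and to debug builds.
SCOPED_CONFIG = """<network-security-config>
  <domain-config>
    <domain includeSubdomains="true">intranet.example.com</domain>
    <trust-anchors><certificates src="system" /><certificates src="user" /></trust-anchors>
  </domain-config>
  <debug-overrides>
    <trust-anchors><certificates src="user" /></trust-anchors>
  </debug-overrides>
</network-security-config>"""


def trusts_user(node):
    """True if this element's own <trust-anchors> lists src="user"."""
    return any(c.get("src") == "user"
               for c in node.findall("trust-anchors/certificates"))


def user_ca_scopes(xml_text):
    """Return (scope, hosts) pairs for each place user-added CAs are trusted."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    found = []
    # base-config covers all hosts; debug-overrides covers all hosts in debuggable builds.
    for tag in ("base-config", "debug-overrides"):
        found += [(tag, ("*",)) for n in root.findall(tag) if trusts_user(n)]

    def walk(parent):  # <domain-config> elements may be nested
        for node in parent.findall("domain-config"):
            if trusts_user(node):
                hosts = tuple((d.text or "").strip() for d in node.findall("domain"))
                found.append(("domain-config", hosts))
            walk(node)

    walk(root)
    return found
```

A `("base-config", ("*",))` entry means a release build accepts any CA the device user has installed, for any host; the other two scopes confine that trust to the listed hosts or to debuggable builds.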