Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Can't access home asissatant - Trust anchor for certification path not found.

See original GitHub issue

Home Assistant Android version: latest beta + 2022.11.0

Android version: 13

Phone model: oneplus 8t

Home Assistant version: 2022.12.6 (latest)

Last working Home Assistant release (if known):

Description of problem:

I noticed today while working with the beta version of the app, that I can’t connect to my instance using the external URL (which has a lets encrypt SSL certificate). I’m getting “The home assistant certificate authority is not trusted” (see pic below)

I forced a new issue of SSL certificate, verified I get it in the chrome app on my phone, and still no luck. I checked multiple SSL checker sites, all show everything is great. I left the beta program, reinstalled the app with the latest stable version, and still, the issue persists. I tried rebooting the phone as well without any luck. The only thing that might make sense here is that last night I installed fidler to try and reverse engineer some app communications, and in the progress, I installed a custom certificate and proxied all my communication to the fiddler proxy on my PC, which must have hand shaken its custom self-signed certificate with the app in the background. But by the end of the night, I uninstalled the certificate. My guess is that somehow there is a leftover of it - so I tried installing that certificate again, but that didn’t help either…

Help please - I can’t use home assistant outside my wifi 😃

Traceback (if applicable, to get the logs you may refer to: https://companion.home-assistant.io/docs/troubleshooting/faqs/#android-crash-logs):

12-15 00:13:14.931 30604 30604 E ResourcesImplExt: the AssetManager's apkAsset: ApkAssets{path=<empty> and /product/overlay/NavigationBarMode3Button/NavigationBarMode3ButtonOverlay.apk}
12-15 00:13:14.931 30604 30604 E ResourcesImplExt: the AssetManager's apkAsset: ApkAssets{path=/product/overlay/NavigationBarMode3Button/NavigationBarMode3ButtonOverlay.apk}
12-15 00:13:14.931 30604 30604 E ResourcesImplExt: the AssetManager's apkAsset: ApkAssets{path=/data/resource-cache/com.android.systemui-neutral-DzxN.frro}
12-15 00:13:14.931 30604 30604 E ResourcesImplExt: the AssetManager's apkAsset: ApkAssets{path=/data/resource-cache/com.android.systemui-accent-SBpT.frro}
12-15 00:13:14.971 30604 30604 I oplus.android.OplusFrameworkFactoryImpl: get feature:IOplusDynamicVsyncFeature
12-15 00:13:14.971 30604 30604 I oplus.android.OplusFrameworkFactoryImpl: get feature:IOplusDynamicVsyncFeature
12-15 00:13:14.971 30604 30604 I oplus.android.OplusFrameworkFactoryImpl: get feature:IOplusDynamicVsyncFeature
12-15 00:13:14.977 30604 30604 D UrlRepository: Using external URL
12-15 00:13:14.984 30604 30604 V TextView: notifyAutoFillManagerAfterTextChanged
12-15 00:13:14.984 30604 30604 V AutofillManager: notifyValueChanged(1073741890): ignoring on state FINISHED
12-15 00:13:14.984 30604 30604 V TextView: notifyAutoFillManagerAfterTextChanged
12-15 00:13:14.984 30604 30604 V AutofillManager: notifyValueChanged(1073741890): ignoring on state FINISHED
12-15 00:13:14.984 30604 30604 V TextView: notifyAutoFillManagerAfterTextChanged
12-15 00:13:14.984 30604 30604 V AutofillManager: notifyValueChanged(1073741890): ignoring on state FINISHED
12-15 00:13:14.988 30604 30604 V TextView: notifyAutoFillManagerAfterTextChanged
12-15 00:13:14.988 30604 30604 V AutofillManager: notifyValueChanged(1073741891): ignoring on state FINISHED
12-15 00:13:14.988 30604 30604 V TextView: notifyAutoFillManagerAfterTextChanged
12-15 00:13:14.988 30604 30604 V AutofillManager: notifyValueChanged(1073741891): ignoring on state FINISHED
12-15 00:13:14.988 30604 30604 V TextView: notifyAutoFillManagerAfterTextChanged
12-15 00:13:14.988 30604 30604 V AutofillManager: notifyValueChanged(1073741891): ignoring on state FINISHED
12-15 00:13:15.011 30604 30604 V TextView: notifyAutoFillManagerAfterTextChanged
12-15 00:13:15.011 30604 30604 V AutofillManager: notifyValueChanged(1073741892): ignoring on state FINISHED
12-15 00:13:15.017 30604 30604 V AutofillManager: notifyValueChanged(1073741892): ignoring on state FINISHED
12-15 00:13:15.064 30604 12922 D TrafficStats: tagSocket(144) with statsTag=0xffffffff, statsUid=-1
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: Could not update location.
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: io.homeassistant.companion.android.common.data.integration.IntegrationException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at io.homeassistant.companion.android.common.data.integration.impl.IntegrationRepositoryImpl.updateLocation(IntegrationRepositoryImpl.kt:214)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at io.homeassistant.companion.android.common.data.integration.impl.IntegrationRepositoryImpl$updateLocation$1.invokeSuspend(Unknown Source:15)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:104)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at kotlinx.coroutines.internal.LimitedDispatcher.run(LimitedDispatcher.kt:42)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at kotlinx.coroutines.scheduling.TaskImpl.run(Tasks.kt:95)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:570)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:750)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:677)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:664)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at com.android.org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:363)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at com.android.org.conscrypt.ConscryptEngine.convertException(ConscryptEngine.java:1134)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1089)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:876)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:747)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:712)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.processDataFromSocket(ConscryptEngineSocket.java:858)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.-$$Nest$mprocessDataFromSocket(Unknown Source:0)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at com.android.org.conscrypt.ConscryptEngineSocket.doHandshake(ConscryptEngineSocket.java:241)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at com.android.org.conscrypt.ConscryptEngineSocket.startHandshake(ConscryptEngineSocket.java:220)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:379)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:337)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:209)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:226)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:106)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:74)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:255)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at okhttp3.internal.connection.RealCall$AsyncCall.run(RealCall.kt:517)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1137)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:637)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at java.lang.Thread.run(Thread.java:1012)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:654)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:503)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:423)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:351)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:90)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at com.android.org.conscrypt.ConscryptEngineSocket$2.checkServerTrusted(ConscryptEngineSocket.java:163)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:255)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at com.android.org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1638)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at com.android.org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(Native Method)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at com.android.org.conscrypt.NativeSsl.readDirectByteBuffer(NativeSsl.java:569)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at com.android.org.conscrypt.ConscryptEngine.readPlaintextDataDirect(ConscryptEngine.java:1095)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1079)
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	... 27 more
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
12-15 00:13:15.214 30604 11136 E LocBroadcastReceiver: 	... 40 more
12-15 00:13:15.585 30604 30604 V AutofillManager: requestHideFillUi(null): anchor = null
12-15 00:13:15.604 30604 30604 E mpanion.android: No package ID ff found for ID 0xffffffff.

Screenshot of problem:

4868ce73-7c17-4ad7-a159-462faed6acd3

Additional information:

Issue Analytics

State:
Created 9 months ago
Comments:10 (4 by maintainers)

Top GitHub Comments

1reaction

regevbrcommented, Dec 15, 2022

I figured it out and you are not going to believe it - my cell company enforced some cyber protection bullshit plan on me yesterday (even though i told them not to) as part of the subscription and that is causing the issue. I figured it when i saw in the logs the “bad” certificate was issued by fortinet and then it hit me. Thanks for the help! 🥳 4 hours of my life down the drain for nothing

0reactions

regevbrcommented, Dec 15, 2022

Final report - after talking to the cell provider, the cyber protection was turned off by them and the issue is now resolved 😃 @dshokouhi many thanks for the assistance and patience, it is much appreciated 😃

For anyone encountering this in the future - I managed to see the following in the log:

12-15 02:51:18.300 29472 29472 E WebviewActivity: onReceivedSslError: primary error: 3 certificate: Issued to: CN=bbbbbbbbbbbbbbbb.duckdns.org;
12-15 02:51:18.300 29472 29472 E WebviewActivity: Issued by: 1.2.840.113549.1.9.1=#1614737570706f727440666f7274696e65742e636f6d,CN=FG3K5FTB21900183,OU=Certificate Authority,O=Fortinet,L=Sunnyvale,ST=California,C=US;

You can see there that if failed on validating a certificate from Fortinet which is not part of my CA chain - that is how I figured out that someone else in intervening in the SSL handshake

Top Results From Across the Web

Owntracks duckdns webhook issues - Configuration

This all works great and I have remote access. ... CertPathValidatorException: Trust anchor for certification path not found”.

Owntracks Webhook not working with HA : r/homeassistant

This all works great and I have remote access working. ... CertPathValidatorException: Trust anchor for certification path not found”.

WearOS can connect #1845 - home-assistant/android - GitHub

I just can't connect to the server from the clock, neither by the local ip nor by the ... Trust anchor for certification...

Trust Anchor not found for Android SSL Connection

"The certificate is not signed by a trusted authority (checking against Mozilla's root store). If you bought the certificate from a trusted authority,...

Security with network protocols - Android Developers

A server with a TLS certificate has a public key and a matching private key. ... Trust anchor for certification path not found....