Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Error while connecting with TLS certificates

See original GitHub issue

I’m trying to connect to the server with the self-signed TLS client certificates (created with generate-CA.sh), but I’m having some issues.

2022-06-05 22:51:15.979 D MessageProcessor: message:TLS setup failed: error constructing MAC: java.security.InvalidKeyException: No installed provider supports this key: com.android.org.bouncycastle.jcajce.PKCS12Key, 
2022-06-05 22:51:15.980 D BackgroundService: endpoint state changed Error. Message: TLS setup failed: error constructing MAC: java.security.InvalidKeyException: No installed provider supports this key: com.android.org.bouncycastle.jcajce.PKCS12Key
java.io.IOException: error constructing MAC: java.security.InvalidKeyException: No installed provider supports this key: com.android.org.bouncycastle.jcajce.PKCS12Key
	at com.android.org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.engineLoad(PKCS12KeyStoreSpi.java:852)
	at java.security.KeyStore.load(KeyStore.java:1484)
	at org.owntracks.android.support.SocketFactory.<init>(SourceFile:304)
	at org.owntracks.android.services.MessageProcessorEndpointMqtt.getMqttConnectOptions(SourceFile:186)
	at org.owntracks.android.services.MessageProcessorEndpointMqtt.connectToBroker(SourceFile:177)
	at org.owntracks.android.services.MessageProcessorEndpointMqtt.sendMessage(SourceFile:30)
	at org.owntracks.android.services.MessageProcessor.lambda$sendAvailableMessages$0(Unknown Source:2)
	at org.owntracks.android.services.MessageProcessor.$r8$lambda$bVYaIhYhXtJCzBaSxWOGtcUu6f8(Unknown Source:0)
	at org.owntracks.android.services.MessageProcessor$$ExternalSyntheticLambda1.call(Unknown Source:4)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at android.os.Handler.handleCallback(Handler.java:938)
	at android.os.Handler.dispatchMessage(Handler.java:99)
	at android.os.Looper.loopOnce(Looper.java:226)
	at android.os.Looper.loop(Looper.java:313)
	at android.os.HandlerThread.run(HandlerThread.java:67)

Here’s what I’ve tried so far:

Turn off TLS and verify that the recorder config is correctly set up
Used mosquitto_pub and mosquitto_sub to verify that certs generated with generate-CA.sh are working fine
Reinstall the app
Tried with new users/certs
Verified that I’m using the same CA for the server/client cert.

…but no luck so far. Not sure what’s wrong, but my only guess is that either openssl is generating incorrect .p12 file or the OS/app somehow can’t find the API required to open PKCS12 file.

Here are some additional information that can help the debugging process:

I’ve used the following command to create .p12 file from the existing crt/key file. openssl pkcs12 -export -in name.crt -inkey name.key -name "name-cert" -out name.p12
When I tried to add name.p12 file in the system settings, it did not accept the password I put in. It’s a very simple password and I’ve verified it multiple times. Perhaps this is somehow related?

App build number: 2.4.8, 20408019
Android version: 12
Device: Galaxy S21 Ultra
Installation source: Google play

Thanks for all the help!

Issue Analytics

State:
Created a year ago
Comments:35

Top GitHub Comments

1reaction

lerracommented, Nov 6, 2022

Alright, big thanks again for helping out, i really appreciate it and sent a donation.

On Sun, Nov 6, 2022, 21:16 Andrew Rowson @.***> wrote:

Great to hear, I’ll get that BC vendor change merged for the next release.

For sponsorships, we use liberapay.com/owntracks.org

— Reply to this email directly, view it on GitHub https://github.com/owntracks/android/issues/1225#issuecomment-1304884769, or unsubscribe https://github.com/notifications/unsubscribe-auth/AEJZPFT2KYP6ACMERK5N3YLWHAG2RANCNFSM5X6N4ZOQ . You are receiving this because you were mentioned.Message ID: @.***>

1reaction

lerracommented, Nov 4, 2022

Confirmed, screenshot of the apk you sent in working state with client certificate and then i exported and imported the config to the lastest version from Google play and it does not work 😃

Big thanks for the great support!

Latest version in google play:

The apk you uploaded yesterday: Screenshot_2022-11-04-20-03-30-59_9951077289cab6671e6adf4f98f78cdd.jpg

Btw, any plans to enable github sponsors on the repo ?

Top Results From Across the Web

How to Fix the SSL/TLS Handshake Failed Error? - AboutSSL

The name on the certificate doesn't match with the hostname in the URL. Incomplete or invalid certificate chain. The SSL/TLS Certificate is expired...

How to Fix the SSL/TLS Handshake Failed Error - SSL2BUY

Failure of the SSL handshake process may be due to many reasons: a mismatch in the protocols as stated below. When a request...

How to Fix the SSL/TLS Handshake Failed Error?

Some common fixes to the SSL/TLS handshake failed error: · Visit SSL Labs. · Click on Projects. · Click on SSL Client Test....

Rehash: How to Fix the SSL/TLS Handshake Failed Error

The TLS Handshake Failed error can originate from the client or the server, here's a guide for fixing the problem for both users...

What is Invalid TLS/SSL Certificate Error and How to Fix it?

One of the most common reasons behind a TLS/SSL error is misconfiguration of your certificate during installation. If you have made any mistake ......