Author
mihanentalpo
User
  • Total Posts : 0
  • Reward points: 0
  • Joined: 2022/02/12 06:21:25
  • Status: offline
2022/02/12 10:06:49 (permalink)

Cannot open page with ssl certificate, signed by my own certificate authority

Hello! I'm an almost happy user of Voice Aloud Reader with a paid license.
Everything is fine except one major problem:
I'm using my own SSL certificate authority to create a self-signed SSL certificate for my website with some books.
I've added the SSL CA certificate to my Android device, so all the browsers trust it and certificates signed by it, and can open links from that site.
But not Voice Aloud Reader.
When I try to open a link from my site with a certificate signed by my authority, I get this error message:

Error loading page <site url goes here>
Exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

Please, could you add functionality so that Voice Aloud Reader could load links with SSL certificates signed by a certificate authority which is added to the Android certificate store?

I can help you with reproducing this error in your environment (I'm not going to send you my SSL CA cert and ask you to install it, as it would be a security risk for you).

6 Replies

    Admin
    Administrator
    • Total Posts : 275
    • Reward points: 0
    • Joined: 2010/11/22 00:00:00
    • Location: USA
    • Status: offline
    Re: Cannot open page with ssl certificate, signed by my own certificate authority 2022/02/12 10:38:18 (permalink)
    @Voice can still open "unsecure" http links, in addition to https - will your site permit this? Another possibility - when you get this message, try pressing the "Reload or clear" button on top (circular arrows icon), then press "Load from browser...". See what happens there - can you press some buttons to enable loading a page with an "untrusted" certificate, like you would do in a regular browser? If it does let you do this and the desired page finally loads, press the loudspeaker icon near bottom-right to load the text into @Voice reader screen. I could test this myself, but you would need to send me a link to at least one such page. If the pages are confidential, create a dummy page with whatever text for testing, and send me a link by email. No need to post it publicly in the Forum.
     
    Greg
    Admin
    Administrator
    Re: Cannot open page with ssl certificate, signed by my own certificate authority 2022/02/12 10:44:24 (permalink)
    OK, I found a sample to test: https://self-signed.badssl.com. My advice to use "Load from browser..." does not work, and at this time I don't know how to allow the Android WebView control to open pages with untrusted certificates. Will investigate. Try an http link, or consider using free Certify the Web certificates on your web site; they work normally and without any problems. You just need to renew the certificate every 3 months, but most web servers can be configured to do this automatically.
     
    Greg
     
     
    mihanentalpo
    User
    Re: Cannot open page with ssl certificate, signed by my own certificate authority 2022/02/12 13:21:15 (permalink)
    Thanks for the answer! Your experiment with https://self-signed.badssl.com does not quite correctly represent my situation.
    Let me explain all the conditions:
    1) I created my own Certificate Authority (CA) with the help of the tool mkcert (https://github.com/FiloSottile/mkcert)
    The CA has its own certificate files (private and public keys).
    2) When I created a certificate for my domain, I signed it with my CA certificate.
    3) Of course, if at this point I try to open my domain in a browser, it complains about "Bad SSL Cert".
    4) I added my CA certificate to my Android system.
    5) And now all the browsers trust my certificate.
     
    Now, to reproduce this situation:
    1) I created a NEW CA certificate of my own.
    2) I've generated a certificate for the domain https://self-signed.mihanentalpo.me/
    3) If you open it in any browser you'll get the error NET::ERR_CERT_AUTHORITY_INVALID
    4) But if you install my CA certificate into your system, there will be no problem with this site.
     
    Here is the CA certificate (sorry for all the text)
    -----BEGIN CERTIFICATE-----
    MIIExTCCAy2gAwIBAgIQbzkfP+GbPPlDnYEnGyBrFzANBgkqhkiG9w0BAQsFADB7
    MR4wHAYDVQQKExVta2NlcnQgZGV2ZWxvcG1lbnQgQ0ExKDAmBgNVBAsMH21paGFu
    ZW50YWxwb0BtaWhhbmVudGFscG9TZWNvbmQxLzAtBgNVBAMMJm1rY2VydCBtaWhh
    bmVudGFscG9AbWloYW5lbnRhbHBvU2Vjb25kMB4XDTIyMDIxMjE3NTUyMFoXDTMy
    MDIxMjE3NTUyMFowezEeMBwGA1UEChMVbWtjZXJ0IGRldmVsb3BtZW50IENBMSgw
    JgYDVQQLDB9taWhhbmVudGFscG9AbWloYW5lbnRhbHBvU2Vjb25kMS8wLQYDVQQD
    DCZta2NlcnQgbWloYW5lbnRhbHBvQG1paGFuZW50YWxwb1NlY29uZDCCAaIwDQYJ
    KoZIhvcNAQEBBQADggGPADCCAYoCggGBAN5xpwjl98MPFj4CktRvdDIKSJ+A9ScF
    AtSO7rve8Qz3LUA43yrUi01feST2WSnq1kcvkvRPAetydCPy7cAFx5E7DMCuY69P
    7X+oYoB2u8sY1pl85tJSWy5J7voHc8q3HDm3kvlXobypnEAit6laPJI1q7xjpUXA
    70rG5NqOowGgdaZCJTq0VUv6ZmXtOzwpW4GCeXMwEnvj3OGo1gkrIVqPWwSOYaqi
    TDgBPgcJDyH3DdvyN4P/nOV20tygcF/5bux03JekLLjX6QVfEuYbSbLOlh+LD33S
    nqfodmXWz3Ri8MEGfA74lV1yNcgRsVkG2+GEp8bEFKHGslotCxU9WQKuv8WuP9t9
    e9ItDCa9NGO+5ZIAuStkhIf+w6WRjUPwd40NBBUsZxpbk7k+5TEqKkhoO6wUN7+5
    rr8ex2xa/ulxJWWk8QtEDlR/B4Bsok8BbmWO9RaMPG+XZbD0XEVWzFxw4LQ136P+
    zz1MbzMLJRa75pjYJED4d3jtdtOS74rjRQIDAQABo0UwQzAOBgNVHQ8BAf8EBAMC
    AgQwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU+eUdio+i/GqKyMJN/JnC
    dw62tTowDQYJKoZIhvcNAQELBQADggGBAIREnQshvFmunnzlmtZv9Bp8z6Nb9dU/
    0wrD55GUZVBqUHK5zoq9C0BXljTJr04ZvWFZ6ebGouh4R7SbyoRJS6w1AEDcnb26
    rSoXJ7SEV4Njfo5XH+iDWrS5IIYW+cy0QMS2rTNz14lkZhT5afsSHqvGBRi+NSjA
    ObnYhqGi7zeonUWM4zFHpUBzfHZoHTTEkUd8SJMxlrle4l+eBd9UWzUypNDaZlBz
    2H2YTbN844rL2lvqsdclfMwaixuCRlvvE7UuASrPPPVse9sedta5LHPNeUWOTS/u
    yQ4qJsPdecfeVpfovePbsPlJyk+iiHKSVETAQFq8HOR845msm62f6UZ+dzuwgSYI
    4SgIdn+QvXnmCYPR+zqxD/e/QYIyv3Pdadx4Hlcc9xMwbZS9M30A+lik5w4q6P6n
    k/CKc80D5kmAYMmVCm0BF6pZw7fBfniIg8mkrTUa/4knF/TNbOi9OzCxZLU41NRg
    VZ8k3eYI21/7gRKIvRsP5eELmnNtmXEUHQ==
    -----END CERTIFICATE-----

     
    5) It must be saved in a file with a "pem" extension (for example) and uploaded to the Android device.
    Then it should be added to your system as a trusted root certificate.
     
    6) If you have Android 11 or newer, installation should be done as follows:
     

    In Android 11, to install a CA certificate, users need to manually:
    • Open settings
    • Go to 'Security'
    • Go to 'Encryption & Credentials'
    • Go to 'Install from storage'
    • Select 'CA Certificate' from the list of types available
    • Accept a large scary warning
    • Browse to the certificate file on the device and open it
    • Confirm the certificate install

    (Instructions taken from here: https://httptoolkit.tech/blog/android-11-trust-ca-certificates/#whats-changed)
     
    In other versions installation could be different.
     
    7) After the CA certificate is added to your trust store, the site https://self-signed.mihanentalpo.me/ should open normally from any Android browser.
    But not from Voice Aloud Reader.
     
    Now that I've written all this, I'm starting to think that if even reproduction is so hard, why should you bother with a problem that somebody creates for themselves...
     
     
     
    Admin
    Administrator
    Re: Cannot open page with ssl certificate, signed by my own certificate authority 2022/02/12 14:56:17 (permalink)
    Thank you for providing the test certificate and web site! I found out that all that I need to do to accept user installed certificates is to add one line of text in the app's network_security_config.xml. Not sure if Google will permit the app in Google Play that way, we'll see what happens when they review the app. For now you may download version 25.4.7 of @Voice from this web site (https://hyperionics.com/atVoice), and it should work as you expect.
     
    Greg
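
    The "one line" Greg refers to maps onto Android's network security config: since Android 7.0 (API 24) an app that ships no config trusts only the system certificate store, so a CA the user installed under Settings is ignored, which is exactly the "Trust anchor for certification path not found" handshake failure above. The file below is an added illustration of that mechanism, written for this page; it is not @Voice's actual configuration (which is not shown in the thread). The resource path, the manifest attribute and the cleartext setting are assumptions; the domain is the test site posted earlier.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Assumed location: res/xml/network_security_config.xml, referenced from the
     manifest with android:networkSecurityConfig="@xml/network_security_config"
     on the <application> element. -->
<network-security-config>

    <!-- Default for every connection the app makes. With no config at all,
         API 24+ behaves as if only <certificates src="system" /> were listed,
         so a mkcert root installed by the user is not a trust anchor here.
         cleartextTrafficPermitted is assumed, because the thread says the app
         also loads plain http links; API 28+ blocks those by default. -->
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <!-- The added line: also trust CAs the user installed via
                 Settings > Security > Encryption & credentials. Without it,
                 the handshake fails with CertPathValidatorException. -->
            <certificates src="user" />
        </trust-anchors>
    </base-config>

    <!-- Narrower alternative: trust user CAs only for a named host and keep the
         system-only default for everything else. Only workable when the host
         list is known in advance, which is not the case for a general reader
         that opens whatever URL the user pastes. -->
    <domain-config>
        <domain includeSubdomains="true">self-signed.mihanentalpo.me</domain>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </domain-config>

    <!-- Developer-only alternative: honoured in debuggable builds and ignored
         in release builds, so it never ships to end users. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

    Two things a practitioner should check before copying the base-config variant. First, `src="user"` in `<base-config>` means every CA the device owner has ever been talked into installing (a corporate proxy, a "free VPN" that asked for a root, or an interception tool) can now read and modify all of the app's TLS traffic, which is precisely why Android made system-only the default; that trade-off is what Greg is wondering Google Play review will say about. Second, trusting the user store does not relax the rest of path validation: the leaf certificate must still chain to the installed root, be within its validity period and carry the hostname in a Subject Alternative Name, which mkcert does for you when you pass the domain on the command line.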
    mihanentalpo
    User
    Re: Cannot open page with ssl certificate, signed by my own certificate authority 2022/02/13 00:10:38 (permalink)
    I've tried your new version and it works as expected: my website with a self-created certificate successfully loads into Voice Aloud Reader, and everything is fine now.
    Thank you for quick reaction, honestly I thought that my problem could not be solved this fast.

    Thanks for the great application!
    Admin
    Administrator
    Re: Cannot open page with ssl certificate, signed by my own certificate authority 2022/02/13 07:42:35 (permalink)
    Great, thank you for letting me know. Happy reading and listening!
     
    Greg
    © 2022 APG vNext Commercial Version 5.1