58

Is it safe to ignore this warning? It shows up when I create a new project in Android Studio:

Server's certificate is not trusted

Certificate details

Issued To

CN (Common Name)       *.google.com
O (Organization)       Google Inc
L (Locality)           Mountain View
C (Country)            US
ST (State or Province) California

Issued By

CN (Common Name)       Google Internet Authority G2
O (Organization)       Google Inc
C (Country)            US

Validity Period

Valid from:            9/24/14
Valid until:           12/23/14

...

The date looks alright and I checked my computer's date settings to be sure. Why else would it be "not trusted"?

szx

7 Answers

88

Android Studio has a configuration for Server Certificates (This works for other IntelliJ platforms like PyCharm as well)

In newer IntelliJ versions it is in File->Settings->Tools->Server Certificates, as mentioned in the comments.

Myself, I just selected the Accept Automatically check box, hit Apply and never had to deal with it. If you are worried about security, there is also the option to add them one at a time as they come up.

In my case I did this because I already had a *.google.com certificate configured as accepted, but I still got the popup. I suspect that the fingerprint changed and if I had deleted it and then accepted it again, the error would have gone away, but I decided to just make it go away by selecting the check box.

Brian S
  • 13
    In IntelliJ IDEA 15, the checkbox is here: **File > Settings ... > Tools > Server Certificates > Accept non-trusted certificates automatically** – ROMANIA_engineer Jan 06 '16 at 09:42
  • 4
    You're down voting my answer because I chose to do it? I never said you should do it. And if the NSA wants to push new SDKs to my dev environment, the world must not be so scary anymore. – Brian S Mar 01 '16 at 17:53
  • Yes. It is less optimal than adding the certificates that you need. Given someone coming to the site and looking for a quick solution their first option should be to add the certificates rather than blindly trust all unsigned – chrisortman Mar 21 '16 at 15:16
  • An update, with Android Studio 2.2.3 (and possibly earlier) navigate to *File > Settings > Tools > Server Certificates* – Al Lelopath Dec 20 '16 at 15:52
  • 3
    I accepted non-trusted certificates as mentioned in the post and comments, but nothing worked. Seeing "Error:Cause: unable to find valid certification path to requested target" – blackkara Mar 09 '18 at 08:47
  • 1
    Thank you for this answer, but is this also used for unit tests? I still get an SSL Handshake exception, but with Postman it just works. – Geert Berkers Apr 20 '18 at 09:29
  • Why is it popping up in the first place? – Tupio Jul 23 '18 at 14:15
23

It is not safe to ignore that warning. Someone could be attempting a man-in-the-middle attack with a fake certificate in order to install malicious software on your computer through the update process. This probably isn't happening but it's always better to do things correctly when it comes to security.

You should instead add root certificates you trust to the Android Studio keystore. The location and default password of the keystore should be listed at the bottom of that warning. For example, mine is at ~/Library/Caches/AndroidStudio/tasks/cacerts. Next you'll want to find the root certificate in the chain the server is presenting. Unfortunately the warning doesn't list the whole chain so it takes a little work to find it. The Google Internet Authority G2 certificate is the same one that is used to sign the certificates for Google's sites. You can view the chain in Chrome by going to google.com, clicking on the green lock, then "Certificate Information" in the connection tab. At this point you can verify that the hashes in the warning match the hashes for the real G2 certificate. You'll also see that the root certificate is named Equifax Secure Certificate Authority. You can download it from https://www.geotrust.com/resources/root-certificates/. Next you'll need to add it to the keystore:

```
keytool -import -alias equifaxca \
-file Equifax_Secure_Certificate_Authority.pem -keystore cacerts
```

Finally, restart Android Studio. That warning should not appear again until August 22, 2018 unless someone is actually presenting a fake certificate.

user695022
  • 1
    I faced the same issue some time back and resolved it by adding the certificate in the cacerts file. But now when I try to update Android Studio, it fails with the following message: Android Studio update failed cacerts modified. Have you tried updating Android Studio after modifying the cacerts file? – Monish Kamble Mar 19 '19 at 11:51
  • @MonishKamble I haven't done android development for some time, but yes, I was able to update several times over the years after modifying the cacerts file. I would ask about your error message in a new question. – user695022 Mar 19 '19 at 13:01
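The answer above says to check that the hashes match before trusting a CA file. The following added example (not part of the answer, and not Android Studio code) performs that check and only then builds the `keytool` command; `ca.pem` and the function names are assumptions, the alias and keystore name come from the answer's command, and `-importcert` is keytool's current name for `-import`.

```python
import base64
import hashlib
import hmac
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def fingerprints(pem_text, algo="sha256"):
    """Hex fingerprint of every certificate in a PEM file or bundle."""
    ders = (base64.b64decode("".join(b.split()))
            for b in PEM_CERT.findall(pem_text))
    return [hashlib.new(algo, der).hexdigest() for der in ders]


def normalize(fp):
    """Accept a bare 'AB:CD:...', 'ab cd ...' or plain hex fingerprint value."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def import_command(pem_path, pem_text, expected_fp, alias, keystore):
    """Return the keytool argv only if the file holds exactly one certificate
    matching the fingerprint obtained out of band; otherwise raise."""
    want = normalize(expected_fp)
    algo = {40: "sha1", 64: "sha256"}.get(len(want))
    if algo is None:
        raise ValueError("expected a SHA-1 or SHA-256 fingerprint")
    found = fingerprints(pem_text, algo)
    if len(found) != 1:
        raise ValueError("expected 1 certificate, found %d" % len(found))
    if not hmac.compare_digest(found[0], want):
        raise ValueError("fingerprint mismatch, refusing to import")
    return ["keytool", "-importcert", "-alias", alias,
            "-file", pem_path, "-keystore", keystore]


# Constructed sample: filler bytes in PEM armour, not a real certificate.
SAMPLE_DER = b"constructed sample, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    fp = hashlib.sha256(SAMPLE_DER).hexdigest()  # stands in for the published value
    print(import_command("ca.pem", SAMPLE_PEM, fp, "equifaxca", "cacerts"))
```

The expected fingerprint has to come from a source other than the connection that raised the warning, such as the CA's own download page fetched over an already trusted connection.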
14

I ran into this problem after adding a maven repository with an SSL certificate signed by a non-standard Certificate Authority (CA).

When running the gradle build for my project from my command line, everything worked fine (I had added the custom CA to my machine Java installation cacerts). I had a problem running the build from Android Studio however, and was getting errors like this:

```
> Could not resolve joda-time:joda-time:2.9.9.
  > Could not get resource 'https://custom-maven-repo.com/repository/releases/joda-time/joda-time/2.9.9/joda-time-2.9.9.pom'.
    > Could not GET 'https://custom-maven-repo.com/repository/releases/joda-time/joda-time/2.9.9/joda-time-2.9.9.pom''.
      > sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        > PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
          > unable to find valid certification path to requested target
```

I downloaded the pem file for the custom CA, called my-ca.pem. I tried adding this to Android Studio in Preferences -> Tools -> Server Certificates, but that didn't fix it.

I noticed that Android Studio uses an embedded JDK (File -> Project Structure -> SDK Location -> JDK Location) at /Applications/Android Studio.app/Contents/jre/jdk/Contents/Home. In order to get the certificate accepted, I ran (on Mac OS X) these commands to add the certificate, then kill the Android Studio java process:

```
# Import the custom CA into the cacerts of Android Studio's embedded JDK
/Applications/Android\ Studio.app/Contents/jre/jdk/Contents/Home/bin/keytool -import -alias my-ca -keystore /Applications/Android\ Studio.app/Contents/jre/jdk/Contents/Home/jre/lib/security/cacerts -storepass changeit -file path/to/my-ca.pem -noprompt
# Kill the Android Studio java process so the updated store is reloaded
kill -9 $(ps -A | grep java | grep "Android Studio" | grep -v grep | awk '{print $1}')
```

Running the gradle build from Android Studio then worked.

An alternative solution is to set up Android Studio to use a custom JDK on your machine which has the CA certificate installed, using the menu in File -> Project Structure -> SDK Location -> JDK Location.

oggmonster
  • Your answer really helped, I was struggling with this issue for the last 3-4 days and did not observe that Android Studio was using its own SDK where the cacerts did not have all the certs. After adding the certs there, my issue got resolved. Thanks a lot, really appreciate your answer. – ankit deora Apr 23 '20 at 17:27
  • 1
    I have an answer to a similar question on another thread, if somebody wants to check it out, it may help: https://stackoverflow.com/a/64997148/1971428 – Carlos B. Flores Nov 25 '20 at 02:04
  • Perfect! I have almost wasted 5 hrs to resolve it. Ended up uninstalling & reinstalling react-native – yokks Dec 17 '20 at 23:31
  • I had the exact opposite problem. Everything worked fine from Android Studio while our build server uses the command line and got this error. It wasn't until this answer that I realized that there was a separate cacerts in the java installation. You can find the java installation with the following command `/usr/libexec/java_home`. – Wirling Dec 15 '21 at 09:27
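The answer and comments above turn on two JDKs each having their own `cacerts`. As an added example (not code from the answer or from Android Studio), this sketch parses two JKS trust stores and reports which CA certificates the first trusts and the second lacks. It assumes JKS-format stores holding only trusted-certificate entries, with the `changeit` password used in the answer's command; the function names and sample entries are constructed for illustration.

```python
import hashlib
import struct

MAGIC, SALT = 0xFEEDFEED, b"Mighty Aphrodite"   # fixed values of the JKS format

def _digest(password, body):   # SHA-1(UTF-16BE password + salt + contents)
    return hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()

def _utf(buf, pos):
    # Java writeUTF string: 2-byte big-endian length, then the bytes.
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def trusted_fingerprints(jks, password="changeit"):
    """Map alias -> SHA-256 fingerprint of each trusted-cert entry in a JKS."""
    body, tail = jks[:-20], jks[-20:]
    magic, version, count = struct.unpack_from(">III", body, 0)
    if magic != MAGIC or version not in (1, 2):
        raise ValueError("not a JKS keystore (newer JDKs may ship PKCS12)")
    if _digest(password, body) != tail:
        raise ValueError("wrong password or keystore was modified")
    pos, found = 12, {}
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", body, pos)
        if tag != 2:                       # cacerts holds only trusted certs
            raise ValueError("unsupported entry type %d" % tag)
        alias, pos = _utf(body, pos + 4)
        pos += 8                           # skip the creation timestamp
        if version == 2:                   # v2 adds a type string ("X.509")
            _, pos = _utf(body, pos)
        (n,) = struct.unpack_from(">I", body, pos)
        found[alias] = hashlib.sha256(body[pos + 4:pos + 4 + n]).hexdigest()
        pos += 4 + n
    return found

def only_in_first(first, second, password="changeit"):
    """Entries trusted by `first` whose certificate is absent from `second`."""
    have = set(trusted_fingerprints(second, password).values())
    mine = trusted_fingerprints(first, password)
    return {alias: fp for alias, fp in mine.items() if fp not in have}

def build_sample_jks(certs, password="changeit"):   # constructed test data
    body = struct.pack(">III", MAGIC, 2, len(certs))
    for alias, der in certs.items():
        body += struct.pack(">IH", 2, len(alias)) + alias.encode()
        body += struct.pack(">QH", 0, 5) + b"X.509"
        body += struct.pack(">I", len(der)) + der
    return body + _digest(password, body)
```

On real files, pass the bytes of the command-line JDK's `cacerts` as `first` and the embedded JDK's `cacerts` as `second`; a non-empty result names the CA that one build path trusts and the other does not.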
9

For Mac Operating System it is in the menu Android Studio->Preferences->Tools->Server Certificates.

In the top of the right side window select the checkbox Accept non-trusted certificates automatically. Hit apply and ok.

Saleh Enam Shohag
  • In a corporate environment behind a firewall with corporate root self-issued certificate: Instead of checking Accept non-trusted certificates automatically, click the plus add button in the Accepted certificates section of the dialog and add your corporate self-issued certificate (export it from the mac KeyChain app Login or System certificates). – farid_z May 03 '19 at 15:07
1

As of Android Studio 1.5.1 you can go to Preferences -> Tools -> Server Certificates and click the + button to manually add certificates that should be trusted.

chrisortman
0

It is missing the system certificate specific to Java. If you are using Ubuntu and Oracle JRE/JDK, install the ca-certificates-java package.

Quang Ngô
-3

I followed the SELF_SIGNED_CERT_IN_CHAIN error a lot. Solving npm in node.js solves the certificate problem.

```
npm config set cafile /path/to/cert.pem
```

See below https://mmx5002.blogspot.com/2020/02/selfsignedcertinchain.html

Ru Chern Chong