3

I am creating an Android application with Cordova and the AeroGear PushPlugin, which uses HTTPS for communication with the unified push server. I use a valid CA certificate (TLS 1.2 support) on my server.

When executing `cordova run android`, it returns this error on my device:

    error javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

Note that I added the certificate in:

platforms/android/res/raw/myCert.crt

And this tag in the config.xml:

    <platform name="android">
        <network-security-config>
            <base-config cleartextTrafficPermitted="true">
                <trust-anchors>
                    <certificates src="myCert.crt" />
                </trust-anchors>
            </base-config>
        </network-security-config>
    </platform>

I followed several proposed solutions, but they don't work for my case.

Thanks for the help.

يعقوب
  • There is no suggestion!! – يعقوب Jun 14 '17 at 07:25
  • Which Android version are you testing on? If it's 5.0 or greater, which WebView version are you using? There were some versions that had trouble connecting with trusted certificates because of a bug, but it should be fixed in the latest WebView. I'm not sure what you are trying to achieve by adding that to your config.xml, but that won't do anything to your app. – jcesarmobile Jun 28 '17 at 17:51
  • I use **Android 6.0.0**. I used the documentation at the link below: https://developer.android.com/training/articles/security-config.html#CertificatePinning – يعقوب Jun 30 '17 at 12:25
  • As you use Android 6, can you check your WebView version? (Settings -> Apps -> Android System WebView). That link talks about the res/xml/network_security_config.xml file, which is different from Cordova's config.xml; you will need a resource-file tag or a hook to create that file. – jcesarmobile Jun 30 '17 at 13:29
  • The problem was in my CA in my UPS server :) Thanks for the help – يعقوب Jul 07 '17 at 13:10

1 Answer

1

It was a certificate generation problem in the UPS WildFly server.

If you have a certification authority (CA) delivered by a trust provider, follow these steps:

1- You must first convert the PEM certificate delivered by your provider to p12 with this command:

    # (the PEM file contains -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----)
    $ openssl pkcs12 -export -out yourCertificateGenerate.p12 -inkey yourCertificatekey.key -in certifacteDelivedFromProvider.pem -certfile yourCertificateFromProvider.pem

2- Create the local keystore (it will be yourCertificategenerate.jks) with this command, and copy it to the standalone/configuration directory:

    $ keytool -importkeystore -deststorepass yourpassword -destkeypass yourpassword -destkeystore yourNewCertificateGenerate.jks -srckeystore yourCertificateGenerate.p12 -srcstoretype PKCS12 -srcstorepass ""

To check the certification chain:

    # s_client needs host:port; 443 is the default HTTPS port, use your server's port
    $ openssl s_client -connect yourDomaine.com:443 -debug

If everything is OK, you should have something like this: [image]

يعقوب
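The following is an added example, not part of the original answer: it shows why the `-certfile` argument in step 1 matters, by checking a leaf certificate against a trusted root with and without the intermediate, then counting the certificates that end up in the PKCS#12 file. It assumes the handshake error came from a server keystore that lacked the provider's intermediate certificate (the post only says "certificate generation problem"); all function names, file names and CNs are made up for the demo.

```shell
#!/bin/sh
# Added example: every key and certificate is a throwaway generated here;
# file names and CNs are placeholders, not values from the post.
set -eu

# mk_cert NAME ISSUER EXTFILE  (ISSUER "-" = self-signed, EXTFILE "-" = none)
mk_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo $1" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
    if [ "$2" = "-" ]; then sign="-signkey $1.key"
    else sign="-CA $2.pem -CAkey $2.key -CAcreateserial"; fi
    if [ "$3" = "-" ]; then ext=""; else ext="-extfile $3"; fi
    # $sign and $ext are deliberately unquoted so they split into options
    openssl x509 -req -in "$1.csr" $sign $ext -days 2 -out "$1.pem" >/dev/null 2>&1
}

# make_chain: root CA -> intermediate CA -> server leaf; prints the work dir
make_chain() {
    d=$(mktemp -d)
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    ( cd "$d"
      mk_cert root - ca.ext
      mk_cert inter root ca.ext
      mk_cert leaf inter - )
    echo "$d"
}

# chain_ok DIR [UNTRUSTED]: does leaf.pem validate when only root.pem is trusted?
# UNTRUSTED plays the role of the extra certificates a server sends.
chain_ok() {
    ( cd "$1"
      if [ -n "${2:-}" ]; then u="-untrusted $2"; else u=""; fi
      openssl verify -CAfile root.pem $u leaf.pem 2>&1 | grep -q ': OK$' )
}

# p12_cert_count DIR [CERTFILE]: certificates stored by the answer's export step
p12_cert_count() {
    ( cd "$1"
      if [ -n "${2:-}" ]; then c="-certfile $2"; else c=""; fi
      openssl pkcs12 -export -out srv.p12 -inkey leaf.key -in leaf.pem $c -passout pass: >/dev/null 2>&1
      openssl pkcs12 -in srv.p12 -nokeys -passin pass: 2>/dev/null | grep -c 'BEGIN CERTIFICATE' )
}

dir=$(make_chain)
chain_ok "$dir"           && echo "leaf alone: trusted" || echo "leaf alone: no path to a trust anchor"
chain_ok "$dir" inter.pem && echo "leaf + intermediate: trusted" || echo "leaf + intermediate: rejected"
echo "certs in p12 without -certfile: $(p12_cert_count "$dir")"
echo "certs in p12 with -certfile:    $(p12_cert_count "$dir" inter.pem)"
```

A keystore built from the one-certificate file can only present the leaf, which is the situation the first `chain_ok` call reproduces on the client side.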