1

I'm working on a Xamarin.Forms app that requires to consume some data exposed in an ASP.NET Core 2.1 API, I'm developing the service and the Xamarin app so everything is running local on MAC OS.

The problem I'm facing is happening when sending a request to the ASP.NET Core API, it seems to be related to the HTTPS protocol enabled by default in ASP.NET Core 2.1, when I run the api it's enabling by default the URL https://localhost:5001 so that is the URL I'm targeting in the Xamarin App.

In Android I can send the request to the API but once the response is sent back, the xamarin app throws the following exception:

Error in AppLoginViewModel.Login Javax.Net.Ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. ---> Java.Security.Cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. ---> Java.Security.Cert.CertPathValidatorException: Trust anchor for certification path not found.
   --- End of inner exception stack trace ---
   --- End of inner exception stack trace ---
  at Java.Interop.JniEnvironment+InstanceMethods.CallVoidMethod (Java.Interop.JniObjectReference instance, Java.Interop.JniMethodInfo method, Java.Interop.JniArgumentValue* args) [0x00069] in <fb2a9245146c43afbafe6628542c6726>:0 
  at Java.Interop.JniPeerMembers+JniInstanceMethods.InvokeAbstractVoidMethod (System.String encodedMember, Java.Interop.IJavaPeerable self, Java.Interop.JniArgumentValue* parameters) [0x00014] in <fb2a9245146c43afbafe6628542c6726>:0 
  at Javax.Net.Ssl.HttpsURLConnectionInvoker.Connect () [0x0000a] in <9c89490198b4401e89a0f0bf9e68c7be>:0 
  at Xamarin.Android.Net.AndroidClientHandler+<>c__DisplayClass43_0.<ConnectAsync>b__0 () [0x0005a] in <9c89490198b4401e89a0f0bf9e68c7be>:0 
  at System.Threading.Tasks.Task.InnerInvoke () [0x0000f] in <5b7c58d953774179ac771c086a8fa093>:0 
  at System.Threading.Tasks.Task.Execute () [0x00000] in <5b7c58d953774179ac771c086a8fa093>:0 
--- End of stack trace from previous location where exception was thrown ---
  at Xamarin.Android.Net.AndroidClientHandler+<DoProcessRequest>d__45.MoveNext () [0x0012e] in <9c89490198b4401e89a0f0bf9e68c7be>:0 
--- End of stack trace from previous location where exception was thrown ---
  at Xamarin.Android.Net.AndroidClientHandler+<SendAsync>d__40.MoveNext () [0x00230] in <9c89490198b4401e89a0f0bf9e68c7be>:0 
--- End of stack trace from previous location where exception was thrown ---
  at System.Net.Http.HttpClient+<SendAsyncWorker>d__49.MoveNext () [0x000ca] in <006b95df38b04983b2ec7f1bf1c32608>:0 
--- End of stack trace from previous location where exception was thrown ---
  at AuditoriasCiudadanas.Mobile.Core.Services.RestService+<Seguridad_ValidarEmailAuditorAsync>d__16.MoveNext () [0x00184] in /Users/jorgeramirez/VSProjects/AuditoriasCiudadanas.Mobile/src/AuditoriasCiudadanas.Mobile.Core/Services/RestService.cs:242 
--- End of stack trace from previous location where exception was thrown ---
  at AuditoriasCiudadanas.Mobile.Core.Services.AuthService+<ValidarEmailAuditor>d__6.MoveNext () [0x0002b] in /Users/jorgeramirez/VSProjects/AuditoriasCiudadanas.Mobile/src/AuditoriasCiudadanas.Mobile.Core/Services/AuthService.cs:28 
--- End of stack trace from previous location where exception was thrown ---
  at AuditoriasCiudadanas.Mobile.Core.ViewModels.AppForgotPasswordViewModel+<ValidarEmail>d__27.MoveNext () [0x0006f] in /Users/jorgeramirez/VSProjects/AuditoriasCiudadanas.Mobile/src/AuditoriasCiudadanas.Mobile.Core/ViewModels/AppForgotPasswordViewModel.cs:82 
  --- End of managed Javax.Net.Ssl.SSLHandshakeException stack trace ---
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
    at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:229)
    at com.android.okhttp.internal.io.RealConnection.connectTls(RealConnection.java:192)
    at com.android.okhttp.internal.io.RealConnection.connectSocket(RealConnection.java:149)
    at com.android.okhttp.internal.io.RealConnection.connect(RealConnection.java:112)
    at com.android.okhttp.internal.http.StreamAllocation.findConnection(StreamAllocation.java:184)
    at com.android.okhttp.internal.http.StreamAllocation.findHealthyConnection(StreamAllocation.java:126)
    at com.android.okhttp.internal.http.StreamAllocation.newStream(StreamAllocation.java:95)
    at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:281)
    at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:224)
    at com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:461)
    at com.android.okhttp.internal.huc.HttpURLConnectionImpl.connect(HttpURLConnectionImpl.java:127)
    at com.android.okhttp.internal.huc.DelegatingHttpsURLConnection.connect(DelegatingHttpsURLConnection.java:89)
    at com.android.okhttp.internal.huc.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:26)
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
    at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:661)
    at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:539)
    at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:495)
    at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:418)
    at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:339)
    at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
    at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:88)
    at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:208)
    at com.android.org.conscrypt.ConscryptFileDescriptorSocket.verifyCertificateChain(ConscryptFileDescriptorSocket.java:404)
    at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
    at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:375)
    at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:224)
    ... 12 more
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
    ... 24 more

In iOS the behavior is the same, the xamarin app throws an exception when receiving the response

Error in AppLoginViewModel.Login System.Net.WebException: An SSL error has occurred and a secure connection to the server cannot be made. ---> Foundation.NSErrorException: Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(
    "<cert(0x7fce57040e00) s: localhost i: localhost>"
), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://localhost:5001/api/auth, NSErrorFailingURLStringKey=https://localhost:5001/api/auth NSUnderlyingError=0x600001fccc60 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x6000023ce400>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
    "<cert(0x7fce57040e00) s: localhost i: localhost>"
)}}, _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataTask <31AF1DE2-4C56-4480-9F1D-0E9B7C7B8D9A>.<1>"
), _kCFStreamErrorCodeKey=-9802, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <31AF1DE2-4C56-4480-9F1D-0E9B7C7B8D9A>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x6000023ce400>, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.}
   --- End of inner exception stack trace ---
  at System.Net.Http.NSUrlSessionHandler+<SendAsync>d__29.MoveNext () [0x001c3] in /Users/builder/jenkins/workspace/xamarin-macios/xamarin-macios/src/Foundation/NSUrlSessionHandler.cs:202 
--- End of stack trace from previous location where exception was thrown ---
  at System.Net.Http.HttpClient+<SendAsyncWorker>d__48.MoveNext () [0x00080] in /Users/builder/jenkins/workspace/xamarin-macios/xamarin-macios/external/mono/mcs/class/System.Net.Http/System.Net.Http/HttpClient.cs:276 
--- End of stack trace from previous location where exception was thrown ---
  at AuditoriasCiudadanas.Mobile.Core.Services.RestService+<Seguridad_ValidarEmailAuditorAsync>d__16.MoveNext () [0x00184] in /Users/me/RestService.cs:242 
--- End of stack trace from previous location where exception was thrown ---
  at AuditoriasCiudadanas.Mobile.Core.Services.AuthService+<ValidarEmailAuditor>d__6.MoveNext () [0x0002b] in /Users/me/AuthService.cs:28 
--- End of stack trace from previous location where exception was thrown ---
  at AuditoriasCiudadanas.Mobile.Core.ViewModels.AppForgotPasswordViewModel+<ValidarEmail>d__27.MoveNext () [0x0006f] in /Users/me/AppForgotPasswordViewModel.cs:82

Is not possible to debug locally using HTTPS? What I need to change to be able to debug the mobile app and the api at the same time?

I will appreciate your help

Anon Dev
  • 1,361
  • 3
  • 14
  • 29
  • When you create a new project it uses a self-signed certificate that isn't trusted by anyone outside the machine that created it. Either trust the certificate in the emulator or *temporarily* suspend certificate validation in your code - where's your code? Another option would be to create a valid certificate for the Web API eg with Let's Encrypt – Panagiotis Kanavos Oct 05 '18 at 07:41
  • @PanagiotisKanavos Everything is local, I just created the asp.net core project with the Visual Studio template, AFAIK it enables SSL by default so I didn't make any changes – Anon Dev Oct 05 '18 at 07:43
  • And as I said, this isn't about HTTP. The certificate is self-signed, therefore not trusted. A project template, for *any language or project* can't know whether you've purchases a certificate or created one with Let's Encrypt, so it *has* to use a self-signed certificate. You have to configure the project with a valid certificate before deployement – Panagiotis Kanavos Oct 05 '18 at 07:46
  • BTW you *have* to add a valid certificate anyway - I'm pretty sure you don't want to create any Android or iOS application that doesn't use SSL to connect to its services – Panagiotis Kanavos Oct 05 '18 at 07:47
  • Is it possible to create a valid certificate for localhost? – Anon Dev Oct 05 '18 at 07:47
  • Your emulators are *NOT* running on your local machine. They think they are *different* machines. You can add the certificate to the trusted certificates in the emulators – Panagiotis Kanavos Oct 05 '18 at 07:47
  • @PanagiotisKanavos I installed the certificate in the android emulator but the error is the same – Anon Dev Oct 05 '18 at 08:48
  • @AnonDev Self-Signed certs led to a bunch of problems on iOS (Review: https://stackoverflow.com/questions/47664218/trust-a-self-signed-certificate-using-httpclient/47666092#47666092) Also what are your native HttpClient implementations set to in each Application project? – SushiHangover Oct 05 '18 at 13:11

1 Answers1

2

I had the same problem. I solved with the Conveyor extension (https://keyoti.com/products/conveyor/index.html?utm_source=conveyor&utm_medium=extension_moreinfo&utm_campaign=conveyor). In netcore, disable SSL first (project property => debug)

Marco
  • 97
  • 12