
I published our first Xamarin Android app in the store about 1 month ago, and it was working just fine.

Suddenly, it started to throw the `Javax.Net.Ssl.SSLHandshakeException: Unacceptable certificate` exception on the first API call attempt. We found out that one of the security certificates on our API server firewall had expired, so we updated it.

After updating the certificate, the app started to throw the `java.security.cert.CertPathValidatorException: Trust anchor for certification path not found` exception on the first API call attempt. After some research, I discovered that I should add a certificate file to the app and make some certification authority configurations. Following the documentation instructions, I asked our security department for the certificate.pem file, added it to the Resources/raw/my_ca folder (which I created manually) and created a network_security_config.xml file under the Resources/xml folder of the Xamarin Android project:

```xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <domain-config>
    <domain includeSubdomains="true">mydomain.com.br/api</domain>
    <trust-anchors>
      <certificates src="@raw/my_ca/certificadopem"/>
    </trust-anchors>
  </domain-config>
</network-security-config>
```

And now I am getting the following error: `invalid file path 'E:\MyProjectPath\MyApp.Android\obj\Debug\120\res\raw\my_ca\certificadopem.pem'`.

I have checked and the file exists. I tried deleting the bin and obj folders and cleaning/rebuilding the solution, but it didn't work.

I HAVE to get the app back online, but I can't make it work. What am I missing here?

Gabic

1 Answer

According to the official document about "Configure a custom CA", the `<certificates src="@raw/my_ca/certificadopem"/>` should be `<certificates src="@raw/my_ca"/>`. And then, you need to add the self-signed or non-public CA certificate, in PEM or DER format, to res/raw/my_ca.

So, if your CA is a custom CA, the network_security_config.xml should be:

```xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <domain-config>
    <domain includeSubdomains="true">mydomain.com.br/api</domain>
    <trust-anchors>
      <certificates src="@raw/my_ca"/>
    </trust-anchors>
  </domain-config>
</network-security-config>
```

In addition, there are two other kinds of CA, and different kinds of CA have different folder names. So you need to make sure of the type of your CA.

Update1:

The certificate file should be put directly under the raw folder, such as Resources -> raw -> certificadopem.pem.

And the code should be `<certificates src="@raw/certificadopem"/>`.

Liyun Zhang - MSFT
  • I changed the certificates source to `` as you said, but I got the same error. I couldn't find any information about the right build action of the certificate file, so it's AndroidResource. I tried both options of copy to output (Copy always and Do not copy) but no success either – Gabic Apr 13 '23 at 11:48
  • Oh, we both misunderstood the path. You can check the update part in my answer. @Gabic – Liyun Zhang - MSFT Apr 14 '23 at 01:44
  • Oh now the path seems correct. Thank you! Now I'm back to the `java.security.cert.CertPathValidatorException: Trust anchor for certification path not found` exception, but I think I should ask a new question to solve that. – Gabic Apr 14 '23 at 14:11
  • It seems there were many cases about the same error in the xamarin.android such as [How to resolve "trust anchor for certification path not found." in Xamarin Project](https://stackoverflow.com/questions/68441785/how-to-resolve-trust-anchor-for-certification-path-not-found-in-xamarin-proje)? – Liyun Zhang - MSFT Apr 17 '23 at 07:54
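
A pre-build check for the resource-path mistakes worked through in this thread, as an added example that is not part of the original answer or of the Xamarin tooling. It also flags the `/api` suffix inside `<domain>`, which the thread does not discuss: Android matches that element against a hostname, not a URL path. The function name `lint`, the template and the file layouts passed in are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

HOSTNAME = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")
RAW_REF = re.compile(r"^@raw/([a-z0-9_]+)$")  # flat name: no subfolder, no extension

def lint(config_xml, raw_files):
    """Return findings; raw_files are paths relative to Resources/raw (assumed layout)."""
    findings = []
    # Only files placed directly under raw/ are usable; the resource name is the stem.
    resources = {PurePosixPath(f).stem for f in raw_files if "/" not in f}
    root = ET.fromstring(config_xml.encode("utf-8"))
    for dom in root.iter("domain"):
        host = (dom.text or "").strip()
        if not HOSTNAME.match(host):
            findings.append(f"domain '{host}' is not a bare hostname")
    for cert in root.iter("certificates"):
        src = cert.get("src", "")
        if src in ("system", "user"):  # built-in trust stores, nothing to resolve
            continue
        m = RAW_REF.match(src)
        if not m:
            findings.append(f"src '{src}' is not a flat @raw/<name> reference")
        elif m.group(1) not in resources:
            findings.append(f"no file named '{m.group(1)}' directly under raw/")
    return findings

TEMPLATE = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <domain-config>
    <domain includeSubdomains="true">{host}</domain>
    <trust-anchors>
      <certificates src="{src}"/>
    </trust-anchors>
  </domain-config>
</network-security-config>"""

# Constructed inputs: the question's config and folder layout, then the layout
# from Update1 with the domain reduced to its hostname.
QUESTION = lint(TEMPLATE.format(host="mydomain.com.br/api", src="@raw/my_ca/certificadopem"),
                ["my_ca/certificadopem.pem"])
FIXED = lint(TEMPLATE.format(host="mydomain.com.br", src="@raw/certificadopem"),
             ["certificadopem.pem"])

if __name__ == "__main__":
    print("\n".join(QUESTION) or "ok")
    print("\n".join(FIXED) or "ok")
```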