By using AWS re:Post, you agree to the Terms of Use
/Android 12: Trust anchor for certification path not found/

Android 12: Trust anchor for certification path not found

1

Hi, I have an android app that was tested on mobile phones using Android 8/9/10/11/12, and Android 8/9/10/11 phones are working normally, but I can’t receive notifications on android 12. Can anyone make any suggestions?

The exception I am getting (Only Android 12)! "MqttException (0) - javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found."

further information: https://stackoverflow.com/questions/70163257/mqtt-can-not-connect-to-aws-server

further information(2021/12/9): I use the same account to create an identity pool in Amazon Cognito, and set up different regions for testing. If the region is set to us-west-2, the MQTT connection fails, and the region is set to ap-southeast-1 then the MQTT connection succeeds. What will be the effect on identity pool? Or any other suggestions?

(notice: Android 8/9/10/11 phones are normal, only android 12 has an error message.)

4 Answers
1
Accepted Answer

hey @pc9705atgmi, Bruno, Jason I think I've found the problem. According to https://docs.aws.amazon.com/iot/latest/developerguide/iot-connect-devices.html old accountEndpointPrefix of type iot:Data should not be used. It is described as legacy 'Verisign' endpoint and it obviously doesn't work with Android 12. Call: aws iot describe-endpoint --endpoint-type iot:Data-ATS

and you will get new accountEndpointPrefix ending with -ats (or you can just add -ats to your current accountEndpointPrefix) and try again. It works fine for me now.

Goran

answered 6 months ago
1

Hi Bruno, Jason, I've tried on Samsung S21 and Google Pixel 4. Both with Android 12. The same problem. People are reporting it on other websites too: https://github.com/aws-amplify/aws-sdk-android/issues/2741

Goran

answered 6 months ago
0

Can you please clarify what AWS servers you are connecting to? Are they self-managed? If so can you check its configurations?

answered 7 months ago
  • Thanks for your reply! My reply is as follows:

    1. AWS Iot Server.
    2. Sorry! I don't know what "Are they self-managed?" means.
    3. Android 8/9/10/11 phones are working normally. So I don't think it is a matter of configurations.
0

hey @pc9705atgmi - this seems to be an indication that the signing rootCA isn't present on that device. Have you tried a different Android12 device? Also, getting additional details on that rootCA failing validation might help. In odd cases where devices are on a local network that have proxies, i have seen similar issues w/ certificate validation.

hope that helps!

answered 7 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions