Android 12: Trust anchor for certification path not found
Hi, I have an Android app that was tested on mobile phones using Android 8/9/10/11/12. Android 8/9/10/11 phones are working normally, but I can’t receive notifications on Android 12. Can anyone make any suggestions?
The exception I am getting (Only Android 12)! "MqttException (0) - javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found."
Further information: https://stackoverflow.com/questions/70163257/mqtt-can-not-connect-to-aws-server
Further information (2021/12/9): I use the same account to create an identity pool in Amazon Cognito, and set up different regions for testing. If the region is set to us-west-2, the MQTT connection fails, and if the region is set to ap-southeast-1, the MQTT connection succeeds. What will be the effect on the identity pool? Or any other suggestions?
(Notice: Android 8/9/10/11 phones are normal, only Android 12 has an error message.)
Hey @pc9705atgmi, Bruno, Jason, I think I've found the problem. According to https://docs.aws.amazon.com/iot/latest/developerguide/iot-connect-devices.html, the old accountEndpointPrefix of type iot:Data should not be used. It is described as a legacy 'Verisign' endpoint and it obviously doesn't work with Android 12. Call:
aws iot describe-endpoint --endpoint-type iot:Data-ATS
and you will get a new accountEndpointPrefix ending with -ats (or you can just add -ats to your current accountEndpointPrefix) and try again. It works fine for me now.
Hi Bruno, Jason, I've tried on Samsung S21 and Google Pixel 4. Both with Android 12. The same problem. People are reporting it on other websites too: https://github.com/aws-amplify/aws-sdk-android/issues/2741
Can you please clarify what AWS servers you are connecting to? Are they self-managed? If so can you check its configurations?
Thanks for your reply! My reply is as follows:
- AWS IoT Server.
- Sorry! I don't know what "Are they self-managed?" means.
- Android 8/9/10/11 phones are working normally. So I don't think it is a matter of configurations.
Hey @pc9705atgmi - this seems to be an indication that the signing rootCA isn't present on that device. Have you tried a different Android 12 device? Also, getting additional details on that rootCA failing validation might help. In odd cases where devices are on a local network that has proxies, I have seen similar issues w/ certificate validation.
Hope that helps!