Android 12: Trust anchor for certification path not found
Hi, I have an Android app that was tested on mobile phones using Android 8/9/10/11/12. Android 8/9/10/11 phones are working normally, but I can’t receive notifications on Android 12. Can anyone make any suggestions?
The exception I am getting (Only Android 12)! "MqttException (0) - javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found."
Further information: https://stackoverflow.com/questions/70163257/mqtt-can-not-connect-to-aws-server
Further information (2021/12/9): I use the same account to create an identity pool in Amazon Cognito, and set up different regions for testing. If the region is set to us-west-2, the MQTT connection fails, and if the region is set to ap-southeast-1, the MQTT connection succeeds. What will be the effect on the identity pool? Or any other suggestions?
(Notice: Android 8/9/10/11 phones are normal, only Android 12 has an error message.)
Hey @pc9705atgmi, Bruno, Jason, I think I've found the problem. According to https://docs.aws.amazon.com/iot/latest/developerguide/iot-connect-devices.html the old accountEndpointPrefix of type iot:Data should not be used. It is described as the legacy 'Verisign' endpoint and it obviously doesn't work with Android 12. Call:
aws iot describe-endpoint --endpoint-type iot:Data-ATS
and you will get a new accountEndpointPrefix ending with -ats (or you can just add -ats to your current accountEndpointPrefix) and try again. It works fine for me now.
Goran
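A pre-release check for the fix described in the answer above, added here as an example and not part of the original thread or of any AWS SDK: it scans configuration text for AWS IoT data endpoints that lack the -ats suffix and reports the ATS hostname to use instead. The function names and the sample configuration are hypothetical, and it assumes the standard hostname shape prefix.iot.region.amazonaws.com.

```python
import re

# Standard AWS IoT Core data endpoint: <prefix>[-ats].iot.<region>.amazonaws.com
# Other hostname shapes (e.g. China-region endpoints) are deliberately not matched.
_IOT_HOST = re.compile(
    r"(?<![a-z0-9.-])(?P<prefix>[a-z0-9]+)(?P<ats>-ats)?"
    r"\.iot\.(?P<region>[a-z0-9-]+)\.amazonaws\.com(?!\.?[a-z0-9-])"
)


def ats_prefix(prefix):
    """Append '-ats' to an accountEndpointPrefix unless it is already there."""
    prefix = prefix.strip().lower()
    return prefix if prefix.endswith("-ats") else prefix + "-ats"


def find_legacy_endpoints(text):
    """Return (line_no, legacy_host, ats_host) for every non-ATS IoT endpoint."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _IOT_HOST.finditer(line.lower()):
            if m.group("ats"):
                continue  # already the ATS endpoint, nothing to change
            ats_host = "{}.iot.{}.amazonaws.com".format(
                ats_prefix(m.group("prefix")), m.group("region"))
            findings.append((line_no, m.group(0), ats_host))
    return findings


# Constructed sample input; the prefix is made up and not taken from the thread.
SAMPLE_CONFIG = """\
# app settings
mqtt.endpoint=ssl://a1b2c3d4e5f6g7.iot.us-west-2.amazonaws.com:8883
mqtt.fixed=a1b2c3d4e5f6g7-ats.iot.us-west-2.amazonaws.com
docs=https://docs.aws.amazon.com/iot/latest/developerguide/iot-connect-devices.html
"""

if __name__ == "__main__":
    for line_no, old, new in find_legacy_endpoints(SAMPLE_CONFIG):
        print(f"line {line_no}: {old} -> {new}")
```

A configuration that stores only the bare accountEndpointPrefix has no hostname to match, so check that value with ats_prefix directly.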
Hi Bruno, Jason, I've tried on Samsung S21 and Google Pixel 4. Both with Android 12. The same problem. People are reporting it on other websites too: https://github.com/aws-amplify/aws-sdk-android/issues/2741
Goran
Can you please clarify what AWS servers you are connecting to? Are they self-managed? If so can you check its configurations?
Hey @pc9705atgmi - this seems to be an indication that the signing rootCA isn't present on that device. Have you tried a different Android 12 device? Also, getting additional details on that rootCA failing validation might help. In odd cases where devices are on a local network that has proxies, I have seen similar issues w/ certificate validation.
hope that helps!
Thanks for your reply! My reply is as follows: