[Bug]: CertPathValidatorException on Android 6.

[luccasclezar]

What happened?

MongoDB Realm does not connect on Android 6, any Android version after that is working correctly.

The line Realms.Sync.User user = await App.MongoApp.LogInAsync(credentials); throws a java.security.cert.CertPathValidatorException.

I don't know if this issue is occurring on real devices or only on emulators, I don't have any Android 6 device to test.

Repro steps

Just try to use MongoDB Realm on Android 6.

androidmtest.zip

Version

10.10.0

What SDK flavour are you using?

MongoDB Realm (i.e. Sync, auth, functions)

What type of application is this?

Xamarin

Client OS and version

Android 6

Code snippets

No response

Stacktrace of the exception/crash you're getting

code 999: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
  at Realms.Sync.AppHandle.LogInAsync (Realms.Sync.Native.Credentials credentials) [0x00055] in D:\a\realm-dotnet\realm-dotnet\Realm\Realm\Handles\AppHandle.cs:282 
  at Realms.Sync.App.LogInAsync (Realms.Sync.Credentials credentials) [0x0003d] in D:\a\realm-dotnet\realm-dotnet\Realm\Realm\Sync\App.cs:208

Relevant log output

No response

[nirinchev]

Does this error happen if you change the HttpClientHandler implementation from Android to Managed?

[LaPeste]

In the meanwhile I can reproduce the issue on for API 23(Android 6) but not on another APIs (I tried API 30). As originally reported by the user.

[luccasclezar]

@nirinchev Yes, the error is still happening after changing both "HttpClient implementation" and "SSL/TLS implementation" to managed.

I checked the .csproj because sometimes it doesn't update properly, but it looks right.

<AndroidHttpClientHandlerType>Managed (HttpClientHandler)</AndroidHttpClientHandlerType>
<AndroidTlsProvider>Managed TLS 1.0</AndroidTlsProvider>

[nirinchev]

This is an issue due to older versions of Android not trusting the new root certificate of Let's Encrypt. There are no clear workaround currently.

We have two options for solving this:

Expose a way to provide custom HttpClientHandler

Currently we construct an http client with the default handler. We can expose a configuration mechanism for users to provide their custom http client handlers.

Multitargeting

When we start multitargeting the Realm assembly, we can provide an android implementation that trusts the ISRG root with the following code:

private const string ISRGRoot =
@"MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=";

var handler = new AndroidClientHandler();
if (handler.TrustedCerts == null)
{
    handler.TrustedCerts = new List<Certificate>();
}

var factory = CertificateFactory.GetInstance("X.509");
var cert = factory.GenerateCertificate(new MemoryStream(Convert.FromBase64String(ISRGRoot)));

handler.TrustedCerts.Add(cert);

We can probably expose the config option first and then provide the default implementation.

[luccasclezar]

@nirinchev I suspected this was the issue. After manually installing Let's Encrypt ISRG Root X1 certificate on an Android 6 emulator, Realm is working fine.

Of course this is not a workaround, we cannot ask users to manually install a certificate. Will the custom HttpClientHandler property be hotfixed?

And I think Realm should alert about this issue somewhere, right now it's not possible to release an app that supports Android 7 or below with MongoDB Realm.

[nirinchev]

@luccasclezar the SRE team has deployed a new certificate that is cross-signed by the DST Root X3, which should be accepted by older Android devices.

As an aside, we also added a way to configure the HttpClientHandler on the app, which should allow you to manually add a handler that trusts the ISRG Root X1 to future-proof your app.

[luccasclezar]

Thank you @nirinchev! I can confirm the issue is fixed without the need to configure a custom HttpClientHandler.

[sync-by-unito]

➤ Andrea Catalini commented:

A solution was implemented and merged in main.