Requests aborted due to Untrusted chain when running build on Android device

I’m several days stuck on this SSL error, and I cannot seem to get it working.

I’m implementing an Ionic app with Capacitor. Connections to the server are done with Axios. So, everything was fine when I tried it for development with

ionic serve

running it from a browser. Smooth and perfect.

But then, after building it for production and running it on a device with Android Studio, all the requests to the server are aborted.

I figured out it was due to an SSL error, since this was the error displayed on the terminal:

E/chromium: [ERROR:ssl_client_socket_impl.cc(962)] handshake failed; returned -1, SSL error code 1, net_error -202

But I didn’t know why. So after more research I found out that the reason for this was an untrusted chain. Now I sort of understand what a certificate chain is, but I still don’t know how to fix it.

The server the device is trying to connect to is ours, in case some action must be done there. I’m aware there’s some hack in the Android Java files where the SSL validation is done. But as far as I know this is not desirable, and I only found this hack for Cordova, not for Capacitor.

In case this helps you help me, this is the output of a useful command I found during my research, which lists the certificate chain. Since I’m not sure whether some data in this output must remain private, I’ve hidden some info and replaced our server domain with a fake one:

> openssl s_client -connect ourserver.domain.net:443
CONNECTED(00000184)
depth=0 CN = ourserver.domain.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = ourserver.domain.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = ourserver.domain.net
   i:C = US, O = Let's Encrypt, CN = R3
---
Server certificate
-----BEGIN CERTIFICATE-----
Long list of characters...........................
..................................................
..................................................
............ REPLACED WITH DOTS ..................
..................................................
..................................................
..................................................
-----END CERTIFICATE-----
subject=CN = ourserver.domain.net

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2068 bytes and written 456 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 570AC93042ABDBBACCA8854C022985DCD8712BC2795CE379A3779C975DB58096
    Session-ID-ctx:
    Master-Key: 19C03ED660DCFE807DF2650A960D656089ADD1C9DA941F18127ED396D9EDBC9DF4CBFDFD3BD03E84B234963151DBE75B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - a5 17 9f 73 46 38 05 b3-f7 d4 d5 ed cb d7 6c 88   ...sF8........l.
    0010 - 79 ee 10 94 41 72 f2 53-88 f6 af 95 e8 dc 4e 5f   y...Ar.S......N_
    0020 - af ef 8f dd 9f dc 52 1f-7d 94 4b 13 e0 b8 bc 06   ......R.}.K.....
    0030 - c0 e3 41 c2 37 3b 12 63-a4 69 e4 10 52 e0 87 fd   ..A.7;.c.i..R...
    0040 - 33 0e 7b 41 ef 65 6f 71-6d be b3 44 5c 85 c2 c4   3.{A.eoqm..D\...
    0050 - 5c e0 34 96 e3 23 f6 dc-01 9a 2b 42 21 88 b2 b7   \.4..#....+B!...
    0060 - 8f e8 8c 6b 4d 42 d6 f9-cb 01 ae 7a 0f 2b 80 48   ...kMB.....z.+.H
    0070 - d8 7f b7 8c ee b3 b6 17-f8 75 bd 47 14 81 79 e8   .........u.G..y.
    0080 - 31 1a 6b 80 d3 78 6b f6-37 9a 2c 63 8f b6 72 db   1.k..xk.7.,c..r.
    0090 - 72 d3 5e 71 69 57 f7 de-82 d1 44 74 fc e0 f4 81   r.^qiW....Dt....
    00a0 - d7 4a 64 28 9c 62 6d 34-52 c0 a7 e5 14 8b b3 63   .Jd(.bm4R......c
    00b0 - 16 1d e9 4c 4e 1f 3d 05-ca 70 3c 4b a9 a9 1d 1d   ...LN.=..p<K....
    00c0 - 18 6e a3 ab a2 84 1c b3-ea 7c b1 e8 da de b4 1f   .n.......|......
    00d0 - 97 72 8c 94 59 80 b9 c6-24 28 7f d5 2b 7f d4 2d   .r..Y...$(..+..-

    Start Time: 1615152283
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
---
closed

I’d appreciate any help.

It’s the exact same information presented to anybody connecting to that server, so no, there aren’t any secrets that need to be redacted.

Since you’re using Let's Encrypt, you should have gotten three files: privkey.pem, cert.pem, and fullchain.pem. Tell whoever is in charge of managing the server configuration to swap fullchain.pem in for wherever they are using cert.pem currently, and your problem should go away.

2 Likes
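
The answer above is the whole story: the s_client output shows a chain of one certificate (depth=0 only), so the server is sending the leaf without the Let's Encrypt R3 intermediate. Desktop browsers usually paper over this by fetching the missing intermediate themselves (or having it cached), which is why `ionic serve` in a browser worked; Android's TLS stack does not, so it reports an untrusted chain. The script below is an added example, not code from the thread or from Ionic/Capacitor. It builds a constructed three-tier PKI with placeholder names (the root, the "Example Intermediate R3", and a leaf for the fake `ourserver.domain.net`), then verifies the leaf the way a client that trusts only the root would: once served as `cert.pem` alone, once as `fullchain.pem` (leaf followed by intermediate). It needs only the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example, not from the forum thread. Constructs a throwaway PKI with
# placeholder names (nothing here is the poster's real server or key) and
# shows why serving cert.pem alone fails for a client that trusts only the
# root, while fullchain.pem (leaf + intermediate) verifies cleanly.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/pki.cnf"

# Minimal OpenSSL config so no distro default extensions leak into the certs.
write_config() {
    cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ourserver.domain.net
EOF
}

make_pki() {
    write_config
    # Root CA: the self-signed trust anchor the client already has.
    openssl req -x509 -config "$CNF" -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" \
        -subj "/CN=Example Root CA" -days 3650 >/dev/null 2>&1
    # Intermediate CA signed by the root (plays the "R3" role from the question).
    openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" \
        -subj "/CN=Example Intermediate R3" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1825 -extfile "$CNF" -extensions v3_ca \
        -out "$WORK/intermediate.pem" >/dev/null 2>&1
    # Server (leaf) certificate signed by the intermediate.
    openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
        -keyout "$WORK/privkey.pem" -out "$WORK/leaf.csr" \
        -subj "/CN=ourserver.domain.net" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/intermediate.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 90 -extfile "$CNF" -extensions v3_leaf \
        -out "$WORK/cert.pem" >/dev/null 2>&1
    # Mirror what Let's Encrypt hands out: cert.pem is the leaf alone,
    # fullchain.pem is the leaf followed by the intermediate.
    cat "$WORK/cert.pem" "$WORK/intermediate.pem" > "$WORK/fullchain.pem"
}

# Number of PEM certificates in a bundle (cert.pem -> 1, fullchain.pem -> 2).
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Simulate a strict client such as Android's TLS stack: it trusts only the
# root, never fetches missing intermediates, and sees exactly the bundle the
# server sent. The first cert in the bundle is the server cert; any others are
# untrusted extras that may be used to build the chain up to the root.
client_verify() {
    openssl verify -no-CAfile -no-CApath -CAfile "$WORK/root.pem" \
        -untrusted "$1" "$1" >/dev/null 2>&1
}

# "OK" or "FAIL" for a served bundle.
chain_status() {
    if client_verify "$1"; then echo OK; else echo FAIL; fi
}

if [ "${1:-}" = "demo" ]; then
    make_pki
    echo "serving cert.pem      ($(count_certs "$WORK/cert.pem") cert):  $(chain_status "$WORK/cert.pem")"
    echo "serving fullchain.pem ($(count_certs "$WORK/fullchain.pem") certs): $(chain_status "$WORK/fullchain.pem")"
fi
```

Run it with `sh chain-demo.sh demo`. The `cert.pem` line fails with OpenSSL's "unable to get local issuer certificate", the same condition the question's s_client run reports as verify error 20/21, and the `fullchain.pem` line verifies. Swapping the file the web server references, as the answer says, is the server-side fix; the client-side "hack" of disabling validation in the Android code would only hide the broken chain and is not needed once the intermediate is served.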

Thank you! I told the server admin about your suggestion, but he eventually opted to use a proxy server to which the connection is accepted.

Anyway, I’m sure your answer is valid, so I will mark it as the solution.