I work for a company that uses a Comodo/Sectigo SSL certificate. But suddenly our app started throwing this error when sending POST to the server, in versions with android 4 and 5, with Okhttp client.
HTTP FAILED: javax.net.ssl.SSLHandshakeException: com.android.org.bouncycastle.jce.exception.ExtCertPathValidatorException: Could not validate certificate: Certificate expired at Sat May 30 05:48:38 CDT 2020 (compared to Mon Jun 08 23:13:02 CDT 2020)
I tried many StackOverflow solutions, without success. Then I found on the Comodo blog this cross-sign certificates warning
Sectigo at present offers the ability to cross-sign certificates with the AddTrust legacy root to increase support among very old systems and devices. This root is due to expire at the end of May, 2020. Any applications or installations that depend on this cross-signed root must be updated by May, 2020 or run the risk of outage or displayed error message.
I tried a few more things to get my okhttp client to trust the certificate (enabled TLS on Socket, added Modern TLS, TLS Versions and cipher Suites to connection Specs in okhttp builder, adding the cert to the raw resources, also I put a custom SslSocketFactory to the client) but none of this works, always throws me an error related to certificate validity or a handshake exception.
The only thing that has worked for me is to make an unsafe okhttp, but obviously its use in production is not recommended.
The app works fine in android > 5, but we still have some users on android 5 and even 4 who cannot use the app due to this problem. Is there still any way to achieve android <= 5 trust this expired root?
Thanks for your help
This should hopefully fix the issue if the the certificates are otherwise valid.
In your build file
implementation 'org.conscrypt:conscrypt-android:2.5.1'
And activate Conscrypt before your request
import org.conscrypt.Conscrypt
Security.insertProviderAt(Conscrypt.newProvider(), 1)
val client = OkHttpClient.Builder().build()
val request = Request.Builder().url("https://status.datadoghq.com/").build()
client.newCall(request).execute().use { response ->
println(response.code())
}
If it's still failing after this then you might need to register a custom certificate as well, but test without this first.