- ABP Framework version: v8.0.5
- UI Type: MVC /
- Database System: EF Core (SQL Server)
- Tiered (for MVC) or Auth Server Separated (for Angular): no
Hello,
I developed a MAUI app. On my development machine everything runs fine, but when I try to connect to the production server from the MAUI app on Android, it crashes while trying to connect to RemoteService/OIDC:
Java.Security.Cert.CertificateException The remote certificate was rejected by the provided RemoteCertificateValidationCallback.
My production server has a valid certificate from Let's Encrypt. Also, I can open https://productionsite/.well-known/openid-configuration and it also shows a valid certificate (even in the Android device's/emulator's browser), but the MAUI app rejects the certificate.
I can even reproduce the behavior by creating a blank ABP project with MAUI enabled and trying to run it locally using ngrok. As long as MAUI connects to localhost, it works. But when I change RemoteService > Default > BaseUrl or Oidc > Options > Authority in MAUI's appsettings.json to the ngrok URL, the same certificate rejection error occurs.
I'm completely lost... I've been struggling for a week now, having read the abp.io documentation and hundreds of forum entries, but nothing has worked. Probably I'm missing something completely stupid and trivial, but I can't find the solution... Please point me in the right direction!
Thanks
3 Answer(s)
-
0
To add some details on what I've already tried: I found out that Android doesn't accept all certificate authorities. Therefore, I added the intermediate certificate to Platforms/Android/Resources/raw and modified network_security_config.xml as described here and here. (Actually my application isn't certified by Let's Encrypt but rather by ZeroSSL, as I had to switch for some reason, but the certificates are generated using Certify the Web.) I also tried adding my certificate and the whole chain; nothing worked...
This is what network_security_config.xml looks like:
(of course, productionsite.com is actually replaced with the URL of my production environment)
This is the folder structure:
Also, network_security_config.xml seems to be correctly attached to AndroidManifest.xml
I also tried to manually install the root and intermediate authorities to the emulator, didn't work either.
I have no idea what I'm doing wrong...
PS: Out of curiosity, I tried setting RemoteServices > Default > BaseUrl to microsoft.com (and added microsoft.com to the allowed domains in network_security_config.xml). Even then the certificate rejection occurs. Therefore I suspect it's not really a problem with the authority, but something inside MAUI that rejects every outgoing connection/certificate.
-
0
I can even reproduce the behavior by creating a blank ABP project with MAUI enabled and trying to run it locally using ngrok. As long as MAUI connects to localhost, it works. But when I change RemoteService > Default > BaseUrl or Oidc > Options > Authority in MAUIs appsettings.json to ngrok URL, the same certification rejecting error occurs.
This is because we ignore the localhost HTTPS certificate security check according to: https://learn.microsoft.com/en-us/dotnet/maui/data-cloud/local-web-services?view=net-maui-8.0#bypass-the-certificate-security-check
You can try to update the `GetInsecureHandler` method:

```csharp
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public HttpMessageHandler GetInsecureHandler()
{
#if ANDROID
    var handler = new HttpClientHandler() { UseCookies = false };
    handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) =>
    {
        if (cert is { Issuer: "CN=localhost" }) // or your productionwebsite.com, you can read it from the appsettings.json
        {
            return true;
        }
        return errors == SslPolicyErrors.None;
    };
    return handler;
#else
    // The non-Android branch was cut off in the post; a plain handler is returned here so the method compiles.
    return new HttpClientHandler() { UseCookies = false };
#endif
}
```
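The callback above is the dev-only bypass from the MAUI docs; returning `true` for a production issuer would accept any certificate that merely claims that issuer and remove the protection against man-in-the-middle attacks. The following is an added example, not ABP's template code nor code from this thread: it keeps the localhost bypass confined to DEBUG builds and loopback hosts, enforces normal validation everywhere else, optionally pins the production server's SubjectPublicKeyInfo hash, and logs the chain status so a `RemoteCertificateChainErrors` result (the error the poster ends up seeing) can be diagnosed. `ProductionHost`, `ProductionSpkiPin`, the `10.0.2.2` emulator address and the `Console` logging are placeholders/assumptions.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class SecureHandlerFactory
{
    // Assumed placeholders: the production host name from the thread and the base64 SHA-256
    // of that server's SubjectPublicKeyInfo. Compute the pin once from the real certificate
    // with SpkiPinOf() below; it changes only when the server's key pair changes, not on
    // every Let's Encrypt/ZeroSSL renewal, but plan a backup pin before rotating the key.
    private const string ProductionHost = "productionsite.com";
    private const string ProductionSpkiPin = "REPLACE_WITH_BASE64_SHA256_OF_SPKI";

    public static HttpMessageHandler GetHandler()
    {
        var handler = new HttpClientHandler { UseCookies = false };
        handler.ServerCertificateCustomValidationCallback = ValidateServerCertificate;
        return handler;
    }

    public static bool ValidateServerCertificate(
        HttpRequestMessage request, X509Certificate2? cert, X509Chain? chain, SslPolicyErrors errors)
    {
        var host = request.RequestUri?.Host ?? string.Empty;

#if DEBUG
        // Development only: accept the ASP.NET Core dev certificate, and only when the request
        // really targets the developer machine (10.0.2.2 is the Android emulator's alias for the host).
        if (cert is { Issuer: "CN=localhost" } && (host == "localhost" || host == "10.0.2.2"))
        {
            return true;
        }
#endif

        if (errors != SslPolicyErrors.None)
        {
            // Never "return true" here: that is what disables MITM protection.
            LogFailure(host, errors, chain);
            return false;
        }

        // Defense in depth for the production API: the chain already validated, additionally
        // require the expected public key for the production host.
        if (cert != null && string.Equals(host, ProductionHost, StringComparison.OrdinalIgnoreCase))
        {
            return SpkiPinOf(cert) == ProductionSpkiPin;
        }

        return true;
    }

    // Base64(SHA-256(SubjectPublicKeyInfo)), the same value HPKP/OkHttp-style pins use.
    public static string SpkiPinOf(X509Certificate2 cert)
        => Convert.ToBase64String(SHA256.HashData(cert.PublicKey.ExportSubjectPublicKeyInfo()));

    private static void LogFailure(string host, SslPolicyErrors errors, X509Chain? chain)
    {
        // Console stands in for whatever logger the app uses.
        Console.WriteLine($"TLS validation failed for {host}: {errors}");
        if (chain == null) return;

        foreach (var status in chain.ChainStatus)
        {
            // PartialChain / UntrustedRoot here means the server is not sending its intermediate,
            // or the root is missing from the device trust store / network_security_config.xml.
            Console.WriteLine($"  chain status: {status.Status} - {status.StatusInformation}");
        }
        foreach (var element in chain.ChainElements)
        {
            Console.WriteLine($"  element: {element.Certificate.Subject} issued by {element.Certificate.Issuer}");
        }
    }
}
```

Wire it up by returning `SecureHandlerFactory.GetHandler()` wherever the template currently calls `GetInsecureHandler()`. The chain log is the quickest way to tell a server-side misconfiguration (missing intermediate in the served chain) from a client-side one (root not trusted by the device); in the first case the fix belongs on the server, not in network_security_config.xml.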
-
0
Hi liangshiwei,
Thanks for your reply. I can't believe I overlooked that (as I mentioned before, it must have been something completely obvious).
As far as I understood, certificate validation shouldn't be disabled, as it makes the app vulnerable to man-in-the-middle attacks. However, this helps, as I can see the detailed error now (SslPolicyErrors.RemoteCertificateChainErrors), and hopefully I'll find out how to make Android accept our certificates before going live. In the meantime, I can test my app on production with certificate validation disabled.
Thanks!