Open Closed

MAUI - RemoteCertificateValidationCallback error on production #6949


User avatar
0
cbogner85 created
  • ABP Framework version: v8.0.5
  • UI Type: MVC /
  • Database System: EF Core (SQL Server)
  • Tiered (for MVC) or Auth Server Separated (for Angular): no

Hello,

I developed a MAUI app, on my development machine everything runs fine, but when I try to connect the production server from the MAUI app on Android, it crashes while trying to connect to RemoteService/ OIDC:

Java.Security.Cert.CertificateException The remote certificate was rejected by the provided RemoteCertificateValidationCallback.

My production server has a valid certificate from Let's encrypt. Also, I can open https://productionsite/.wellknown/openid-configuration and it also shows a valid certificate (even on the Android device's/ emulator's browser), but the MAUI app rejects the certificate.

I can even reproduce the behavior by creating a blank ABP project with MAUI enabled and trying to run it locally using ngrok. As long as MAUI connects to localhost, it works. But when I change RemoteService > Default > BaseUrl or Oidc > Options > Authority in MAUIs appsettings.json to ngrok URL, the same certification rejecting error occurs.

I'm completely lost... struggling for a week now, having read abp.io documentation and hundreds of forum entries, but nothing worked out. Probably I'm missing something completely stupid and trivial, but I can't find the solution... Please point me in the right direction!!

Thanks


3 Answer(s)
  • User Avatar
    0
    cbogner85 created

    To add some details what I've already tried: I found out that Android doesn't accept all certificate authorities. Therefore, I added the intermediate certificate to Platforms/Android/Resources/raw and modified network_security_config.xml as described here and here. (Actually my application isn't certified from Let's Encrypt but rather ZeroSSL, as I had to switch for some reason, but certificates are generated using Certify the Web). I also tried to add my certificate and the whole chain, nothing worked out...

    This is what network_security_config.xml looks like:

    (of course, productionsite.com is actually replaced with the URL of my production environment)

    This is the folder structure:

    Also, network_security_config.xml seems to be correctly attached to AndroidManifest.xml

    I also tried to manually install the root and intermediate authorities to the emulator, didn't work either.

    I have no idea what I'm doing wrong...

    PS: Out of curiosity, I tried to set RemoteServices > Default > BaseUrl to microsoft.com (and added microsoft.com to allowed domains in network_security_config.xml). Even then the certificate rejection occurs. Therefore I suspect it's not really a problem with the authority, but something inside MAUI that rejects just every outgoing connection/ certificate.

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    I can even reproduce the behavior by creating a blank ABP project with MAUI enabled and trying to run it locally using ngrok. As long as MAUI connects to localhost, it works. But when I change RemoteService > Default > BaseUrl or Oidc > Options > Authority in MAUIs appsettings.json to ngrok URL, the same certification rejecting error occurs.

    This is because we ignore the localhost HTTPS certificate security check according to: https://learn.microsoft.com/en-us/dotnet/maui/data-cloud/local-web-services?view=net-maui-8.0#bypass-the-certificate-security-check

    You can try update the GetInsecureHandler method:

    #if ANDROID
        var handler = new HttpClientHandler()
        {
           UseCookies = false
        };
        handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) =>
        {
            if (cert is { Issuer: "CN=localhost" }) // or your productionwebsite.com , you can read it from the appsettings.json
            {
                return true;
            }
    
            return errors == System.Net.Security.SslPolicyErrors.None;
        };
        return handler;
    
  • User Avatar
    0
    cbogner85 created

    Hi liangshiwei,

    thanks for your reply. I can't believe I overlooked that (as I mentioned before, it must have been something completely obvious).

    As far as I unterstood, certificate validation shouldn't be disabled as it makes the app vulnerable to man in the middle attacks. However, this helps as I can see the detailed error now (SslPolicyErrors.RemoteCertificateChainErrors) and hopefully I'll find out how to make Android accept our certificates before going live. And in the meantime, I can test my app on production with the certifcate validation disabled.

    Thanks!

Made with ❤️ on ABP v9.1.0-preview. Updated on December 13, 2024, 06:09