Android application trust error

Hi, I am new here. I've been using Let's Encrypt for over 6 months now on a test server (Windows Server 2019) with Certify The Web as my ACME. I am happy with how easy it was to set up and very happy with the service. I was able to create a test system using https:// and deploy my application on it.
Then in January this year, after the certificate was renewed, I found that my Android application was no longer able to communicate with my server due to a trust error.

I have now tried everything I can to get it back online. I've redeployed using certificates with the DST Root CA X3 but am still unable to get it working.
I'm using a Zebra TC56 handheld on Android 8.1.0 (Let's Encrypt isn't in the trusted credentials list; however, both Digital Signature Trust Co. DST Root CA X3 and Internet Security Research Group ISRG Root X1 are).
Below is the error that I am getting. Unfortunately I am not a developer but am in contact with him, so any help you could provide would be great. Thanks, Andy.

Error:
System.Net.WebException: Error: TrustFailure (Authentication failed, see inner exception.) ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/boringssl/ssl/handshake_client.c:1132
at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00042] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Btls/MonoBtlsContext.cs:220
at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000da] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/MobileAuthenticatedStream.cs:715
at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)
at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00000] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/AsyncProtocolRequest.cs:289
at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x000fc] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/AsyncProtocolRequest.cs:223
--- End of inner exception stack trace ---
at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Boolean runSynchronously, Mono.Net.Security.MonoSslAuthenticationOptions options, System.Threading.CancellationToken cancellationToken) [0x0025c] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/MobileAuthenticatedStream.cs:310
at Mono.Net.Security.MonoTlsStream.CreateStream (System.Net.WebConnectionTunnel tunnel, System.Threading.CancellationToken cancellationToken) [0x0016a] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/MonoTlsStream.cs:137
at System.Net.WebConnection.CreateStream (System.Net.WebOperation operation, System.Boolean reused, System.Threading.CancellationToken cancellationToken) [0x00170] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/System.Net/WebConnection.cs:236
--- End of inner exception stack trace ---
at System.Net.WebConnection.CreateStream (System.Net.WebOperation operation, System.Boolean reused, System.Threading.CancellationToken cancellationToken) [0x00208] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/System.Net/WebConnection.cs:248
at System.Net.WebConnection.InitConnection (System.Net.WebOperation operation, System.Threading.CancellationToken cancellationToken) [0x000f7] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/System.Net/WebConnection.cs:277
at System.Net.WebOperation.Run () [0x00052] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/System.Net/WebOperation.cs:268
at System.Net.WebCompletionSource`1[T].WaitForCompletion () [0x0008e] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/System.Net/WebCompletionSource.cs:111
at System.Net.HttpWebRequest.RunWithTimeoutWorker[T] (System.Threading.Tasks.Task`1[TResult] workerTask, System.Int32 timeout, System.Action abort, System.Func`1[TResult] aborted, System.Threading.CancellationTokenSource cts) [0x000e8] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/System.Net/HttpWebRequest.cs:956
at RestSharp.Http.GetRawResponseAsync (System.IAsyncResult result, System.Action`1[T] callback) [0x0005d] in <442d34e5a4814a60b1d9995408937446>:0
at RestSharp.Http.ResponseCallback (System.IAsyncResult result, System.Action`1[T] callback) [0x0005a] in <442d34e5a4814a60b1d9995408937446>:0
--- End of stack trace from previous location where exception was thrown ---

2 Likes

Hi @agrant, and welcome to the LE community forum :slight_smile:

Android 8.1 supports many encryption protocols and ciphers:

I think you might get different (perhaps better) results by changing to ECC ciphers and TLSv1.2 (or higher).

Given:
I don't know which protocol and cipher you are testing with.
I don't know which you have tried thus far.
And I'm not an Android programmer.
:slight_smile:

2 Likes

Hi, I develop Certify The Web. So did this start failing in January or just this week? There is an important difference regarding the default certificate chain that Let's Encrypt now use.

What service type is the android app connecting to? IIS, Apache, Nginx, Tomcat etc?

Did you manually enter a preferred chain (DST Root CA X3)? If so can you try it without.

It would be good to figure out what the actual issue is, but as a workaround you can create a BuyPass Go account under Settings > Certificate Authorities, then either set the default Certificate Authority to BuyPass or, in the managed certificate, go to Certificate > Advanced > Certificate Authority and select BuyPass Go for that cert, then Request Certificate again.

3 Likes

I just noticed this is using Mono, so I assume this is a Xamarin app, so it's not quite the same as a standard Android (Java/Kotlin based) app. That could be relevant. It turns out Mono (the .NET runtime used for Xamarin stuff) may use its own certificate store, not the Android store, but I could be reading that wrong: [Not a Bug / Installation] Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED · Issue #12406 · mono/mono · GitHub

3 Likes

Looks like the choice of HttpClient selection will make a difference: HttpClient Stack and SSL/TLS Implementation Selector for Android - Xamarin | Microsoft Docs

3 Likes
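
A diagnostic the app developer could add to see which certificate chain the runtime builds and why it rejects it (an added example, not part of the thread and not Mono or RestSharp code; `TlsChainDiagnostics` is a hypothetical name). It assumes the managed `HttpWebRequest` stack seen in the stack trace, and that the runtime invokes the callback and populates `chain` when verification fails.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper: logs the chain the client built, keeps the default verdict.
public static class TlsChainDiagnostics
{
    // Call once at app start-up, before the first HTTPS request is made.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = LogAndDecide;
    }

    private static bool LogAndDecide(object sender, X509Certificate certificate,
                                     X509Chain chain, SslPolicyErrors errors)
    {
        Console.WriteLine($"TLS policy errors: {errors}");

        if (chain != null)
        {
            int depth = 0;
            foreach (X509ChainElement element in chain.ChainElements)
            {
                X509Certificate2 cert = element.Certificate;
                // Leaf is element 0; the last element is the root the client chose.
                Console.WriteLine($"[{depth++}] subject={cert.Subject}");
                Console.WriteLine($"    issuer={cert.Issuer}");
                Console.WriteLine($"    notAfter={cert.NotAfter:u} thumbprint={cert.Thumbprint}");

                // Per-certificate reasons, e.g. NotTimeValid or UntrustedRoot.
                foreach (X509ChainStatus status in element.ChainElementStatus)
                    Console.WriteLine($"    status={status.Status}: {status.StatusInformation}");
            }
        }

        // Do not override the platform's decision: accept only when validation
        // reported no errors, so the logging never weakens certificate checking.
        return errors == SslPolicyErrors.None;
    }
}
```

The logged issuer of the last element shows whether the chain ends at DST Root CA X3 or ISRG Root X1, which is the difference the replies above ask about.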

This is some great feedback. Thank you for your time in replying. You are correct that this is Xamarin Android. I will go through the links you have sent and do some more testing, taking on board your suggestions.
Many thanks to you.

4 Likes
