Is it possible to obtain an SSL certificate from LetsEncrypt for a server that will only run in your LAN?

I'm a total beginner when it comes to SSL/TLS certificates. I have generated a few of them using openssl for some local servers in my LAN. I have already built an Expo React Native app that is working 100%, but when I build the APK and install it, specifically on Android devices, I'm getting this error:

    java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
    (NOBRIDGE) LOG  Connection closed 1006 java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

The root CA certificate was generated using openssl, and the reverse proxy server is using a signed-server certificate signed by this root CA I created.

My question is:

Since Android is not allowing "User" certificates and only allows "System" certificates, is it possible to obtain a certificate from LetsEncrypt for this local reverse proxy server? That way Android can trust the reverse proxy certificate and the Expo app could connect fine to the backend server.

Basically the servers and clients will all be running in my LAN only, not open to the internet.

This is just for a small learning project in my LAN.

Question first asked at: iphone - UIImagePickerControllerSourceTypeSavedPhotosAlbum stay at the top of screen in ios 5 - Stack Overflow

Sorry, link misplaced: android - Is it possible to obtain an SSL certificate from LetsEncrypt for a server that will only run in your LAN? - Stack Overflow

Actual Link

In order to get a certificate from Let's Encrypt, you need to be able to demonstrate control over a public domain name; the most common way of doing that for internal-only hosts is using DNS validation--you'll need to create TXT records containing specified (semi-random) values, and then remove them once validation is complete. You'll then need to repeat that process every 60 days or so, so you really should be able to automate those DNS updates. If you're able to do these things, you should be able to get the cert.

6 Likes

If you're building an app you're going to publish then you'll eventually need to use a real domain for your API anyway. Even if it's not for public services it can be easier to just get a domain that you can use for whatever.

Once you have a domain (e.g. example.com) you have complete control over subdomains; for instance, you can just make up api.yourapp.dev.example.com pointing to the IP of an internal server etc., get a certificate for it (using DNS domain validation) and apply that to an internal service, or a public service etc.

So in general, having your own domain to work with opens up various testing and development possibilities, as well as the option to host public services (hosted anywhere). Cloudflare are pretty cheap for domains, look out for registrars that say a domain will cost $0.05 then charge you $29.99 the next year - a domain is for life 🙂

If you really don't want a domain, you can generally modify your dev app to disable TLS validation, and just use a self-signed cert.

3 Likes
