SSL CA Certificate Error on Android 7

Hi,

On one of my Android devices when trying to Authenticate I receive a:

Unity.Services.Core.RequestFailedException: Network Error: SSL CA certificate error

My game is targeting API 30 and has a minimum API of 23. The device that is receiving the error is API level 24.

When I deploy the code to a device running API 30 it works fine.

I am calling AuthenticationService.Instance.SignInAnonymouslyAsync()

Thanks
Mick

Hi Mick,
Thanks for that detailed information.
I will try to reproduce the error and report back here with status/results.

Could you also share your Unity version?

Best,
Sebastiano

Sure, I’m currently using 2021.2.4f1 but had the same issue in 2021.2.3f1.

Hi Mick,

The SSL / CA Error that you are receiving is down to the Android version on one of your devices.

I have tested your code sample successfully on API 25 and above and am currently seeking confirmation on the minimum version required.

Great, thanks. If 24 is below the minimum then I can get a different test device.

It would be good to know if there is a minimum level for iOS as well, as I need to purchase an Apple device for testing.

I’ll update this thread when I get confirmation on iOS and Android versions.

Hi guys,

I'm currently dealing with a similar problem that I'm pretty sure would be caused by the same issue and I'm posting to share the cause of the problem with you guys.
Since October 2021 Let's Encrypt's previous SSL certificate (DST Root CA X3) expired and they switched over to using their own certificate called ISRG Root X1 and X2.
Trusted certificates are actually added to Android devices on an OS level and Android versions starting from 7.1.1/API 25 contain the ISRG certificates.
On the other hand, older OS versions only contain the DST Root CA X3 certificate, which causes SSL requests to fail.

They detailed this situation in this blog post: https://letsencrypt.org/2020/11/06/own-two-feet.html however later on they managed to find a solution with the old certificate outlined here: https://letsencrypt.org/2020/12/21/extending-android-compatibility.html .
A key point in that solution is explained at the bottom: "When we make that change, subscribers will have the option to continue using DST Root CA X3 by configuring their ACME client to specifically request it.".
So basically the certificate can be configured on a per website basis and thus you should be capable of specifically requesting the old certificate but if you don't do that SSL requests will still fail.

Because of this I've been looking for a way to manually add the new certificates to the Android app so that secure web requests will hopefully continue to work. The only solution I found so far was specifically for Android 7 so hopefully this helps you out: https://www.danieldent.com/blog/android-apps-lets-encrypt-dst-root-expiry/ .
I'm personally looking for a solution that would be compatible with Android 6 so if anybody runs into something I would love to hear your take on this problem.

3 Likes
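The trust-store behaviour described in the post above can be reproduced offline with `openssl`; this is an added example, not code from the thread, Unity or Let's Encrypt. The names `old_root`, `new_root` and `auth.example.test` are constructed stand-ins (for DST Root CA X3, ISRG Root X1 and a server), and certificate expiry is not modelled.

```shell
#!/bin/sh
# Constructed mini-PKI (not real Let's Encrypt material): old_root and new_root
# stand in for DST Root CA X3 and ISRG Root X1. Certificate expiry is not modelled.
set -eu

build_pki() {  # build_pki <dir>
  d=$1
  for ca in old_root new_root; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$ca" \
      -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null
  done
  # Leaf issued under new_root only, as a site using the newer chain would be.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=auth.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/new_root.pem" \
    -CAkey "$d/new_root.key" -CAcreateserial -days 30 -out "$d/leaf.pem" 2>/dev/null
  # Cross-certificate: new_root's name and key, signed by old_root.
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -new -key "$d/new_root.key" -subj "/CN=new_root" \
    -out "$d/cross.csr" 2>/dev/null
  openssl x509 -req -in "$d/cross.csr" -CA "$d/old_root.pem" \
    -CAkey "$d/old_root.key" -CAcreateserial -days 30 \
    -extfile "$d/ca.ext" -out "$d/cross.pem" 2>/dev/null
  # Device trust stores: the older one lacks new_root.
  cp "$d/old_root.pem" "$d/store_old.pem"
  cat "$d/old_root.pem" "$d/new_root.pem" > "$d/store_new.pem"
}

# chain_ok <trust-store> <leaf> [intermediate sent by the server]
chain_ok() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
build_pki "$tmp"
report() { if chain_ok "$@"; then echo "verified"; else echo "CA error"; fi; }
echo "newer store, short chain:     $(report "$tmp/store_new.pem" "$tmp/leaf.pem")"
echo "older store, short chain:     $(report "$tmp/store_old.pem" "$tmp/leaf.pem")"
echo "older store, cross-sign sent: $(report "$tmp/store_old.pem" "$tmp/leaf.pem" "$tmp/cross.pem")"
```

The second case corresponds to a device whose store lacks the newer root; the third shows why a server that also sends the cross-signed certificate still verifies against the older store.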

Any update on what versions work?

Hi! Android API levels 21 and above are supported with TLS 1.2 or above enabled. We currently don’t have plans to support TLS 1.1.

A link to the common errors page : https://docs.unity.com/authentication/CommonErrors.htm

Thanks! Huh, that’s weird then. It seems Android 7.0 (API 24) should work just fine based on that, but I’m running into the exact same issue with that level of Android or below.

Hello,

In my project I am using the Authentication package with version 1.0.0-pre.37. For testing this package I am using this script:

using System;
using Unity.Services.Authentication;
using UnityEngine;
using Unity.Services.Core;

public class authentication : MonoBehaviour
{
    // Start is called before the first frame update
    async void Start()
    {
        try
        {
            await UnityServices.InitializeAsync();

            // Check that scene has not been unloaded while processing async wait to prevent throw.
            if (this == null) return;

            if (!AuthenticationService.Instance.IsSignedIn)
            {
                await AuthenticationService.Instance.SignInAnonymouslyAsync();
                if (this == null) return;
            }

            Debug.Log($"Player id:{AuthenticationService.Instance.PlayerId}");

            Debug.Log("Initialization and signin complete.");
        }
        catch (Exception e)
        {
            Debug.LogException(e);
        }
    }
}

Anonymous sign-in works well in the editor, but in a build on mobile I am getting warnings and errors. For testing I am using an Honor 7 lite mobile with Android version 7.0 (API 24).

Warnings are:
[Authentication]: Well-known keys request failed (attempt: 1): 0, SSL CA certificate error
UnityEngine.StackTraceUtility:ExtractStackTrace () (at /Users/bokken/buildslave/unity/build/Runtime/Export/Scripting/StackTrace.cs:37)
UnityEngine.DebugLogHandler:LogFormat (UnityEngine.LogType,UnityEngine.Object,string,object[ ])
UnityEngine.Logger:LogWarning (string,object)
Unity.Services.Authentication.Utilities.Logger:LogWarning (object) (at Library/PackageCache/com.unity.services.authentication@1.0.0-pre.37/Runtime/Utilities/Logger.cs:16)
Unity.Services.Authentication.AuthenticationServiceInternal/d__93:MoveNext () (at Library/PackageCache/com.unity.services.authentication@1.0.0-pre.37/Runtime/AuthenticationServiceInternal.cs:382)
System.Runtime.CompilerServices.AsyncMethodBuilderCore/MoveNextRunner:InvokeMoveNext (object)
System.Threading.ExecutionContext:RunInternal (System.Threading.ExecutionContext,System.Threading.ContextCallback,object,bool)
System.Threading.ExecutionContext:Run (System.Threading.ExecutionContext,System.Threading.ContextCallback,object,bool)
System.Runtime.CompilerServices.AsyncMethodBuilderCore/MoveNextRunner:Run ()
System.Threading.Tasks.AwaitTaskContinuation:InvokeAction (object)
System.Threading.Tasks.AwaitTaskContinuation:RunCallback (System.Threading.ContextCallback,object,System.Threading.Tasks.Task&)
System.Threading.Tasks.SynchronizationContextAwaitTaskContinuation:Run (System.Threading.Tasks.Task,bool)
System.Threading.Tasks.Task:FinishContinuations ()
System.Threading.Tasks.Task:FinishStageThree ()
System.Threading.Tasks.Task:FinishStageTwo ()
System.Threading.Tasks.Task:Finish (bool)
System.Threading.Tasks.Task:TrySetException (object)
System.Runtime.CompilerServices.AsyncTaskMethodBuilder1<Unity.Services.Authentication.Models.WellKnownKeys>:SetException (System.Exception)
Unity.Services.Authentication.Utilities.WebRequest/<SendAsync>d__181<Unity.Services.Authentication.Models.WellKnownKeys>:MoveNext () (at Library/PackageCache/com.unity.services.authentication@1.0.0-pre.37/Runtime/Utilities/WebRequest.cs:83)
System.Runtime.CompilerServices.AsyncMethodBuilderCore/MoveNextRunner:InvokeMoveNext (object)
System.Threading.ExecutionContext:RunInternal (System.Threading.ExecutionContext,System.Threading.ContextCallback,object,bool)
System.Threading.ExecutionContext:Run (System.Threading.ExecutionContext,System.Threading.ContextCallback,object,bool)
System.Runtime.CompilerServices.AsyncMethodBuilderCore/MoveNextRunner:Run ()
System.Threading.Tasks.AwaitTaskContinuation:InvokeAction (object)
System.Threading.Tasks.AwaitTaskContinuation:RunCallback (System.Threading.ContextCallback,object,System.Threading.Tasks.Task&)
System.Threading.Tasks.SynchronizationContextAwaitTaskContinuation:Run (System.Threading.Tasks.Task,bool)
System.Threading.Tasks.Task:FinishContinuations ()
System.Threading.Tasks.Task:FinishStageThree ()
System.Threading.Tasks.Task:FinishStageTwo ()
System.Threading.Tasks.Task:Finish (bool)
System.Threading.Tasks.Task:TrySetException (object)
System.Threading.Tasks.TaskCompletionSource1<string>:TrySetException (System.Exception)
System.Threading.Tasks.TaskCompletionSource1:SetException (System.Exception)
Unity.Services.Authentication.Utilities.WebRequest:RequestCompleted (System.Threading.Tasks.TaskCompletionSource1<string>,long,bool,bool,string,string,System.Collections.Generic.IDictionary2<string, string>) (at PackageCache/com.unity.services.authentication@1.0.0-pre.37/Runtime/Utilities/WebRequest.cs:208)
Unity.Services.Authentication.Utilities.WebRequest/<>c__DisplayClass19_1:b__0 (UnityEngine.AsyncOperation) (at Library/PackageCache/com.unity.services.authentication@1.0.0-pre.37/Runtime/Utilities/WebRequest.cs:95)
UnityEngine.AsyncOperation:InvokeCompletionEvent () (at /Users/bokken/buildslave/unity/build/Runtime/Export/Scripting/AsyncOperation.cs:21)
[Authentication]: Request completed with error: SSL CA certificate error
UnityEngine.StackTraceUtility:ExtractStackTrace () (at /Users/bokken/buildslave/unity/build/Runtime/Export/Scripting/StackTrace.cs:37)
UnityEngine.DebugLogHandler:LogFormat (UnityEngine.LogType,UnityEngine.Object,string,object[ ])
UnityEngine.Logger:LogWarning (string,object)
Unity.Services.Authentication.Utilities.Logger:LogWarning (object) (at Library/PackageCache/com.unity.services.authentication@1.0.0-pre.37/Runtime/Utilities/Logger.cs:16)
Unity.Services.Authentication.Utilities.WebRequest:RequestCompleted (System.Threading.Tasks.TaskCompletionSource1<string>,long,bool,bool,string,string,System.Collections.Generic.IDictionary2<string, string>) (at Library/PackageCache/com.unity.services.authentication@1.0.0-pre.37/Runtime/Utilities/WebRequest.cs:209)
Unity.Services.Authentication.Utilities.WebRequest/<>c__DisplayClass19_1:b__0 (UnityEngine.AsyncOperation) (at Library/PackageCache/com.unity.services.authentication@1.0.0-pre.37/Runtime/Utilities/WebRequest.cs:95)
UnityEngine.AsyncOperation:InvokeCompletionEvent () (at /Users/bokken/buildslave/unity/build/Runtime/Export/Scripting/AsyncOperation.cs:21)

And error:
Curl error 60: Cert verify failed: UNITYTLS_X509VERIFY_FLAG_USER_ERROR1

How can I fix it?

Thank you very much

This suggests an expired SSL certificate, which is worrying! Was this build working previously and has stopped - or has the code never successfully logged in via the API?

I’ve checked the Authentication endpoint and the certificate is valid until March 2022, which is reassuring!

I’ve never been able to log in on my phone, an Honor 7 lite with Android 7.0 (API 24), but yesterday my co-worker tried it on a Samsung S20 FE 5G with Android 11 (API 30) and he logged in successfully.

As additional information I can mention that we are using Unity 2021.2.7f1. Do you need me to provide any more information?