QR for mobile app is not working

I am user of this app because the company where I am working selected it as an allowed secure one. But I have a problem. The mobile option is not working. Once an another the QR turns error after reading the first page. And I have no option to fix that problem.

My mobile phone is a Xiaomi Redmi Note 9s with Android version 12 MIUI version 14.0.3.

hello @csm-accsa could you provide logs from the Android app?

  1. Before the error occurs first enable logs: click the top-right question mark icon (i.e. on the scanning camera screen) → enable logs
  2. reproduce the error
  3. share the logs by going again to the top-right question mark icon → access logs

P.S. find&replace the server URL in the logs file if you don’t want it shared here

hello @mmichalek . I am sharing the logs.

I also want to comment that, as I said before, Passbolt is corporate. It does not have internet access. It is only functional by logging in through a corporate VPN.

It is also worth clarifying that it is not a generic problem because it is working OK for other users through their cell phone.

Device: Xiaomi Redmi Note 9S
Android 12 (31)
Passbolt 1.22.0-32

10:32:40 a. m. javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:358)
at com.android.org.conscrypt.ConscryptEngine.convertException(ConscryptEngine.java:1131)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1086)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:873)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:744)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:709)
at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.processDataFromSocket(ConscryptEngineSocket.java:898)
at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.-$$Nest$mprocessDataFromSocket(Unknown Source:0)
at com.android.org.conscrypt.ConscryptEngineSocket.doHandshake(ConscryptEngineSocket.java:238)
at com.android.org.conscrypt.ConscryptEngineSocket.startHandshake(ConscryptEngineSocket.java:220)
at okhttp3.internal.connection.RealConnection.connectTls(SourceFile:379)
at okhttp3.internal.connection.RealConnection.establishProtocol(SourceFile:337)
at okhttp3.internal.connection.RealConnection.connect(SourceFile:209)
at okhttp3.internal.connection.ExchangeFinder.findConnection(SourceFile:226)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(SourceFile:106)
at okhttp3.internal.connection.ExchangeFinder.find(SourceFile:74)
at okhttp3.internal.connection.RealCall.initExchange$okhttp(SourceFile:255)
at okhttp3.internal.connection.ConnectInterceptor.intercept(SourceFile:32)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.cache.CacheInterceptor.intercept(SourceFile:95)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.http.BridgeInterceptor.intercept(SourceFile:83)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(SourceFile:76)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.CookiesInterceptor$AddCookiesInterceptor.intercept(SourceFile:57)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.CookiesInterceptor$ReceivedCookiesInterceptor.intercept(SourceFile:38)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.AuthInterceptor.intercept(SourceFile:22)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.ChangeableBaseUrlInterceptor.intercept(SourceFile:40)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(SourceFile:201)
at okhttp3.internal.connection.RealCall$AsyncCall.run(SourceFile:517)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
at java.lang.Thread.run(Thread.java:1012)
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:661)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:510)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:430)
at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:358)
at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:90)
at com.android.org.conscrypt.ConscryptEngineSocket$2.checkServerTrusted(ConscryptEngineSocket.java:165)
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:269)
at com.android.org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1635)
at com.android.org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(Native Method)
at com.android.org.conscrypt.NativeSsl.readDirectByteBuffer(NativeSsl.java:572)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextDataDirect(ConscryptEngine.java:1092)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1076)
… 35 more
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
… 48 more

javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:358)
at com.android.org.conscrypt.ConscryptEngine.convertException(ConscryptEngine.java:1131)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1086)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:873)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:744)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:709)
at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.processDataFromSocket(ConscryptEngineSocket.java:898)
at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.-$$Nest$mprocessDataFromSocket(Unknown Source:0)
at com.android.org.conscrypt.ConscryptEngineSocket.doHandshake(ConscryptEngineSocket.java:238)
at com.android.org.conscrypt.ConscryptEngineSocket.startHandshake(ConscryptEngineSocket.java:220)
at okhttp3.internal.connection.RealConnection.connectTls(SourceFile:379)
at okhttp3.internal.connection.RealConnection.establishProtocol(SourceFile:337)
at okhttp3.internal.connection.RealConnection.connect(SourceFile:209)
at okhttp3.internal.connection.ExchangeFinder.findConnection(SourceFile:226)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(SourceFile:106)
at okhttp3.internal.connection.ExchangeFinder.find(SourceFile:74)
at okhttp3.internal.connection.RealCall.initExchange$okhttp(SourceFile:255)
at okhttp3.internal.connection.ConnectInterceptor.intercept(SourceFile:32)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.cache.CacheInterceptor.intercept(SourceFile:95)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.http.BridgeInterceptor.intercept(SourceFile:83)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(SourceFile:76)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.CookiesInterceptor$AddCookiesInterceptor.intercept(SourceFile:57)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.CookiesInterceptor$ReceivedCookiesInterceptor.intercept(SourceFile:38)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.AuthInterceptor.intercept(SourceFile:22)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.ChangeableBaseUrlInterceptor.intercept(SourceFile:40)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(SourceFile:201)
at okhttp3.internal.connection.RealCall$AsyncCall.run(SourceFile:517)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
at java.lang.Thread.run(Thread.java:1012)
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:661)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:510)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:430)
at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:358)
at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:90)
at com.android.org.conscrypt.ConscryptEngineSocket$2.checkServerTrusted(ConscryptEngineSocket.java:165)
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:269)
at com.android.org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1635)
at com.android.org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(Native Method)
at com.android.org.conscrypt.NativeSsl.readDirectByteBuffer(NativeSsl.java:572)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextDataDirect(ConscryptEngine.java:1092)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1076)
… 35 more
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
… 48 more
10:32:40 a. m. There was an error during transfer update
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:358)
at com.android.org.conscrypt.ConscryptEngine.convertException(ConscryptEngine.java:1131)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1086)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:873)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:744)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:709)
at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.processDataFromSocket(ConscryptEngineSocket.java:898)
at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.-$$Nest$mprocessDataFromSocket(Unknown Source:0)
at com.android.org.conscrypt.ConscryptEngineSocket.doHandshake(ConscryptEngineSocket.java:238)
at com.android.org.conscrypt.ConscryptEngineSocket.startHandshake(ConscryptEngineSocket.java:220)
at okhttp3.internal.connection.RealConnection.connectTls(SourceFile:379)
at okhttp3.internal.connection.RealConnection.establishProtocol(SourceFile:337)
at okhttp3.internal.connection.RealConnection.connect(SourceFile:209)
at okhttp3.internal.connection.ExchangeFinder.findConnection(SourceFile:226)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(SourceFile:106)
at okhttp3.internal.connection.ExchangeFinder.find(SourceFile:74)
at okhttp3.internal.connection.RealCall.initExchange$okhttp(SourceFile:255)
at okhttp3.internal.connection.ConnectInterceptor.intercept(SourceFile:32)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.cache.CacheInterceptor.intercept(SourceFile:95)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.http.BridgeInterceptor.intercept(SourceFile:83)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(SourceFile:76)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.CookiesInterceptor$AddCookiesInterceptor.intercept(SourceFile:57)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.CookiesInterceptor$ReceivedCookiesInterceptor.intercept(SourceFile:38)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.AuthInterceptor.intercept(SourceFile:22)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.ChangeableBaseUrlInterceptor.intercept(SourceFile:40)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(SourceFile:201)
at okhttp3.internal.connection.RealCall$AsyncCall.run(SourceFile:517)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
at java.lang.Thread.run(Thread.java:1012)
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:661)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:510)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:430)
at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:358)
at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:90)
at com.android.org.conscrypt.ConscryptEngineSocket$2.checkServerTrusted(ConscryptEngineSocket.java:165)
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:269)
at com.android.org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1635)
at com.android.org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(Native Method)
at com.android.org.conscrypt.NativeSsl.readDirectByteBuffer(NativeSsl.java:572)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextDataDirect(ConscryptEngine.java:1092)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1076)
… 35 more
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
… 48 more

javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:358)
at com.android.org.conscrypt.ConscryptEngine.convertException(ConscryptEngine.java:1131)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1086)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:873)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:744)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:709)
at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.processDataFromSocket(ConscryptEngineSocket.java:898)
at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.-$$Nest$mprocessDataFromSocket(Unknown Source:0)
at com.android.org.conscrypt.ConscryptEngineSocket.doHandshake(ConscryptEngineSocket.java:238)
at com.android.org.conscrypt.ConscryptEngineSocket.startHandshake(ConscryptEngineSocket.java:220)
at okhttp3.internal.connection.RealConnection.connectTls(SourceFile:379)
at okhttp3.internal.connection.RealConnection.establishProtocol(SourceFile:337)
at okhttp3.internal.connection.RealConnection.connect(SourceFile:209)
at okhttp3.internal.connection.ExchangeFinder.findConnection(SourceFile:226)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(SourceFile:106)
at okhttp3.internal.connection.ExchangeFinder.find(SourceFile:74)
at okhttp3.internal.connection.RealCall.initExchange$okhttp(SourceFile:255)
at okhttp3.internal.connection.ConnectInterceptor.intercept(SourceFile:32)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.cache.CacheInterceptor.intercept(SourceFile:95)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.http.BridgeInterceptor.intercept(SourceFile:83)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(SourceFile:76)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.CookiesInterceptor$AddCookiesInterceptor.intercept(SourceFile:57)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.CookiesInterceptor$ReceivedCookiesInterceptor.intercept(SourceFile:38)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.AuthInterceptor.intercept(SourceFile:22)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.ChangeableBaseUrlInterceptor.intercept(SourceFile:40)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(SourceFile:201)
at okhttp3.internal.connection.RealCall$AsyncCall.run(SourceFile:517)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
at java.lang.Thread.run(Thread.java:1012)
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:661)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:510)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:430)
at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:358)
at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:90)
at com.android.org.conscrypt.ConscryptEngineSocket$2.checkServerTrusted(ConscryptEngineSocket.java:165)
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:269)
at com.android.org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1635)
at com.android.org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(Native Method)
at com.android.org.conscrypt.NativeSsl.readDirectByteBuffer(NativeSsl.java:572)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextDataDirect(ConscryptEngine.java:1092)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1076)
… 35 more
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
… 48 more

Thank you - so there is some issue with SSL certificate trust chain CertPathValidatorException: Trust anchor for certification path not found - looks like the the Android OS cannot validate the certificate chain during connection to passbolt. The untrusted certificate can be in a couple of places (i.e. the passbolt instance certificate itself, corporate proxy certificate if used, VPN), so some more questions:

  1. Is this happening only for users who use VPN? Can users connected to the network in which passbolt is available without VPN use the app without issues?
  2. Is your device a corporate-managed device?
  3. Do you know if you have permission to install a custom CA certificate on the device? (Should be somewhere in Settings -> Security/Privacy -> Encryption -> Certificates -> CA Certificate depending on device)

Hi mmichaelk! Thanks for your help. Here are the answers:
1- Right now this problem is only happening in my device. We tested it with and without VPN and problem remains the same.
2- No, it is not. The device is a personal one.
3- As it is a personal device I have all permissions to install a certificate on it. CA is SECTIGO.