I am user of this app because the company where I am working selected it as an allowed secure one. But I have a problem. The mobile option is not working. Once an another the QR turns error after reading the first page. And I have no option to fix that problem.
My mobile phone is a Xiaomi Redmi Note 9s with Android version 12 MIUI version 14.0.3.
hello @csm-accsa could you provide logs from the Android app?
P.S. find&replace the server URL in the logs file if you donβt want it shared here
hello @mmichalek . I am sharing the logs.
I also want to comment that, as I said before, Passbolt is corporate. It does not have internet access. It is only functional by logging in through a corporate VPN.
It is also worth clarifying that it is not a generic problem because it is working OK for other users through their cell phone.
Device: Xiaomi Redmi Note 9S
Android 12 (31)
Passbolt 1.22.0-32
10:32:40 a. m. javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:358)
at com.android.org.conscrypt.ConscryptEngine.convertException(ConscryptEngine.java:1131)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1086)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:873)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:744)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:709)
at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.processDataFromSocket(ConscryptEngineSocket.java:898)
at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.-$$Nest$mprocessDataFromSocket(Unknown Source:0)
at com.android.org.conscrypt.ConscryptEngineSocket.doHandshake(ConscryptEngineSocket.java:238)
at com.android.org.conscrypt.ConscryptEngineSocket.startHandshake(ConscryptEngineSocket.java:220)
at okhttp3.internal.connection.RealConnection.connectTls(SourceFile:379)
at okhttp3.internal.connection.RealConnection.establishProtocol(SourceFile:337)
at okhttp3.internal.connection.RealConnection.connect(SourceFile:209)
at okhttp3.internal.connection.ExchangeFinder.findConnection(SourceFile:226)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(SourceFile:106)
at okhttp3.internal.connection.ExchangeFinder.find(SourceFile:74)
at okhttp3.internal.connection.RealCall.initExchange$okhttp(SourceFile:255)
at okhttp3.internal.connection.ConnectInterceptor.intercept(SourceFile:32)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.cache.CacheInterceptor.intercept(SourceFile:95)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.http.BridgeInterceptor.intercept(SourceFile:83)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(SourceFile:76)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.CookiesInterceptor$AddCookiesInterceptor.intercept(SourceFile:57)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.CookiesInterceptor$ReceivedCookiesInterceptor.intercept(SourceFile:38)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.AuthInterceptor.intercept(SourceFile:22)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.ChangeableBaseUrlInterceptor.intercept(SourceFile:40)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(SourceFile:201)
at okhttp3.internal.connection.RealCall$AsyncCall.run(SourceFile:517)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
at java.lang.Thread.run(Thread.java:1012)
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:661)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:510)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:430)
at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:358)
at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:90)
at com.android.org.conscrypt.ConscryptEngineSocket$2.checkServerTrusted(ConscryptEngineSocket.java:165)
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:269)
at com.android.org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1635)
at com.android.org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(Native Method)
at com.android.org.conscrypt.NativeSsl.readDirectByteBuffer(NativeSsl.java:572)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextDataDirect(ConscryptEngine.java:1092)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1076)
β¦ 35 more
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
β¦ 48 more
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:358)
at com.android.org.conscrypt.ConscryptEngine.convertException(ConscryptEngine.java:1131)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1086)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:873)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:744)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:709)
at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.processDataFromSocket(ConscryptEngineSocket.java:898)
at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.-$$Nest$mprocessDataFromSocket(Unknown Source:0)
at com.android.org.conscrypt.ConscryptEngineSocket.doHandshake(ConscryptEngineSocket.java:238)
at com.android.org.conscrypt.ConscryptEngineSocket.startHandshake(ConscryptEngineSocket.java:220)
at okhttp3.internal.connection.RealConnection.connectTls(SourceFile:379)
at okhttp3.internal.connection.RealConnection.establishProtocol(SourceFile:337)
at okhttp3.internal.connection.RealConnection.connect(SourceFile:209)
at okhttp3.internal.connection.ExchangeFinder.findConnection(SourceFile:226)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(SourceFile:106)
at okhttp3.internal.connection.ExchangeFinder.find(SourceFile:74)
at okhttp3.internal.connection.RealCall.initExchange$okhttp(SourceFile:255)
at okhttp3.internal.connection.ConnectInterceptor.intercept(SourceFile:32)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.cache.CacheInterceptor.intercept(SourceFile:95)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.http.BridgeInterceptor.intercept(SourceFile:83)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(SourceFile:76)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.CookiesInterceptor$AddCookiesInterceptor.intercept(SourceFile:57)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.CookiesInterceptor$ReceivedCookiesInterceptor.intercept(SourceFile:38)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.AuthInterceptor.intercept(SourceFile:22)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.ChangeableBaseUrlInterceptor.intercept(SourceFile:40)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(SourceFile:201)
at okhttp3.internal.connection.RealCall$AsyncCall.run(SourceFile:517)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
at java.lang.Thread.run(Thread.java:1012)
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:661)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:510)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:430)
at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:358)
at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:90)
at com.android.org.conscrypt.ConscryptEngineSocket$2.checkServerTrusted(ConscryptEngineSocket.java:165)
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:269)
at com.android.org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1635)
at com.android.org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(Native Method)
at com.android.org.conscrypt.NativeSsl.readDirectByteBuffer(NativeSsl.java:572)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextDataDirect(ConscryptEngine.java:1092)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1076)
β¦ 35 more
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
β¦ 48 more
10:32:40 a. m. There was an error during transfer update
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:358)
at com.android.org.conscrypt.ConscryptEngine.convertException(ConscryptEngine.java:1131)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1086)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:873)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:744)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:709)
at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.processDataFromSocket(ConscryptEngineSocket.java:898)
at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.-$$Nest$mprocessDataFromSocket(Unknown Source:0)
at com.android.org.conscrypt.ConscryptEngineSocket.doHandshake(ConscryptEngineSocket.java:238)
at com.android.org.conscrypt.ConscryptEngineSocket.startHandshake(ConscryptEngineSocket.java:220)
at okhttp3.internal.connection.RealConnection.connectTls(SourceFile:379)
at okhttp3.internal.connection.RealConnection.establishProtocol(SourceFile:337)
at okhttp3.internal.connection.RealConnection.connect(SourceFile:209)
at okhttp3.internal.connection.ExchangeFinder.findConnection(SourceFile:226)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(SourceFile:106)
at okhttp3.internal.connection.ExchangeFinder.find(SourceFile:74)
at okhttp3.internal.connection.RealCall.initExchange$okhttp(SourceFile:255)
at okhttp3.internal.connection.ConnectInterceptor.intercept(SourceFile:32)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.cache.CacheInterceptor.intercept(SourceFile:95)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.http.BridgeInterceptor.intercept(SourceFile:83)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(SourceFile:76)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.CookiesInterceptor$AddCookiesInterceptor.intercept(SourceFile:57)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.CookiesInterceptor$ReceivedCookiesInterceptor.intercept(SourceFile:38)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.AuthInterceptor.intercept(SourceFile:22)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.ChangeableBaseUrlInterceptor.intercept(SourceFile:40)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(SourceFile:201)
at okhttp3.internal.connection.RealCall$AsyncCall.run(SourceFile:517)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
at java.lang.Thread.run(Thread.java:1012)
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:661)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:510)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:430)
at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:358)
at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:90)
at com.android.org.conscrypt.ConscryptEngineSocket$2.checkServerTrusted(ConscryptEngineSocket.java:165)
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:269)
at com.android.org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1635)
at com.android.org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(Native Method)
at com.android.org.conscrypt.NativeSsl.readDirectByteBuffer(NativeSsl.java:572)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextDataDirect(ConscryptEngine.java:1092)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1076)
β¦ 35 more
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
β¦ 48 more
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:358)
at com.android.org.conscrypt.ConscryptEngine.convertException(ConscryptEngine.java:1131)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1086)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:873)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:744)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:709)
at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.processDataFromSocket(ConscryptEngineSocket.java:898)
at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.-$$Nest$mprocessDataFromSocket(Unknown Source:0)
at com.android.org.conscrypt.ConscryptEngineSocket.doHandshake(ConscryptEngineSocket.java:238)
at com.android.org.conscrypt.ConscryptEngineSocket.startHandshake(ConscryptEngineSocket.java:220)
at okhttp3.internal.connection.RealConnection.connectTls(SourceFile:379)
at okhttp3.internal.connection.RealConnection.establishProtocol(SourceFile:337)
at okhttp3.internal.connection.RealConnection.connect(SourceFile:209)
at okhttp3.internal.connection.ExchangeFinder.findConnection(SourceFile:226)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(SourceFile:106)
at okhttp3.internal.connection.ExchangeFinder.find(SourceFile:74)
at okhttp3.internal.connection.RealCall.initExchange$okhttp(SourceFile:255)
at okhttp3.internal.connection.ConnectInterceptor.intercept(SourceFile:32)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.cache.CacheInterceptor.intercept(SourceFile:95)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.http.BridgeInterceptor.intercept(SourceFile:83)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(SourceFile:76)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.CookiesInterceptor$AddCookiesInterceptor.intercept(SourceFile:57)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.CookiesInterceptor$ReceivedCookiesInterceptor.intercept(SourceFile:38)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.AuthInterceptor.intercept(SourceFile:22)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at com.passbolt.mobile.android.core.networking.interceptor.ChangeableBaseUrlInterceptor.intercept(SourceFile:40)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:109)
at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(SourceFile:201)
at okhttp3.internal.connection.RealCall$AsyncCall.run(SourceFile:517)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
at java.lang.Thread.run(Thread.java:1012)
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:661)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:510)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:430)
at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:358)
at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:90)
at com.android.org.conscrypt.ConscryptEngineSocket$2.checkServerTrusted(ConscryptEngineSocket.java:165)
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:269)
at com.android.org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1635)
at com.android.org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(Native Method)
at com.android.org.conscrypt.NativeSsl.readDirectByteBuffer(NativeSsl.java:572)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextDataDirect(ConscryptEngine.java:1092)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1076)
β¦ 35 more
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
β¦ 48 more
Thank you - so there is some issue with SSL certificate trust chain CertPathValidatorException: Trust anchor for certification path not found - looks like the the Android OS cannot validate the certificate chain during connection to passbolt. The untrusted certificate can be in a couple of places (i.e. the passbolt instance certificate itself, corporate proxy certificate if used, VPN), so some more questions:
Settings -> Security/Privacy -> Encryption -> Certificates -> CA Certificate depending on device)Hi mmichaelk! Thanks for your help. Here are the answers:
1- Right now this problem is only happening in my device. We tested it with and without VPN and problem remains the same.
2- No, it is not. The device is a personal one.
3- As it is a personal device I have all permissions to install a certificate on it. CA is SECTIGO.
Ok so passbolt cert is signed by Sectigo? Can you go to system Settings β Security/Privacy β Encryption β Trusted Certificates and find the matching Sectigo cert on the list and check if itβs there and if the switch is enabled?
One more verification I can think of is to use https://www.ssllabs.com/ssltest/ to test the server SSL but I am not sure if this can be done if passbolt is accessible through VPN only. This tool can print the report for certification paths (when you go to details β Certification Paths β Android); Also at the end of report there is Handshake Simulation for different Android versions.
Hi @mmichalek, thanks a lot for all your help on this matter!
The certificate that was being used in Passbolt was modified on the company server to include the complete chain of certificates up to the CA.
Problem has been solved with thi action.