Bug SSL CA Certificate Error on Android 7

Discussion in 'Authentication' started by lambch0p, Nov 28, 2021.

  1. lambch0p

    lambch0p

    Joined:
    Oct 22, 2014
    Posts:
    62
    Hi,

    On one of my Android devices when trying to Authenticate I receive a:

    Unity.Services.Core.RequestFailedException: Network Error: SSL CA certificate error

    My game is targeting API 30 and has a minimum API of 23. The device that is receiving the error is API level 24.

    When I deploy the code to a device running API 30 it works fine.

    I am calling AuthenticationService.Instance.SignInAnonymouslyAsync()

    Thanks
    Mick
     
  2. SebT_Unity

    SebT_Unity

    Unity Technologies

    Joined:
    Jun 21, 2021
    Posts:
    279
    Hi Mick,
    Thanks for that detailed information.
    I will try to reproduce the error and report back here with status/results.

    Could you also share your Unity version?

    Best,
    Sebastiano
     
  3. lambch0p

    lambch0p

    Joined:
    Oct 22, 2014
    Posts:
    62

    Sure I'm currently using 2021.2.4f1 but had the same issue in 2021.2.3f1.
     
  4. Laurie-Unity

    Laurie-Unity

    Unity Technologies

    Joined:
    Mar 5, 2020
    Posts:
    220
    Hi Mick,

    The SSL / CA Error that you are receiving is down to the Android version on one of your devices.

    I have tested your code sample successfully on API 25 and above and am currently seeking confirmation on the minimum version required.
     
  5. lambch0p

    lambch0p

    Joined:
    Oct 22, 2014
    Posts:
    62
    Great, thanks. If 24 is below minimum then I can get a different test device.
     
  6. lambch0p

    lambch0p

    Joined:
    Oct 22, 2014
    Posts:
    62
    It would be good to know if there is a minimum level for iOS as well, as I need to purchase an Apple device for testing.
     
  7. Laurie-Unity

    Laurie-Unity

    Unity Technologies

    Joined:
    Mar 5, 2020
    Posts:
    220
    I'll update this thread when I get confirmation on iOS and Android versions.
     
  8. eclecticLoad

    eclecticLoad

    Joined:
    Mar 13, 2015
    Posts:
    2
    Hi guys,

    I'm currently dealing with a similar problem that I'm pretty sure would be caused by the same issue and I'm posting to share the cause of the problem with you guys.
    Since October 2021 Let's Encrypt's previous SSL certificate (DST Root CA X3) expired and they switched over to using their own certificate called ISRG Root X1 and X2.
    Trusted certificates are actually added to Android devices on an OS level and Android versions starting from 7.1.1/API 25 contain the ISRG certificates.
    On the other hand, older OS versions only contain the DST Root CA X3 certificate, which causes SSL requests to fail.

    They detailed this situation in this blog post: https://letsencrypt.org/2020/11/06/own-two-feet.html. However, later on they managed to find a solution with the old certificate, outlined here: https://letsencrypt.org/2020/12/21/extending-android-compatibility.html .
    A key point in that solution is explained at the bottom: "When we make that change, subscribers will have the option to continue using DST Root CA X3 by configuring their ACME client to specifically request it.".
    So basically the certificate can be configured on a per-website basis and thus you should be capable of specifically requesting the old certificate, but if you don't do that SSL requests will still fail.

    Because of this I've been looking for a way to manually add the new certificates to the Android app so that secure web requests will hopefully continue to work. The only solution I found so far was specifically for Android 7, so hopefully this helps you out: https://www.danieldent.com/blog/android-apps-lets-encrypt-dst-root-expiry/ .
    I'm personally looking for a solution that would be compatible with Android 6, so if anybody runs into something I would love to hear your take on this problem.
     
    Gnejs, crekri and amjaliks like this.
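The trust-store mismatch described in post 8, as an added example that is not part of the original thread or of any Unity or Let's Encrypt code: a simplified path-building model showing why a chain that ends at ISRG Root X1 fails on API 24 while the cross-signed chain still reaches DST Root CA X3. The certificate records, the host name `api.example.test`, the dates and the name-only trust stores are constructed sample values; real validation also checks signatures and keys.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

# Constructed, simplified records: CA names are real, dates are approximate.
LEAF = Cert("api.example.test", "R3", date(2022, 3, 1))
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))

# Trust stores reduced to root names; per the post, ISRG roots ship from API 25.
STORE_API24 = {"DST Root CA X3"}
STORE_API25 = {"DST Root CA X3", "ISRG Root X1"}

NOW = date(2021, 11, 28)  # date the thread was started

def find_anchor(served, store, now):
    """Walk from the leaf through the served certs.

    Returns the name of the trusted root that was reached, or None.
    The anchor's own expiry is deliberately not checked: that is the Android
    behaviour the linked Let's Encrypt compatibility post relies on.
    """
    by_subject = {c.subject: c for c in served[1:]}
    cert, seen = served[0], set()
    while cert is not None and cert.subject not in seen:
        seen.add(cert.subject)
        if cert.not_after < now:      # expired leaf or intermediate
            return None
        if cert.issuer in store:      # issuer is a trust anchor on this device
            return cert.issuer
        cert = by_subject.get(cert.issuer)  # otherwise keep climbing
    return None

def compare(now=NOW):
    """Result for both chains on both trust stores."""
    chains = {"short": [LEAF, R3], "cross-signed": [LEAF, R3, X1_CROSS]}
    stores = {"API 24": STORE_API24, "API 25+": STORE_API25}
    return {(c, s): find_anchor(chain, store, now)
            for c, chain in chains.items() for s, store in stores.items()}

if __name__ == "__main__":
    for (chain, store), anchor in compare().items():
        print(f"{chain:13} on {store:8}: {anchor or 'no trusted root'}")
```

Which chain a given endpoint actually serves has to be checked against the live server; the model only shows how the outcome depends on the device's root store.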
  9. klemmedan

    klemmedan

    Joined:
    May 18, 2018
    Posts:
    2
    Any update on what versions work?
     
  10. saadk_unity

    saadk_unity

    Unity Technologies

    Joined:
    Oct 15, 2021
    Posts:
    12
    Hi! Android API levels 21 and above are supported with TLS 1.2 or above enabled. We currently don't have plans to support TLS 1.1.

    A link to the common errors page : https://docs.unity.com/authentication/CommonErrors.htm
     
  11. klemmedan

    klemmedan

    Joined:
    May 18, 2018
    Posts:
    2
    Thanks! Huh, that’s weird then. It seems Android 7.0 (API 24) should work just fine based on that, but I’m running into the exact same issue with that level of Android or below.
     
  12. Kubinna

    Kubinna

    Joined:
    Apr 19, 2015
    Posts:
    17
    Hello,

    In my project I am using the Authentication package, version 1.0.0-pre.37. For testing this package I am using this script:

    Code (CSharp):
    using System;
    using Unity.Services.Authentication;
    using UnityEngine;
    using Unity.Services.Core;

    public class authentication : MonoBehaviour
    {
        // Start is called before the first frame update
        async void Start()
        {
            try
            {
                await UnityServices.InitializeAsync();

                // Check that scene has not been unloaded while processing async wait to prevent throw.
                if (this == null) return;

                if (!AuthenticationService.Instance.IsSignedIn)
                {
                    await AuthenticationService.Instance.SignInAnonymouslyAsync();
                    if (this == null) return;
                }

                Debug.Log($"Player id:{AuthenticationService.Instance.PlayerId}");

                Debug.Log("Initialization and signin complete.");
            }
            catch (Exception e)
            {
                Debug.LogException(e);
            }
        }
    }

    Anonymous sign-in works well in the editor, but in a build on mobile I am getting warnings and errors. For testing I am using a mobile Honor 7 lite with Android version 7.0 API 24.

    Warnings are:
    [Authentication]: Well-known keys request failed (attempt: 1): 0, SSL CA certificate error
    UnityEngine.StackTraceUtility:ExtractStackTrace () (at /Users/bokken/buildslave/unity/build/Runtime/Export/Scripting/StackTrace.cs:37)
    UnityEngine.DebugLogHandler:LogFormat (UnityEngine.LogType,UnityEngine.Object,string,object[])
    UnityEngine.Logger:LogWarning (string,object)
    Unity.Services.Authentication.Utilities.Logger:LogWarning (object) (at Library/PackageCache/com.unity.services.authentication@1.0.0-pre.37/Runtime/Utilities/Logger.cs:16)
    Unity.Services.Authentication.AuthenticationServiceInternal/<GetWellKnownKeysAsync>d__93:MoveNext () (at Library/PackageCache/com.unity.services.authentication@1.0.0-pre.37/Runtime/AuthenticationServiceInternal.cs:382)
    System.Runtime.CompilerServices.AsyncMethodBuilderCore/MoveNextRunner:InvokeMoveNext (object)
    System.Threading.ExecutionContext:RunInternal (System.Threading.ExecutionContext,System.Threading.ContextCallback,object,bool)
    System.Threading.ExecutionContext:Run (System.Threading.ExecutionContext,System.Threading.ContextCallback,object,bool)
    System.Runtime.CompilerServices.AsyncMethodBuilderCore/MoveNextRunner:Run ()
    System.Threading.Tasks.AwaitTaskContinuation:InvokeAction (object)
    System.Threading.Tasks.AwaitTaskContinuation:RunCallback (System.Threading.ContextCallback,object,System.Threading.Tasks.Task&)
    System.Threading.Tasks.SynchronizationContextAwaitTaskContinuation:Run (System.Threading.Tasks.Task,bool)
    System.Threading.Tasks.Task:FinishContinuations ()
    System.Threading.Tasks.Task:FinishStageThree ()
    System.Threading.Tasks.Task:FinishStageTwo ()
    System.Threading.Tasks.Task:Finish (bool)
    System.Threading.Tasks.Task:TrySetException (object)
    System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1<Unity.Services.Authentication.Models.WellKnownKeys>:SetException (System.Exception)
    Unity.Services.Authentication.Utilities.WebRequest/<SendAsync>d__18`1<Unity.Services.Authentication.Models.WellKnownKeys>:MoveNext () (at Library/PackageCache/com.unity.services.authentication@1.0.0-pre.37/Runtime/Utilities/WebRequest.cs:83)
    System.Runtime.CompilerServices.AsyncMethodBuilderCore/MoveNextRunner:InvokeMoveNext (object)
    System.Threading.ExecutionContext:RunInternal (System.Threading.ExecutionContext,System.Threading.ContextCallback,object,bool)
    System.Threading.ExecutionContext:Run (System.Threading.ExecutionContext,System.Threading.ContextCallback,object,bool)
    System.Runtime.CompilerServices.AsyncMethodBuilderCore/MoveNextRunner:Run ()
    System.Threading.Tasks.AwaitTaskContinuation:InvokeAction (object)
    System.Threading.Tasks.AwaitTaskContinuation:RunCallback (System.Threading.ContextCallback,object,System.Threading.Tasks.Task&)
    System.Threading.Tasks.SynchronizationContextAwaitTaskContinuation:Run (System.Threading.Tasks.Task,bool)
    System.Threading.Tasks.Task:FinishContinuations ()
    System.Threading.Tasks.Task:FinishStageThree ()
    System.Threading.Tasks.Task:FinishStageTwo ()
    System.Threading.Tasks.Task:Finish (bool)
    System.Threading.Tasks.Task:TrySetException (object)
    System.Threading.Tasks.TaskCompletionSource`1<string>:TrySetException (System.Exception)
    System.Threading.Tasks.TaskCompletionSource`1<string>:SetException (System.Exception)
    Unity.Services.Authentication.Utilities.WebRequest:RequestCompleted (System.Threading.Tasks.TaskCompletionSource`1<string>,long,bool,bool,string,string,System.Collections.Generic.IDictionary`2<string, string>) (at PackageCache/com.unity.services.authentication@1.0.0-pre.37/Runtime/Utilities/WebRequest.cs:208)
    Unity.Services.Authentication.Utilities.WebRequest/<>c__DisplayClass19_1:<SendAttemptAsync>b__0 (UnityEngine.AsyncOperation) (at Library/PackageCache/com.unity.services.authentication@1.0.0-pre.37/Runtime/Utilities/WebRequest.cs:95)
    UnityEngine.AsyncOperation:InvokeCompletionEvent () (at /Users/bokken/buildslave/unity/build/Runtime/Export/Scripting/AsyncOperation.cs:21)

    [Authentication]: Request completed with error: SSL CA certificate error
    UnityEngine.StackTraceUtility:ExtractStackTrace () (at /Users/bokken/buildslave/unity/build/Runtime/Export/Scripting/StackTrace.cs:37)
    UnityEngine.DebugLogHandler:LogFormat (UnityEngine.LogType,UnityEngine.Object,string,object[])
    UnityEngine.Logger:LogWarning (string,object)
    Unity.Services.Authentication.Utilities.Logger:LogWarning (object) (at Library/PackageCache/com.unity.services.authentication@1.0.0-pre.37/Runtime/Utilities/Logger.cs:16)
    Unity.Services.Authentication.Utilities.WebRequest:RequestCompleted (System.Threading.Tasks.TaskCompletionSource`1<string>,long,bool,bool,string,string,System.Collections.Generic.IDictionary`2<string, string>) (at Library/PackageCache/com.unity.services.authentication@1.0.0-pre.37/Runtime/Utilities/WebRequest.cs:209)
    Unity.Services.Authentication.Utilities.WebRequest/<>c__DisplayClass19_1:<SendAttemptAsync>b__0 (UnityEngine.AsyncOperation) (at Library/PackageCache/com.unity.services.authentication@1.0.0-pre.37/Runtime/Utilities/WebRequest.cs:95)
    UnityEngine.AsyncOperation:InvokeCompletionEvent () (at /Users/bokken/buildslave/unity/build/Runtime/Export/Scripting/AsyncOperation.cs:21)


    And error:
    Curl error 60: Cert verify failed: UNITYTLS_X509VERIFY_FLAG_USER_ERROR1

    How can I fix it?

    Thank you very much :)
     
  13. unity_Ctri

    unity_Ctri

    Unity Technologies

    Joined:
    Oct 20, 2020
    Posts:
    81
    This suggests an expired SSL certificate, which is worrying! Was this build working previously and has stopped - or has the code never successfully logged in via the API?

    I've checked the Authentication endpoint and the certificate is valid until March 2022, which is reassuring!
     
  14. Kubinna

    Kubinna

    Joined:
    Apr 19, 2015
    Posts:
    17
    I've never been able to log in on my phone, an Honor 7 lite with Android 7.0 API 24, but yesterday my co-worker tried it on a Samsung S20 FE 5G with Android 11 API 30 and he logged in successfully.
     
    Last edited: Feb 16, 2022
  15. Kubinna

    Kubinna

    Joined:
    Apr 19, 2015
    Posts:
    17
    As additional information I can mention that we are using Unity 2021.2.7f1. Do you need to provide any more information?