Resolved UnityWebRequest report an error : SSL CA certificate error

Hi,
when Android API >= 28, Google does not allow plaintext HTTP requests, but if I change the request to HTTPS, an SSL CA certificate error will occur,But the website certificate is without a problem

Is there a solution?

 

Unity cannot configure the publisher certificate itself

 

Can't you call the certificates configured in the aar package?

 

You can try using System.Net.WebRequest and the following snippet instead:

Code (CSharp):

1. ServicePointManager.ServerCertificateValidationCallback +=
2.     (sender, certificate, chain, sslPolicyErrors) => true;

But I think you should just get a valid web certificate, it's worth learning how to use ACME/LetsEncrypt.

 

Ah, maybe I'm used to iOS development where the underlying web request library is libcurl. I didn't realize that it was engineered to respect some obscure .Net certificate handling scheme!

 

Does anyone have a proper solution for this one?

 

For those who's interested in a workaround, create a certificate handler that accepts all certs (what I've found in another thread):

Code (CSharp):

1. public class ForceAcceptAll : CertificateHandler
2. {
3.     protected override bool ValidateCertificate(byte[] certificateData)
4.     {
5.         return true;
6.     }
7. }

Then, feed it as a field to the UnityWebRequest, like:

Code (CSharp):

1. var cert = new ForceAcceptAll();
2.  
3. // www is a UnityWebRequest
4. www.certificateHandler = cert;
5.  
6. // Send
7.  
8. cert?.Dispose();

Note that unfortunately its not working while re-using single certificate, that's why you need to create a new instance (and dispose it later). But its not as big GC as web request itself, so it shouldn't be too much for you.

Edit: Also, be aware that this is potentially a GP developer policy breach, if used incorrectly (and found by the Google, your build might get rejected).

So use it with caution, and do not send vital / secret / personal information via those requests.

 

@xVergilx hmmm I wouldn't know about that. It's a workaround for sure, but it's like saying instead of locking the door I will just put a chair against the door knob and hope for the best. In other words, if there's a security issue with the certificate this workaround is simply gambling with your player's data security. I'd rather check what's wrong with the certificate and maybe replace it.

 

I doubt we'll be able to replace an Amazon certificate (because that's where bucket from which we load asset bundles are) validation on some chineese devices (because that's what user base uses unfortunately).

I don't know any other workaround for this case.
We're using that request only to download bundles. No personal data involved. Its a public readonly access bucket.

Actually HTTP would've worked just fine (so its kinda works like that?).
Also, I don't think you can really inject executable code via MITM or alike to the asset bundle that can be executed, AFAIK.


This issue is definitely beyond mortal realm of peasant dwarf devs (like me).
Just trusting an OS to figure out what's safe and what's not doesn't work.

Just FYI, Accessing that bucket from the devices browser is not a problem, however, Unity's SSL validation fails miserably.

But Unity haven't provided a proper, known to me, fix yet, as of (2018.4~).

Edit: Also added a warning about it.

 

fair enough, my comment was taking for granted you had control over the ssl certificate. But is it also the case for the OP?

 

unity WWW Error: HTTP/1.1 404 Not Found
UnityEngine.Debug:Log(Object)
<GetStatusData>d__10:MoveNext() (at Assets/NewScripts/RegistrationControllerScript.cs:64)
UnityEngine.SetupCoroutine:InvokeMoveNext(IEnumerator, IntPtr)
showing this error please help me to recover this issue;

Code (CSharp):

1. using UnityEngine;
2. using UnityEngine.Networking;
3. using System.Security.Cryptography.X509Certificates;
4.  
5. public class AcceptAllCertificatesSignedWithASpecificKeyPublicKey : CertificateHandler
6. {
7.  
8.     // Encoded RSAPublicKey
9.     private static string PUB_KEY = "3082010A0282010100AD3E1BBBF82BE073DC5756F57452DB15F1FE3AD0B62066EC91CCCFD7F3C4D6596C076A6152B16E47217C2B0C4143066176F8E3730E1D43D2DD9F7E01E5B88DC1AED991E8ED8FE42ACFB92E5F4E61F86807E31082F4006DB4413323793CC85C91C2E26E3F084F783311F722006AF4A57DA73214EE3014B45E5D048C33732A803BA027DD0EFA1A29F05A7D6DACD01C9968DF2F5C4A7D4145E3F3C118E55615F956AEC5CD2C3A753E08E5E136400D6D396E69AD682D59D49FDDA848B648FCB673CE6421602C2195CDC469D546B90E4F50C8862BE4FC5E3DCF3BB3B47855577173A912A43AA171498C7656DBEF441A456A5D68DDD8CC00533D2CBBCB20BC92B7BE150203010001";
10.      protected override bool ValidateCertificate(byte[] certificateData)
11.      {
12.        X509Certificate2 certificate = new X509Certificate2(certificateData);
13.        string pk = certificate.GetPublicKeyString();
14.         Debug.Log("Key :"+pk);
15.        if (pk.Equals(PUB_KEY))
16.             return true;
17.         return false;
18.      }
19.    /* public static implicit operator CertificateHandler(AcceptAllCertificatesSignedWithASpecificKeyPublicKey v)
20.     {
21.         throw new NotImplementedException();
22.     }*/
23. }
24.  

 

How can we do that? Can you please give me an example? That would help a lot.

For my case :

1. I have a 'custom' certificate (a

   .pfx

   file) with a password (no public string afaik)
2. In order to access the contents from Chrome, first I got to install the certificate with the said password.
3. Then after accessing the page, I have to use a username and password to get to to the content.
4. So, two layers.
5. So that was from Chrome. Now, I would like to do this from Unity.
6. With Unity, this examples were helpful, but I am stuck with the certificate part.

I hope this info will help you help me.

PS : I am new to networking/certificate type stuff, so please bear with me

 

Hey thanks for the quick reply. Much appreciated.

Excuse me, I am gonna ask some real noob questions now. Hopefully this will server others who are as clueless as me in this matter.

1. This ValidateCertifacate example was the first thing that came across. As far as I understand, I create a class like in the example, override the

   ValidateCertificate

   method and set it to

   UnityWebRequest.certificateHandler

2. In this examlpe, they do not deal with private key(or password). But

   X509Certificate2

   has functionality for checking it, so I guess that is no problem.
3. From the same link, it says `Certificate data in PEM or DER format. If certificate data contains multiple certificates, the first one is the leaf certificate`. I am guessing this is what you mean by extracting data ("You'll have to extract your certificate data"). I am not sure how to do that. My certificate file is a

   .pfx

   one.
4. I found the public key by going to "Manage user certificates" on Windows. It is pkcs#12 format, generated and signed by openssl.
5. I have found this where they are using

   WWW

   class. I am not sure if it matters or not which class I use (WWW or UnityWebrequest) offers more flexibility or is there a reason to chose one over the other.

I hope you will be able to help me regarding this topic.

 

1. If this function

   protected override bool ValidateCertificate(byte[] certificateData)

   from

   CertificateHandler

   is to receive the certificate data in PEM or DER format, then I have to first read the certificate file(

   .pfx

   fille in my case) first, convert it and inform my

   UnityWebRequest

   object about it. But in my case, where I want to get data from a webpage, I do not see an option to read and set the certificate data to

   UnityWebRequest

   . It seems so silly, I feel like I am missing something that is very obvious. The only code I have managed to find is this webpage, and they are using PUT, which if I understand correctly is for uploading data. Either, resources are very scarce in this topic, or I am using the wrong search terms.

2. openssl

   is not available in windows by default. So does it mean, every developer in my team have to install it in order to work with it? And, when made into executables, I am assuming the user does not have to worry about that, correct?

If anyone can spare some time to do a detailed answer, it would mean a lot to me.

 

So you are suggesting to work with a .PEM certificate file to begin with, so that we don't have to convert it Unity? Okay, I will talk to my team about it.

Can you help with my other question as well?

If this function

protected override bool ValidateCertificate(byte[] certificateData)

from

CertificateHandler

is to receive the certificate data in PEM or DER format, then I have to first read the certificate file(

.pfx

fille in my case) first, convert it and inform my

UnityWebRequest

object about it. But in my case, where I want to get data from a webpage, I do not see an option to read and set the certificate data to

UnityWebRequest

. It seems so silly, I feel like I am missing something that is very obvious. The only code I have managed to find is this webpage, and they are using PUT, which if I understand correctly is for uploading data. Either, resources are very scarce in this topic, or I am using the wrong search terms. Here is the code from that webpage with translations for convenience -
​

Code (CSharp):

1. using System.Collections;
2. using System.Security.Cryptography.X509Certificates;
3. using System.Text;
4. using UnityEngine;
5. using UnityEngine.Networking;
6.  
7. public class NetTEST : MonoBehaviour
8. {
9.     private string pubkey;
10.     class CertPublicKey : CertificateHandler
11.     {
12.         public string PUB_KEY;
13.  
14.         // Encoded RSAPublicKey
15.         protected override bool ValidateCertificate(byte[] certificateData)
16.         {
17.             X509Certificate2 certificate = new X509Certificate2(certificateData);
18.             string pk = certificate.GetPublicKeyString();
19.  
20.             if (pk.ToLower().Equals(PUB_KEY.ToLower()))
21.                 return true;
22.             else
23.                 return false;
24.         }
25.     }
26.  
27.     private void Start()
28.     {
29.         // Generate PublicKey for authentication
30.         TextAsset tx = Resources.Load<TextAsset>("certificateFile");
31.         byte[] by = Encoding.UTF8.GetBytes(tx.ToString());
32.  
33.         X509Certificate2 certificate = new X509Certificate2(by);
34.         pubkey = certificate.GetPublicKeyString();
35.  
36.         StartCoroutine(Post("https://url", by));
37.     }
38.  
39.     private IEnumerator Post(string url, byte[] data)
40.     {
41.         // We need to send data in bytes. UnityWebRequest.POST is string only. Put it in Put and then change it to POST.
42.  
43.         UnityWebRequest request = UnityWebRequest.Put(url, data);
44.         {
45.             request.method = "POST";
46.             request.certificateHandler = new CertPublicKey{ PUB_KEY = pubkey };
47.             //request.SetRequestHeader("Content-Type", "application/json");
48.  
49.             yield return request.SendWebRequest();
50.  
51.             if (request.isNetworkError)
52.             {
53.                 Debug.Log(request.error + " / " + request.responseCode);
54.             }
55.             else
56.             {
57.                 Debug.Log(request.downloadHandler.text);
58.             }
59.         }
60.     }
61. }

 

What you need is certificate in your script. If you have it in PEM format, you can put it inside script as string, then create X509Certificate2 object from it​

Understood this part

and put that object(X509Certificate2 object) in your certificate handler. Then it's a matter of comparing​

This part I did not understand. This is my understanding so far -

1. The comparison happens in the function

   ValidateCertificate(byte[] certificateData)

   .
2. This function gets the certificate data in its parameter

   certificateData

   .
3. As far as I understand it gets called by the

   UnityWebRequest[ICODE]

   [/ICODE] object. So, I need to tell this UnityWebRequest object about this certificate data, so it calls

   ValidateCertificate(byte[] certificateData)

   with the right argument.

if this is correct, then I do not see how putting X509Certificate2 object in

CertificateHandler

class(inherited) will help

 

In my standalone game build, I am getting the error Curl error 51: Cert verify failed: UNITYTLS_X509VERIFY_FLAG_NOT_TRUSTED and API calls are failing with error code as 0.

I am not getting this error in the editor, I am only getting this error in build.

I have disabled the SSL pinning that is used in my game and after that, all API's are working fine without any errors.

1. Code (CSharp):

   1.     void addCertificatHeader(UnityWebRequest unityWebRequest)
   2.     {
   3.         CertificateHandler certificateHandler = new AcceptAllCertificatesSignedWithASpecificKeyPublicKey();
   4.         unityWebRequest.certificateHandler = certificateHandler;
   5.     }
   6.  
   7.     // Based on https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning#.Net
   8.     class AcceptAllCertificatesSignedWithASpecificKeyPublicKey : CertificateHandler
   9.     {
   10.  
   11.         protected override bool ValidateCertificate(byte[] certificateData)
   12.         {
   13.             X509Certificate2 certificate = new X509Certificate2(certificateData);
   14.             string pk = certificate.GetPublicKeyString();
   15.             pk = pk.ToLower();
   16.             if (pk.Equals(getPublicKey()))
   17.             {
   18.                 return true;
   19.             }
   20.  
   21.             // Bad dog
   22.             return false;
   23.         }
   24.     }

The build is used to work fine, but suddenly after some point, this error is coming.

Unity Editor Version: 2019.3.0f6
Build Platform: Standalone

Any helps folks?

 

I am having the same issue - some % of our users get "SSL CA certificate error" when trying to call some APIs. The domain is google cloud domain (appspot.com, not a private one, so I dont think there's a chance any of the certificates are not validated. This has started only when we upgraded Android api from 27 (android 8.1) to 29 (android 10).
I can see google changed some security stuff from android 9 around that area (web certificates, http cleartext...). Do we need to do anyting on unity side to fully support android 9+? If not, why would unity fail a google cloud certificate?

Thanks.

 

I am having trouble with the implatation of this class. How or when is the

ValidateCertificate()

method called?

Also my API is Node / MongoDB and my cert is LetsEncrypt Cert Bot.

 

I found my problem. I had not set the environment variables on my server. I have a Node.js api for storing specific, non mechanic game state and user data. i.e. what I don't want to accomplish in PUN2 / Mirror. I had a conditional to set the protocol http / https depending on weather the process.env.MY_VAR was "dev" or "prod". Thank You for the help.

 

Is there any update on this issue? We are using 2021.2.7f1 and seeing this error a lot on failed download logs. These are coming from file downloads (assetbundle, json, etc) from Microsoft Azure CDN servers. We are now using a custom DNS, using what Azure CDN gives to us.

 

I'm experiencing a similar issue when trying to communicate with an API hosted on Azure. Requests work in the editor, but on device (HoloLens 2, UWP platform) I always get the 'SSL CA certificate error' message. The interesting part is that this message only appears when the build is done with 2020.3.25f1 or 2020.3.27f1. The same requests on the same device work with version 2019.4.32f1...

I've tried adding a custom certificate handler and this does not help with the issue. The handler is invoked though, this I've confirmed with debugging...

 

I can also confirm that https networking is completely broken in UWP builds for Hololens 2.

It worked just fine in 2020.3.18f and broke completely when I updated to 2020.3.25f
If it helps you thef006, you can use the .18f build

 

Just a little bit of time before reading this comment I saw that Unity 2020.3.28f1 was released. Reading the patch notes I saw a TLS related issue and decided to try to do a build with the new version.

While the description of the issue is different, it seems that it also solved the issue with the 'SSL CA certificate error' message: https://issuetracker.unity3d.com/is...hen-uwp-build-configuration-is-set-to-release

@TheJavierD if you are able to upgrade to 28f1, it might help with your situation too

 

Yes you are right, it's fixed in 2020.3.28f such great news!

 

I've still got this problem with the newest version (2020.3.32f1) and 2021.2.17
even after setting the certificateHandler to always return true

I am using Node and the certifcate is from LetsEncrypt

 

This is weird that when our clients move from cellular to wifi, they can connect and download the required files to open the app but it does not work on some cellular companies' lines and throws this SSL CA Certificate error. We are having this problem while downloading from Azure CDNs but we tried everything that we can, tested using Front Door for content delivering, tested returning true always to certificateHandler, tested other HTTP libraries such as BestHTTP/2 but no solution.

Using: 2021.3.0f1

 

@Aurimas-Cernius Does the ValidateCertificate() method get invoked for each and every WebRequest?
For each WebRequest call, I am initializing a new WebRequest object and I am adding the CertificateHandler to the headers of the request.
When I placed logs inside that function, the log is not printing each and every time a WebRequest is sent.

Am I missing anything else? Shouldn't the ValidateCertificate be supposed to be invoked each time the CertificateHandler is added to the WebRequest headers?

 

Are you talking about the Collapse feature in the Console Window?
If yes, it is disabled. All other identical logs are printing. Only logs placed inside ValidateCertificate() method are not printing each time

 

Anyone still facing this issue?
my web is using SSL issued by Let's Encrypt with TLS version 1.2, but still SSL CA certificate error on some android devices. Any idea?
I'm using unity 2020.3.16f1.
Tried to use 2020.3.28f1 but got issue with missing recommended JDK, SDK & NDK.

 

We are also using Let's Encrypt certificate and just got this error on Android 4.4 after migration to Unity 2020.3.40f. We were aware of this issue a year ago and I just came here to recall the solution. Thanks to @xVergilx!

Code (CSharp):

1. class AcceptAnyCertificate : CertificateHandler {
2.   protected override bool ValidateCertificate(byte[] certificateData) => true;
3. }
4. UnityWebRequest www = UnityWebRequest.Post(***);
5. #if UNITY_ANDROID && !UNITY_EDITOR
6. var buildVersion = new AndroidJavaClass("android.os.Build$VERSION");
7. if (buildVersion.GetStatic<int>("SDK_INT") < 21)
8.   www.certificateHandler = new AcceptAnyCertificate();
9. #endif

I believe Android 4.4 is no longer supported and they will never be able to validate those new keys. So we have to accept any certificate from old devices (unless high security is key in the app).

UPD: Just found (check Note 4) a confirmation that 4.4 only partially supports TLS 1.2 (btw, it was working fine until SDK was updated). So the solution is to downgrade TLS to 1.0 or 1.1 on a server but both of them are officially deprecated and we need to check if that could be a reason of app disapproval.

UPD: According to this tool, all three TLS 1.0, 1.1 and 1.2 are enabled. Does not it mean that Unity should select appropriate (supported) one? The CURL library for example has an option to specify max TLS version "--tlsv1.0".

 

I am trying to parse a Json from URL "https://api.wenlambo.one/meta?meta=1514" and every time I face Handshake failure I tried so many ways but nothing works

 

@thethanksforthegod Do you use UnityWebRequest or something else? Have you tried to set certificateHandler or UnityWebRequest object? Finally, can you share the few lines of code and what exact error message are you getting?

 

Thanks for your reply yes I tried UnityWebRequest also WebClient , HttpClient but nothing worked

Code (CSharp):

1. async void Start()
2.     {
3.         ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls13;
4.         ServicePointManager
5.     .ServerCertificateValidationCallback +=
6.     (sender, cert, chain, sslPolicyErrors) => true;
7.         //StartCoroutine(GetText());
8.  
9.         using (WebClient wc = new WebClient())
10.         {
11.             var json = wc.DownloadString("https://api.wenlambo.one/meta?meta=1514");
12.  
13.         }
14.  
15.         using (var httpClient = new HttpClient())
16.         {
17.             ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls13 | SecurityProtocolType.Tls12;
18.             ServicePointManager
19.         .ServerCertificateValidationCallback +=
20.         (sender, cert, chain, sslPolicyErrors) => true;
21.             var json = await httpClient.GetStringAsync("http://api.wenlambo.one/meta");
22.             Debug.Log(json);
23.             // Now parse with JSON.Net
24.         }
25.     }

 

@thethanksforthegod You cannot solve the problem directly because this web site is using TSL 1.3 (you can see that here). As far as I know, Unity does not support 1.3 yet. However, there is a workaround: if you have any web hosting or better vps (you can get one for couple of bucks) which has TSL 1.3 installed, you can make a simple php script (check the attached file, make sure to remove .txt at the end) which will use curl and work as a proxy. You will request your script and it will request given link above.

 

Great Thanks but I even used Native C# but no hope how a complete programming language can't use TLS 1.3 I checked MSDN an they say that it can support TLS 1.3

 

I am updating the thread because we faced SSL error not only on Android 4. We have three confirmations on Android 8/10. Of course we could accept all certificates (no checking) but if Google somehow finds this, it will be a violation of their terms. Taking in an account that certificate checking requires two extra lines of code, it's better to do it legit way. BTW we also got confirmations from users that problem was resolved.

 

QUESTION: Why does X509Certificate2.Verify() FAIL in the override of CertificateHandler.
ValidateCertificate() when working with a valid certificate?

Using Unity2019.4.36f1 + Windows10 tested in both Editor & Player
Requesting from AWS S3 + CloudFront + Route 53

First, without SSL.
- I needed to assign a custom certificate handler to my UnityWebRequest. This worked as expected - the ValidateCertificate method received an invalid certificate, and when it returned true the web request worked.

Second, SSL certificate issued by Sectigo
- II verified my SSL certificate in Windows (just open the file and look for "This certificate is OK")
- I verified that the AWS server setup is correct according to Qualys SSL Server Test.
- I tried returning the result of certificate.Verify()... and this was FALSE.
- If instead I did not assign a certificate handler, THEN the web request works... and the web request fails if I try to request data from a source that does not have an SSL certificate.
- If I directly import my copy of the certificate from a file (while debugging the handler), the results appear to be identical, BUT Verify() fails for this certificate as well!
- The stated reasons for the failure are "RevocationStatusUnknown" and "OfflineRevocation" which suggests that some of the Verify queries are blocked?

CONCLUSION: There is a clear work-around: *only* override UnityWebRequest.certificateHandler when *correctly* verifying certificates is *not* necessary.

QUESTION: Is this expected behavior? And, if so, WHY? (And also, please *please* update the documentation.)

EDIT: Tested using X509Chain.Build:
chain.ChainPolicy.RevocationMode = X509RevocationMode.Offline;
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags; // succeeds
chain.ChainPolicy.VerificationFlags = IgnoreRevocationUnknownFlags; // | of 4 flags fails
CONCLUSION: Attempting to configure an "offline" verification is not viable (or the flags are not doing what I expect)

 

The problem with this methode is, public key is refreshed every 3 months using LetsEncrypt.
So all of the webrequests (my whole game is based on) do not work in the time frame of the refresh, because i need to rebuild the game with the new key and upload it to Play Store.

And if i validate it witouth checking a local public key its violation of google terms, according some people.

So this is a real unefficient solution.

Edit: i have checked, all of those values are also refreshed when LetsEncrypt resigns certificate:
CertHash, RawCertData, SerialNumber, RawCertData