
android - Trust anchor for certification path not found - Stack Overflow


I've been spending days trying to figure this out.

I built an EXPO app that connects to a backend server but goes through a reverse proxy. The reverse proxy handles SSL/TLS. The expo app was built as an APK and installed manually on an Android device.

EXPO App:

wss://ip-of-reverse-proxy:443

BACKEND Server:

ws://ip-of-server:81

REVERSE Proxy:

Listens for connections on port 443 from clients (expo app) using nginx basic configurations.

All these devices will be working within a LAN private network. I have tried different approaches on how to make SSL/TLS certificates work on Android.

The reverse proxy has a "signed-server certificate" and its private key all configured in the correct place. All other clients (windows or linux machines) can easily connect to the backend server, it's only the Android device that is giving me the error:

"java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
 (NOBRIDGE) LOG  Connection closed 1006 java.security.cert.CertPathValidatorException: Trust anchor for certification path not found."

I have tried different approaches using OpenSSL when attempting to make a connection between the EXPO installed android app and the backend server:

  1. I have tried using the self-signed certificate route. Works fine, only the android device is giving me the error while windows and linux clients within the LAN connect OK. This certificate is installed in the reverse proxy and also in the android device.

  2. I have tried generating a "root CA certificate" and private key, then generate the "signed-server certificate (for the reverse proxy) and pkey" signed by the root CA certificate, and then install the "rootCA.crt" in the android device. Same result.

  3. I have tried adding extensions like "subjectAltName=DNS:reverseproxy.local,IP:192.168.1.100" or "basicConstraints=CA:FALSE" or TRUE depending if I'm creating self-signed certificate or root CA certificate. Same results.

All certificate approaches work fine for all other devices except for android, which is the main focus in my project, and expo app.

Also, whenever I install any type of certificate on android, it always installs under the "User" store and not in the "System" store, which I believe is the default behavior, and in order to install a certificate under the System store I would have to root the device, which is a big NO for me.

Anyways, the reverse proxy is working fine, the backend server is working fine. I can connect to the backend server using ExpoGo when I run the development server but only with insecure "ws://ip-of-backend-server:81" or by its hostname.

If I install the APK expo app and try to connect using only ws:// it fails to connect. Basically Android doesn't allow insecure websocket connections, but it also doesn't allow secure websocket connections even if you install certificates.

The only way my app connects to the backend server is if I run ExpoGo in the development environment; I'm guessing ExpoGo is handling the SSL/TLS stuff behind the scenes? Anyways, that's not what I want, since in production, when I build the APK using EAS build and install the apk, it gives me the error.

mDNS works fine on all devices, and the backend server is also using mDNS. I don't think that's the problem.

**CONCLUSION:** I have tried ALL SSL/TLS certificate approaches when attempting to establish a secure connection between the EXPO app and the backend server, but I keep getting the above error. The reverse proxy is working fine, the backend server is working fine. Non-android devices connect easily.

Is this an android roadblock I'm facing? How can I connect my android expo APK built app to the backend server using secure websocket?

How do expo apps connect OK using secure websockets when the app was built using EAS as an APK and installed in an android device?
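The symptom described above (a user-installed CA that other platforms accept but a release APK rejects with "Trust anchor for certification path not found", and plain ws:// refused as well) is what Android's default network security policy produces: since Android 7.0 (API 24) an app trusts only the system CA store unless its network security config opts in to other trust anchors, and since Android 9 (API 28) cleartext traffic (ws://, http://) is refused by default. The file below is an added example of such a config, not code from the question or from Expo; it trusts a private root CA only for the reverse proxy host, keeps cleartext disabled, and allows user-store CAs only in debuggable builds. It lives at res/xml/network_security_config.xml and is referenced from the <application> element of AndroidManifest.xml with android:networkSecurityConfig="@xml/network_security_config". The hostname reverseproxy.local is taken from the subjectAltName line in the question, the resource name lan_root_ca is a placeholder for the root CA file bundled in res/raw/, and wiring the file into an EAS build is assumed to be handled separately (for example by a config plugin) and is not shown.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml
     Added example configuration (not part of the original question). -->
<network-security-config>

    <!-- Default policy for every host the app talks to.
         cleartextTrafficPermitted="false" keeps the API 28+ behaviour of refusing
         plain ws:// and http://, so an accidental fallback cannot leak traffic. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Only the reverse proxy host is allowed to chain to the private root CA.
         The app must connect by this exact hostname (wss://reverseproxy.local:443),
         and the server certificate's subjectAltName must contain it, otherwise
         hostname verification still fails even though the chain is trusted.
         reverseproxy.local is a placeholder taken from the question's SAN line. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="false">reverseproxy.local</domain>
        <trust-anchors>
            <!-- Root CA shipped inside the APK as res/raw/lan_root_ca.pem (PEM or DER).
                 "lan_root_ca" is an assumed resource name. The cert must be the CA
                 certificate (basicConstraints CA:TRUE) that signed the proxy's leaf cert. -->
            <certificates src="@raw/lan_root_ca" />
            <!-- System CAs stay trusted for this host too, so a later switch to a
                 publicly issued certificate needs no app update. -->
            <certificates src="system" />
        </trust-anchors>
    </domain-config>

    <!-- Debug builds only (android:debuggable="true"): additionally honour CAs the
         user installed under Settings, i.e. the "User" store mentioned in the question,
         so a development CA works without rebuilding. Ignored in release builds,
         which is why a release APK with a user-installed CA still fails. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

Two checks worth doing with this in place: confirm the APK's merged AndroidManifest.xml actually carries the android:networkSecurityConfig attribute (if the file is present but not referenced, the defaults above still apply), and confirm the leaf certificate served on port 443 is signed by the bundled root and lists the hostname the app dials in its subjectAltName; a mismatch on either side produces a certificate error even with a correct trust anchor. Bundling the CA in the APK rather than relying on the user store is also the safer production choice, since it does not widen trust to every CA a user may have installed on the device.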
