Skip to content

Explain certificate trust failures with actionable guidance#39

Open
lostf1sh wants to merge 1 commit into
mainfrom
fix/issue-34-user-ca-error-hint
Open

Explain certificate trust failures with actionable guidance#39
lostf1sh wants to merge 1 commit into
mainfrom
fix/issue-34-user-ca-error-hint

Conversation

@lostf1sh

@lostf1sh lostf1sh commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator

Analysis of #34

The reporter installed their self-signed CA in the Android user certificate store, but the app rejected the connection. Root cause is release lag: user-installed CA trust was added to network_security_config.xml in 3cbb75b (June 18), but the latest release v0.1.0 (June 9) predates it — so the released build only trusts system CAs. On current main, the scenario in the issue already works: all HTTP traffic goes through OkHttp/HttpURLConnection, both of which honor the network security config, and no code path installs a custom TrustManager. The fix ships with the next release.

What this PR adds

Even with user-CA trust in place, a user who hasn't (or incorrectly) imported their CA hits a raw Java exception in the login screen (Trust anchor for certification path not found), with no hint that the app does support user-installed CAs. This PR maps TLS trust failures in the Jellyfin and Navidrome login flows to actionable messages:

  • Certificate trust failure → tells the user to install their CA certificate via Android Settings, and that PixelPlayer honors user-installed CAs
  • Hostname verification failure → hints the certificate must include the host/IP in its Subject Alternative Names
  • Everything else passes through unchanged; the original exception is kept as the cause for logging

Detection walks the exception cause chain, since OkHttp wraps CertPathValidatorException inside SSLHandshakeException (sometimes further wrapped in IOException).

Testing

  • New unit tests in ConnectionErrorsTest (handshake failure, nested cause chain, bare CertificateException, hostname mismatch, unrelated-error passthrough) — all pass via :app:testDebugUnitTest

Fixes #34

Self-signed certificate handshake failures during Jellyfin/Navidrome
login surfaced raw Java exception text ("Trust anchor for certification
path not found"). Map SSL trust and hostname-verification failures to a
message that tells the user to install their CA certificate in Android
settings, which the app honors via its network security config.

Complements 3cbb75b (user-installed CA trust, unreleased as of v0.1.0).

Fixes #34
@lostf1sh lostf1sh force-pushed the fix/issue-34-user-ca-error-hint branch from bac0d0e to 173bf50 Compare July 6, 2026 21:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Bug]: custom cert in system ca store

1 participant