Saturday, January 17, 2026

Android Java: dealing with Trusted credentials on Android 7.1.1 and below for Let's Encrypt

Whether an HTTPS connection works on old Android may depend on the Trusted credentials installed on the device.

The Let's Encrypt root certificate is not installed in Trusted credentials prior to Android 7.1.1.

Some applications may throw:

java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

Solution 1: add user Trusted credentials

Install the Let's Encrypt PEM manually on the old phone, i.e. Android version 7.1.1 or older. You can download it from https://letsencrypt.org/certs/isrgrootx1.pem?hl=en-US .

On your device (mine is an Evercoss Gen Pro X Pro running Android 7.0), go to Settings -> Security.

You may find:

  • Trusted Credentials 
  • User Credentials
  • Install from SD Card

Choose "Install from SD Card":

  • Certificate name field: e.g. ISRG ROOT X1 or Letsencrypt.
  • Credential use: select "VPN and apps"

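Open your Android Studio project and create res/xml/network_security_config.xml. It makes the app trust user-installed CAs in addition to the system store (apps that target API level 24 or higher trust only system CAs by default), for every host the app connects to: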

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>

Edit AndroidManifest.xml:

...
   <application
    ... 
   android:networkSecurityConfig="@xml/network_security_config"
   ...
   >
...

If the server ever falls back to plain HTTP (not HTTPS), add cleartextTrafficPermitted="true" to the <base-config> tag. This is not recommended unless your application needs to access HTTP:

...
<base-config 
   ...
   cleartextTrafficPermitted="true"
   ...
>
...
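
A narrower variant of the two configs above, as an added example that is not from the original post: user-installed CAs are trusted for one host only, and cleartext stays disabled everywhere. The host name api.example.com is a placeholder assumption, and the commented-out @raw/isrgrootx1 line assumes you copied isrgrootx1.pem into res/raw/.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: scoped res/xml/network_security_config.xml.
     api.example.com is a placeholder for your own HTTPS host. -->
<network-security-config>
    <!-- Default for all other hosts: system CAs only, no cleartext HTTP. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Only the host served with a Let's Encrypt certificate also accepts
         the root that was installed manually into the user store. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example.com</domain>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
            <!-- Alternative that needs no manual install: ship the root in
                 the APK (res/raw/isrgrootx1.pem, assumed file name) and
                 replace the "user" line with:
                 <certificates src="@raw/isrgrootx1" /> -->
        </trust-anchors>
    </domain-config>
</network-security-config>
```

With this layout a CA that someone adds to the device's user store can only vouch for the one listed host, not for every connection the app makes.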

If this XML fix doesn't work, the problem is not the certificate; it's the Android 7.0 cipher bug. In that specific case, you will have to use the Conscrypt library (Solution 2).

Solution 2: using the Conscrypt library

Add the dependency to the app module's build.gradle:

dependencies {
    ...
    implementation 'org.conscrypt:conscrypt-android:2.5.2'
    ...
}

Initialize it at application startup (or when the app comes to the foreground):

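import android.os.Build;
import java.security.Security;
import org.conscrypt.Conscrypt;
...
if (Build.VERSION.SDK_INT < Build.VERSION_CODES.N_MR1) {
    // API 24 and below (Android 7.0 and older): register Conscrypt
    // as the highest-priority security provider
    Security.insertProviderAt(Conscrypt.newProvider(), 1);
}
...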