Mobile app stopped working after updating certificate in outsystems cloud
Question
Application Type
Mobile
Service Studio Version
11.12.0 (Build 48966)
Platform Version
11.7.6 (Build 29678)

Hi,
If you can help, thank you in advance.

When updating the certificate on Outsystems clould, the mobile app stopped working.

The App lost access to the server's request, so it doesn't access the database.

The error only occurs on Android, on Iphone it is working correctly.

What do I do to fix this problem?

CertiPROD.png

Hello @Lucio Neves

Could you share the specific error description from ServiceCenter - Monitoring tab, when you recreate the above issue?

Regards,

AJ

It does not generate any type of log in Service Center monitoring.

And when I run the Debug, the transaction is aborted when calling a ServerAction.

Based on the logs (if available) I wanted to verify if maybe you are encountering a "Trust anchor for certification path not found" error. The symptoms seem to point to it. Here's a very good article about it. 

https://blog.product-league.com/a-tale-of-trust-6590d9d013ff

Per Assif's response hopefully this is something OutSystems Support is able to resolve.

Champion

Do you use SSL pinning Plugin ?

No, at the moment, no.

Should I use it for some mandatory question regarding Certificates?

hi @Lucio Neves ,

It happened with me as well.

The only solution worked was to regenerate the binaries and isntall the same. 

However, it happend with IOS device in my case.

Thanks,

Vani


I've generated the binaries again and the error continues.

Hi @Lucio Neves,

Can you check all the dependent modules are without warning or error? 

Republish your current version application again before generating binaries. Then generate binary and validate.

It worked for me in my past.

Thanks, Aadhavan  S

All dependencies are up to date and correct in the three environments, Dev, Hom, and Prod. 

And the error occurs in the three environments when opening the mobile application.

Champion

Hi @Lucio Neves
Yes, you are right, I am facing the same since the second half today .. right after I renewed the SSL for one of my environment.
Here's the detail :

  •  MABS Latest 7.1
  • SSL Plugin Latest 6.0.1
  • Generated SSL Hash & Added to Pinning JSON
  • Generated new build
  • IOS it works perfectly 
  • But Android Tried multiple Build Installations. Still, the Result is the same as yours.

I am chasing the Support Team for same & they are looking into the issue. For the time they mention that there could be Intermediate Chain Certificate Missing from their side while Installing i.e the one we submit to them for installation.  
I will get back to you on this; once it is addressed or do let me know once u manage to fix it :)


Thanks,
Assif

Ok Assif, agreed, as soon as I decide to post here. Thanks

Champion

Root cause :
If the PFX uploaded on the server don't have an intermediate certificate  then :

iOS Manage it but Android doesn't as Android needs an intermediate certificate in the TrustChain.


Support Team: we suggest reaching you to Certificate Provider/Authority to provide you the certificate with the complete full chain in order to be uploaded to the environment. You CA should have provided a zip file with several files (including FullChain) and you will have to upload it with him.

--------------------------------------------

Solution

In my case I used the PFX file, Hence I need to use the Root Certificate i.e IntermediateCrtificate as well while generating PFX.

So basically this is will be the CMD :

openssl pkcs12 -export -out my_pfx_2021.pfx -inkey my_web_pv_2021.key -in star_mydomain_com.crt -certfile DigiCertCA.crt

This will give me the PFX which comprises both certificate & RootCA

my_pfx_202.pfx : new pfx that we generate

my_web_pv_2021.key : private key

star_mydomain_com.crt : SSL certificate in .cert format

DigiCertCA.crt : RootCA or the IntermediateCA that comes in .cert file-zip provied by CA

--------------------------------------------

Now upload the new PFX/PEM to the Lifetime & map it to the environment, better generate a new build &it will be fixed.

I tested now on Android & it is working :)



Thanks,

Assif

Thank you very much Assis, 

I will talk to the infra staff and perform this test. I await your confirmation that this procedure worked. 

If it works here, I mark it as resolved.

Hello,

Unfortunately the procedure you mentioned does not work.

I've tried it with several certificates and it doesn't work.

Does anyone have a solution for this?

Thanks.

https://www.sslshopper.com/ssl-checker.html

TesteSSLChecker.png

Champion

Hi Lucio,
I performed the same steps for my 2 environments & it worked for me.

Can you tell me, how you are generating the PFX; via OpenSSL or DigiCertUtility [ If you purchase from DigiCert ] ?

Champion

Ok so I just seen the attachments & your SS is issues from Digicert.


Here's the step I followed.

1- Created a PrivateKey & CSR to submit to DigiCert; [ You can even Re-issue the SSL with new CSR it's free]

   openssl req -new -newkey rsa:2048 -nodes -keyout my_pv_2021.key -out my_csr_2021.csr

2- Now Once you re-issue the SSL Certificate on Digicert; or the one you already have..
Download the .crt format certificate. The zip downloaded will have 2 certificates.
one which SSL certificate of .crt format & the other with name DigiCertCA.crt i.e. the Root/Intermediate Certificate

3- Now Generate the PFX file using PrivateKey, SSL certificate .crt format &  DigiCertCA.crt file

 openssl pkcs12 -export -out my_pfx_2021.pfx -inkey my_pv_2021.key -in star_myweb_com.crt -certfile DigiCertCA.crt

Provide Password to PFX file.

That's it !! Now you can use this on Lifetime.


If you're still facing the same then better contact OS support :)

Thank you very much Assis, 

I will talk to the infra staff and perform this test.

If it works here, I mark it as resolved.

Champion

Also, make sure Once u installed it on Lifetime. You also need to send this PFX & it's Password.. to install on FrontEnd.
Once all this done.. Refresh your Environment Applications.
Generate a new build & Test :)


Hope it helps,

Assif

Community GuidelinesBe kind and respectful, give credit to the original source of content, and search for duplicates before posting.