[GH-ISSUE #1225] SSL Proxying is failing in Android with java.security.cert.CertPathValidatorException: Trust anchor for certification path not found #1222

Closed
opened 2026-03-03 19:49:26 +03:00 by kerem · 5 comments
Owner

Originally created by @ricardopereira on GitHub (May 7, 2022).
Original GitHub issue: https://github.com/ProxymanApp/Proxyman/issues/1225

Originally assigned to: @NghiaTranUIT on GitHub.

Proxyman version?

Proxyman 3.4.0 (30400)

HTTP/HTTPS Proxy is overridden by Proxy Helper Tool.
Proxy Helper Tool: Installed: com.proxyman.NSProxy.HelperTool(1.3.0).

Proxyman Certificate trusted in Keychain Access:

Proxyman CA (6 May 2022, <redacted>)
Not Valid Before: Friday, 6 May 2022 20:14:37 +01:00
Not Valid After: Thursday, 8 August 2024 20:14:37 +01:00
✅ Installed & Trusted

macOS Version?

mac 12.3.1 (21E258) - MacBook Pro M1

Steps to reproduce

  1. Run automatic script to Install Root Proxyman Certificate in an Android Emulator Device with Android 12 and Google APIs.
  2. Guarantee the script hasn't failed.
  3. Add Proxyman Config in the Android app
  4. Restart the app
  5. Add domain to SSL Proxying List.
  6. Start app and perform action to do a request for that domain.
  7. Request will fail with java.security.cert.CertPathValidatorException: Trust anchor for certification path not found..

Proxyman displays an item with status Internal Error in the URL list with response:

SSL Handshake Failed
handshakeFailed(NIOSSL.BoringSSLError.sslError([Error: 268436502 error:10000416:SSL routines:OPENSSL_internal:SSLV3_ALERT_CERTIFICATE_UNKNOWN]))

Expected behavior

Request succeeds and I'm able to see the HTTPS response in Proxyman.

kerem closed this issue 2026-03-03 19:49:26 +03:00

@NghiaTranUIT commented on GitHub (May 9, 2022):

Hey @ricardopereira, it seems that Android 12 has changed how we configure the self-signed certificate.

Please check out this doc: https://developer.android.com/training/articles/security-config

  1. Edit this file in your source code: res/xml/network_security_config.xml. Make sure you replace the example.com with the domain that you'd like to intercept.

```xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">example.com</domain>
        <trust-anchors>
            <certificates src="@raw/my_ca"/>
        </trust-anchors>
    </domain-config>
</network-security-config>
```

  2. Add the certificate in PEM or DER format, to folder: res/raw/my_ca. You can export the certificate in Certificate Menu -> Export -> Root Certificate as PEM.

Let me know if it works 👍


@NghiaTranUIT commented on GitHub (May 9, 2022):

@ricardopereira I've tested Proxyman with Emulator API 32 and it works fine.

Files

  • AndroidManifest.xml

```xml
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="io.approov.shapes">

    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />

    <application
        android:allowBackup="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:roundIcon="@mipmap/ic_launcher"
        android:supportsRtl="true"
        android:theme="@style/AppTheme"
        android:name="io.approov.shapes.ShapesApp"
        android:networkSecurityConfig="@xml/network_security_config"
    >
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>

</manifest>
```

  • network_security_config.xml

```xml
<network-security-config>
    <debug-overrides>
        <trust-anchors>
            <!-- Trust user added CAs while debuggable only -->
            <certificates src="user" />
            <certificates src="system" />
        </trust-anchors>
    </debug-overrides>

    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <domain-config>
        <!-- Set this to your server's domain -->
        <domain includeSubdomains="true">shapes.approov.io</domain>
        <trust-anchors>
            <certificates src="user"/>
            <certificates src="system"/>
        </trust-anchors>
    </domain-config>
</network-security-config>
```

Screenshot

Screen Shot 2022-05-09 at 13 17 59 Screen Shot 2022-05-09 at 13 18 09
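
As an added example (not code from Proxyman or from either poster), this resolves which trust anchors a network_security_config.xml of the shape posted above yields for a host in debuggable and release builds, and flags user-CA trust and cleartext settings that stay active in release. It handles top-level domain-config elements only; the sample config and the host app.example.test are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the config above; app.example.test is a placeholder.
SAMPLE = """<network-security-config>
  <debug-overrides><trust-anchors><certificates src="user"/></trust-anchors></debug-overrides>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">app.example.test</domain>
    <trust-anchors><certificates src="user"/><certificates src="system"/></trust-anchors>
  </domain-config>
</network-security-config>"""

def _anchors(node):
    """Set of <certificates src> values under node's <trust-anchors>; None if absent."""
    ta = node.find("trust-anchors") if node is not None else None
    return None if ta is None else {c.get("src") for c in ta.findall("certificates")}

def _matches(domain_el, host):
    name = domain_el.text.strip().lower()
    subdomains = domain_el.get("includeSubdomains", "false") == "true"
    return host == name or (subdomains and host.endswith("." + name))

def effective_anchors(xml_text, host, debuggable):
    """Trust anchors applied to host (top-level <domain-config> elements only)."""
    root = ET.fromstring(xml_text)
    base = _anchors(root.find("base-config")) or {"system"}  # default for API 24+
    chosen, best = base, -1
    for dc in root.findall("domain-config"):
        for d in dc.findall("domain"):
            if _matches(d, host.lower()) and len(d.text.strip()) > best:
                best = len(d.text.strip())  # longest matching rule wins
                own = _anchors(dc)
                chosen = base if own is None else own  # unset values inherit base-config
    if debuggable:  # debug-overrides anchors are added on top, debuggable builds only
        chosen = chosen | (_anchors(root.find("debug-overrides")) or set())
    return chosen

def audit(xml_text):
    """List settings that remain in force in release (non-debuggable) builds."""
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.findall("base-config") + root.findall("domain-config"):
        scope = node.findtext("domain", default="base-config").strip()
        if "user" in (_anchors(node) or set()):
            findings.append(f"{scope}: user-installed CAs trusted in release builds")
        if node.get("cleartextTrafficPermitted") == "true":
            findings.append(f"{scope}: cleartext traffic permitted")
    return findings
```
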

@NghiaTranUIT commented on GitHub (May 9, 2022):

Here is the output when using the Emulator Script on Proxyman. The certificate is properly installed.

If you don't mind, please open your Emulator and check if you can see the Proxyman CA in Setting app -> Security -> Encryption & Credentials -> Trusted Certificate -> User Tab

```
...
7. Close all current running apps...
Closing: com.google.android.apps.nexuslauncher
Closing: com.google.android.apps.nexuslauncher
Status: SUCCESS!
Please restart your app from Android Studio to take effect
Root Certificate is installed and trusted in Setting app -> Security -> Encryption & Credentials -> Trusted Certificate -> User Tab
```

@ricardopereira commented on GitHub (May 9, 2022):

@NghiaTranUIT Thank you for your replies!

> check if you can see the Proxyman CA in Setting app

Yes, the certificate is present in the user tab and trusted:

Certificate User tab
Screenshot_1652095217 Screenshot_1652095220

Still not working. I will export the certificate and add it to the project and see if it helps.


@ricardopereira commented on GitHub (May 9, 2022):

@NghiaTranUIT It works! I didn't export the certificate. I removed the existing certificate from the phone and ran the script again because I noticed the issue time was not right. Now it has the right certificate 🙌🏼. Thanks for your help.
