Problem
You're seeing Connection Not Private errors or ERR_CERT_AUTHORITY_INVALID
Summary
Starting with Android 7.0, Google set stricter rules on how applications and emulators trust user/admin added certificates.
Before, adding your custom SSL certificate to the emulator (which in Sauce's case we did by adding our custom Sauce Labs Tunnel Proxy certificate. which is used by Sauce Connect) would be enough to ensure a successful connection. This is no longer the case. Your application itself needs to have this certificate for the connection to be trusted. This is discussed a bit more in detail in this post from the Android Developer's blog. There are two scenarios that would affected by this:
- The URL your app is trying to hit does not have a public CA trusted certificate (this is common on dev/staging/private environments)
- You are trying to use an intercepting proxy like Charles to view, analyze and modify traffic
What does this mean for you? You have two options depending on your setup, and the original certificate of your server.
💡 Both of these options require changes to the Android app being used and will likely need a developer or someone with access to the app source code to do this change💡
Option 1 - Add your own certificate onto your app
Trust the self-signed/non-public CA trusted certificate within the Android app and use -B all on your Sauce Connect tunnel to avoid Sauce’s re-encryption.
The post in the Developer's Blog linked above explains how to do this. The process involves adding the certificate file to your app by creating a network configuration file, and telling your app to trust it. As an example, this is what a network_security_config.xml file would look like:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<debug-overrides>
<trust-anchors>
<certificates src="@raw/selfsigned_ca" />
</trust-anchors>
</debug-overrides>
</network-security-config>
where @raw/selfsigned_ca is the path to res/raw/selfsigned_cawhich contains my site's certificate.
You then add this file to your AndroidManifest.xml with the android:networkSecurityConfig attribute, as explained in this page on Network Security Configuration in the Android Developers documentation.
Pros
- Add your own certificate onto your app
Cons
- If using something like Charles where multiple Charles instances have different certificates, the list of certificates to be added can be long
Option 2 - Add Sauce’s Sauce Labs Tunnel Proxy certificate
In this scenario we will also add the certificate as mentioned on Option 1 but we will remove -B all and instead res/raw/selfsigned_ca will be Sauce’s own certificate
Pros
- No need to handle multiple certificates if multiple proxies are being used
Cons
- If Sauce were to change this certificate we cannot guarantee there would be an announcement on this and could break your tests (the odds of this happening are low as this certificate is managed by us and not due for renewal until 2028)
You can find this certificate here.
