I'm trying to setup a local dev environment for a PWA I'm working on.
I have installed mkcert on my Mac and am able to host a https://localhost version on my computer.
Now I'd like to open the page on my Android phone. On the mkcert github it says:
Mobile devices
For the certificates to be trusted on mobile devices,
you will have to install the root CA. It's the rootCA.pem file in the
folder printed by mkcert -CAROOT.
On iOS, you can either use AirDrop, email the CA to yourself, or serve
it from an HTTP server. After installing it, you must enable full
trust in it. Note: earlier versions of mkcert ran into an iOS bug, if
you can't see the root in "Certificate Trust Settings" you might have
to update mkcert and regenerate the root.
For Android, you will have to install the CA and then enable user
roots in the development build of your app. See this StackOverflow
answer.
https://github.com/FiloSottile/mkcert
I installed the rootCA.pem on my phone. The part about "enabling user roots" doesn't apply, since this is not an app.
But when I open the page on my phone using https://[my-local-network-ip]:1234 I get a warning, that the certificate can't be trusted.
How can I trust the certificate so I can locally test the PWA on my phone?
I know you've probably moved on from this question, as it's almost a year on. However, I would like to share how I was able to test my PWA locally in a secure context.
Not making any assumptions about what framework / packaging / build system you're using:
Generate a certificate & key using mkcert. If you are hosting your PWA locally & want to access it over your local IP address i.e. 192.168.1.x:3000 you also need to tell mkcert to generate a certificate that covers that IP address:
mkcert localhost 192.168.1.17
// The certificate is at "./localhost+1.pem" and the key at "./localhost+1-key.pem" ✅
Important note: most routers dynamically assign local IP addresses, so it's worthwhile assigning a static IP.
Install your RootCA from mkcert onto your iOS or Android device. Follow the instructions in the mkcert docs
Serve your generated certificates with your web server of choice. I use Create React App. You can see my answer about PWAs in secure context here
I agree with your goal - running a local TLS based setup can be useful in terms of productivity and early troubleshooting.
Your problem is DNS based and you need to access the TLS secured URL via the host name.
The only way you'll get DNS to match up on the Android side is to use an HTTP proxy, while running either an emulator or a device connected via USB.
In a nutshell I would do this:
Issue your cert to a more real world domain name such as mycompany.com
Add this domain name to DNS on your Mac book
Install a free proxy such as proxyman on the Mac
Configure the Android emulator or device to use the proxy (you will also need to trust the proxy's cert on Android and the Mac)
Then browse to https://mycompany.com from Android
Full details are available in my write up
In my Android emulator, I was able to contact the GAE dev server.
I use this url: "http://10.0.2.2:8080/myurl".
The server is listening on http://127.0.0.1:8080.
Then, after I've updated the emulator to the Nexus 5X version with Google Play(API 27), the connection fails and the server show this log:
ERROR 2018-01-11 11:17:05,463 wsgi_server.py:329] Request Host 10.0.2.2 not whitelisted. Enabled hosts are set(['127.0.0.1'])
I'm using the latest GAE python SDK with webapp2.
Any idea on how to solve the problem?
The more recent versions of the development server includes whitelisting checks of the source IP address of incoming requests.
You can use the --enable_host_checking=False command line option for the GAE devserver, which disables these checks. Not a good idea if you're running on an untrusted network.
You're probably seeing such errors even for accessing the devserver from the same machine. Another option for these requests would be to use the --host 10.0.2.2 devserver option (i.e. use your machine's external IP address instead of localhost/127.0.0.1, but that won't help with the emulator requests if you're running the emulator on some other machine.
Ideally the whitelist should IMHO be manageable independently from the server's IP address, but this is what is available presently.
I'm trying to test a website in the Android Emulator. The website is required to run on HTTPS. Outside the emulator on my PC the website is running fine with SSL, because I use an official certificate which is bound to https://localhost. When I run the website in the emulator I can access in on https://10.0.2.2, but I get a warning and a red 'https' in Chrome (10.0.2.2 is the address to access localhost on the host machine).
Is there any way to get it use a certificate?
A common solution is to use a tool like ngrok which creates a web available HTTPS site that will proxy requests to a specific port on your local machine. Then you open https://examplexyz.ngrok.io in the emulator and you have a valid TLS certificate and your local development website.
Chrome browser and others will show a warning about security when your website use a self-signed certificate. Please ignore it if you are testing at localhost. When you publish your website to production and have a domain, you can use a free SSL certificate Let's Encrypt.
I'm able to import the certificate into Android via settings/security/trusted credentials without a problem and have tried this on Android 4.1, 4.4, and 6.x without success. SSL cert is generated with v3_req and v3_ca via openssl. We use the web app offline and neither the app manifest nor service workers will work without a "green lock". With Chrome moving to require SSL for app manifest soon (and deprecating it in favor of service workers), this is pretty important. The server is IIS 8 (also tried on IIS 7). I swear this worked in the past! Any help would be appreciated.
Works fine in Chrome on Windows and Linux (able to import cert and get the green lock instead of red). Firefox works fine on Android.
This is for an internal web server on a .local domain.
I have Android 4.3 forced to use Charles proxy via IPTABLES.
The charles certificate is installed on the phone.
I am able to capture normal SSL traffic like https websites in the browser.
All POST and GET methods seem to work fine.
In a particular app, it fails when using the SSL CONNECT method.
URL: https://XX.XX.XXX.XXX/
Status: Failed
Failure: SSLHandshake: Received fatal alert: unknown_ca
Response Code: - Protocol: HTTP/1.0
Method: CONNECT
From iOS 10.3 you also need to go to Settings > General > About > Certificate Trust Settings and trust Charles certificate.
You can face with this problem at some applications like Facebook or Instagram.
Charles certificate doesn't work at some new apps because they are using a technique named as SSL-PINNING. First of all you have to break ssl-pinning system of application or you can instal old version of application then it sometimes works but we need a new solution about ssl pinning in order to record traffic for this kind of applications.
as #Berkay Yıldız says, it probably using ssl/certificate pinning.
how to fix/avoid/disable ssl pinning?
the whole logic is:
LEVEL 1: for normal http:
core logic:
PC:Mac/Windows
Charles set http proxy
set port
app use Charles proxy
inside Wifi, set
host IP
port
Note:
computer side, MUST use wired network, NOT wireless, otherwise mobile side network not usable
LEVEL 2: for encrypted https:
PC
install Charles root certificate
Mac:use Key Chain to trust Charles Root CA
Charles
Enable SSL Proxying
set location filter for your specific api address
phone
app
install Charles Root CA
Note: type should select: VPN and Application
NOT select:WLAN
makesure certificate install successfully
Trusted Credentials -> User, can see installed Charles certificate
LEVEL 3: for SPECIAL https which using ssl pinning:
Phone:
make sure root or jailbreak
Android:has rooted
for later to install tool: Xposed
iOS:has jail break
for later to install tool: Cydia
then install plugin/tool, capable of avoid/disable ssl pinning
Android:
JustTrustMe (based on Xposed)
Android-SSL-TrustKiller (Cydia Substrate)
iOS:
SSL Kill Switch 2 (based on Cydia)
old version:iOS SSL Kill Switch (based on Cydia)
more detailed summary please refer my post (written in Chinese): 1 and 2
Some folks my end up here with android N Devices that won't do SSL over charles even after installing the cert - now on http://chls.pro/ssl
In N - you need to also add an xml file and security config. This post goes into more details: How to get charles proxy work with Android 7 nougat?
I have met the same problem. And after installing the latest certificate, it is solved.
On your phone, visit http://charlesproxy.com/getssl to download the cert. Upon downloading the cert in android, it will prompt you to install the cert, give the cert a name and continue. It should now work.
Note: The sshould be similar on an iPhone
I got the following error when I was trying to install the cert on my Nexus 6p, Android 6.0. (I followed the instructions in charles and downloaded the cert via http://chls.pro/ssl.):
Couldn't install because the certificate file couldn't be read.
The solution to this problem was to install via:
Settings > Security > Install from storage
After navigating to the cert file and installing it everything worked as expected.
On this link http://www.charlesproxy.com/documentation/using-charles/ssl-certificates/ you have all the information you need on properly installing the Charles certificate.
After installing it you'll get rid of the "SSLHandshake: Received fatal alert: unknown_ca" error.
If you get this with an app using facebook login on an android phone, I got around it by uninstalling the fb app. Then the mobile fb web is used instead and I can charles everything. With the fb app installed the fb api fails with SSL error.
On Samsung phones, you should install the certificate by navigating to Biometrics and security/Other security settings/Install from device storage/CA Certificate.
I am using Charles 4.2.5 and Nexus 6P on Android 8.1.
One cannot use Charles to track https on my mobile phone.
Plz note that after Android N, we cannot capture normal SSL traffic of others'app.
Here is the official website of Charles.
https://www.charlesproxy.com/documentation/using-charles/ssl-certificates/
Android As of Android N, you need to add configuration to your app in
order to have it trust the SSL certificates generated by Charles SSL
Proxying. This means that you can only use SSL Proxying with apps that
you control.
In order to configure your app to trust Charles, you need to add a
Network Security Configuration File to your app. This file can
override the system default, enabling your app to trust user installed
CA certificates (e.g. the Charles Root Certificate). You can specify
that this only applies in debug builds of your application, so that
production builds use the default trust profile.
Add a file res/xml/network_security_config.xml to your app:
Then add a reference to this file in your app's manifest, as follows:
...