I have added my own custom root CA certificate to the Android trust store (it shows as a "User" security certificate in the list of certificates in the "Settings" app). Next, I set up a Flutter app and added a `network-security-config` descriptor which contains the certificate source "user" to the manifest. This allows the app to use my custom root CA certificate from the Android trust store.
Then I made the following request in the Flutter app:
```dart
HttpClient client = HttpClient(context: SecurityContext.defaultContext);
HttpClientRequest request = await client.getUrl(url);
HttpClientResponse response = await request.close();
```
However, this results in a `HandshakeException` with underlying OS error: "CERTIFICATE_VERIFY_FAILED: self signed certificate in certificate chain."
I have tried the following:
- Made the request using native Java code. => This works as expected without error!
- Manually added the certificate to the `SecurityContext` using `setTrustedCertificatesBytes(...)`. => This works, but I have to add the certificate to the app manually. (I didn't find any way to retrieve it from the system trust store.)
- Replaced the `SecurityContext` with `SecurityContext(withTrustedRoots: true)` or didn't specify any. => This does not work, either. Same error as above.
Since the Java http request is working as expected, there must be an issue with the Flutter http client. Is there any way to get the Flutter http client to behave properly and use the existing certificate?
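
The second workaround from the list above (adding the certificate to the `SecurityContext` with `setTrustedCertificatesBytes`), written out as an added example that is not part of the original post. The asset path `assets/certs/my_root_ca.pem` and the function names are assumptions; the context keeps the default trusted roots and sets no `badCertificateCallback`, so chain and hostname verification stay enforced.

```dart
import 'dart:convert';
import 'dart:io';

import 'package:flutter/services.dart' show rootBundle;

// Assumed asset path (hypothetical). The PEM file must be declared under
// `flutter: assets:` in pubspec.yaml so it is packaged with the app.
const String kRootCaAsset = 'assets/certs/my_root_ca.pem';

/// Builds an HttpClient that trusts the default roots plus the bundled
/// private root CA. Only the CA certificate is shipped, never a private key.
Future<HttpClient> createClientTrustingBundledCa() async {
  final pem = await rootBundle.load(kRootCaAsset);

  // Start from the default trusted roots and add the private root CA on top,
  // so public endpoints keep validating as before.
  final context = SecurityContext(withTrustedRoots: true)
    ..setTrustedCertificatesBytes(
      pem.buffer.asUint8List(pem.offsetInBytes, pem.lengthInBytes),
    );

  // No badCertificateCallback is installed: a chain that does not lead to a
  // trusted root still fails with HandshakeException.
  return HttpClient(context: context);
}

/// Fetches [url] as text using the client above (hypothetical helper).
Future<String> fetchText(Uri url) async {
  final client = await createClientTrustingBundledCa();
  try {
    final request = await client.getUrl(url);
    final response = await request.close();
    if (response.statusCode != HttpStatus.ok) {
      throw HttpException('Unexpected status ${response.statusCode}', uri: url);
    }
    return await response.transform(utf8.decoder).join();
  } finally {
    // Release sockets held by this client.
    client.close();
  }
}
```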