Skip to content
This repository has been archived by the owner on Jun 20, 2023. It is now read-only.

Error Reason: 2001; App does not work anymore #968

Open
3 tasks done
gagamail opened this issue Aug 4, 2020 · 213 comments
Open
3 tasks done

Error Reason: 2001; App does not work anymore #968

gagamail opened this issue Aug 4, 2020 · 213 comments
Assignees
Labels
bug Something isn't working mirrored-to-jira This item is also tracked internally in JIRA

Comments

@gagamail
Copy link

gagamail commented Aug 4, 2020

EDIT: Corona-Warn-App Open Source Team

Solved: See FAQ:


ORIGINAL POST

Avoid duplicates

  • Bug is not mentioned in the FAQ
  • Bug is specific for Android only, for general issues / questions that apply to iOS and Android please raise them in the documentation repository
  • Bug is not already reported in another issue

Describe the bug

When I open the App I immediatley get the error message "Ursache: 2001 an error occured while trying to establish a secure connection to the server". This results in a not working App. Deinstalling and restarting did not help. Last confirmed working of the App was on July, 20th, first time I saw the error was on July, 23rd. In between I did not start the App.

Expected behaviour

The App should work

Steps to reproduce the issue

Starting the App is enough, I did not do anything specific and I did not change anything on my own on my Smartphone since the App is not working anymore.

Technical details

  • Mobile device: Samsung Galaxy Note 8 SM-N950F
  • Android version: 9, July security patch
  • CWA version: 1.1.1

Possible Fix

No idea

Additional context

My first thought was that Blokada changed something. Deactivating Blokada did not help. And even if so I am not willing to deactivate it completely (CWA is on the Allowed Apps list) as the App worked with it before.


Internal Tracking ID: EXPOSUREAPP-10944

@gagamail gagamail added the bug Something isn't working label Aug 4, 2020
@SebastianWolf-SAP
Copy link
Member

Thanks for the report. We've also been getting similar reports from Play Store comments. Reports from there show that

  • it seems to be unrelated from rooting/modifications, personal firewalls or similar measures
  • it seems to be independent from the used network (wi-fi or cellular)
  • it might be related to the latest update 1.1.1 as some people report that it occurs only since the latest update

Quotes from Play Store:

Initially, but for several days (even after reinstallation) a "Cause 2001" error worked: a secure connection to the server could not be established. EDIT: The error suddenly appeared / without changing the network, is in all WLAN networks, and also in mobile data mode. EDIT 2: the device was not modified and no firewall was installed. Resetting the network settings did not solve the problem

Until the update - all errors correcting - the app ran really well. No error message or similar. However, since the update: Error: CAUSE 2001. Rien ne va plus! No more risk assessment. This is how the app helps me - especially when the number of cases increases again. Please troubleshoot here. Then I also like to upgrade.

Unfortunately now without function. Something has been made worse, now it only shows that something went wrong. Cause of error 2001. Under "Details" there follows a cryptic error message. Android 9, Samsung S8. No blockers active. Own WiFi without restrictions. And before I get any tips like updating: I have installed version 1.5. Theoretically should correct errors, but in practice does the opposite. I uninstalled the app first.

After the update to 1.1.1 only error message 2001 comes. Even a restart of the cell phone brought no improvement. Risk determination is active, risk status is only displayed after the error message. Cause 2001 is displayed. Something went wrong. I am logged in to my own WLAN and have not made any changes to the network. Even a new installation did not bring any improvement. After the risk determination has been switched off, the error message disappears.

A different error after each update. Now after the latest update on 07/25/2020 "Cause 2001" on Huawei P8 Android 6.0. an error occured while trying to establish a secure connection to the server. Tried 3 different WLANs as well as cell phones. All unsuccessful. With another device - Samsung J3 - it works in the same networks.

The following error message appears when the APP is called: CAUSE: 2001 Something went wrong an error occured while trying to establish a secure connection to the server What can I do? Thank you for your help_______________________________ Edit: Unfortunately a restart does nothing to change this behavior. ___________________________________________ Edit: The error has occurred since the update to version 1.1.1. Lenovo Moto G5. Android 8.0.1, Google Play Store 21.0.17-all, services 20.24.14

The following error message appears when the APP is called: CAUSE: 2001 Something went wrong an error occured while trying to establish a secure connection to the server What can I do? Thank you for your help. The device has been restarted several times since it first appeared. The error always comes reliably since the update to version 1.1.1

Reported devices (all on CWA 1.1.1):

  • moto g(6) (ali_n), Android 9
  • OnePlus5, Android 10
  • Huawei P30 Pro (HWVOG), Android 10
  • Huawei P8 Android 6.0
  • Galaxy S8 (dreamlte), Android 9
  • HTC U11 (htc_ocndugl), Android 9
  • Moto G (5th Gen) (cedric), Android 8.1

As reports are increasing, we will address this with high priority to product management to prioritize analyses and a fix.

Mit freundlichen Grüßen/Best regards,
SW
Corona Warn-App Open Source Team

@SebastianWolf-SAP SebastianWolf-SAP changed the title Ursache: 2001; App does not work anymore Reason: 2001; App does not work anymore Aug 4, 2020
@SebastianWolf-SAP SebastianWolf-SAP changed the title Reason: 2001; App does not work anymore Error Reason: 2001; App does not work anymore Aug 4, 2020
@SebastianWolf-SAP SebastianWolf-SAP added the mirrored-to-jira This item is also tracked internally in JIRA label Aug 4, 2020
@thomasaugsten
Copy link
Member

thomasaugsten commented Aug 5, 2020

@gagamail Can you please contact me directly to provide more details about the network setup

@vaubaehn
Copy link
Contributor

vaubaehn commented Aug 5, 2020

@thomasaugsten @gagamail
Hi, gagamail listed Android July Patch for his device settings.
The July Patch also consists of Qualcomm fixes that seem to affect wifi.
May there be any (timely) relation to the July Patch?
https://source.android.com/security/bulletin/2020-07-01?hl=en

@gagamail
Copy link
Author

gagamail commented Aug 6, 2020

@thomasaugsten @gagamail
Hi, gagamail listed Android July Patch for his device settings.
The July Patch also consists of Qualcomm fixes that seem to affect wifi.

The SM-N950F is the version with the Samsung Exynos Processor and not Qualcomm Snapdragon. So I guess it can't be related?

May there be any (timely) relation to the July Patch?
https://source.android.com/security/bulletin/2020-07-01?hl=en

According to the logfiles I installed the last upgrade (i don't think there was any other upgrade besides the July Patch) on July, 28th which would mean it already did not work without July Patch.

@DerPlankton13
Copy link

Hi all,
I am effected by this bug as well (last working was the 20th July as well).
Since the error message gives more details hinting in the direction of the error, I wanted to provide some information from it. Unfortunately I am not allowed to take a screenshot of the error message and will thus not type the whole error stack.
The full error message starts with:

Etwas ist shiefgelaufen.
Ursache:
de.rki.coronawarnapp.exception.CwaWebSecurityException: an error occurred while trying to establish a secure connection to the server

And it ends with:

Caused by: java.securit.cert.CertPathValidatorException: Trust anchor for certification path not found.

I hope this helps :)

Cheers

@vaubaehn
Copy link
Contributor

vaubaehn commented Aug 6, 2020

Hi @gagamail , thanks for clearing up!

According to the logfiles I installed the last upgrade (i don't think there was any other upgrade besides the July Patch) on July, 28th which would mean it already did not work without July Patch.

So, any problems with 2001 related to that patch can be completely excluded then.
And you are right, Qualcomm for that model is US market only. Anyway, there were also some Samsung internal fixes and Android kernel fixes. However, doesn't play any role here.

@vaubaehn
Copy link
Contributor

vaubaehn commented Aug 6, 2020

Hi @DerPlankton13 , thanks for your report!
You mentioned that app was working well until July 20th.
Interestingly, around July 21st/22nd, CWA-server 1.2.0 was released...
May there be any correlation, @thomasaugsten @EvgeniiSkrebtcov ?

@thomasaugsten
Copy link
Member

thomasaugsten commented Aug 6, 2020

Hi,
the issues is the app cannot verify the ssl certificate of the diagnosis key server (Introduced with v1.1.1). This can caused by multiple things.

  1. Date/Time is not correct.
  2. Android Root/CA certificates are not up to date
  3. Antivirus App is breaking the ssl chain
  4. Network/Firewall tool like pi-hole is breaking the ssl chain

Maybe you can provide a screenshot of
Open Settings
Tap “Security & location”
Tap “Encryption & credentials”
Tap “Trusted credentials.”

@vaubaehn
Copy link
Contributor

vaubaehn commented Aug 6, 2020

maybe any problem in server certificate pinning?

@gagamail
Copy link
Author

gagamail commented Aug 6, 2020

1. Date/Time is not correct.

Is correct.

2. Android Root/CA certificates are not up to date

I have one certificate which is not up to date. Thats an old Deutsche Telekom Root CA 2 which I needed in the past for WLAN access.

3. Antivirus App is breaking the ssl chain

No Antivirus App installed

4. Network/Firewall tool like pi-hole is breaking the ssl chain

In my home WLAN I have a pi-hole, but the App also does not work outside of this WLAN. On the smartphone I have Blokada which I completely deactivated. Before July 21st the App worked with both activated.

@thomasaugsten
Copy link
Member

@gagamail Can you remove the old CA and test again?

@gagamail
Copy link
Author

gagamail commented Aug 7, 2020

@gagamail Can you remove the old CA and test again?

Looks like I can't. I don't find a possibility to deinstall it, according to what I found with google it is not possible to completely remove a WLAN CA. But it is (and was before) dectivated.

@kira99
Copy link

kira99 commented Aug 7, 2020

IMG_20200807_081146
Redmi Note 7

@thomasaugsten
Copy link
Member

Hi Kira,
can you provide a screenshot of
Settings
Tap “Security & location”
Tap “Encryption & credentials”
Tap “Trusted credentials.”

@kira99
Copy link

kira99 commented Aug 7, 2020

IMG_20200807_082025
IMG_20200807_082418

@kira99
Copy link

kira99 commented Aug 7, 2020

Hi Kira,
can you provide a screenshot of
Settings
Tap “Security & location”
Tap “Encryption & credentials”
Tap “Trusted credentials.”

Did my screenshots help? If not, can you give me a hint where to find the settings?

@thomasaugsten
Copy link
Member

@kira99
Settings->Additional Settings->Privacy->Trusted Credentials
Is the button "Clear credentials" active?

@kira99
Copy link

kira99 commented Aug 7, 2020

There is no additional settings in the App visible. Only settings. In settings everything is on. My operating system MIUI is in German. But I could not find any similar settings to credentials. Where do I have to look?

@thomasaugsten
Copy link
Member

I mean the Android Settings not the App Settings

@kira99
Copy link

kira99 commented Aug 7, 2020

Sorry, MIUI does not show this. The settings UI is not Android standard. I looked up privacy. There is not setting for credentials and I even have already activated developer mode for MIUI.

@thomasaugsten
Copy link
Member

Ok maybe you can try
Settings->Privacy & security -> Privacy->Trust agents
Settings->Privacy & security -> Privacy->Encryption Credentials->Trusted Credentials
Settings->Privacy & security -> Privacy->Encryption Credentials->User Credentials

@kira99
Copy link

kira99 commented Aug 7, 2020

Or did you mean this?
IMG_20200807_115641

@corona-warn-app corona-warn-app deleted a comment from kira99 Aug 7, 2020
@akuckartz
Copy link

@kira99 "Vertrauenswürdige Anmeldedaten" seems to be what you should look for.

@thomasaugsten
Copy link
Member

Hi thanks for your help.
The setting: Vertrauenswürdige Anmeldedaten is empty?
Ok this helps. I deleted one your screenshots because of privacy reasons

@mlenkeit
Copy link
Member

mlenkeit commented Dec 8, 2021

@Stonebubble ok, thanks for the clarification 👍

@vaubaehn
Copy link
Contributor

vaubaehn commented Dec 8, 2021

@Stonebubble Thanks, yes, then it's related to the issue 2 days ago. For now it looks like you won't be able to receive the Monday's test result in the app anymore. Do you need further assistance?

@Stonebubble
Copy link

@vaubaehn No, that's all. Thank you ( ꈍᴗꈍ)

@Berengar13
Copy link

Still exact same for me as for harry-g in december Today 21/01/2022
Tested at 17:15 scanned 18:20 certificates installed and active no firewall no matter mobile or wifi quite annoying

Still exact same for me as for @dor-bw and @bienzle.

*  the exact error as described above occured (Ursaxche 2001, T-Systems certificate)

*  the "QR code ungültig" appeared, exactly as in above screenshots

 
* nothing in the recycle bin

* app was not uninstalled

* after that only, also tried to delete app data and uninstall, also does not help
Any news about this issue?

@mirabilos
Copy link

I got a 2001 but the certificate is enabled. The reason was for me, as far as I could figure out from the traceback, a handshake error. Sony Xperia S, Android 7.1.2

@dsarkar
Copy link
Member

dsarkar commented Jan 22, 2022

Hi @mirabilos @Berengar13,

Thanks for reporting. You are using latest version CWA 2.16?

Best wishes, DS


Corona-Warn-App Open Source Team

@mirabilos
Copy link

@dsakar sorry, in my case it’s 2.11.2.0 from F-Droid

@da-Rob
Copy link

da-Rob commented Jan 30, 2022

Dear all,
suddenly on two phones Motorola brand. Version CWA 2.16.2 ENF Version 182148150000 both fail to operate risk monitoring feature (Risikoermittlung).

URSACHE: 2001 Etwas ist schiefgelaufen.
Bitte aktivieren Sie das SYSTEM Sicherheitszertifikat T-Systems Enterprise Services GmbH, T-TeleSec GlobalRoot Class 2 auf Ihrem Gerät. Mehr Informationen finden Sie in den FAQs auf https://coronawarn.app unter "URSACHE 2001".

First only one phone (moto g(7) power, Android 10) was affected, since yesterday the second (Moto Z (2) Android 9).

Certificate on given hints was active and also de-activating and re-activating did not fix the issue.
Re-installation of CWA did not fix the problem.
Phone 1 Android 10:

Ursache:
de.rki.coronawarnapp.exception.CwaWebSecurityException: An error occurred while trying to establish a secure connection to the server
at de.rki.coronawarnapp.http.interceptor.WebSecurityVerificationInterceptor.intercept(WebSecurityVerificationInterceptor.kt:4)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:25)
at okhttp3.internal.connection.RealCall$AsyncCall.run(RealCall.kt:12)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
at java.lang.Thread.run(Thread.java:919)
Caused by: javax.net.ssl.SSLHandshakeException: Handshake failed
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:288)
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:25)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:27)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:111)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:20)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:228)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:38)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:36)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at de.rki.coronawarnapp.http.HttpErrorParser.intercept(HttpErrorParser.kt:3)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at de.rki.coronawarnapp.http.interceptor.RetryInterceptor.intercept(RetryInterceptor.kt:3)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.kt:5)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at de.rki.coronawarnapp.http.interceptor.WebSecurityVerificationInterceptor.intercept(WebSecurityVerificationInterceptor.kt:3)
... 6 more
Suppressed: javax.net.ssl.SSLHandshakeException: Handshake failed
... 25 more
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x7047253b48: Failure in SSL library, usually a protocol error
error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER (external/boringssl/src/ssl/tls_record.cc:242 0x70bd957e6b:0x00000000)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:387)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:226)
... 24 more
Suppressed: javax.net.ssl.SSLHandshakeException: Handshake failed
... 25 more
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x7047253b48: Failure in SSL library, usually a protocol error
error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER (external/boringssl/src/ssl/tls_record.cc:242 0x70bd957e6b:0x00000000)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:387)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:226)
... 24 more
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x7047253b48: Failure in SSL library, usually a protocol error
error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER (external/boringssl/src/ssl/tls_record.cc:242 0x70bd957e6b:0x00000000)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:387)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:226)
... 24 more

Screenshot_20220130-115848
Screenshot_20220130-115923

Phone 2 Android 9:

Ursache:
de.rki.coronawarnapp.exception.CwaWebSecurityException: An error occurred while trying to establish a secure connection to the server
at de.rki.coronawarnapp.http.interceptor.WebSecurityVerificationInterceptor.intercept(WebSecurityVerificationInterceptor.kt:4)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:25)
at okhttp3.internal.connection.RealCall$AsyncCall.run(RealCall.kt:12)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
at java.lang.Thread.run(Thread.java:798)
Caused by: javax.net.ssl.SSLHandshakeException: Handshake failed
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:286)
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:25)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:27)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:111)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:20)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:228)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:38)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:36)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at de.rki.coronawarnapp.http.HttpErrorParser.intercept(HttpErrorParser.kt:3)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at de.rki.coronawarnapp.http.interceptor.RetryInterceptor.intercept(RetryInterceptor.kt:3)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.kt:5)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at de.rki.coronawarnapp.http.interceptor.WebSecurityVerificationInterceptor.intercept(WebSecurityVerificationInterceptor.kt:3)
... 6 more
Suppressed: javax.net.ssl.SSLHandshakeException: Handshake failed
... 25 more
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x716920e988: Failure in SSL library, usually a protocol error
error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER (external/boringssl/src/ssl/tls_record.cc:242 0x7169cf9e07:0x00000000)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:375)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:224)
... 24 more
Suppressed: javax.net.ssl.SSLHandshakeException: Handshake failed
... 25 more
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x716920e988: Failure in SSL library, usually a protocol error
error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER (external/boringssl/src/ssl/tls_record.cc:242 0x7169cf9e07:0x00000000)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:375)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:224)
... 24 more
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x716920e988: Failure in SSL library, usually a protocol error
error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER (external/boringssl/src/ssl/tls_record.cc:242 0x7169cf9e07:0x00000000)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:375)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:224)
... 24 more

Screenshot_20220130-120621

Thank you for looking into this.

da Rob

@MikeMcC399
Copy link
Contributor

@da-Rob
I see in the stack trace OPENSSL_internal:WRONG_VERSION_NUMBER
CWA Android uses TLS 1.2 and 1.3 according to HttpModule.kt.

What happens if you try to access https://www.coronawarn.app on a webbrowser on your mobile device? Is it successful or do you get an error message?

Is there any difference to the app error if you are connected on WiFi or on a mobile connection?
Has there been any network change involving firewalls, antivirus software, proxy servers, etc. that you know about?

@da-Rob
Copy link

da-Rob commented Jan 30, 2022

Hey @MikeMcC399 thank you for your reply.
You have been right. When the Phone 2 (Android 9) was on mobile data connection it seemed to connect. There the Guest WiFi of FRITZ!Box might have filtered too strictly by firewall measures.
While Phone 1 (Android 10) did not see the guest WiFi apparently, it was working when I used Phone 2 to create a local hotspot by mobile data.

Seems to be fixed here now, while the AVM settings of firewall for CWA should affect a high amount of users.

Though: Thank you for the moment, still I was puzzled by the cryptic error messages and that the straight forward way (Re-activate certificate) did not work out.

Improvement point: Add to URSACHE 2001 also hint to "Try using mobile data connection."

[Edit]
Maybe it is due to the block of "www.t-online.de" in the content filter settings. Might that affect the "T-Systems" certificate, then?
[/Edit]

Thank you and best regards
da Rob

@vaubaehn
Copy link
Contributor

@da-Rob and all,

[Edit]
Maybe it is due to the block of "www.t-online.de" in the content filter settings. Might that affect the "T-Systems" certificate, then?
[/Edit]

I had a quick check, and the reason why it is blocked via "Fritz Box Gastzugang" is a bit unfortunate:
For guest access via fritz box, there is a standard configuration of open ports, blocked web sites and the activated usage of the parental control filter (BPjM). And: port 443 is blocked, obviously to allow fritz box to make use of the BPjM module (reading unencrypted packets for keywords)... The host/owner of the fritz box would need to add port 443 to the allowed ports (via filter lists), but then listening on traffic for the BPjM module is likely not possible anymore.

@dsarkar Is this something we should add to the FAQ? "Gastzugang" -> "#cause2001" and "Port 443" -> "#access-list"

@mlenkeit
We now have 4 different error reasons:

  1. java.securit.cert.CertPathValidatorException: Trust anchor for certification path not found (caused possibly by malformed certificate chain)
  2. java.io.EOFException: connection closed (someone pulled the plug in the server room)
  3. java.lang.NullPointerException: Attempt to invoke virtual method 'java.lang.String java.lang.String.toUpperCase(java.util.Locale)' on a null object reference (root cause unknown; occured as a temporary problem. Caused by mobile provider? Or TSI tried something with server certificate?)
  4. javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x716920e988: Failure in SSL library, usually a protocol error // error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER (external/boringssl/src/ssl/tls_record.cc:242 0x7169cf9e07:0x00000000) (root cause: port 443 blocked. Possible other reason: TSL malconfiguration on client (something is wrong with OS))

Only error no. 1 fits to the current '2001 dialog'.

@MikeMcC399
Copy link
Contributor

@da-Rob
It's good you were able to resolve your problem1

The FAQ article [Google/Android]: CAUSE: 2001, trying to establish a secure connection to the server does refer to [Google/Android]: Firewall/Router configuration: CAUSE: 4000, error during web request, HTTP status 901 where the list of access points is published.

If there is a need to improve either of those articles, then I suggest to open a new issue for the website content using https://github.com/corona-warn-app/cwa-website/issues.

@illifee
Copy link

illifee commented Jun 10, 2022

Hallo,
bei mir ist das Problem heute zum 1. Mal aufgetreten.
Das Sicherheitszertifikat ist bereits aktiv, ich habe keine Firewall und es funktioniert nicht egal ob im WLan oder über Mobilfunk.
Ich habe allerdings ebenfalls eine Fritzbox mit Gastzugang.
Bin nicht sehr IT-affin, daher benötige ich bitte Hilfe.

@Fkultra-boop
Copy link

Fkultra-boop commented Jun 10, 2022

Hey, Problem tritt seit heute auf. Gestern zum ersten Mal einen PCR-Tests gescannt.
Handy: OnePlus 5t
Es macht keinen Unterschied ob WiFi oder mobile Daten.
Sicherheitszertifikat ist aktiv.
Screenshot_20220610-045934

Ursache:
de.rki.coronawarnapp.exception.CwaWebSecurityException: An error occurred while trying to establish a secure connection to the server
at de.rki.coronawarnapp.http.interceptor.WebSecurityVerificationInterceptor.intercept(WebSecurityVerificationInterceptor.kt:4)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:25)
at okhttp3.internal.connection.RealCall$AsyncCall.run(RealCall.kt:12)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
at java.lang.Thread.run(Thread.java:919)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:231)
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:25)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:27)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:110)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:20)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:228)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:38)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:36)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at de.rki.coronawarnapp.http.HttpErrorParser.intercept(HttpErrorParser.kt:3)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at de.rki.coronawarnapp.http.interceptor.RetryInterceptor.intercept(RetryInterceptor.kt:3)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.kt:4)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at de.rki.coronawarnapp.http.interceptor.WebSecurityVerificationInterceptor.intercept(WebSecurityVerificationInterceptor.kt:3)
... 6 more
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:674)
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:551)
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:617)
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:640)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:507)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:426)
at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:354)
at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:89)
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:224)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.verifyCertificateChain(ConscryptFileDescriptorSocket.java:407)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:387)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:226)
... 24 more
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
... 38 more

@JanMarcusEskes
Copy link

JanMarcusEskes commented Jun 10, 2022

Guten Tag, auch bei mir (Note 10 + SM-N976B, Sicherheitspatch 1.Mai 2022, Android 12) tritt es seit heute auf. Alle Systemzertifikate sind aktiviert. Kann das Zertifikat (also im SSL Sinne, nicht CWA-Zertifikat) abgelaufen sein oder sowas?
Über Mobil und WLan keine Verbindung BEIM HINZUFÜGEN eines Tests möglich. Die App läuft abseits des nicht-hinzufügens jedoch völlig normal.

Mit freundlichen Grüßen
Jan-Marcus Eskes

@StefanR22
Copy link

Bei mir der selbe Fehler.
Weder über Mobilfunk noch WLAN funktioniert es.
Zertifikat ist aktiviert. Firewall gibt es nicht.

Ursache:
de.rki.coronawarnapp.exception.CwaWebSecurityException: An error occurred while trying to establish a secure connection to the server
at de.rki.coronawarnapp.http.interceptor.WebSecurityVerificationInterceptor.intercept(WebSecurityVerificationInterceptor.kt:4)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:25)
at okhttp3.internal.connection.RealCall$AsyncCall.run(RealCall.kt:12)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
at java.lang.Thread.run(Thread.java:920)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:363)
at com.android.org.conscrypt.ConscryptEngine.convertException(ConscryptEngine.java:1134)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1089)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:876)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:747)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:712)
at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.processDataFromSocket(ConscryptEngineSocket.java:858)
at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.access$100(ConscryptEngineSocket.java:731)
at com.android.org.conscrypt.ConscryptEngineSocket.doHandshake(ConscryptEngineSocket.java:241)
at com.android.org.conscrypt.ConscryptEngineSocket.startHandshake(ConscryptEngineSocket.java:220)
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:25)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:27)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:110)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:20)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:228)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:38)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:36)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at de.rki.coronawarnapp.http.HttpErrorParser.intercept(HttpErrorParser.kt:3)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at de.rki.coronawarnapp.http.interceptor.RetryInterceptor.intercept(RetryInterceptor.kt:3)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.kt:4)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at de.rki.coronawarnapp.http.interceptor.WebSecurityVerificationInterceptor.intercept(WebSecurityVerificationInterceptor.kt:3)
... 6 more
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:672)
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:549)
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:615)
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:638)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:505)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:425)
at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:353)
at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:90)
at com.android.org.conscrypt.ConscryptEngineSocket$2.checkServerTrusted(ConscryptEngineSocket.java:163)
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:255)
at com.android.org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1638)
at com.android.org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(Native Method)
at com.android.org.conscrypt.NativeSsl.readDirectByteBuffer(NativeSsl.java:569)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextDataDirect(ConscryptEngine.java:1095)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1079)
... 31 more
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
... 47 more

@mlenkeit
Copy link
Member

We're looking into it...

@mlenkeit mlenkeit assigned mlenkeit and unassigned maugst Jun 10, 2022
@mlenkeit
Copy link
Member

@illifee @Fkultra-boop @JanMarcusEskes @StefanR22 Danke für die schnelle Meldung!

Besteht das Problem weiterhin oder tauch der Fehler inzwischen nicht mehr auf? Falls doch, würde uns auch die Versionsnummer der CWA helfen.

Wir haben verschiedene mögliche Ursachen für diese Fehlermeldung geprüft, konnten aber bislang auf unseren Servern nichts auffälliges beobachten und können den Fehler zum jetzigen Zeitpunkt nicht Nachstellen.

@JanMarcusEskes
Copy link

Bei mir klappt es jetzt wieder, vielen Dank.
Was war das Problem, wenn man fragen darf (bin Softwareentwickler, interressiert mich nur)?

@mlenkeit
Copy link
Member

Bei mir klappt es jetzt wieder, vielen Dank. Was war das Problem, wenn man fragen darf (bin Softwareentwickler, interressiert mich nur)?

Die Fehlermeldung taucht auf, wenn der Server mit einem anderen SSL-Zertifikat (bzw. -kette) antwortet als erwartet (auch bekannt als Certificate Pinning).

Warum das allerdings heute morgen passiert ist, ist leider noch unklar. Wir bleiben dran. Die Tatsache, dass es jetzt wieder zu funktionieren scheint, deutet auf ein temporäres Problem in der Infrastruktur hin.

@Fkultra-boop
Copy link

@illifee @Fkultra-boop @JanMarcusEskes @StefanR22 Danke für die schnelle Meldung!

Besteht das Problem weiterhin oder tauch der Fehler inzwischen nicht mehr auf? Falls doch, würde uns auch die Versionsnummer der CWA helfen.

Wir haben verschiedene mögliche Ursachen für diese Fehlermeldung geprüft, konnten aber bislang auf unseren Servern nichts auffälliges beobachten und können den Fehler zum jetzigen Zeitpunkt nicht Nachstellen.

Funktioniert jetzt wieder.
Dankeschön!

@illifee
Copy link

illifee commented Jun 10, 2022

Bei mir funktioniert auch wieder alles :-)

@Ein-Tim
Copy link
Contributor

Ein-Tim commented Jun 18, 2022

I have a user on Twitter reporting this issue. @thomasaugsten has the team any assumption in which circumstances (besides of an incident) this message is shown?

@Ein-Tim
Copy link
Contributor

Ein-Tim commented Jun 18, 2022

@mlenkeit

Die Fehlermeldung taucht auf, wenn der Server mit einem anderen SSL-Zertifikat (bzw. -kette) antwortet als erwartet (auch bekannt als Certificate Pinning).

Könnte eine mögliche Ursache sein, dass ein Server ein veraltetes/falsches SSL-Zertifikat hat & wenn der Load Balancer diesen Server für die Anfrage pickt bekommt der Nutzende diese Fehlermeldung?

@thomasaugsten
Copy link
Member

This happens when the establishment of a proper SSL is failing. The faq gives information to check the ssl certificate on client side

@Ein-Tim
Copy link
Contributor

Ein-Tim commented Jun 18, 2022

@thomasaugsten For the user the pop up just popped up randomly and after clicking on "OK" the app works as expected. After restarting the app the pop up does not appear again.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
bug Something isn't working mirrored-to-jira This item is also tracked internally in JIRA
Projects
None yet
Development

No branches or pull requests