java.security.cert.CertPathValidatorException

App version: 3.4.0 F-Droid

Android version: 9 Verizon

Device model: Samsung Galaxy S-8

Expected behavior: Download / stream podcast episodes from ARRL Audio News

Current behavior: Download attempts fail with this error message:

Unable to establish a secure connection. This can mean that another app on your device (like a VPN or an ad blocker) blocked the download, or that something is wrong with the server certificates. 

Technical reason: 
java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. 

File URL:
https://media.blubrry.com/arrlaudionews/content.blubrry.com/arrlaudionews/AAN-2024-05-17.mp3

I see a similar error message when attempting to stream an episode of this podcast.

I AM able to paste the podcast episode link into my browser (Chrome on my S-8) and play it there.

First occurred: Approximately 10 days ago

Steps to reproduce:

  1. Wait for the auto-download to start
  2. Read the error message in my notifications area

OR

  1. Open the queue
  2. Click the Download icon for a failed episode
  3. Wait for the download attempt to time out and read the error in a dialog box (or eventually in my notifications area)

OR

  1. Open an episode page
  2. Click the Stream icon
  3. Wait for the download attempt to time out and read the error in a dialog box

Environment:

This issue occurs whether or not I have my wired “ear buds” plugged in.

  • Keep updated is enabled
  • Include in auto downloads is enabled
  • No authentication
  • No tags
  • Uses global default playback speed
  • No autoskip
  • Uses global default auto delete
  • No volume adaptation
  • Uses global default new episodes action
  • No episode filter settings

Are you using an app called AdAway? Reference It got in the way of a few others as you see in that thread.

Other thought is your Android version is very old, and the certificates that came with it might have expired or will soon.

3 Likes

(I had to post this through the WebUI due to the forum’s e-mail security settings)

andbenn via AntennaPod Forum said:

Are you using an app called AdAway? It got in the way of a few others as you
see in that thread.

I’m not using AdAway or a VPN.

Other thought is your Android version is very old, and the certificates
that came with it might have expired or will soon.

The media.blubrry.com podcast links work for me in the Chrome browser
on my phone, so I’m not sure that we can blame my Android version.

It may be notable that the media.blubrry.com SSL cert was updated on May
15th, shortly before I encountered this error.

This issue is also being discussed at

2 Likes

I reckon Chrome on Android doesn’t use the system certificate store, which is why it works. But if you install another browser - I tried with the Duck Duck Go one - then it does show a warning when accessing media.blubrry.com, although it just says the certificate “is not valid” vaguely.

Antenna Pod shipped CAs for old devices before Ship our own CA certificates for old devices by ByteHamster · Pull Request #4497 · AntennaPod/AntennaPod · GitHub - it’d be great if somehow the powers that be could add the missing CA from GlobalSign nv-sa :pleading_face:

Canflu via AntennaPod Forum said:

I reckon Chrome on Android doesn’t use the system certificate store,
which is why it works. But if you install another browser - I tried
with the Duck Duck Go one - then it does show a warn ing when accessing
media.blubrry.com, although it just says the certificate “is not
valid” vaguely.

As of this morning AntennaPod now downloads from media.blubrry.org

And I didn’t see an error in DuckDukGo.

Carrying-over the solution solved by @Canflu efforts

Sadly, it seems like this has broken again in the last few days. This morning the error returned on a download that worked last week. I give up, I’ll probably buy a new phone soon because other errors and glitches are starting to stack up on it (entirely unrelated to this).

1 Like

A newer phone (with a newer OS version) is certainly a good plan when

Time to ping Blubrry again if the new phone purchase isn’t imminent?

What is the best path forward – talking to blubrry, who seem to revert back to unusability frequently or ship our own CA certificates again?
If the latter, do we merely need to update the certificates in core/src/main/java/de/danoeh/antennapod/core/ssl/BackportCaCerts.java?

Certificate added. Will be released in AntennaPod 3.5

3 Likes