I’m a little confused about this - I’m seeing 100s of CHT users with this white screen.
Things are working fine, users are engaged with CHT
The CHT app is moved from one data-center to a new data-center (specific details unknown)
Users get this white screen
The instance appears to work fine when I test it. We have tried restarting the phone and reinstalling the app, but the issue persists. I have requested somebody onsite to debug. In the meantime, any pointers or thoughts on what might cause this and how best to resolve it?
That sounds super frustrating - sorry to hear about the issue @kenn !
Is this the nairobi-echis.health.go.ke instance? Given there was a server move (@elijah said in the past week, so between Jan 21-Jan 28), I thought maybe this was the prior invalid TLS cert chain issue you discovered. However, when I check the domain on SSL Labs I don’t see any chain issues flagged.
It is CHT Android 1.4, correct? Do you know what version of Android this is on?
I believe Android 9 with SDK 28 only supports TLS 1.2 or lower per Android docs.
When you compare eCHIS TLS support vs a Medic hosted project, you see they only support 1.3, but we support 1.2 and 1.3. (cc @Hareet who might have more details):
After spinning up Android 9, 10 and 11 instances with SDK versions 28, 29 and 30 in Android Studio, and checking the result of Chrome in those same versions of Android, we’re fairly confident this is an instance of a TLS misconfiguration per the ticket cited above.
To confirm this we see Failed to validate the certificate chain in the log files of the APK:
X509Util org...webapp.mobile.moh_kenya_echis I Failed to validate the certificate chain, error: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
9082-9151 chromium org...webapp.mobile.moh_kenya_echis E [ERROR:ssl_client_socket_impl.cc(946)] handshake failed; returned -1, SSL error code 1, net_error -202
Further confirmation is from running Chrome on the same Android device which shows:
This server could not prove that it is nairobi-echis.health.go.ke; its security certificate is not trusted by your device's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.
Finally, using sslchecker.com to scan nairobi-echis.health.go.ke shows a number of chain certificates missing.
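
The two causes considered in this thread (TLS version support versus missing chain certificates) leave different traces in logcat, so the triage can be scripted. The Python below is an added example, not code from the thread's participants or the CHT project: it groups handshake failures per app package and separates trust-chain failures from protocol failures. The first two sample lines are the ones quoted above; the third line and its package name are constructed, and the net_error meanings (-202 certificate authority invalid, -113 version or cipher mismatch, -107 SSL protocol error) follow Chromium's net error list.

```python
import re
from collections import Counter, defaultdict

# Chromium net_error codes mapped to the two hypotheses raised in the thread.
NET_ERRORS = {-202: "chain", -113: "protocol", -107: "protocol"}
# Android Studio logcat layout assumed: "<tag> <package> <level> <message>".
LINE_RE = re.compile(r"\b(?:X509Util|chromium)\s+(?P<pkg>\S+)\s+[VDIWEF]\s+(?P<msg>.*)")
NET_ERROR_RE = re.compile(r"handshake failed;.*\bnet_error (-\d+)")
ANCHOR_MSG = "Trust anchor for certification path not found"

def classify(msg):
    """Return 'chain', 'protocol', 'other', or None for unrelated messages."""
    if ANCHOR_MSG in msg:
        return "chain"
    m = NET_ERROR_RE.search(msg)
    if m:
        return NET_ERRORS.get(int(m.group(1)), "other")
    return None

def triage(lines):
    """Count failure causes per app package."""
    per_pkg = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.search(line)
        cause = classify(m.group("msg")) if m else None
        if cause:
            per_pkg[m.group("pkg")][cause] += 1
    return {pkg: dict(counts) for pkg, counts in per_pkg.items()}

def verdict(counts):
    """Turn the per-package counts into the likely server-side cause."""
    chain, proto = counts.get("chain", 0), counts.get("protocol", 0)
    if chain and not proto:
        return "incomplete or untrusted certificate chain"
    if proto and not chain:
        return "TLS version or cipher mismatch"
    return "mixed or unknown"

SAMPLE = [  # lines 1-2 are quoted in the thread; line 3 is constructed
    "X509Util org...webapp.mobile.moh_kenya_echis I Failed to validate the certificate chain, error: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.",
    "9082-9151 chromium org...webapp.mobile.moh_kenya_echis E [ERROR:ssl_client_socket_impl.cc(946)] handshake failed; returned -1, SSL error code 1, net_error -202",
    "1234-1300 chromium com.example.app E [ERROR:ssl_client_socket_impl.cc(946)] handshake failed; returned -1, SSL error code 1, net_error -113",
]

if __name__ == "__main__":
    for pkg, counts in triage(SAMPLE).items():
        print(pkg, counts, "->", verdict(counts))
```

A "chain" verdict points at the server's certificate configuration (intermediates not being sent) rather than at the device or the app, which matches why restarting the phone or reinstalling the app did not help.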