(FIXED) Issue on APP preview - HTTPS CORS REST

Munus · June 30, 2020, 2:23pm

Hi everybody,
I got an app that is trying to fecth data from a REST deployed on our server over HTTPS with our own certificate (we didn’t distribute it so SSL is private)
Response works correctly if I use web preview but when I try to see the preview in the APP on my phone i receive the following message
{
“name”: “error”,
“type”: “object”,
“title”: “Error”,
“properties”: {
“code”: {
“enum”: [
“requestFailed”,
“serverError”,
“unknown”
],
“type”: “string”
},
“message”: {
“type”: “string”
},
“rawError”: {
“type”: “value”
}
},
“description”: “One of the following error codes:\n\n- requestFailed: Thrown if the entire request failed due to e.g. CORS issues or no network connectivity.\n- serverError: Thrown if the server returned an error response.\n- unknown: Thrown if an unknown error occurred while fetching the collection of records.”,
“value”: {
“code”: “unknown”,
“message”: “TypeError: Network request failed”,
“rawError”: {
“line”: 137,
“column”: 7285,
“sourceURL”: “index.android.bundle”
}
}
}

CORS is implemented and I don’t know how to use web service in https in my APP
From server access log we don’t receive any calls
Could someone help me on this?

Sasu_Makinen · July 1, 2020, 9:54am

Just to clarify. Were you using native app or the app on mobile web?

Munus · July 1, 2020, 9:59am

native app
web app is working fine
Here my app url if can help
https://platform.appgyver.com/builder/applications/101365/

Sasu_Makinen · July 1, 2020, 11:04am

I get this on my browser as well. Don’t feel brave enough to allow the connection anyway.
GET https://xxxxxxxxxxxxx/api/deals/service_hierarchy net::ERR_CERT_AUTHORITY_INVALID

Maybe android apps block invalid cert authorities by default and this is not about CORS?

Munus · July 1, 2020, 11:37am

I guess issue is on certificate not distributed but I don’t know how I can skip or let the app accepting certificates not trusted
Any idea on how to implement this?

Sasu_Makinen · July 1, 2020, 11:50am

Honestly, no idea. I’d guess it’s on AppGyver’s code to allow this, but it’s really not a good idea to allow it universally.

Munus · July 1, 2020, 11:52am

Server are ours so it is safe to accept the certificate even if is not signed.
I would also add that in order to let the WS working also on browser, you have firstly to invoke the WS from the browser, accepting the certificate.
Do you know how to save the certificate in the app?

Munus · July 1, 2020, 1:56pm

Issue has been solved so the thread can be renamed as FIXED
What I’ve done has been to sign my domain certificate with a CA
Here the instruction on how to generate a certificate signed by a CA for free

ssh into your public server that your domain is associated with
install letsencrypt
generate a certificate for your development subdomains
- dev.my-domain.com for developing my website/webapp locally
- api.dev.my-domain.com for the api
- ./letsencrypt-auto certonly --standalone -d dev.my-domain.com -d api.dev.my-domain.com
copy fullchain.pem and privkey.pem to your local machine
- probably found under /etc/letsencrypt/live/dev.my-domain.com
- one way to get the files from your remote machine: scp -r your_user@123.123.(...):/etc/letsencrypt/live/dev.my-domain.com ./
replace your self-signed certificate with fullchain.pem and privkey.pem
point dev.your-domain.com and other subdomains you use to your development machine’s ip
- you can modify your hosts file on each machine you want to use the domain
- if your router has dnsmasq, you can do something like address=/dev.my-domain.com/192.168.(...) for the whole network (I recommend this)

This is part of one thread on stackoverflow