In case you run into the dreaded SSLHandshakeException

javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

There are the following possible causes

https://developer.android.com/training/articles/security-ssl.html#CommonProblems

1. The CA that issued the server certificate was unknown

2. The server certificate wasn’t signed by a CA, but was self signed

3. The server configuration is missing an intermediate CA

For troubleshooting run

where we can see that there is a self signed certificate in certificate chain

depth=3 C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2

verify error:num=19:self signed certificate in certificate chain

verify return:0

There are 3 solutions to this:

Either fix server ssl certificates: have officially signed certificates and intermediate certificates in the entire certificate chain. In which case you’re done.

or use the specific server certificate during https calls

or trust all hosts (worst solution, never do this!)

First of all make sure to have the latest security provider installed using Google Play Service ProviderInstaller during app start by using Google’s gms plugin)

This method usually runs only during the very first app start.

But that won’t fix the issue of self-signed certificates.

This can be remedied by adding your server ssl certificate during https calls. For that you need to:

Download ssl certificate from your server

2. and add certificate to your https client, in our case OkHttp which is usually used in retrofit.

Here is the helper to load your ssl certificate from your asset folder: