[BUG] Can Not Request Bridges on Nougat (API 24,25)
2025-06-17 14:11:08.753 22197-22197 MoatBottomSheet org.torproject.android.debug D DISPLAY ERROR: com.android.volley.NoConnectionError: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
The CAPTCHA fails to load and the UI is left in an incomplete state, nothing is rendered to the user.
Seems like SSL certs expired on Nougat https://the-gadgeteer.com/2020/11/20/android-nougat-security-certificates-are-expiring-in-2021/
Works fine on Oreo (aka Android 8.0 API 26)
It works fine for me on Nougat, but I am using a custom ROM with the ssl cert updated.
That's smart, most people aren't though so I want to get this sorted obviously. Plus I think the thing should fail gracefully for whenever certs on slightly less old versions of Android expire.
Certificate issues notwithstanding, @tladesignz should we even be using the CAPTCHA endpoint anymore? I'm behind on things and am learning that the API is deprecated. What's the correct path forward with this?
Haha! Good point. I think I'll need to give that whole bridge selection thing an update together with #1196 #1323.
Next week, I'll take care.
Will we need to pin CA certificates to fix this on old Androids? Urgh. I'd hate to do that.
I think so on API 24 and (probably also) 25 (and then of course defaults should be stuck with for 26 and up).
That's the wrong attitude though, it's not that we have to, it's that we get to.
I backported the Makefile to support Nougat with newer CA certificates here: https://github.com/syphyr/android_system_ca-certificates/commit/c2ed03d550a3c62ada08c8da3650fd2a4b5cc281
Working on a full rewrite of bridge configuration which mirrors what we did on Orbot Apple here: https://github.com/tladesignz/orbot/tree/bridge_refurbish
CAPTCHAs are not a part of it anymore.
Meeeh. Just tested #1360 with API 24:
@tladesignz After testing the refurbished bridge support, everything is working fine with cm-14.1. Although, now I do not see a way to request bridges via moat like before. Is that feature now removed?
It's the "Ask Tor" button, as seen in my screenshot. That calls the latest version of the Moat API through a special Meek tunnel.
I fixed the missing Let's Encrypt cert problem in Android SDK 24 and 25. Please test and close if good enough!
The "Ask Tor" button already worked for me on cm-14.1 (Nougat) since the certs are updated. I'm afraid I won't be able to reproduce this error in my device.
Ok. Well, I could reproduce that problem on an API 24 emulator.
@bitmold, maybe you want to confirm that it works now?
It does not on API 24, throws:
java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
and like before, works fine on API 25
Have you actually encountered this issue on API 25? It's a bit confusing since 24 and 25 are both branded as Nougat.
I'm very certain the fix just needs to target 24.
Very sorry, I'm realizing I misread GitHub and saw your commit on your fork referencing this issue and just assumed it was on the main branch already, so when I tested I didn't have the fix. It does work on 24 and I just pushed that commit to the main branch.
Ah, stupid me. I wanted to commit right away to Orbot's main branch, but instead used my copy and forgot to send a PR. Thanks for already taking care, @bitmold!
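
The approach raised in the thread (an extra CA for old Android releases, platform defaults for API 26 and up), sketched in plain JSSE as an added example; it is not code from this thread and not Orbot's actual fix. The class name, `contextFor`, the `apiLevel` parameter and the PEM file passed on the command line are assumptions for illustration.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;
public final class ExtraRootTrust {
    // Trust manager for the given store; a null store selects the platform's default CAs.
    static X509TrustManager managerFor(KeyStore store) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager available");
    }
    // apiLevel: Build.VERSION.SDK_INT on Android (assumed input here).
    // rootPem: one CA certificate in PEM form that the app ships (assumed input here).
    static SSLContext contextFor(int apiLevel, InputStream rootPem) throws Exception {
        if (apiLevel >= 26) return SSLContext.getDefault(); // newer releases keep the defaults
        KeyStore extraStore = KeyStore.getInstance(KeyStore.getDefaultType());
        extraStore.load(null, null); // start from an empty store
        extraStore.setCertificateEntry("bundled-root",
                CertificateFactory.getInstance("X.509").generateCertificate(rootPem));
        final X509TrustManager system = managerFor(null);
        final X509TrustManager extra = managerFor(extraStore);
        X509TrustManager combined = new X509TrustManager() {
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                try {
                    system.checkServerTrusted(chain, authType);
                } catch (CertificateException e) {
                    // Fallback is still full path validation, only against the bundled root.
                    extra.checkServerTrusted(chain, authType);
                }
            }
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                system.checkClientTrusted(chain, authType);
            }
            @Override public X509Certificate[] getAcceptedIssuers() { return system.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] {combined}, null);
        return ctx;
    }
    public static void main(String[] args) throws Exception { // args[0]: path to the root PEM
        try (InputStream pem = Files.newInputStream(Paths.get(args[0]))) {
            System.out.println(contextFor(24, pem).getProtocol());
        }
    }
}
```

This changes only the set of trust anchors; hostname verification remains the job of the HTTPS client that uses the context's socket factory.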