Realm: HTTP Transport: Exception executing get https://realm.mongodb.com/api/client/v2.0/app/{appId}/location

[Sandiverse]

What happened?

Hello everyone, first of all, great job for everything you do at Realm MongoDB

I am getting this error after upgrading to version 1.6.0 on Android, not tested on iOS yet.

Realm: HTTP Transport: Exception executing get https://realm.mongodb.com/api/client/v2.0/app/{appId}/location: HandshakeException: Handshake error in client (OS Error: CERTIFICATE_VERIFY_FAILED: certificate has expired(handshake.cc:393))
I/flutter (24774): AppException: non-zero custom status code considered fatal, status code: 999

By the way, I am using a custom token from AWS Cognito service as credentials to login to Realm, I do not know if its relevant.

Maybe it is related to the change added in this new version (provided in the image) on the enhancements section.

Repro steps

1. Just upgrade from version 1.5.0 to version 1.6.0.
2. After upgrading you will see the error on this line await app.logIn(credentials).

Version

3.16.0

What Atlas Services are you using?

Both Atlas Device Sync and Atlas App Services

What type of application is this?

Flutter Application

Client OS and version

Android

Code snippets

if (user == null) {
    debugPrint('User is not already authenticated');
    debugPrint('creating jwt credentials with token: $token');
    Credentials credentials = Credentials.jwt(token);

    debugPrint('before app login');
    user = await app.logIn(credentials);
  } else {
    debugPrint('User is already authenticated');
  }

Stacktrace of the exception/crash you're getting

2023-11-17T16:22:28.429781: [ERROR] Realm: HTTP Transport: Exception executing get https://realm.mongodb.com/api/client/v2.0/app/{appId}/location: HandshakeException: Handshake error in client (OS Error: 
I/flutter (24774): 	CERTIFICATE_VERIFY_FAILED: certificate has expired(handshake.cc:393))
I/flutter (24774): AppException: non-zero custom status code considered fatal, status code: 999

Relevant log output

No response

[nirinchev]

Thanks for this report. We'll investigate, but in the meantime, you can try and workaround this by explicitly creating the http client used by Realm. You can pass it in the AppConfiguration constructor like:

final appConfig = AppConfiguration(..., httpClient: HttpClient());

[Matishock1]

I have the same issue: my application works correctly on emulators, but on some physical devices, it stops working and throws the following error message:

"AppException: non-zero custom status code considered fatal, status code: 999".

I have conducted tests on devices with Android 11 and 12, where the issue occurs, while on a device with Android 13, the application works without any problems.

It is important to note that this error situation occurs on the Android platform, while on iOS devices, the application works correctly.

After implementing the code provided by nirinchev, the application functions properly.

[rodrigoreal]

Thanks for this report. We'll investigate, but in the meantime, you can try and workaround this by explicitly creating the http client used by Realm. You can pass it in the AppConfiguration constructor like:

final appConfig = AppConfiguration(..., httpClient: HttpClient());

First of all, great job for everything you guys doing at the Flutter Realm MongoDB.
I'm getting the same problem here after upgrading to 1.6.0 and the solution from nirinchev worked to fix the problem.

[nirinchev]

A quick update here: this appears to be related to dart-lang/http#627. The https certificates for realm.mongodb.com are issued by Let's Encrypt and as such are dual signed with their new ISRG Root X1 and IdenTrust's DST Root CA X3. The interesting bit is that the DST Root CA X3 is expired, but due to the fact older android devices don't validate the expiration of Root CA's, they consider it valid. This allows Let's Encrypt certificates to be trusted by both old Android devices and new ones. It appears this works just fine when we use the default HttpClient without an explicit SecurityContext, but when we use the SecurityContext and add the ISRG Root X1 to it, the certificate validation fails due to the expired DST Root CA X3. It's not yet clear to us why this is happening and we're working through the Dart code to understand what is wrong. If we don't have a reasonable solution by the end of the week, we'll revert the change in #1378.

[ianpward]

DST is expected to completely deprecated in the next couple quarters here -
https://letsencrypt.org/2023/07/10/cross-sign-expiration.html

And the MongoDB cloud intends to remove them from our endpoints. Please plan accordingly

[nirinchev]

When it gets removed, it'll actually resolve this issue. I don't think we can wait for it though 😞