CERTIFICATE_VERIFY_FAILED on connection

[ali-1989]

Hi.

I use this:

var key = 'secret...';
 client = SupabaseClient('https://tyzsguwlnxsbvfmbrrir.supabase.co', key);

await client.storage.from('files').list();

I see 'HandshakeException: Handshake error in client (OS Error: CERTIFICATE_VERIFY_FAILED: certificate has expired(handshake.cc:359))'

This code worked before and has been wrong without change.

what?

[ali-1989]

I temporarily solved my problem.
solution here:

https://stackoverflow.com/questions/54285172/how-to-solve-flutter-certificate-verify-failed-error-while-performing-a-post-req

But this is not the right solution.

[dshukertjr]

It seems like this has been happening to other people as well.
supabase/supabase#3427

You can send your project details to support@supabase.io to have the team take a look at your project!

[ali-1989]

It seems like this has been happening to other people as well. supabase/supabase#3427

You can send your project details to support@supabase.io to have the team take a look at your project!

What information should I send? My project is big. Please tell me more precisely what to send.

I repeat again, I did not change the project. The code that used to work does not work now. I think the problem is with the server and the certificate.

[darora]

@ali-1989 - including your project ref (tyzsguwlnxsbvfmbrrir based on your snippet) should be sufficient

[darora]

@ali-1989 - I suspect you're running into a dart/flutter-specific issue: dart-lang/io#83

Can you confirm the Android version involved?

[ali-1989]

@ali-1989 -
Can you confirm the Android version involved?

My android version is 7.0.

This problem seems to be related to the dart language, not supabase package.

[inian]

Can you try upgrading your android version @ali-1989? from the issue linked by @darora above, it looks like Android 7 and below have an issue with Lets Encrypt after the root cert switch

[darora]

It's slightly more complex; LetsEncrypt defaults to a config that special-cases Android <= 7, but the way that's done seems to break things for Dart (on at least Android <= 7).

I imagine the market for not-Dart is bigger than Dart on Android <=7, so we'll likely keep things as-is.

[ali-1989]

Can you try upgrading your android version @ali-1989? from the issue linked by @darora above, it looks like Android 7 and below have an issue with Lets Encrypt after the root cert switch

I can not force my app users to do this.

[takenoto]

Can confirm this on Android 6.0.1 // Samsung Galaxy On7. I'm not sure this is a dart problem because I'm sure my code was working and now it isn't. I didn't change ANY SUPABASE-RELATED CODE, just some widgets to this new version. The Android version is also the same. I did not update flutter neither dart between the previous and the current versions.

[dshukertjr]

@inian
I'm sure you have already checked this, but could the issue be related to this issue where few people experienced certificate issue all at once? I wonder why it was working earlier and now it's not.

Edited: I have a better grasp of the issue now. I can see that there's not much we can do at this point.

[darora]

@takenoto - it's caused due to the behaviour of Dart's cert verification routines, and a root CA cert expiring on the 30th of September, as explained on dart-lang/io#83 - the combination of the two results in breakage of code that was functional prior to the 30th.

In terms of workarounds, the solution at dart-lang/io#83 (comment) is liekly your best bet, unless a better one gets put forth by the Dart community.

[dshukertjr]

I just finished reading this article and recommend reading it if you are still uncertain what the cause is. Great read.

Basically there is really nothing we can do at this point to fix this, and this is the world we live in now, it sounds like. At least there is nothing we can do on the Supabase Dart SDK level.

[takenoto]

@takenoto - it's caused due to the behaviour of Dart's cert verification routines, and a root CA cert expiring on the 30th of September, as explained on dart-lang/io#83 - the combination of the two results in breakage of code that was functional prior to the 30th.

In terms of workarounds, the solution at dart-lang/io#83 (comment) is liekly your best bet, unless a better one gets put forth by the Dart community.

Thank you for clarifying

[bohan0]

This resolved the problem for me on Android Emulator - Nexus One - API 22 (Android 5.1 (Google APIs Image):

const isrgRootX1 = '''-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----
''';

void main() {
  SecurityContext.defaultContext
      .setTrustedCertificatesBytes(Uint8List.fromList(isrgRootX1.codeUnits));

  WidgetsFlutterBinding.ensureInitialized();

  Supabase.initialize(
    url: '<supabase_api_url>',
    anonKey:
        '<supabase_api_key>'
  ).then((_) => runApp(const MyApp()));
}

I tried the method of including the isrgrootx1.pem file in assets/ca/ in pubspec.yaml , then loading the contents using rootBundle.load() or PlatformAssetBundle().load(), but for some reason it was not working for me (probably due to a relative path issue).