AQI: Firebase Crashlytics panel doesn't work with corporate proxy [308147320]

Fixed

Bug

Status Update

No update yet.

Description

yo...@gmail.com

created issue #1

Oct 27, 2023 11:21PM

Firebase Crashlytics panel fails to load when using a corporate proxy.

Oddly, the "Android Vitals" tab DOES work fine.

With this error (see attached screenshot):

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

There only logs that show up when refreshing the Firebase Crashlytics panel are these:

2023-10-27 16:19:13,006 [1638117]   INFO - #c.i.w.i.i.j.s.JpsGlobalModelSynchronizerImpl - Saving global entities to files
2023-10-27 16:19:14,356 [1639467]   INFO - #com.android.tools.idea.insights.events.actions.ActionDispatcher - Dispatching actions Refresh
2023-10-27 16:19:16,114 [1641225]   INFO - #com.android.tools.idea.insights.events.actions.ActionDispatcher - Dispatching actions Multiple(

Build: AI-232.10072.27.2321.11006994, 202310260032

AI-232.10072.27.2321.11006994, JRE 17.0.8+0-17.0.8b1000.22-10799086x64 JetBrains s.r.o., OS Mac OS X(aarch64) v13.4, screens 1440.0x2560.0, 5120.0x2880.0; Retina

AS: Iguana | 2023.2.1 Canary 11
Kotlin plugin: 232-1.9.0-release-358-AS10072.27.2321.11006994
Android Gradle Plugin: 8.1.2
Gradle: 8.4
Gradle JDK: Azul Zulu version 17.0.9

FirebaseError.png

136 KB

View

Download

Comments

er...@google.com <er...@google.com> Oct 30, 2023 10:12PM

Assigned to an...@google.com.

al...@google.com <al...@google.com> #2Nov 10, 2023 10:09PM

This error means that the proxy server you configured performs SSL termination to watch or modify the traffic. Android Studio proxy configuration allows you to turn off proxy settings for particular domains, I would suggest to disable the proxy for *.googleapis.com as the most secure solution.

yo...@gmail.com <yo...@gmail.com> #3Nov 10, 2023 10:11PM

There often is no direct route to *.googleapis.com and it is only accessible thru the proxy.

Message last modified on Nov 10, 2023 10:12PM

al...@google.com <al...@google.com> #4Nov 10, 2023 10:14PM

I see, but can the proxy itself be configured to do SSL passthrough or SSL forwarding instead of ssl termination?

yo...@gmail.com <yo...@gmail.com> #5Nov 10, 2023 10:40PM

TLS passthrough is not an option for many people.

I was able to add the TLS to Android Studio Iguana 2023.2.1 Canary 13.app/Contents/jbr/Contents/Home/lib/security/cacerts which generally solves this issue in many cases, but in this case it seems to have had no effect (even after restarting studio).

Is there something about the way it is doing HTTPS requests that would cause it NOT to use Android Studio Iguana 2023.2.1 Canary 13.app/Contents/jbr/Contents/Home/lib/security/cacerts as a source of root CA certs? Is there some sort of cert pinning happening?

al...@google.com <al...@google.com> #6Nov 12, 2023 06:29PM

Yes, there is a call which uses https://cloud.google.com/java/docs/reference/google-api-client/latest/com.google.api.client.googleapis.javanet.GoogleNetHttpTransport#com_google_api_client_googleapis_javanet_GoogleNetHttpTransport_newTrustedTransport__

Feature team, this is a dup of b/266868580 feature request.

jb...@google.com <jb...@google.com> #7Nov 13, 2023 05:09PM

Status: New

I assume specifically point 1 there? That seems like it should be straightforward to fix.

yo...@gmail.com <yo...@gmail.com> #8Jan 2, 2024 04:03PM

Feature team, this is a dup of b/266868580 feature request.

FYI, that bug is not public.

yo...@gmail.com <yo...@gmail.com> #9Feb 28, 2024 02:35PM

Tried again with Jellyfish Canary 11.

Now neither App vitals nor Firebase Crashlytics is working.

App vitals says

 No apps available
 Request that your app Admin provides you with the
 View App Quality Information (read-only) permission via the Play Console.

but I DO have permission and I can see the vitals in the web UI.

Firebase Crashlytics says:

 Request failed
 You can retry the request or, if you currently don't
 have a network connection, enter Offline Mode.

I do have a proxy set within Studio.

I logged out of my google accounts in studio and logged back in, same thing.

When the failure happens, all I see in the studio.log is this:

2024-02-28 06:22:17,331 [ 156853]   WARN - GrpcUtils - Retry attempt #1 for a rpc call, retrying in 0.118 second(s)...
2024-02-28 06:22:17,331 [ 156853]   WARN - GrpcUtils - Retry attempt #1 for a rpc call, retrying in 0.273 second(s)...
2024-02-28 06:22:17,331 [ 156853]   WARN - GrpcUtils - Retry attempt #1 for a rpc call, retrying in 0.0 second(s)...
2024-02-28 06:22:17,331 [ 156853]   WARN - GrpcUtils - Retry attempt #1 for a rpc call, retrying in 0.283 second(s)...
2024-02-28 06:22:17,331 [ 156853]   WARN - GrpcUtils - Retry attempt #2 for a rpc call, retrying in 0.206 second(s)...
2024-02-28 06:22:17,450 [ 156972]   WARN - GrpcUtils - Retry attempt #2 for a rpc call, retrying in 0.443 second(s)...
2024-02-28 06:22:17,539 [ 157061]   WARN - GrpcUtils - Retry attempt #3 for a rpc call, retrying in 1.373 second(s)...
2024-02-28 06:22:17,608 [ 157130]   WARN - GrpcUtils - Retry attempt #2 for a rpc call, retrying in 0.815 second(s)...
2024-02-28 06:22:17,615 [ 157137]   WARN - GrpcUtils - Retry attempt #2 for a rpc call, retrying in 0.44 second(s)...
2024-02-28 06:22:17,895 [ 157417]   WARN - GrpcUtils - Retry attempt #3 for a rpc call, retrying in 1.293 second(s)...
2024-02-28 06:22:18,060 [ 157582]   WARN - GrpcUtils - Retry attempt #3 for a rpc call, retrying in 2.246 second(s)...
2024-02-28 06:22:18,425 [ 157947]   WARN - GrpcUtils - Retry attempt #3 for a rpc call, retrying in 1.783 second(s)...

yo...@gmail.com <yo...@gmail.com> #10Jun 28, 2024 01:47PM

Adding the custom CA cert to

$HOME/Applications/Android Studio Koala Feature Drop 2024.1.2 Canary 8.app/Contents/jbr/Contents/Home/lib/security/cacerts

AND setting play.vitals.grpc.use.transport.security=false in

$HOME/Library/Application Support/Google/AndroidStudioPreview2024.1/idea.properties

seems to work.

eu...@gmail.com <eu...@gmail.com> #11Jun 28, 2024 01:58PM

It looks like I have something similar. My corporation requires self signed root certificate to be added to certificate store.

I have script that uses keytool to import certificate.

However, the play.vitals.grpc.use.transport.security doesn't make job for me - Android Vitals and Crashlytics show that I'm offline.

jb...@google.com <jb...@google.com> #12Jul 8, 2024 06:13PM

Marked as fixed, reassigned to jb...@google.com.

I've fixed Studio to use the default certificate store, which I think could be considered to fix this issue? I'm going to mark it as fixed, but if that's not a sufficient fix please let me know.

eu...@gmail.com <eu...@gmail.com> #13Jul 8, 2024 07:44PM

Confirmed - I just downloaded the nightly version and I can see Android Vitals and Crashlytics data.

an...@google.com <an...@google.com> #14Jul 15, 2024 07:35PM

Thank you for your patience while our engineering team worked to resolve this issue. A fix for this issue is now available in:

Android Studio Ladybug | 2024.1.3 Canary 1
Android Gradle Plugin 8.7.0-alpha01

We encourage you to try the latest update.

If you notice further issues or have questions, please file a new bug report.

Thank you for taking the time to submit feedback — we really appreciate it!