Keep getting Network Network request failed | Network Error #89

Closed
Audrey-Ann opened this issue Jul 20, 2023 · 7 comments

@Audrey-Ann

Audrey-Ann commented Jul 20, 2023

Hello there!

I am trying to integrate self-signed SSL pinning with Axios in a bare react-native project.

My domain:

https://my-domain.com

Here is my configuration using initializeSslPinning:

    await initializeSslPinning({
      'my-domain.com': {
        includeSubdomains: true,
        publicKeyHashes: ['hash-1', 'hash-2'],
      },
    });

I am calling this method at the very top of my application (App.tsx) and no error is being returned from initializeSslPinning.

However when I use axios or even fetch it keeps returning the following error:

TypeError: Network request failed

or

AxiosError: Network Error

Could it be possible to get an example that uses axios or guidance on how to fix this issue please? Thank you very much.

@frw
Owner

frw commented Jul 21, 2023

Hi @Audrey-Ann,

This library unfortunately does not work with self-signed certificates unless the certificate is added to the device's trust store. This is due to how the underlying native libraries used by this library work. You can read more about this on the following links:

OkHttp CertificatePinner
TrustKit

If you'd like to use this library without installing certificates on the device, the best course of action would unfortunately be to issue a certificate from a trusted CA, such as through Let's Encrypt, and use it on your server.

frw closed this as completed Jul 23, 2023
@Audrey-Ann
Author

Hi @frw, thank you for your answer and explanation,

I am quite new to Self-Signed Certificates and private IPs / local domains. That being said, does issuing a certificate from a Trusted CA work for a local domain (linked to a private IP)?

Thanks again very much for your help!

@frw
Owner

frw commented Jul 26, 2023

Hi @Audrey-Ann,

Unfortunately, I don't believe there's a way to issue a certificate from a trusted CA directly for private IPs/local domains. If your server is completely private/behind a firewall, perhaps you could use something like CloudFlare Tunnel or ngrok to assign a public-facing hostname and SSL certificate for your private IP address?

@Audrey-Ann
Author

We actually have a local domain now, would it still be possible to issue a certificate from a trusted CA?

(PS: thanks so much for your guidance)

@frw
Owner

frw commented Jul 27, 2023

Unfortunately, I believe all SSL certs from trusted CAs need to be issued against public-facing domains. I don't know of any CAs that will assign one for a private/local domain.
Perhaps this might not be the right solution for you. Is there a reason why you can't install your self-signed CA certs on the devices that will access your local server?

@Audrey-Ann
Author

@frw thank you for asking. 🙏🏽
The reason why a self-signed certificate (SSC) is not possible is because it would mean that users would have to manually add the certificate to their devices (iOS or Android), right?
Which, if that’s the case, is not a solution for us. The goal is to allow a seamless integration/secure connection between the app and that local network/domain.

I could not find a solution that allows having the client-side automatically issue the SSC with the local domain (yet)… unless there’s a way to do it server-side with a reverse proxy (HTTPS reverse proxy) or a specific type of CA aside from a SSC we could use… :(

It’s quite a new use case for me... my apologies for not specifying more context earlier too.

@frw
Owner

frw commented Jul 27, 2023

If this is in a corporate network, you could look into MDM solutions (available for both Android and iOS) to automatically install the self-signed certs on employee devices (although an initial setup process would be necessary).

Alternatively, if you're willing to go through the trouble, you could set up a domain name that points to a public-facing IP when queried from the outside network (which will allow you to pass authentication challenges by Let's Encrypt/other CAs to issue the cert), and use the same domain name for the private network but have it point to a different IP address when queried from the private network through a local DNS server. You could then use the same SSL cert for both the public and private servers.

Apart from these, I'm afraid there might not be any good way to do this with self-signed certs due to inherent limitations set by the devices themselves, since both Android and iOS are strict in terms of what certificates are accepted, and any attempts to work around them could result in bigger security holes.
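
Whichever certificate route from this thread is taken, the `publicKeyHashes` entries are pins over the server's public key: OkHttp CertificatePinner and TrustKit both match the base64 SHA-256 digest of the certificate's SubjectPublicKeyInfo. The Node.js sketch below is an added example, not code from this thread or the library; the function names and the generated keys are constructed for illustration, and it assumes the pins are passed as bare base64 strings.

```javascript
// Added example: derive and sanity-check publicKeyHashes values.
const crypto = require('node:crypto');

// Pin = base64(SHA-256(DER-encoded SubjectPublicKeyInfo)).
function spkiPin(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(der).digest('base64');
}

// Accepts a PEM certificate, public key or private key and returns its pin.
// For a private key, createPublicKey derives the matching public key.
function pinFromPem(pem) {
  const key = pem.includes('BEGIN CERTIFICATE')
    ? new crypto.X509Certificate(pem).publicKey
    : crypto.createPublicKey(pem);
  return spkiPin(key);
}

// Returns a list of problems with a publicKeyHashes array (empty = OK).
function checkPins(hashes) {
  const problems = [];
  for (const h of hashes) {
    const raw = Buffer.from(h, 'base64');
    // A SHA-256 digest is 32 bytes and must round-trip as canonical base64.
    if (raw.length !== 32 || raw.toString('base64') !== h) {
      problems.push(`not a base64 SHA-256 digest: ${h}`);
    }
  }
  // Assumption: a second pin for a backup key, as in the two-entry config above.
  if (new Set(hashes).size < 2) problems.push('no distinct backup pin');
  return problems;
}

// Builds a config object in the shape shown in the question.
function buildPinConfig(domain, pems) {
  return { [domain]: { includeSubdomains: true, publicKeyHashes: pems.map(pinFromPem) } };
}

// Constructed sample keys standing in for the live and backup server keys.
const newKeyPem = () => crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' })
  .privateKey.export({ type: 'pkcs8', format: 'pem' });
const liveKeyPem = newKeyPem();
const backupKeyPem = newKeyPem();
const config = buildPinConfig('my-domain.com', [liveKeyPem, backupKeyPem]);
console.log(JSON.stringify(config, null, 2));
console.log(checkPins(config['my-domain.com'].publicKeyHashes));
```

Because the pin covers only the public key, a certificate reissued by a CA keeps the same pin only when the server key is reused; a renewal that generates a new key needs the backup pin to already be in the app.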
