cordova "release" behaves differently to "debug" regarding SSL

Problem

I have identified the exact source of the problem and i have found the perfect solution. It turned out to be a superposition of two separate issues each of which is seriously misleading:

  1. My SSL certificate from Thawte (despite its cost) is not recognized by Android 5.1.1 as a valid one (while being recognized by all desktop browsers)

  2. The --debug flag in cordova build simply ignores certificate "errors" (silently).

Solution

Go to your project's directory and find the following file:

platforms/android/CordovaLib/src/org/apache/cordova/engine/SystemWebViewClient.java

Locate the method definition (onReceivedSslError) and the following condition:

(appInfo.flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0

This is what makes --debug and --release different. In order to ignore certificate "errors" the following code should be executed:

handler.proceed();
return;

This file persists through the build process. Don't forget to ignore those quasi-errors next time you add a platform to your project.


Issue

Android does not recognise the certificate authority (CA) of that certificate. It is a common issue, specially with older devices, and it affects every device every time a new CA appears.

Solutions

A. Configure intermediate certificates.

Look for a detailed setup for your platform. Here are some examples:

  • Microsoft IIS and Exchange: https://knowledge.digicert.com/solution/SO16219.html

  • Apache on RedHat (and related): https://access.redhat.com/solutions/43575

You can read more about it in this Q&A at StackExchange's Unix.

B. Use the trust hierarchy chaining certs.

Taking advantage of the trust hierarchy feature, you can chain certs.

You can leverage the effort using a tool like: https://whatsmychaincert.com/

Or you can do it by yourself, as it is just a concatenation of text files (certs):

Example steps for Linux / macOS

  1. Concat the authority's certs with your cert. That way you'll send your CA's certificates first to ensure that the device trust your CA before your domain's certificate.

    If you have separated certs, this shell command does the trick:

    $ cat authority1.cert authority2.cert authority3.cert your_domain.cert >> your_domain_bundle.cert
    

    Or if you have a ca-bundle file, that is a concatenation of certificates, just run:

    $ cat authority.ca-bundle your_domain.cert >> your_domain_bundle.cert
    
  2. Add that your_domain_bundle.cert to the server.

Problem solved for any ssl protocol, https, wss, etc.