Unable to get local issuer certificate when configure Amplify on Windows Devices

[CarlosEspinozaMaruri]

Description

I encountered an issue while configuring Authentication and Analytics in our cross-platform mobile app (Android, iOS, Windows). When attempting Amplify.configure(amplifyConfig), an error is triggered, but this issue is isolated to certain Windows devices. The configuration process works without issues on Android and iOS devices.

Error Details:
The error message received is as follows:

flutter: WARN  | Analytics  | Could not update endpoint: NetworkException {
  "message": "The request failed due to a network error.",
  "recoverySuggestion": "Ensure that you have an active network connection",
  "underlyingException": "POST https://cognito-identity.us-west-2.amazonaws.com/? failed: HandshakeException: Handshake error in client (OS Error: \n\tCERTIFICATE_VERIFY_FAILED: unable to get local issuer certificate(../../third_party/boringssl/src/ssl/handshake.cc:393))"
}

In certain cases, reinstalling the app temporarily resolves the issue on affected Windows devices. However, the problem resurfaces consistently after 1-2 days post reinstallation.

Auth error is a similar one with the same underlyingException.

Notes
Connectivity: Stable internet connection via LAN wire.
Windows version: Windows 10 Home

Categories

• Analytics
• API (REST)
• API (GraphQL)
• Auth
• Authenticator
• DataStore
• Notifications (Push)
• Storage

Steps to Reproduce

Try to configure amplify plugins using Amplify.configure(amplifyConfig)

Screenshots

Platforms

• iOS
• Android
• Web
• macOS
• Windows
• Linux

Flutter Version

3.10.0

Amplify Flutter Version

1.7.0 and lower

Deployment Method

Amplify CLI

Schema

No response

[NikaHsn]

@CarlosEspinozaMaruri thanks for taking the time to raise this issue. Can you please share the code for instantiating the plugins you use before calling amplify.configure()

[CarlosEspinozaMaruri]

@NikaHsn Sure,

 try {
    await amplify_flutter.Amplify.addPlugins(
      [
        pinpoint.AmplifyAnalyticsPinpoint(),
        auth_cognito.AmplifyAuthCognito(),
      ],
    );
    await amplify_flutter.Amplify.configure(amplifyconfig);
  } on amplify_flutter.AmplifyAlreadyConfiguredException catch (_) {
    print(
        "Tried to reconfigure Amplify; this can occur when your app restarts on Android.");
 }

[NikaHsn]

The issue with HTTPS calls failing due to Dart's inability to verify the SSL certificate is a known problem in Dart with an open issue dart-lang/http/issues/627
can you please confirm if the devices are set to the correct date/time and they are not using a VPN?

[CarlosEspinozaMaruri]

Yes, all devices are in the correct timezone and not using VPN

[Jordan-Nelson]

@CarlosEspinozaMaruri - Apologies for the delay. Can you tell us more about the windows devices you are experiencing this on? How many devices are you seeing this on? Are they running specific versions of Windows? Are there windows devices that you are not seeing this issue on?

[Jordan-Nelson]

I think the issue is that Dart does not support root certificates that are installed lazily. This impacts Windows devices. There is an issue open for this with dart: dart-lang/sdk#52266

It is possible that we could work around this by including the root certificates required by AWS services in Amplify Flutter. See realm/realm-dart@8792fff for an example of how this could be done.

Another option would be to allow developers to provide their own http client so they could work around this.

I am going to mark this as a feature request for the time being. If you can provide us with more info about the devices you are seeing this on, or the frequency at which it occurs that would be helpful in determining the priority of supporting this.

It is not clear to me why this would resurface on the same device. If you can provide more details around that it would be helpful as well.

[CarlosEspinozaMaruri]

Hello @Jordan-Nelson, The error occurs across some client's devices. The available information suggests they are running on Windows 10 (not sure if running with windows license). However, it's worth noting that there are instances where it works seamlessly on both Windows 10 and 11 devices.

[Jordan-Nelson]

Hi @CarlosEspinozaMaruri thanks for the info. If you are able to find out any more info about the devices that this occurs on please let us know. For now we are going to track this as a feature request because it seems like the issue is how Windows/Dart handles root certs. There might be a way to work around it, but ideally this is resolved in the Dart SDK.